Cyber attackers: if you can’t stop them, disrupt them
For decades, companies have bolstered their cyber defences in a bid to thwart intruders. But while this work will always continue, firms are increasingly confronting the reality that it takes only a small slip-up, or an unnoticed flaw, for hackers to be able to get inside their systems. And then what?
So, in a shake-up of approach, many businesses are now focusing on how to mitigate cyber attacks — on the assumption that a breach is inevitable.
Some firms create internal “red teams” to probe their own systems for weaknesses, but Padraic O’Reilly, chief product officer and co-founder of cyber security risk group CyberSaint, says companies should do more “proactive or mitigative remediation”.
“You will be planning for budget cycles, and looking at risk and making risk-informed decisions, instead of just putting out fires.”
This shift comes as several highly sophisticated nation-state cyber campaigns — such as the SolarWinds hack, which even hit government agencies — have demonstrated that companies can be unknowingly vulnerable if there is just one weak link in their supply chain.
Meanwhile, ransomware attacks — in which cyber criminals encrypt an organisation’s data and demand money for releasing it — have escalated. Companies in all industries have been targeted. Data from SonicWall show a 105 per cent rise in ransomware attacks in 2021.
“The ransomware problem has become so pervasive,” warns Andrew Rubin, chief executive of security group Illumio. “That proved to everybody that you’re going to get hit almost no matter what, which is not a failure of your cyber strategy, it just means that you have to evolve your cyber strategy to both detect, as well as stop, the spread.”
One emerging field for protecting operational technology — such as critical national infrastructure, manufacturing facilities, automotive plants, and aerospace systems — is CCE or “consequence-driven, cyber-informed engineering”.
According to Stuart McKenzie, senior vice-president of Mandiant Services in Europe, Middle East, and Africa, the CCE methodology first requires companies to conduct a “crown jewels assessment” of their business from an operational perspective — establishing any elements of production that need to be operationally effective 24/7.
So-called “consequence prioritisation” is vital in making sure that electricity blackouts are avoided, and water treatment can continue, for example.
McKenzie says it is about asking the question: “How do we protect these critical assets and then, once we got something around those, look at the next layer and then look at the next layer?”
Idaho National Laboratory, which developed the framework, calls for a “system-of-systems analysis” — in other words, identifying interdependencies between systems and their components.
After that, the next step is dubbed “consequence-based targeting”: essentially mapping out the ways in which an attack might progress around a target’s computer systems and cause the most damage. It involves working out “where they need to be to conduct the attack, and what information is required to achieve those goals”, says the INL.
When this attack path mapping is done, it is down to engineers to disrupt those digital assault pathways, where they can.
Companies must assess “the threats and scenarios that an organisation faces and then play those through their systems, their processes, their business, to see where weaknesses would occur”, says Del Heppenstall, cyber security partner at KPMG.
This might include more conceptual “tabletop scenario-driven exercises which step through ‘what ifs’. If this happens, then what?” Or it might involve more “hands on” testing, he adds. “Some clients, ultimately, want to test the resilience of their live environments.”
Mitigation measures can take multiple forms. One key approach is “segmentation”, or dividing a network into smaller parts, according to Illumio’s Rubin.
He uses the metaphor of a submarine split into an array of compartments: if a leak springs, it will only affect one small compartment rather than flood the entire submarine. “Segmentation is getting . . . a ton more attention than it ever has,” Rubin says.
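To make the CCE steps above (a crown-jewels weighting, a system-of-systems dependency map, consequence-based attack-path mapping) and Rubin’s segmentation point concrete, here is a small Python model added for illustration; it is not code from the article or from any organisation quoted in it. The site layout, asset names, consequence weights and the set of links that operations cannot do without are all constructed for the example.

```python
# Constructed toy "system-of-systems" for an OT site: a directed edge A -> B means
# an intruder with a foothold on A can reach B. Names and weights are invented.
ENTRY = "corp_lan"                       # assumed attacker foothold after a breach
EDGES = {
    "corp_lan": ["eng_ws", "hist_db"],
    "eng_ws": ["hmi", "jump_host"],
    "hist_db": ["hmi"],
    "jump_host": ["hmi"],
    "hmi": ["plc_turbine", "plc_pump"],
    "plc_turbine": [],
    "plc_pump": [],
}
# Crown jewels assessment: consequence weight if the asset is lost (constructed).
CONSEQUENCE = {"plc_turbine": 10, "plc_pump": 7, "hmi": 3,
               "jump_host": 1, "hist_db": 1, "eng_ws": 1, "corp_lan": 0}
# Links operations cannot do without (constructed); they are never cut.
REQUIRED = {("corp_lan", "eng_ws"), ("corp_lan", "hist_db"),
            ("hmi", "plc_turbine"), ("hmi", "plc_pump")}

def attack_paths(edges, start, target, path=()):
    """Consequence-based targeting: enumerate simple paths from a foothold to a target."""
    path = path + (start,)
    if start == target:
        return [list(path)]
    found = []
    for nxt in edges.get(start, []):
        if nxt not in path:              # simple paths only, never revisit a node
            found.extend(attack_paths(edges, nxt, target, path))
    return found

def exposure(edges, consequence=CONSEQUENCE, entry=ENTRY):
    """Consequence-weighted count of attack paths over every asset in the map."""
    return sum(w * len(attack_paths(edges, entry, a)) for a, w in consequence.items())

def prioritise(edges, consequence=CONSEQUENCE, entry=ENTRY, threshold=5):
    """Consequence prioritisation: rank crown jewels by weight times reachable paths."""
    ranked = [(a, w, len(attack_paths(edges, entry, a)))
              for a, w in consequence.items() if w >= threshold]
    return sorted(ranked, key=lambda t: (-t[1] * t[2], t[0]))

def rank_segmentation_cuts(edges, required=REQUIRED, consequence=CONSEQUENCE, entry=ENTRY):
    """Rank each removable link by how much weighted exposure cutting it eliminates."""
    base = exposure(edges, consequence, entry)
    cuts = []
    for src, dsts in edges.items():
        for dst in dsts:
            if (src, dst) in required:
                continue
            trimmed = {k: [d for d in v if (k, d) != (src, dst)] for k, v in edges.items()}
            cuts.append((src, dst, base - exposure(trimmed, consequence, entry)))
    return sorted(cuts, key=lambda t: (-t[2], t[0], t[1]))
```

Running `rank_segmentation_cuts(EDGES)` on this map ranks the engineering-workstation-to-jump-host link as the single segmentation boundary that removes the most consequence-weighted paths, which is the "disrupt the pathway where you can" step in engineering terms.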
Detection, and having visibility over systems, are also vital. This can be helped by tools that carry out “scanning for anomalies”, says Heppenstall. Another element is making comprehensive incident response preparations.
“It is worthwhile to be prepared, to put into practice the ability to respond, to validate that your controls and everything is working as intended,” says Joe McMann, Capgemini’s global cyber security portfolio head. That way, “when you do have a problem, you know exactly what to do, you’re not scrambling,” he notes.
However, McMann acknowledges that, for companies, there remains the age-old problem of trying to validate the return on an investment in security.
Cyber attack mitigation becomes part of the corporate risk management process: “It is a risk-based, cost-based decision that every business and every enterprise has to go through to weigh the pros and cons of implementing a program that would prevent impact from a certain risk in their enterprise,” he says.