Cybersecurity Resiliency - Defense and Recovery



Our Brightside CISO, Jourden Parks, recently published an informative post about the state of cyber vulnerabilities and the nation-state sponsored threats that have emerged and exist today. These bad actors, or Advanced Persistent Threats (APTs), are patient, lurking in the shadows of our systems and pursuing our data, networks, and other assets for profit, espionage, and even war. Like an experienced rock climber, an APT looks for the slightest crack to leverage and ascend to the next level of access. When they reach the peak, they make headlines with ransomware or downed systems. Or worse, they reach the peak containing the targeted data, extract what they want, and descend without leaving tracks, so the organization never knows it was compromised.

Organizations from small businesses to military headquarters are under constant probing by APTs for vulnerabilities to gain access to an organization's valuable assets. The frameworks, policies, software, and hardware we implement to protect systems from APTs can provide reasonable protection. The cost and level of securing systems should match the cost of a system's breach and data loss. It's a price that needs to be evaluated at every level of every organization.

For some organizations, such as government, military, healthcare, and critical infrastructure, every effort must be taken to ensure systems remain protected and trustworthy. Other organizations have systems where theft of data or downtime has a limited, or only short-term, impact. While protecting these systems may not be considered worth great expense, if you lower the protection on them, you must ensure they are fully segmented from the systems that require enhanced protection.

In the majority of events we have been called in to review or assist with, a complex, highly sophisticated actor did not cause the event. It was caused by a well-meaning member of the organization clicking on an email or otherwise responding to an inquiry about something that appeared to benefit the organization. One simple click can enable the deployment of malware that expands like cancer through the systems. Organizations need training and monitoring; otherwise, individuals can be tricked into giving up information or access that opens a crack into the organization's systems.

In rock climbing, there is a technique called jamming, where a climber finds a crack, no matter how small, and inserts a body part to expand or torque it into a larger hold from which to advance. APTs are looking for that crack or crevice to slide into a targeted organization, where they can wait for access to increased privilege or a hole in the network to expand their reach.

I've witnessed this breach start with janitorial staff and executive-level individuals. Even top-level security personnel have been susceptible. While we put the systems and processes in place to prevent events, we must simultaneously design systems for early detection and quick recovery from events when they do happen.

One of the traits systems designers have taken from military design is the concept of compartmentalization. Long ago, when I was first introduced to the concept of a Sensitive Compartmented Information Facility (SCIF), it was easy to identify its value. Data and assets remained in the SCIF, and access was tightly controlled and sometimes enforced by ominous-looking, gun-toting figures ensuring the sanctity of the information store. Over the years, we have taken that concept and applied it to the design of data stores and segmented networks.

At first, we frustrated many a user with multiple onerous authentications and timeouts. And to our chagrin, our users outsmarted us by finding ways to make their lives easier and circumvent our systems. One user would copy large data sets from a protected system to a locally stored spreadsheet so that they would not need to go through the three multi-factor logins to access the data. And there was almost no protection for their local storage. While we thought we had increased protection, we had decreased it. And not just a little: even today, we don't know if that data was ever accessed or stolen by a bad actor before we discovered and secured it.

Designing systems and data protection has become as much an art as a science, balancing user productivity against asset protection. In some cases, an ominous protection figure is still required for assets of extreme value or vulnerability. Every user access and piece of data is evaluated on a need-to-access basis, and access is monitored to ensure large amounts of data are not read or downloaded without justification. Changes are monitored and recorded such that unauthorized changes can be reversed to quickly return systems to operation. As I write this, it seems easy to describe, though in reality there are many systems out there that are either older or do not inherently allow this level of protection. And some systems simply are not designed to this level due to a lack of training, experience, money, or time.

Today, there are options. Authentication methods are available that are secure and yet make it easier for the user to remain authenticated without repeating multiple, onerous multi-factor logins. There are ways to monitor user activity for what is normal, or even for the normal rhythm of a user's workflow, to confirm it is the user and not a bot acting from their login at the same time. Detection must be built into every component of the system to be effective.
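One concrete shape the monitoring described in the last two paragraphs can take, as an added example (not code from this post or from Brightside): build a per-user baseline of read volume and active hours from past access records, then flag new records that exceed the volume baseline or fall outside the user's usual working rhythm. All log records, user names and thresholds below are constructed for illustration.

```python
# Added example, not from the original post: per-user baseline of read volume
# and active hours, then a deviation check for bulk reads and off-hours activity.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access-log records: (user, hour_of_day, bytes_read)
BASELINE_LOG = [
    ("alice", 9, 120_000), ("alice", 10, 95_000), ("alice", 11, 140_000),
    ("alice", 14, 110_000), ("alice", 15, 130_000), ("alice", 16, 100_000),
    ("bob", 8, 30_000), ("bob", 9, 45_000), ("bob", 10, 35_000),
    ("bob", 13, 40_000), ("bob", 15, 50_000), ("bob", 17, 38_000),
]

# Constructed new records to evaluate against that baseline.
NEW_LOG = [
    ("alice", 10, 125_000),    # normal volume, normal hour
    ("alice", 3, 2_400_000),   # bulk read at 03:00: flagged on both counts
    ("bob", 14, 42_000),       # normal
    ("bob", 16, 900_000),      # bulk read during working hours
]

def build_baseline(log):
    """Per-user mean and stdev of bytes read, plus the hours the user is normally active."""
    volumes = defaultdict(list)
    hours = defaultdict(set)
    for user, hour, nbytes in log:
        volumes[user].append(nbytes)
        hours[user].add(hour)
    return {u: {"mean": mean(v), "stdev": pstdev(v), "hours": hours[u]}
            for u, v in volumes.items()}

def find_anomalies(baseline, log, sigma=3.0, hour_slack=1):
    """Return (user, hour, bytes, reasons) for records that deviate from the baseline."""
    findings = []
    for user, hour, nbytes in log:
        b = baseline.get(user)
        if b is None:
            findings.append((user, hour, nbytes, ["unknown user"]))
            continue
        reasons = []
        if nbytes > b["mean"] + sigma * b["stdev"]:
            reasons.append("bulk read")
        if all(abs(hour - h) > hour_slack for h in b["hours"]):
            reasons.append("outside normal hours")
        if reasons:
            findings.append((user, hour, nbytes, reasons))
    return findings
```

A real deployment would compute the baseline over weeks of logs per user and feed findings into the organization's monitoring for a justification check rather than acting on them automatically.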

When designing systems, networks, and storage today, we have multiple options to build resilient infrastructures able to recover quickly from an attack. Resilient infrastructures are built on a proper foundation that anticipates both human error and bad-actor attacks. Older systems can be protected, though sometimes at a price that requires a cost-benefit replacement analysis. Sometimes, replacing what appears to be a functional system may be more cost-effective than attempting to harden it against unauthorized access or bolting on recovery technologies, especially when these capabilities are being built into the core of newer systems.

An organization must evaluate its entire IT infrastructure with full knowledge of the existing persistent threats. This evaluation must assume that your systems are being targeted, and it is reasonable to assume that 100% protection is not possible given the interaction of the technology and human elements involved. There are actions to be taken now: threat assessments, systems design review, upgrade or replacement of critical components, and 24/7 monitoring. The evaluation should also identify what additional components or technologies will allow quick recovery with minimal impact on the organization.

Executives and boards are the ones who should be asking questions, and not just "are we prepared?" The questions should be about how prepared you are, as a yes/no answer does not cover your fiduciary responsibilities. Ask what elements have been added to recover from an event. No executive can claim to be ignorant of the threats out there, as they are in the headlines weekly. Oversight is required to ensure an organization is prepared to defend and recover.

Threats have been part of human existence for as long as humans have been alive. This extends to politics, business, and even the threats to our living conditions on planet Earth. That these threats now originate with individual hackers and even nation-states using technology for their gain should not be news. The good news is that updated technologies, systems, and frameworks put organizations in a much better position than even a year ago. And though there is a current shortage of experienced security professionals, securing and monitoring your systems is still possible. At Brightside, we can assist with the process from assessments to implementation to setting policy. Contact us today to discuss any element of the process.


~ Mark Munger, Chief Technology Officer, Brightside Industries Group, LLC
