Improving Cyberresilience in an Age of Continuous Attacks

Rex Johnson and Hamlet Khodaverdian
Author: Rex Johnson, CISA, CIPT, CISSP, PCIP, PMP, Lieutenant Colonel, United States Army (ret.) and Hamlet Khodaverdian
Date Published: 13 December 2022

Recently, a pro-Russian hacker group known as Killnet targeted the websites of several major US airports with a denial-of-service (DoS) attack.1 Impacted were Hartsfield-Jackson International Airport (Atlanta, Georgia, USA), Los Angeles International Airport (California, USA), O’Hare International Airport and Midway International Airport (Chicago, Illinois, USA), and LaGuardia Airport (New York, New York, USA). The attack did not impact flight operations, but rather was intended to create confusion as retaliation for the United States’ support for Ukraine amid the Russia-Ukraine conflict. Every day, there is news of a major cyberbreach such as this one. We live in an age of the continuous compromise, and the political landscape has only made this more prevalent.

The attack on US airports serves as an example of hacktivism. Hacktivism comes from combining the words “hack” and “activism,” and is used to describe an attack that is politically or socially motivated. Hacktivism has grown from 1.6% to 6.2% in the past year as an attack motivation, but cybercrime is still the primary motivator at 82.4%.2

No matter the motivation, cyberattacks will continue. Many organizations gravitate toward a simple solution, believing it will cure all their woes and provide 100% cyberattack prevention. The reality is that there is no single solution to these complex challenges; rather, strategies must be integrated to create a comprehensive cybersecurity posture.

No Silver Bullet Solution

Organizations have spent approximately 10.9% of their IT budgets, or 0.48% of enterprise revenue, on cybersecurity.3 Many Fortune 500 companies have access to armies of experts, security operation centers (SOCs), next-generation sandboxes, firewalls, multifactor authentication (MFA), and endpoint detection and response (EDR) solutions. Yet it is still possible for such enterprises to be breached—and many have been.4 While point solutions are important components of cybersecurity, organizations should not assume that these tools cover all ground, since the average dwell time (the time an attacker spends in an environment before being detected through logs or point-product tools) is more than 200 days. The truth is that cyber solutions should never be viewed as siloed capabilities. If they do not work together intelligently as an integrated and adaptive system, complete protection from advanced threats remains elusive.

Consider this recent example. In September 2022, Uber was breached by a threat actor who purchased stolen credentials on the dark web and spammed an Uber contractor more than 100 times in an attempt to get the individual to accept the MFA push notification.5 Eventually, the bad actor called the contractor on the phone, pretending to be a member of Uber’s IT team. The contractor relented and ultimately approved the MFA push notification, allowing the threat actor to add their device to the network. Once past the preventive controls, the threat actor scanned the internal network and found a file containing administrator credentials, which gave them privileged access to Uber’s data. This was made possible by successful social engineering, which, unfortunately, can often surpass even the best tools on the market.

Today, many cybersecurity solution providers advertise their use of cutting-edge technology such as artificial intelligence (AI). But even the most sophisticated cybersolutions cannot be wholly relied on in every situation. Consider Amazon, which, despite its engineering scale and talent, cannot filter out fake product reviews on a consistent basis.6 What are the chances an AI-enabled box is going to catch an advanced threat actor when Amazon still is unable to filter out fake product reviews? To catch a human, you still need a human, even in the digital era.

Tools can be useful in many incidents, but enterprises should be aware of the following 3 distinct challenges of becoming overly reliant on tools to manage cybersecurity:

  1. Alert fatigue—Security information and event management (SIEM) systems are commonly used for detection. However, SIEM systems often produce many false alarms, making them the Achilles’ heel of the cybersecurity world. The sheer number of alerts is so high that it becomes a challenge to separate the valid ones from the false positives. Sending log data to a SIEM system without further correlation turns it into nothing more than an expensive messenger for existing controls.
    Logs are great for auditors, governance and compliance, since they provide relevant information about activities on the network, especially threats. However, logs include significant amounts of data and the overwhelming amount of information can be crippling.
  2. Lack of breach/incident validation—Hackers roam free because enterprises are unable to confirm whether breach alerts are actual incidents. It becomes too time-consuming and costly to investigate, and security teams often lack the skills to respond to advanced threats. Imagine being told by the police that someone may have broken into your house, but it was up to you to investigate further. That is the situation in which most organizations find themselves.
  3. Fortress mentality—Though it should be clear by now that some hackers come from within an organization, enterprises cling to the illusion that cybersecurity means keeping bad things out. According to IBM, the average time to identify and contain a data breach is 277 days.7 That is well over 8 months for a malicious actor to dwell in an environment, learn about an organization and plan for a more sophisticated attack. It is a dangerous fantasy to believe that it is possible to keep every threat actor out of a network. By holding onto this notion, organizations are unable to adequately respond to threats.
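As an added illustration (not code from the article or its authors), the following Python script shows how the MFA push-fatigue pattern in the Uber incident described above can be detected from authentication logs, and why rule-level correlation, rather than forwarding every event to a SIEM, matters for the alert-fatigue problem in challenge 1: instead of one alert per push, it raises a single finding when a user receives a burst of denied or unanswered pushes within a short window, and a higher-severity finding when an approval follows such a burst, especially from a newly enrolled device. The log format, field names, thresholds (5 pushes in 10 minutes) and sample lines are all constructed assumptions, not any vendor's real schema.

```python
"""Detect MFA push-fatigue patterns in constructed authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the article): one line per MFA push outcome.
# alice is bombarded and finally approves from a new device; bob is a normal login.
SAMPLE_LOG = """\
2022-09-15T02:00:00Z user=alice result=denied
2022-09-15T02:00:40Z user=alice result=denied
2022-09-15T02:01:20Z user=alice result=timeout
2022-09-15T02:02:05Z user=alice result=denied
2022-09-15T02:02:50Z user=alice result=denied
2022-09-15T02:03:30Z user=alice result=denied
2022-09-15T02:05:00Z user=bob result=denied
2022-09-15T02:05:30Z user=bob result=approved new_device=0
2022-09-15T02:06:00Z user=alice result=approved new_device=1
this line is malformed and is skipped by the parser
"""

# Assumed log format: "<ISO-8601 UTC timestamp> user=<name> result=<approved|denied|timeout> [new_device=<0|1>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) result=(?P<result>approved|denied|timeout)"
    r"(?: new_device=(?P<new>[01]))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a line in an unexpected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "new_device": m["new"] == "1"}


def detect_push_fatigue(lines, window=timedelta(minutes=10), burst=5):
    """Return a list of findings; thresholds are illustrative assumptions.

    push_burst:           a user accumulates `burst` denied/timed-out pushes within `window`
                          (raised once, when the count first reaches the threshold).
    approved_after_burst: an approval arrives while the trailing window still holds at least
                          `burst` unanswered pushes; severity is raised if it enrols a new device.
    """
    unanswered = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes in window
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are dropped rather than crashing the detector
        q = unanswered[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["result"] != "approved":
            q.append(ev["ts"])
            if len(q) == burst:
                findings.append({"user": ev["user"], "rule": "push_burst",
                                 "severity": "medium", "ts": ev["ts"].isoformat()})
        else:
            if len(q) >= burst:
                findings.append({"user": ev["user"], "rule": "approved_after_burst",
                                 "severity": "high" if ev["new_device"] else "medium",
                                 "ts": ev["ts"].isoformat()})
            q.clear()  # a decision ends the current sequence of prompts
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the script produces two findings for alice and none for bob: a medium-severity burst at the fifth unanswered push and a high-severity approval from a new device a few minutes later. That second finding is the one worth a phone call to the user and an immediate review of the device enrolment, which is the kind of validated, actionable signal the article argues a raw stream of SIEM alerts does not provide.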

Effective Tactics to Strengthen Cyberresilience

Enterprises need outcomes and will not get them by simply relying on another shiny box of cybersecurity software. They will not be saved by alerts that lack validation and are often disregarded. Cybersecurity is a collaborative responsibility that requires organizations to:

  • Understand the environment—Organizations need to understand their data and how they are used. This includes where data are stored (data at rest), how data move through the organization (data in transit), what applications and systems the data touch and who can access the data. Not all data are created equal. The more sensitive the data, the better equipped the systems that access the data need to be to ensure protection. Conducting an asset inventory and following up with security classifications for systems allows an organization to focus its efforts on safeguarding the most critical data.
  • Establish a cybersecurity model—After gaining an understanding of their environment, organizations need to consider their business and the associated risk within their industry and operations. This information can be used to identify a cybersecurity framework to address risk. Common frameworks include the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF),8 the Center for Internet Security (CIS) CIS Controls framework,9 and the International Organization for Standardization (ISO) standard ISO 27001.10 These can provide a model to support the US Health Insurance Portability and Accountability Act (HIPAA),11 the Payment Card Industry Data Security Standard (PCI-DSS)12 and other regulatory models.
    Using the right framework establishes a baseline for cybersecurity maturity and readiness. But choosing a framework is the beginning of the cybersecurity journey, not the end. Many frameworks focus on prevention and require integration with other tactics to provide effective detection and response.
  • Develop and test incident response—Regardless of the framework selected, breaches will happen. While prevention is always the preferred option, the success of incident response indicates how well the organization is prepared for and responds to the attack. Enterprises must ensure that their incident response plans are current and reviewed annually. Testing the plan is also critical. Conducting well-planned tabletop exercises of a simulated attack with stakeholders can help mitigate the impact of a breach.
  • Build a culture of security awareness—Security is everyone’s responsibility. Organizations should develop security awareness programs that remind employees of their roles in improving and maintaining security. Conducting training on current and relevant attack methods helps improve an organization’s cybersecurity posture.
  • Conduct periodic security assessments—Using the established framework, organizations can assess where they are in their cybersecurity maturity and readiness journeys. Conducting periodic audits and assessments provides a measure of progress in terms of improving the organization’s cybersecurity maturity and minimizing the impact of an attack.
  • Choose a trusted partner—Organizations do not need to approach cybersecurity on their own. Most organizations are in the business of something other than cybersecurity. Finding a valued, trusted partner to serve as an unbiased advisor can assist with determining cyberstrategies and initiatives—and a partner may have connections with other solutions providers.

Successful Cybersecurity Is a Mindset

The described tactics cannot stop a breach from occurring. Effective cybersecurity is about risk management. For example, when banks lend money or issue credit cards, the chief risk officer (CRO) has created a model based on profiles that assume there will be a default rate, meaning certain borrowers may not ever repay their obligations. This is communicated to the chief executive officer (CEO) so that the entire management team understands that it will incur losses from certain customers. Banks are then able to plan and reserve for these losses before they happen.

Enterprises must think of cybersecurity in the same manner in which banks lend money. It is only a matter of time before a breach occurs. If the right controls are in place, these breaches are nothing more than a simple incident of 1 machine being compromised vs. an entire network’s worth of data being compromised.

Each new attack has the potential to change the threat model. This may not be the first thing on cybersecurity team members’ minds after an attack, but changes could be required immediately. With massive financial and/or political benefits available to threat actors, they continue to change their tactics. It is now more important than ever to constantly develop and mature cybersecurity readiness. A holistic and integrated approach with the right tools can provide a better chance of surviving a cyberattack.

Endnotes

1 Margolin, J.; S. Sweeney; Q. Owen; “Cyberattacks Reported at US Airports,” ABC News, USA, 10 October 2022
2 Passeri, P.; “August 2022 Cyber Attack Statistics,” Hackmageddon, 22 September 2022
3 Deloitte, Reshaping the Cybersecurity Landscape, United Kingdom, 2020
4 Seclude, “10 Data Leaks That Have Cost Even Fortune 500 Companies a Fortune,” 2020
5 Vinar, K.; “MFA Fatigue Leads to Breach of Uber’s Corporate Systems,” Verus Corporation, 27 September 2022
6 Stieb, M.; “Amazon’s War on Fake Reviews,” Intelligencer, 26 July 2022
7 IBM, Cost of a Data Breach Report 2022, USA, 2022
8 National Institute of Standards and Technology, Cybersecurity Framework, USA
9 Center for Internet Security, CIS Critical Security Controls, USA
10 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), “ISO/IEC 27001 and Related Standards,” Switzerland
11 US Department of Health and Human Services, “Summary of the HIPAA Privacy Rule,” USA
12 Parker, A. M.; “An Introduction to PCI-DSS,” Cryptomathic, 23 March 2018

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “Improving Cyberresilience in an Age of Continuous Attacks” episode of the ISACA® Podcast.

Rex Johnson, CISA, CIPT, CISSP, PCIP, PMP, Lieutenant Colonel, United States Army (ret.)

Is an executive director and cybersecurity practice lead for CAI. He has more than 30 years of senior-level management experience encompassing IT, cybersecurity, privacy, digital forensics and analysis, and enterprise risk management. He has assisted numerous organizations in assessing and reducing risk, leading to improved operations and security maturity. He has provided both technical and advisory services for a variety of industries, including a cyberrisk assessment of a major entertainment and resorts enterprise. Prior to joining CAI, he held similar roles with Computer Science Corporation, Deloitte and Cap Gemini. Johnson is a frequent speaker on cybersecurity and has addressed US and international audiences with ISACA®, Gartner, Secure World and others.

Hamlet Khodaverdian

Is the co-founder and vice president for the Americas at LMNTRIX, which produces a fully managed cybersecurity platform that provides a holistic and multivector approach to enterprise, cloud, hybrid, and industrial controls networks. He is an experienced business technology executive with more than 20 years of experience. Khodaverdian has held various roles at multiple organizations, leading software engineering, IT infrastructure, business intelligence and data science teams. In the past, he has worked for Canon Research & Development, Quick Bridge Funding, Western Mutual Insurance Group, Alliance Funding Group and has been involved in several start-ups. Through his various leadership roles, Khodaverdian has gained extensive experience in enterprise risk management, security architecture (both infrastructure related and software engineering related), governance and compliance.