I am starting to sense a shift in how we talk about cybersecurity threats. In the wake of significant breaches like Target and Equifax, the recent revelations related to the SUNBURST (SolarWinds) supply chain and Microsoft Exchange Server Hafnium attacks, we have an opportunity to be better.
Much of the historical focus has been around defensive technologies to stop an attack before it penetrates the network. Then came email phishing and ransomware. The threats seem to multiply at a dizzying rate, yet our response has hardly kept pace. This may finally be changing.
As we learn more about these various attacks, we learn more about the tactics, techniques, and procedures (TTPs) that the bad actors use to successfully penetrate systems. As I have written about previously, the hacker community does a very good job of sharing information about which TTPs work and which do not. They also reveal which attack vectors and vulnerabilities remain available to exploit and which ones have been secured by the intended victims of attack. Whether it be nation states or organized criminal enterprises, the sharing of successful attack TTPs has been a key factor in the explosion of attacks. Fortunately, ISACs and ISAOs have been making headway in countering the sharing of information for good, not bad.
Reframing the Discussion to Focus on Response
The conversation around cybersecurity, in general, remains far too defensive. One analogy I like to use is that we need to think more in terms of assuming that we will be attacked and likely breached. That does not necessarily mean that we will have data stolen and exposed publicly or on the Dark Web, but we should always come at the cybersecurity discussion from the perspective that this is highly likely. Only then can we change the conversation to focus more on detection and response and not solely on defensive prevention. This is not to say that defensive preventative measures are not important. They are critically important, but you also have to be realistic.
When a nation state or organized crime syndicate targets your business, and they will if they have not already, they are likely to win the initial battle and gain entry. You need the right resources ready to answer the questions that follow a successful attack in order to have any hope of protecting your business and its electronic assets.
I view cyber incidents almost like a common home break-in. How did the criminal gain entrance? Did they break a window, pick a lock, or otherwise gain entrance. Once in, where did they go? Did they just go to the dining room, or did they also go into each bedroom and the basement? What did they do in each room they entered? Did they just look around or did they open drawers and closets and what did they see? Did they take anything (one of the most critical questions to always ask)? Perhaps most importantly, are they still there or have they left? If they are still there, where are they? Are they still just in the dining room, or have they started to move throughout the house (or laterally move across your network and possibly even other connected networks)? Finally, how did they leave? Did they go out the same way they came in, or did they open up another breach point as they exited, and did they clone the keys to the locks so they can easily re-enter whenever they wish?
While so simple in concept, I don’t believe that we, as an industry, have truly thought about cybersecurity in quite so specific a way. While it is important to know that someone is knocking on your door and trying to gain entry to your networks, it is not less important to understand that they have successfully entered your network and what they have been doing while they are there.
We Need to be Better Cyber Detectives
As more information comes to light on various successful attacks, we learn whether data was exfiltrated or changed, how long the attackers have been in the systems and more. This information, which has historically been the realm of forensic investigators who come in after a successful attack has been confirmed, needs to become a part of our routine cybersecurity discourse.
Only when we have a reliable way to detect and track unauthorized activity on our networks will we be able to shift the scales in favor of the organizations being targeted. I sense this change is coming, the question is how quickly we will get there.
An Executive Order from the Biden Administration is expected to be released shortly on cybersecurity. This should be the most comprehensive policy statement around cybersecurity that we have ever seen from the U.S. government. Many observers hope this will spur a significant increase in dialog, cooperation, funding and more, to help secure not just the U.S. government and economy, but the world. It is expected to place renewed focus on public-private partnerships to help secure the nation’s critical infrastructure, government, and commercial systems.
I am hopeful that this upcoming announcement will be all that and more. If early indications are correct, it should be. However, private industry should not wait for a government order. There is no reason not to advance the discussion now, to show how the ingenuity of private enterprise can address any challenge it confronts.
It’s Time to Step Up and Speak Out
As I have also written about previously, part of this includes moving away from the culture of cyber-shaming. We must encourage all organizations, public and private, to come forward and share concerns for any unusual activity they may be seeing. This is not an admission of failure or something that should reflect poorly on the reporting organization. Quite the opposite. We should be praising and setting examples of those organizations that share early indicators of what may be malicious activity that could lead to a successful attack.
The best-case scenario is that this information is shared widely enough that organizations detect similar activity and make it very difficult for the hacker to succeed. The worst-case scenario is that the report turns out to be benign and the reporting organization receives validation that what they detected is not an active attack. That’s not a terrible worst-case scenario. However, not moving in this direction really could foreshadow a worst-case scenario where the hackers continue to succeed at unprecedented rates, destabilizing the world economy and driving inflation due to the increased costs associated with successful attacks.
Will you be part of the solution? You have an opportunity to change the cybersecurity conversation within your organization and I encourage you to aggressively do so. CompTIA has numerous initiatives underway to help. The CompTIA ISAO, Cybersecurity Community, Cybersecurity Advisory Council and Federal Cybersecurity Committee are just a few such examples. Engage with us and let us help you advance the cybersecurity conversation in your organization.
MJ Shoer is Senior Vice President at CompTIA and Executive Director of the CompTIA ISAO.