Guest-blog: Simon Rycroft discusses the importance of basic cyber security hygiene and the 5 inalienable truths

Simon Rycroft

In today’s ever-changing threat landscape, it is more important than ever to use a cyber hygiene routine to help prevent hackers, intelligent malware, and advanced viruses from accessing and corrupting your company’s data.

Cyberattacks are growing in both frequency and impact. The repercussions of security mistakes often end up being headline news and can cause significant harm to the victim organisation.

However, there is a perception that only big, global, corporations are at risk and, as a result, thousands of attacks against the Small-Medium business sector go largely unreported. Most successful attacks leverage well-known security problems.

Reporting from the UK Government’s CESG (the part of GCHQ tasked with protecting the nation) indicates that around 80% of cyber attacks are the result of poor cyber habits within the victim organisations. To address this, a cyber hygiene strategy should be implemented which emphasises the importance of carrying out regular, low-impact security measures.

James Comey – Former Director of the Federal Bureau of Investigation once said ‘We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.’

This will minimise the risk of becoming a victim of a cyberattack, or of spreading the impact of a cyberattack to other organisations. In this context, cyber hygiene should be viewed in the same manner as personal hygiene: once properly integrated into an organisation, it consists of simple daily routines, good behaviours and occasional check-ups to make sure the organisation’s online health is in optimum condition.

Today I have the distinct pleasure of introducing another Guest Blogger, Simon Rycroft, who is the CEO and Co-Founder of CRMG (Cyber Risk Management Group), an expert company in the field of providing cybersecurity and information risk consultancy services.

Simon is passionate about cybersecurity, and his career spans over 23 years. Most recently Simon held leadership roles at the Information Security Forum (ISF) as Head of Consulting and Global Account Director. In particular, Simon played a leading role in growing the ISF’s Consultancy business, steering it from its inception to become a multiple award-winning cybersecurity practice. Simon’s expertise spans both subject matter and operational management. Core areas of specialism include cyber risk management and assessment, information security governance and benchmarking.

Simon is going to talk to us about the importance of basic cybersecurity hygiene and the 5 inalienable truths.

At CRMG we don’t have an aversion to the array of highly impressive products and services that compete for the modern CISO’s budget. As an example, the role that artificial intelligence (AI) can play in speeding up an organisation’s targeted response to a new breach is exciting. Where once a team of analysts might scramble to understand the implications of a piece of malware found on the corporate network – and err on the cautious side when deciding whether to advise pulling the plug on critical business systems – increasingly sophisticated tools can now instantly determine (and execute) exactly what containment measures are needed without bringing the organisation’s operations to a screeching halt.

However, irrespective of the pace of technological advances that increase our firepower in combatting the cyber threat, there remain a number of inalienable truths that mean we can’t ignore the importance of ‘basic cybersecurity hygiene’. Here are ‘5 truths’ that explain the point.

Truth #1: Don’t forget it’s still all about the information

There’s a reason why those of us who’ve been kicking about for a while in the cybersecurity industry used to call it ‘information security’. ‘Cybersecurity’ is no more than ‘information security’ on the steroid we know as the Internet.

Just because the Internet introduced new threats, attack surfaces, and accelerated the ability of nefarious entities (individual, corporate or nation-state) to cause untold mayhem, the underlying principle hasn’t changed. IT’S STILL ALL ABOUT THE INFORMATION.

Since the dawn of mankind, information has accrued value for its owner. Information is a competitive advantage. Information is intelligence about our customers that enables us to sell services to them without incurring undue risk. Information is the blueprint for the self-driving car that can tell the difference between an elderly lady about to cross the road and a traffic bollard.

Information is the finer detail of the due diligence activity on which our next investment round is predicated. Information is a commodity no less valuable than hard currency, and in many cases, it’s way more valuable.

Truth #2: Not all information is created equal

Assuming you accept Truth #1, it follows that it’s only worth getting out of bed to protect the information that you’re really bothered about. If you have no means by which you can value the information on which your organisation thrives (assuming you don’t have an infinite information protection budget), you might as well pack up and go home.

The information you’re really bothered about is entirely a subjective matter of course. That’s why purchasing off the shelf cyber products and services – without understanding whether you’re genuinely focusing on what matters – runs the risk of being the equivalent of buying up the entire stock of Fortnum’s ground floor on 22 December just because the in-laws are popping round for a mince pie and a sherry on Christmas Eve.

Truth #3: Sometimes what YOU think doesn’t matter

Sometimes, the decisions you make as to whether it’s worth protecting (or not) the information your business holds might just not be up to you. Something as simple as building a database of phone numbers and e-mail addresses of those you think might be interested in your services will, of course, incur the wrath of regulatory bodies if said database doesn’t meet the requirements of data protection regulations.

Depending on your native industry and target market, you may be subject to regulatory requirements that are completely beyond your control, irrespective of the information you hold or the value you attach to it. And more often than not, these regulations will require baseline information security measures to be in place. No ifs, no buts. That’s the nature of compliance.

Truth #4: Information has a nasty habit of seeping all over the place

Think of information as water that trickles throughout the arterial canals and rivulets of your organisation. Well channelled and protected, it enables the business to thrive. Leave a sluice gate open inadvertently and – to mix metaphors – you’re toast.

Pinning down exactly where information resides, and protecting it only in the locations in which you THINK it SHOULD reside, is a very tricky business. Even more so when you take today’s complex ecosystems of supplier relationships into account – introducing the possibility that your network of arterial canals and rivulets extends into places way beyond your control.

If you fail to apply a baseline level of protection throughout the entirety of your organisation (and its sphere of influence), you’ll run a significant risk that information seeps out via channels you just didn’t envisage and didn’t protect.

Moving on to another analogy, ghosts really DO exist in the information world. Even if you think you’ve disposed of information at the end of its useful life, the chances are that traces of it will still exist in multiple locations throughout the organisation. How can you be completely sure that staff haven’t created copies of information that you just don’t know about, and that these copies still don’t exist? Without the consistent implementation of baseline information security practices throughout the entirety of your organisation, you’ll likely be exposed.

Truth #5: The Robots ain’t taking over any time soon

The cyber workforce is still some way off. While AI is showing massive potential in all sorts of contexts, the human being as the ultimate decision-maker in our businesses isn’t going anywhere fast. For the most part, this is reassuring, not least because most of us aren’t likely to be put out to pasture just yet by a new workforce of indefatigable, infallible robo-colleagues.

The implication? Fallibility. Glorious, old-fashioned, human nature. Business decision-making tempered by human conscience. All good, until someone makes a glorious old-fashioned mistake, at which point you might wish that a robot had been in charge.

Did that procurement manager really mean to share a dump of the entire customer database with that unvetted supplier? Ouch. The point here is that, along with information, PEOPLE still represent most organisations’ greatest asset. The problem is that, on the flip side, people also represent most organisations’ greatest weakness.

Given that we’re not yet able to implant chips behind the ears of employees to regulate reckless decision-making, we come back to the importance of basic security awareness: the articulation of meaningful, responsibility-laden messages that resonate with staff, resulting in people refraining from doing bad things. It’s not rocket science, but it’s not easy either.

As your business matures you will inevitably turn to technologies to assist you in keeping your information safe and away from prying eyes. Data Loss Prevention (DLP) technology is a great example. Well implemented, DLP can prove a great asset in preventing important information from filtering outside the organisation without you knowing about it.

BUT – unless such solutions are supported by a consistent foundation of straightforward, well-understood, information security good practices – you’re taking a huge risk. This is why no CISO can afford to ignore basic cybersecurity hygiene. And if this argument doesn’t persuade you, your regulators most probably will.

So, what specifically are we referring to when we talk about basic cybersecurity hygiene? Here are just some baseline good practices. Just to add context, they are related back to the 5 truths:

Truth #1 (Don’t forget it’s still all about the information)

If you haven’t done so recently, embark on an information discovery exercise. At its simplest, this might start with a simple map of your key business processes and information systems that support them. Don’t forget to explore instances where information is shared between systems/functions and – just as importantly – to identify where information is shared outside the organisation.

This activity doesn’t have to be sophisticated (at least at first). You just need to come away from it with a high level of confidence that you understand what information lives in your organisation, where it lives, and who interacts with it.

As a tip, it can be really useful to run this exercise as a workshop that includes both technical and business people (or a series of workshops if your organisation is large or dispersed).

You’ll be surprised at what can get unearthed… did you have any inkling that Mervyn in Accounts routinely does a monthly .csv export of all employee data and shares it with your outsourced benefits management provider via a cloud drive that goes nowhere near your protected corporate network?

Truth #2 (not all information is created equal)

Once you have your basic map of what information lives where in your organisation, it’s a good idea to have a crack at valuing it in some way. This might be as simple as identifying what information your business can’t function without.

By implication, everything else will be slightly less important. Once you understand the relative value of different information types or systems, you’ll then know where information protection efforts should be focused – because the realities of business economics tell us that in most cases it just isn’t possible to apply the same level of protection to absolutely everything throughout the organisation.

By the way, possibly without knowing it, by this stage, you’ll have worked through the first steps of a basic information risk assessment (but we’ll save that for another day).

Truth #3 (sometimes what YOU think doesn’t matter)

This is all about regulatory compliance. All sorts of businesses face all sorts of compliance requirements. The point here is that you must take the time to understand exactly which laws and regulations you’re required to comply with by virtue of your business activities and the information you hold.

While highly regulated sectors (such as Finance, Insurance and Healthcare) have been used to managing compliance requirements for many years, there’s a whole new generation of businesses that have only really been forced to start taking notice of compliance because of GDPR. Once you know what regulations you’re required to comply with, you’ll then need to understand EXACTLY what measures you’re required to have in place to comply with them.

If you don’t spend money on consultancy anywhere else, this is one area where it’s probably a good idea to call in an expert to help you.

Truth #4 (information has a nasty habit of seeping all over the place)

Notwithstanding any beefed-up protection you apply to your most important information, you still need to implement a baseline set of security measures throughout the entirety of the organisation. This includes things such as:

• Developing a straightforward information security policy that is accessible by every employee and which clearly states exactly what is required by staff to protect the information handled throughout the business
• Making sure that all employees are aware of their information security responsibilities (more on that below)
• Liaising with key suppliers/partners to ensure they are operating to a minimum, defined, information security standard
• Keeping all systems patched and up-to-date, and checking this routinely
• Ensuring all systems and end devices are installed with up-to-date anti-malware software
• Only providing staff with access to systems if they really need it (when you do provide access, make sure that access rights aren’t excessive – and don’t forget to revoke them once they’ve moved to a different function or left!)
• Encrypting particularly sensitive information (remember that even if personal data isn’t critical to your business’ success, you’re still required by law to apply strict controls when storing or handling it)
• Maintaining backups – and testing them periodically
• Implementing business continuity and disaster recovery procedures (even if they’re basic) that support ‘business as usual’ as far as possible in the event of an incident
• Working with a credible third party to undertake a periodic penetration test of your systems – and making sure any recommendations are applied
• Having specialist support available on speed dial if something does happen that you can’t manage yourself!

Truth #5 (the Robots ain’t taking over any time soon)

Good information security awareness is critical to any business these days, and you just can’t afford to skimp on it. So, think about the basic information security good practices you want ALL staff to be aware of, and come up with an engaging way of ramming the message home. Be creative. Incentivise. Draw a picture. Make a video. There’s a reason why those opting to attend a driver awareness course instead of getting slapped with extra points on their license get shown the horrific aftermath of traffic accidents.

Whatever approach you choose (and remember it doesn’t need to cost a fortune and it doesn’t have to be cast in stone… you can try different methods over time), just make sure you do it. And do it again.

Also, have a think about whether there are specific roles in the business that require an additional level of training – particularly those handling sensitive information.

Lastly, remember that people – just like information – have a habit of moving about. Don’t forget that when new people join, staff move to new roles in the business, or when they leave, you’ll need to have a clear process to make sure they’re getting the right security awareness training at the right time.

None of what is outlined above should be considered to be advanced if your organisation conducts its business using the Internet (and whose business doesn’t?). There’s plenty more you’ll need to do as your business matures. We haven’t even mentioned cybersecurity strategy, threat profiling, and so on.

If you choose to skip any of the basic hygiene measures outlined relative to Truths #3, #4 and #5, have a long hard think, because you might not have a business left to mature if you ignore them. Choose to ignore the guidance related to Truths #1 and #2, and you’ll have to protect everything to the highest level just to be sure – which in an extreme case might just amount to the same thing.

Thank you, Simon, for your incredible insights on a terribly important subject; cybersecurity threats, I fear, will not go away any time soon.

You can contact Simon Rycroft:
LinkedIn – profile
email – simon dot rycroft AT crmg DASH consult dot com (removing all the spaces)
web – www.crmg-consult.com

Predictions for the start of 2020

2019 was definitely an interesting year!

As Abraham Lincoln once said: “The best way to predict your future is to create it.”

It’s hard to imagine that we’re living in the year 2020. Though we’ve seen plenty of impressive technological advances, like artificial intelligence and phones that unlock by scanning our faces, it’s not quite the world of flying cars and robot butlers people once imagined we’d have by now.

As crazy as these all seem, the world is on track for some spectacular innovations in 2020. Privately operated space flights, self-driving taxis and increases in cyberwarfare would have all seemed like science fiction a few decades ago, but now they’re very real possibilities.

So, let’s have a look at some of the expectations for 2020:

Space Travel
Humans living on other planets is a staple in sci-fi, but it’s growing closer to reality thanks to private space travel initiatives.

As greater advances in space travel are made, the media’s interest will be revitalised. Those private companies will likely capitalise on that attention, which could lead to opportunities to bid on government contracts. Jobs will be created. Auxiliary innovations will be developed. And our chance to become a multiplanet species will (infinitesimally) increase.

Self-Driving Cars

Ride-hailing services are already part of everyday life, but self-driving cars are set to cause seismic changes to the industry. Once safety concerns are addressed, many passengers might find that they prefer being driven by a computer rather than a nosy human. And implementing a network of self-driving cars will be crucial in order for these platforms to finally make a profit.

Companies may adapt to self-driving cars as well. Autonomous transport obviates the need for large fleets of corporate cars. Transportation costs for employees could be drastically reduced. The company could get depreciating assets off the books. And energy efficiency would increase. It’s a win-win-win.

Cybersecurity

Cybersecurity continues to grow in importance as more of our information moves online. Unfortunately, we’ve seen how woefully unprepared even trusted sectors like finance and government can be when it comes to keeping data safe.

No one wants their credit card information appearing on a hacker’s forum, so cybersecurity is crucial for any company doing business online. Cyberattacks are becoming more sophisticated, but fortunately, innovation in countermeasures has surged forward as well. Going into the next year, the cybersecurity industry will likely grow, assisted by cutting-edge technology like artificial intelligence (AI) and machine learning.

We are amidst the 4th Industrial Revolution, and technology is evolving faster than ever. Companies and individuals that don’t keep up with some of the major tech trends run the risk of being left behind. Understanding the key trends will allow people and businesses to prepare and grasp opportunities.

Artificial Intelligence (AI) is one of the most transformative tech evolutions of our times. Most companies have started to explore how they can use AI to improve the customer experience and to streamline their business operations. This will continue in 2020, and while people will increasingly become used to working alongside AIs, designing and deploying our own AI-based systems will remain an expensive proposition for most businesses.

For this reason, many AI applications will continue to be delivered through providers of as-a-service platforms, which allow us to simply feed in our own data and pay for the algorithms or compute resources as we use them.

Currently, these platforms, provided by the likes of Amazon, Google, and Microsoft, tend to be somewhat broad in scope, with (often expensive) custom-engineering required to apply them to the specific tasks an organization may require. During 2020, we will see wider adoption and a growing pool of providers that are likely to start offering more tailored applications and services for specific or specialized tasks. This will mean no company will have any excuses left not to use AI.

The 5th generation of mobile internet connectivity is going to give us super-fast download and upload speeds as well as more stable connections. While 5G mobile data networks became available for the first time in 2019, they were mostly still expensive and limited to functioning in confined areas or major cities. 2020 is likely to be the year when 5G really starts to fly, with more affordable data plans as well as greatly improved coverage, meaning that everyone can join in the fun.

Super-fast data networks will not only give us the ability to stream movies and music at higher quality when we’re on the move. The greatly increased speeds mean that mobile networks will become more usable even than the wired networks running into our homes and businesses.

Companies must consider the business implications of having super-fast and stable internet access anywhere. The increased bandwidth will enable machines, robots, and autonomous vehicles to collect and transfer more data than ever, leading to advances in the area of the Internet of Things (IoT) and smart machinery.

Extended Reality (XR) is a catch-all term that covers several new and emerging technologies being used to create more immersive digital experiences. More specifically, it refers to virtual, augmented, and mixed reality. Virtual reality (VR) provides a fully digitally immersive experience where you enter a computer-generated world using headsets that blend out the real world.

Augmented reality (AR) overlays digital objects onto the real world via smartphone screens or displays (think Snapchat filters). Mixed reality (MR) is an extension of AR, that means users can interact with digital objects placed in the real world (think playing a holographic piano that you have placed into your room via an AR headset).

These technologies have been around for a few years now but have largely been confined to the world of entertainment – with Oculus Rift and Vive headsets providing the current state-of-the-art in videogames, and smartphone features such as camera filters and Pokemon Go-style games providing the most visible examples of AR.

With so many changes to our technology coming so fast, it can be hard to grasp the sheer scale of innovation underway. The list above highlights some of the more interesting developments, but is far from exhaustive. Whatever happens, 2020 will be an interesting year for major tech companies and budding entrepreneurs alike.

2020 will be a year of reckoning for those that have held on too long or tried to bootstrap their way through transforming their business.

Simply put, the distance between customer expectations and the reality on the ground is becoming so great that a slow and gradual transition is no longer possible. Incrementalism may feel good, but it masks the quiet deterioration of the business.

Whether CEOs in these companies start to use their balance sheet wisely, find new leaders, develop aggressive turnaround plans, or do all of the above, they and their leadership teams must aggressively get on track to preserve market share and market standing.


Finally, 2020 brings ‘Purposeful Discussions’, now my fifth book in a series of books that provide purpose-driven outcomes in support of some of the most talked-about subjects in life today. This book demonstrates the relationship between communications (human 2 human), strategy and business development, and life growth. It is important to understand that a number of the ideas, developments and techniques employed at the beginning as well as at the top of business can be flexibly applied elsewhere with success.

As Swami Vivekananda once said:

“Take up one idea. Make that one idea your life – think of it, dream of it, live on that idea. Let the brain, muscles, nerves, every part of your body, be full of that idea, and just leave every other idea alone. This is the way to success.”

What can we all learn from the cyber threat landscape of 2018?

Every year, as a co-founder and member of the Neustar International Security Council, I attend The Neustar Cyber Summit. This year the summit was held at the OXO Tower in London, and there really were some very interesting findings from the summit which I would like to share.

Rodney Joffe, Chairman of NISC, started to discuss where the Internet of Things fits into the equation.

‘The first thing to recognize is that the Internet of Things is a new phrase for something that’s existed for years. The only difference is scale.
Sometime in the late 1970s or early 1980s, some computer science students wired a Coca-Cola vending machine to the Internet. The students wanted to solve the problem of walking down three flights of stairs to the lobby only to discover there weren’t any cold Cokes in the machine.
It was one of the first devices wired to the Internet, and anyone could connect to it and ask for the status of the Cokes. So IoT isn’t really new. It’s probably best defined as all of the devices that can be connected to the Internet that don’t necessarily look like traditional computers. Items like smart power meters, smart lightbulbs and modern home thermostats, all the way to critical medical appliances and devices, jet engines and power turbines.

Because everyone is now focused on the IoT, we’re trying to develop rules around how all people, places and things interconnect. But millions of devices and things that are out there already are not secure, so we have to find ways of securing them and making sure that everything that gets added in the future is secure.
It’s no big deal if the Coke machine is wrong, but what if a nuclear-generating turbine goes down or if all the air-conditioning systems in a city go on at the same time because the smart meters that control the smart homes were compromised?

The other thing to recognize is that the industrial IoT is much larger than the consumer IoT. The breach of Target customer credit cards started when network credentials were stolen from an air-conditioning filtration vendor that had serviced various Target stores. Those credentials were used to hack into Target’s system, then install malware on a large number of the chain’s point-of-sale devices. The end result was brand damage for Target that has reverberations today.

The facts are, in 2016, we saw a number of huge attacks — many that exceeded 1Tbps. In 2017, by contrast, we saw fewer large distributed denial-of-service (DDoS) attacks, possibly because hackers were finding little advantage in taking a company completely offline. Another explanation is that hackers were simply enjoying the success of the previous year’s myriad of extortion and ransomware-oriented attacks, as well as the many DDoS-associated data breaches.

So far in 2018, however, the big attacks are back with a vengeance. Earlier this year we saw the largest DDoS attack ever recorded — 1.35Tbps — using a new type of attack called Memcached, which will be discussed later. Then, a 1.7Tbps DDoS attack was recorded. Previous amplification attacks, such as DNSSEC, returned a multiplication factor of 217 times, but Memcached attacks returned amplification records exceeding 51,000 times! In fact, the potential return from Memcached attacks is so large that they do not require the use of botnets, making them a new and dangerous risk vector.

We are hoping that these attacks will go the way of the Simple Service Discovery Protocol (SSDP) amplification attacks, which used the protocol designed to advertise and find plug-and-play devices as a vector. SSDP amplification attacks are easily mitigated with a few simple steps, including blocking inbound UDP port 1900 on the firewall. There are similar steps that organizations can take to mitigate Memcached attacks, including not exposing servers and closing off ports, but until then, Neustar is prepared.

This year we are also seeing different uses for DDoS beyond simple volumetric attacks, including what we call quantum attacks. Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation. These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.
This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.

Neustar recently thwarted what is believed to be the first IPv6 attack. This attack presented a new direction that attackers are likely to pursue as more and more companies adopt IPv6 and run dual IPv4/IPv6 stacks. We believe that IPv6 vectors will continue to emerge as organizations around the world move to adopt the new standard.

You can also expect to see more Layer 7 (application layer) attacks, including those targeting DNS services with HTTP and HTTPS requests. These attacks are often designed to target applications in a way that mimics actual requests, which can make them particularly difficult to detect. It is important to note, however, that Layer 7 attacks are typically only part of a multi-vector DDoS attack. The other parts are aimed at the network and overall bandwidth.

DDoS attacks can be found in a multitude of sizes and for any reason imaginable. They can now be used to find vulnerabilities, to locate backdoors for exfiltration, and as a smokescreen-like distraction for other activities. Today’s organized criminals are able to focus on the results that they want and simply buy or rent the malware or botnets they need to get there. Some have gone so far as to comment that criminals are getting more and more like corporations, each with their own specialization.

The simple fact is that if you’re online, you’re susceptible to an attack. Whether you are vulnerable or not is entirely up to you.

The summit and Rodney Joffe’s keynote was incredibly insightful, but where does that leave us today and how can we guard against such threats in our business and personal lives?
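As an added example (not code from the keynote, Neustar or this blog), here is a small defender-side check for the reflection vectors Rodney Joffe describes: it parses constructed NetFlow-style records and alerts when one destination receives sizeable UDP flows sourced from the standard ports of known reflector services (11211 for Memcached, 1900 for SSDP, 53 for DNS) from several unrelated addresses. The byte and source-count thresholds are assumptions to tune for your own traffic.

```python
"""Flag hosts that appear to be on the receiving end of UDP reflection/amplification.

Added example, not code from the Neustar keynote or this blog. It reads
constructed NetFlow-style records (one flow per line) and raises an alert when
a single destination receives sizeable UDP flows whose *source* port is a
well-known reflector service, from several unrelated source addresses.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Standard ports of services abused as reflectors. 11211 (Memcached) and 1900
# (SSDP) are the vectors discussed in the keynote; 53 (DNS) is the classic case.
REFLECTOR_PORTS = {11211: "memcached", 1900: "ssdp", 53: "dns"}
MIN_FLOW_BYTES = 10_000  # assumed: ignore ordinary single query/response flows
MIN_SOURCES = 2          # assumed: reflected traffic arrives from many reflectors


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src_ip src_port dst_ip dst_port proto packets bytes' lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sp, dst, dp, proto, pk, by = line.split()
        flows.append(Flow(src, int(sp), dst, int(dp), proto.lower(), int(pk), int(by)))
    return flows


def is_reflection_candidate(flow: Flow) -> bool:
    """A reflector's reply: UDP, sourced from a service port, aimed at a
    non-service port on the victim, and far larger than a normal response."""
    return (
        flow.proto == "udp"
        and flow.src_port in REFLECTOR_PORTS
        and flow.dst_port not in REFLECTOR_PORTS
        and flow.bytes >= MIN_FLOW_BYTES
    )


def find_amplification_victims(flows: list[Flow]) -> dict[str, dict]:
    """Aggregate candidate flows per destination and alert when the traffic
    comes from at least MIN_SOURCES distinct reflectors."""
    per_victim = defaultdict(lambda: {"bytes": 0, "sources": set(), "vectors": set()})
    for flow in flows:
        if is_reflection_candidate(flow):
            entry = per_victim[flow.dst_ip]
            entry["bytes"] += flow.bytes
            entry["sources"].add(flow.src_ip)
            entry["vectors"].add(REFLECTOR_PORTS[flow.src_port])
    return {
        victim: {
            "bytes": entry["bytes"],
            "sources": len(entry["sources"]),
            "vectors": sorted(entry["vectors"]),
        }
        for victim, entry in per_victim.items()
        if len(entry["sources"]) >= MIN_SOURCES
    }


# Constructed sample flows: the first three are reflected traffic aimed at
# 198.51.100.5; the rest are a normal DNS reply, a lone large DNS flow to a
# second host (below MIN_SOURCES, so not alerted) and ordinary TCP traffic.
SAMPLE_FLOWS = """\
203.0.113.10 11211 198.51.100.5 443   udp 120 168000
203.0.113.11 11211 198.51.100.5 443   udp 110 154000
192.0.2.7    1900  198.51.100.5 80    udp 40  12000
192.0.2.9    53    198.51.100.5 33201 udp 1   120
192.0.2.20   53    198.51.100.9 40000 udp 30  36000
10.0.0.4     443   198.51.100.5 50211 tcp 300 420000
"""

if __name__ == "__main__":
    for victim, alert in find_amplification_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {alert['bytes']} bytes from {alert['sources']} reflectors "
              f"via {', '.join(alert['vectors'])}")
```

Which side filters which port differs: a reflector's owner blocks inbound UDP to 1900 or 11211 (the keynote's advice, so the box cannot be abused), whereas the victim's upstream filters inbound UDP sourced from those ports.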

A New York Times report reveals another cyberattack using stolen NSA hacking tools, and experts warn computer systems are not prepared for even more widespread attacks likely in the future. Max Everett, the managing director at Fortalice Solutions, joins CBSN to discuss the threat.

Cybersecurity expert warns the world is not ready.

We can all agree that over the course of 2018, global cyber threats continued to evolve at speed, resulting in a dramatic reshaping of the cyber security landscape. Traditional threats such as generic trojans, ransomware and spam bots were transformed.

Powered by military-grade code allegedly leaked from the NSA, threats such as WannaCry and GoldenEye wrought havoc, shutting down businesses and causing unprecedented operating losses.

The effectiveness of these threats has been compounded by novel lateral movement vectors that augment zero-day exploits such as EternalBlue and EternalRomance, allowing malware to ‘hop’ from one network to another, from organisation to organisation. These targeted attacks are reshaping corporate and government digital security, whilst simultaneously causing fallout in the consumer space.

Ransomware specifically aimed at companies has also become far more prevalent. Since the re-emergence this March of Troldesh, companies have faced extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers.

Certain strains of ransomware such as Troldesh and GlobeImposter come equipped with lateral movement tools (such as Mimikatz), allowing the malware to spread through an organisation, and with log clean-up mechanisms to cover their tracks.

Following a surge of market interest around cryptocurrencies that has continued through 2018 and into 2019, miners have diversified and proliferated. Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, allowing cybercriminals to infect computers in organisations and increase mining efforts.

Based on threat developments in 2018, organisations should essentially prepare for more sophisticated iterations of malware based on the same theme in 2019.

After years of focusing on individuals, malware authors will increasingly target enterprises and networks of computers. Lateral movement will become standard in most malware samples, either via password-grabbing utilities like Mimikatz, or by exploiting wormable vulnerabilities. In addition, the number of malicious attachments in spam emails will increase, particularly those written in scripting languages such as Perl or Python.

“All the world’s a stage/ And all the men and women merely players”; Shakespeare’s famous line makes us consider each person an ‘actor’ in their own right, with their own individual role to play. And when looking across the cyber threat landscape, this rings especially true – each actor has their own motivations and distinct part to play.
When the proverbial hits the fan, it’s typical for the victim – a business or government entity – to focus on the indicators of compromise (IoC) rather than what led to the attack in the first place.

Looking at IoCs is an essential part of a cyber defence strategy and can help victims identify who is targeting them. But it’s a reactive approach, which doesn’t help once your organisation has been breached.

This rear-facing view is also reflected in the sensationalist cyber news narrative. The media tend to focus on the number of attacks – a vanity metric – but rarely on their complexity, length, or who was behind them and what their motivations were for attacking the organisation in the first place.

IoCs tend to change very quickly; the actor behind them does not, nor do their objectives and tactics, techniques and procedures (TTPs). For example, US-CERT’s release on the Grizzly Steppe malicious Russian activity was complex in that many of the IoCs provided were false positives or Tor exit nodes, making it difficult for companies to make sense of them and ingest them.

As such, it’s vital that organisations look to understand the actor – their motive, opportunity and means – and not merely read into the IoCs if they are to protect themselves from potential attack.

Threat intelligence adds context around an attack’s IoCs, such as that the actor was using cheap outsourced labour to perpetrate the attack, was using a particular hosting platform, or shared infrastructure with other campaigns.

IP addresses and domain names change very quickly, but the adversary’s motive does not. Knowing this is the first step towards changing an organisation’s security stance to mitigate the threat, identifying the indicators of attack (IoAs) rather than just the IoCs. Without intelligence, this would be impossible.

The type of malicious actor organisations must deal with will differ. Some may be state-sponsored, for example, carrying out cyber espionage on behalf of a nation. Others may be hacktivists, looking to incite political change, or cyber criminals looking to make a profit.
Understanding the bigger picture beyond the impact of the attack itself is critical if the good guys are going to triumph over the bad. Intelligence plays a key role in getting to the core of that bad apple.

STIX, the standardised language to represent structured information about cyber threats, helps to store and share information on actors and TTPs. It has become the de facto standard for information sharing in cyber threat intelligence as it facilitates automation and human assisted analysis.
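As an added illustration (not code from the original post or from CRMG), the following builds a minimal STIX 2.1 bundle by hand with the Python standard library: a threat actor, the TTP it uses, and a short-lived indicator that points back to the actor, which also makes the earlier point that IoCs expire while actor and TTP knowledge persists. The actor name, the domain in the indicator and all timestamps are constructed placeholders; the two consumer-side checks (dangling references, indicator validity window) are what a recipient would run before ingesting a shared bundle.

```python
import uuid
from datetime import datetime

def _sid(stix_type):  # STIX 2.1 identifier: '<type>--<uuid>'
    return f"{stix_type}--{uuid.uuid4()}"

def _parse(ts):  # STIX timestamp (UTC, 'Z' suffix) to an aware datetime
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _sdo(stix_type, created, **props):  # common STIX object envelope + specific properties
    return {"type": stix_type, "spec_version": "2.1", "id": _sid(stix_type),
            "created": created, "modified": created, **props}

def build_bundle():
    """Constructed sample bundle (not a real feed): one actor, one TTP, one short-lived IoC."""
    t0 = "2019-01-15T00:00:00Z"
    actor = _sdo("threat-actor", t0, name="Example Ransomware Crew",  # constructed name
                 threat_actor_types=["crime-syndicate"], primary_motivation="personal-gain")
    ttp = _sdo("attack-pattern", t0, name="Remote Desktop Protocol abuse for manual infection")
    ioc = _sdo("indicator", t0, indicator_types=["malicious-activity"],
               pattern="[domain-name:value = 'c2.example.invalid']",  # constructed domain
               pattern_type="stix", valid_from=t0, valid_until="2019-02-15T00:00:00Z")
    # Relationships carry the durable knowledge: who uses which TTP, what an IoC points to.
    uses = _sdo("relationship", t0, relationship_type="uses",
                source_ref=actor["id"], target_ref=ttp["id"])
    indicates = _sdo("relationship", t0, relationship_type="indicates",
                     source_ref=ioc["id"], target_ref=actor["id"])
    return {"type": "bundle", "id": _sid("bundle"), "objects": [actor, ttp, ioc, uses, indicates]}

def validate_refs(bundle):
    """Return dangling relationship refs; a shared bundle should yield none before ingest."""
    ids = {o["id"] for o in bundle["objects"]}
    return [r for o in bundle["objects"] if o["type"] == "relationship"
            for r in (o["source_ref"], o["target_ref"]) if r not in ids]

def actor_ttps(bundle):
    """Map each threat-actor name to the attack-pattern names it 'uses'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = {}
    for rel in (o for o in bundle["objects"] if o.get("relationship_type") == "uses"):
        src, dst = by_id[rel["source_ref"]], by_id[rel["target_ref"]]
        if src["type"] == "threat-actor" and dst["type"] == "attack-pattern":
            out.setdefault(src["name"], []).append(dst["name"])
    return out

def live_indicators(bundle, at):
    """Patterns still valid at time 'at'; expired IoCs drop out while actor/TTP data stays."""
    t = _parse(at)
    return [o["pattern"] for o in bundle["objects"] if o["type"] == "indicator"
            and _parse(o["valid_from"]) <= t and t < _parse(o.get("valid_until", "9999-12-31T00:00:00Z"))]
```

Serialising the bundle with `json.dumps` gives the document that is exchanged; the same two checks apply to any bundle received from a sharing partner.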

Finally, it’s worth remembering that intelligence is not a silver bullet. It’s a part of a wider puzzle that enterprises need to put together in order to give themselves the best chance of defence against a cyber attack.

Security needs to be seen as an architecture, embedded in the foundation of an organisation. Hygiene factors such as ongoing patch management and end-user training also need to be considered.

The human element behind an attack is often forgotten. However, analysts can create a ‘big picture’ of the lifecycle and ecosystem of hackers by adding in the more specific details.

Enterprises and governments are under a constant barrage of cyber attacks. With the threat landscape evolving and attacks becoming ever-more sophisticated, having time to stop and think about the actor behind the malicious intent may seem like a luxury.
However, businesses need to start looking at cyberattacks from the adversary’s perspective to understand what is most attractive to an attacker. Without this understanding, the problem will persist and the next newspaper headline will feature their name.

In summary, the question is not whether you will be attacked. It is when, by what, and how badly your company’s reputation or finances will be damaged. And one thing is sure in the uncertain world of cybersecurity – the wrong time to consider defence is after the attack has occurred.

James Comey once said:
“We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.”