Enterprises need to be alert not just to new malware threat types but also to risks arising from M&A, and to lures being extended by cybercriminals to insiders in return for a slice of a ransom payment — as attacks continue to drive huge revenues for cybercriminals. (One company paid a record $40 million ransom in March 2021.)
That was according to a panel of experienced CISOs — with Kurt John, CSO at Siemens USA, Deneen DeFiore, CISO at United Airlines, Joanna Burkey, CISO at HP, and Ian Pratt, Global Head of Security for Personal Systems at HP joining the HP Wolf Security panel last week to discuss cybersecurity trends and themes in 2022.
Yet as United Airlines CISO Deneen DeFiore emphasised, an organisational shift away from a historical focus on cybersecurity as a pure data protection function towards operational resilience is sharpening minds across the business.
She told the panel: “Historically I think people thought about cybersecurity in terms of data protection; ‘let’s protect PCI data or PII data’. Shifting to what’s happening around threat evolution and impact [the focus is now] really around cyber-resilience: because something that can cause operational disruption has a cascading effect across the aviation ecosystem…
“That shift in mindset [has been] from thinking about cybersecurity in terms of data protection to having a cyber-resiliency strategy — because it does take everyone in the operation to understand the impact, recover and reduce the ‘blast surface’.
“We operate at airports around the world. Our assets are mobile… that makes it imperative that we understand the impact [of a cyber-incident] and have a resilience approach”, she added.
Siemens’ Kurt John meanwhile emphasised M&A risk — globally mergers and acquisitions hit a record $5 trillion in 2021, with activity highest across technology and healthcare — calling it “a variant of the supply chain attack”.
He told the panel that “We’re seeing hints that the smaller companies may be compromised… And [attackers] are just hedging their bets for when an acquisition happens, so that they get a foothold into a larger organisation.”
He also referenced a variant of an insider-enabled attack, targeting badly-paid IT professionals: “The threat actor calls up, let’s say your IT admin, and says: ‘You must be paid horribly… How about I shoot you an email, you just copy the file, you deploy, it wipes your tracks, right? So no one knows you did it. And you deploy some ransomware in your organisation, we’re going to ask for $6m, and you get 35% of that $6m. What do you think?’”
“It’s a fascinating insider-threat scenario, which is very forward leaning…”
HP’s CISO Joanna Burkey added: “We’ve seen a different type of sophistication in the last 18 months… For years, we’ve gotten used to a paradigm where there’s an attacker and there’s a victim, and it’s generally very one-to-one; attacker targets a victim, and that either succeeds or it doesn’t.
“SolarWinds was the first large-scale version of a [one-to-many approach]. And it certainly happened since with Kaseya, for example… where the attacker got efficient, and they realised we don’t need to go one to one all the time, we can find a commonality between hundreds or even 1000s of victims, let’s compromise that commonality.”
She noted this had “changed the calculus” not only for IT security practitioners, but also for suppliers.
Organisations are also under greater pressure to keep things running amid this hostile environment, United Airlines’ CISO DeFiore said: “Because of that sophistication, the velocity, the sophistication, the velocity and the evolution of the threat, it’s just becoming commonplace now for organisations to have to be able to have vulnerability responses, and concurrently run their operations. It’s not ‘stop everything, and let’s fix the cyber issue’.
“It’s how do we get to a place where we understand what the risk and impact is to our organisation?”
Dr Ian Pratt, Global Head of Security for Personal Systems at HP, who spoke at the HP CISO roundtable, noted in later communications with The Stack that cybercriminals are using increasingly sophisticated techniques like machine learning to hijack email threads in phishing, meaning organisations need to focus on eliminating attack vectors entirely, using technology like isolation and segmentation, as opposed to chasing the latest single technique. As he put it: “If you’re trying to focus on the individual techniques and procedures that people are currently exploiting, you’re always going to be behind the curve. There are so many vulnerabilities out there ready to be found and exploited, so operating at that level is going to be a case of trying to detect what’s happening and then catching up.
“For example, we’re increasingly seeing machine learning being used by the bad guys.
“I’ve seen some fantastic machine-generated lure emails encouraging people to click that actually have context in, which they’ve pulled out of the inbox, to craft an email into an existing email thread that could possibly have come from somebody they’ve been communicating with – which get much higher click-through rates.
“You really need to look at approaches that deal with entire classes of issues. If you can deal with a whole vector of attack, you know about a hundred issues in this category today. There may be another hundred in a month’s time, and it won’t matter because you’re dealing with them as a category. Isolation and segmentation are enabling organisations to contain failure and have that resilience, so targets are able to get back to an operational state. It’s not relying on detecting everything that’s going wrong; you’re going to be safe regardless.”