The exodus to remote work that occurred more than a year ago, created enormous challenges for the world’s cybersecurity professionals. The number of cyberattacks increased, industry trends shifted, and the digital landscape transformed itself. People responsible for securing our companies and systems simply had to adapt.
“We know that our employees, just by having 30 extra minutes on a mobile device, created 20% more vulnerability than you would have in a normal time,” explained Cisco’s Chuck Robbins, CEO and chairman of the California-based networking giant.
Robbins painted a worrying picture of the mounting dimensions of digital vulnerability during his keynote address for this year’s all-virtual RSA conference, the largest annual cybersecurity industry event in the world.
He clearly had some positive takeaways from the intense operations demanded during the pandemic.
Executives are beginning to hear the messages that their security professionals have been saying. Two thirds of them, according to Robbins, have said that they will spend more on their cybersecurity going forward.
Additionally, just as we have seen in the development of vaccines, the cybersecurity industry tackled challenges in weeks and months that might have previously taken years. This was to be applauded, Robbins said.
The most striking message from the CEO, however, was the scale and depth of the challenges ahead. Cybercrime is growing, it is becoming more lucrative for criminals, and it has more damaging consequences for society than ever before.
“If we think about cybercrime the way we think about the GDP of countries, it would be the third largest economy in the world, after the US and China — with $6 trillion in global damages,” Robbins said.
And there are non-monetary costs of not being able to run businesses, such as the reputational damage that companies suffer as a consequence of disruption, the CEO added.
These problems are not going away.
New generations of network technology, such as 5G and Wi-Fi 6, are allowing ever higher numbers of devices to come online. Robbins also highlighted another acute issue, one faced increasingly in many highly technical industries:
“Seventy percent of cybersecurity professionals […] have said that their organisation is impacted by the skills shortage right now,” he explained, adding that there are 2.8 million cyber professionals in the world, but there are 4 million unfilled jobs.
“We have more unfilled opportunities than we have active cyber professionals,” Robbins emphasised.
One answer to this problem is to find talent in unconventional places, reskilling workers from other industries, he suggested. Most of all, with only 24% of cyber professionals being women, there is a wealth of available female talent waiting for any company with an inclusive approach, Robbins concluded.
Zero trust and purple teams
Massive industry episodes like the SolarWinds supply chain attack are clearly demonstrating the true vulnerability of software companies. Many of the issues stem from software development and distribution processes, according to Ed Skoudis, who is a cybersecurity expert, professional educator, and founder of the SANS Institute.
Industry focus is placed on speed, with the aim of releasing features as quickly as possible — but not enough focus is placed on trust and cybersecurity, Skoudis said during an RSA expert panel discussion.
One idea gaining traction is the zero-trust network.
The idea is that every user, system, device, and every transaction that an organization processes — needs to be authenticated, authorized, and validated.
“It’s a great architecture, but how do you implement that? You do it via software,” Skoudis explained.
One way this approach is vulnerable is when people update software using mechanisms that do not ensure integrity, Skoudis said: “Your zero-trust architecture is trusting software that’s not trustworthy.”
The industry has seen many attacks based on this method, such as the above-mentioned supply chain attack. And Skoudis believes we will see many more in the coming years.
Crucial tools that companies can use to protect themselves include software indexing, maintaining lists of ingredients for software packages — software bills of materials — and regular threat hunting exercises.
Companies need to do a better job of testing their resilience to cyber threats, especially when their blue team security professionals do not find active threats in the environment.
In such cases, Skoudis recommended that teams bring their own threat.
Red team operators, those playing the role of criminal hackers, should be given access to systems within the environment in what is known as an assumed breach exercise. Then the blue team, those responsible for protecting the organisation, should assess how quickly they can detect the intrusion and stop it.
“This essentially gives rise to purple team, where blue is helping red get better, and red is helping blue,” Skoudis explained.
Novel threats and trends
If companies needed greater incentive to follow these kinds of industry best practices, emerging threats serve as a stark reminder.
In late 2019, a group called Maze “started the trend of exfiltrating data from victims and then using that to extort them,” explained another RSA speaker, Katie Nickels, who is director of intelligence at Red Canary and also an instructor at the SANS Institute.
Unfortunately, this approach caught on in criminal circles. By 2020, “over 70% of ransomware cases involved a form of exfiltration and extortion,” Nickels said.
Companies need to understand thatadversaries are very likely to exfiltrate and encrypt their data, before then extorting them, she said. One issue is that people think that if they pay an adversary they will receive the decryption key — and this will return their data.
Unfortunately, even if the adversary follows through on the promise to unscramble the victim’s systems, which is certainly not guaranteed, the threat of a data leak can be reused in the future. There have been numerous examples of extorters returning months later to demand more money or else confidential data would be released, Nickels explained.
Following this advice might be easier said than done, as underlined by the recent ransomware attack on the Colonial pipeline in the United States.
Another potential Pandora’s box is the use of machine learning algorithms in threat detection automation. The problem rests in the way the algorithms are trained.
In cybersecurity, if an algorithm is to be used for malware detection, it must be trained on genuine malware.
“I have bad news for you […] malware, by definition, comes from the attacker,” said Johannes Ullrich, dean of research at the SANS Institute.
This means that adversaries can influence what your algorithms learn; therefore, an algorithm’s detection criteria can be undermined, Ullrich said.
A sophisticated attacker could have two tracks of malware. One would be low-level common threats, genuine malware that would flood the organisation’s emails and influence the detection specifications of its algorithm.
The second would be far more targeted and would aim to be of a completely different nature to the first. As a result, it could potentially glide through detection due to its less familiar characteristics.
Another attack could involve an adversary using machine learning themselves. They could train an algorithm to understand which characteristics are being used to classify something as malware, and then they could develop threats that evade detection by avoiding these traits, Ullrich explained.
“Your training data matters, and you need to understand these models,” he said.