As a cybersecurity practitioner of over 30 years, I often ask myself, how come we suck so badly at cybersecurity? We spend more money than ever before, but the compromises keep growing, and the cost of these compromises keeps increasing. It’s imperative that companies, especially law firms that hold such sensitive client data, stay ahead of these emerging threats.
The first step in this process is to understand our own approach to security, as well as our adversaries and their motivations. One analogy I love using when I talk about cybersecurity is that of the bull run in Pamplona, where you’ll find a whole load of bulls and runners all sharing the same chaotic space. Let’s think of the bulls as attackers and the runners as companies trying to defend their network.
Company approaches to cybersecurity
Now of course you have different kinds of companies and different kinds of runners. First of all, we have the naive and denying, who often take the attitude of ‘who on earth is going to hack me? I don’t have anything of value’, and don’t see themselves as a target.
Then there’s the slow and lazy, who know cybersecurity is an issue, but just don’t have the time, motivation or resources to address it.
Then we have the methodical and conventional, who tend to follow a lot of ‘frameworks.’ You’ll often hear them saying ‘we follow all these frameworks, so it’s not our fault if we get compromised’.
Next up we have the panicked and disorganised. You would have seen a lot of these in the legal space during the NotPetya attack in 2017, which massively affected some multinational law firms. These runners tend to make a mad dash and panic to deploy technology, to try and stop themselves from becoming the next victim.
Finally, we have the fast and professional. These companies know what they are doing and have it mostly under control. This is what every company should be aiming for.
Attackers and their motivations
Now let’s look at the attackers, or the ‘bulls’. Firstly, we have the young and enthusiastic bull. This bull has learned most of what they know on YouTube and is already managing to compromise companies.
Then we have the opportunistic bull, someone who stumbles across an easy victory, such as a username and password for a well-known organisation, and uses this to gain access. This happens more often than you may think.
Next, we have the gang of bulls, who are hacking professionally and working together. We’ve seen this with a lot of the leaks around Conti, one of the most prolific ransomware groups. These leaks exposed the whole organisation of criminality and how the different hacking groups work together to keep the business model protected.
Lastly, we have the state sponsored super bull. This one has been bench pressing his own weight in bulls since he was two years old. If he’s out to get you, you’ve had it. Even if you’re fast and professional, that’s it. This bull precisely targets its victims, as we’ve seen with some very targeted attacks against law firms in recent years.
The threat landscape
Now we know the types of adversaries we’re up against, it’s important to understand the wider threat landscape and how to decide which threats to prioritise and which threats to spend money defending.
Firstly, we have geopolitical forces, or put simply, governments using cyber to project power. They do this by developing cyber tools to achieve their political objectives. The problem is that these tools often leak onto the civilian internet and get used by hacking groups and professional bulls to gain monetary advantage. In reality, there isn’t much you can do to protect yourself from these threats, apart from being aware of any particular tools being used so you can defend against them specifically.
Then we have structural factors, which are the bigger picture issues that affect the landscape we operate within. A good example here is the rise of cryptocurrency, which has given hackers the ability to monetise their craft. Other structural factors include regulation, and of course insurance. Unfortunately, the unintended consequence of cyber insurance is that it now tells the professional bulls that there is an almost guaranteed pay-out, and it has allowed a lot of money to come into the criminal ecosystem.
Evolution of technology
Lastly, we have the evolution of technology, which is rapidly changing the way we consume and work with IT. The best example here is around Covid, where everyone started working remotely and the adoption of cloud technology accelerated rapidly. So instead of all computing resources sitting in the office behind well-designed security, all of a sudden these devices needed to fend for themselves. This has been very successfully exploited by threat actors.
Understanding our advantages (and disadvantages)
There is a notion that as a defender we must get it right all of the time, while the attacker only has to get it right once. In reality, getting it right all of the time is almost impossible, so it’s imperative that we understand the advantages we do have, and how to use them.
Attackers have no knowledge of our environment; they must stumble around blindly, and that’s one of the key advantages we have as defenders. It’s important not to cede this home-ground advantage by not understanding your own environment, or by having an environment that is so complex that even you don’t understand it, which essentially puts you at the same disadvantage as the attacker.
How we try to defend ourselves
When we try to defend ourselves, companies tend to focus just on protection. Why? Because it’s a young industry and it’s all about exciting new technology. Instead, companies should be of the mindset that ‘you can outrun some of the bulls some of the time, but you can’t outrun all of the bulls all of the time’. You need to have the ability to detect an attacker roaming around your network, to respond to it and to recover from it with the least possible effect. No technology will completely stop the threat of attackers, and we shouldn’t expect never to be a victim of cyber-crime – we must insure ourselves and take appropriate measures to minimise the impact.
Measuring our success
So, how do you communicate these threats and protection measures to the board? It’s important to have a structured way of reporting on cybersecurity maturity, so you can understand whether you are taking the appropriate measures around identifying risks, detecting attackers, protecting assets, and having the ability to respond to and recover from attacks.
At Flow, we’ve created a cybersecurity maturity assessment tool, which is based on the NIST framework, a well-regarded international framework that takes a holistic view of security. More importantly, it gives you a view to measure your progress towards having a comprehensive strategy, and it allows you to communicate to the board if there are any potential gaps that might cause you issues.
- Take a holistic approach to security. Assume that there will be a breach and one of those bulls will get you.
- Bake security into your digital transformation initiatives and use the power of the built in security tools.
- Realise that even the state sponsored super bulls use legacy techniques, i.e. spear phishing, attacking your suppliers, etc., so don’t just focus on the new and shiny technology that doesn’t protect from these old-school tactics.
- Simulate a determined threat actor. You need more than just a vulnerability scan to really assess your vulnerabilities.
- Be critical about your cybersecurity maturity. You want to employ the technology that costs the least but causes the most difficulty for your attacker, instead of expensive, complicated tech that doesn’t really raise the bar.
- Speak to Flow about our Security Maturity Assessment and Technology Effective Review – the ‘SMArTER’ approach to cyber security.