Recent events have forced CISOs across all industries to rethink and refine their business continuity plans, write Alain Sanchez and Joe Robertson, chief information security officers at Fortinet.
Not only did the pandemic force organizations to transform their networks to accommodate moving their traditional workforce to work from home (WFH) status, it also forced cybercriminals to adjust their tactics as well.
In the months since the pandemic began, security researchers have documented a dramatic switch in both focus and tactics on the part of cybercriminals. IPS sensors, for example, reported a dramatic drop-in malicious activity aimed at traditional network devices. And at the same time, there has been a corresponding spike in attacks targeting remote workers through attacks targeting email systems, work devices, and home networks.
No plan survives first contact with the enemy
All of this happened at the same time that IT teams were scrambling to ensure that remote workers had access to critical resources. Exponentially expanding support for VPN connections was only part of the overnight battle. In the ensuing activity, some basic security controls – such as ensuring that end-user devices were secured, connections were encrypted, and encrypted traffic was inspected — fell by the wayside for some.
Even highly prepared organisations found that essential security functions were either not in place, could not scale adequately, or did not perform as expected.
As a former heavyweight boxing champion once famously said, “Everyone has a plan until they get punched in the mouth.” This sentiment succinctly describes the past several months, and there is an important lesson there for CISOs for the next phase of designing business continuity plans. And that is the need to insert agility into the traditional security trinity of confidentiality, integrity, and availability.
In addition to building systems and strategies designed to keep things private, detect and prevent changes to systems, and ensure networks and devices perform at the required level of service, those systems also need to be able to quickly and automatically adapt to change.
Cybercriminals understand the need for agility
The cybercriminal community has already embraced agility as critical to their operations, moving as fast as the news does. Plus, as the technology used to track them has improved over time, it has forced cyber attackers to adapt and switch tactics faster than before. The most effective cybercriminals run exceptionally agile operations.
Literally within hours of the global pandemic’s first impact, the Dark Web was filled with bogus offers for medical equipment and medicines, and new attacks, such as ransomware-as-a-service offerings, that could be easily coupled with phishing campaigns. There was also a spike in the prevalence of older exploits targeting consumer-grade networking gear, gaming devices, and entertainment systems connected to remote workers’ home networks.
This tactic was successful. 60% of organizations revealed an increase in cybersecurity breach attempts following their transition to telework, and 34% reported actual network breaches. Attackers also rely on agility to quickly exploit new unpatched vulnerabilities, ‘live off the land’ after a successful breach, and evade detection.
Three areas to augment with agility
In response, defenders need to elevate agility beyond a design principle and make it a true end goal, whereby agility is woven into every corner of their security fabric. Following are three areas where agility needs to be aggressively developed and integrated into the broader security strategy.
* Network access agility – BYOD, mobility, and IoT have changed the game in terms of network access – and, as trends, will defeat any CISO who doesn’t have agile network access controls, device visibility, and management solutions in place. Long before the pandemic, an astounding 60% of employees used their personal devices for work purposes. That number has not only risen dramatically since the recent transition to a remote workforce, but those devices are also accessing more critical data and resources than ever before. Even more alarming, but not surprising, is that more than 80% of employees admitted to using unsanctioned web apps for work. Microsoft’s prediction that 25% of all attacks will target IoT devices this year is now looking to have been a low estimate, given the spike in detected botnets – especially the recent growth in the use of older botnet malware, including Mirai and Gh0st. Mirai, first seen in 2016, had moved back into first place among global botnet use by early May, suggesting cybercriminals sought to gain a foothold in enterprise networks by exploiting unpatched devices in home networks. Coming in second was Gh0st, a malware-botnet family originally from 2014, that also targeted WFH users and applications. Gh0st is a remote access botnet that allows an attacker to take full control of an infected system, log keystrokes, hijack live webcam and microphone feeds, download and upload files, and engage in other nefarious activities. A flexible cybersecurity architecture helps organizations not only deploy appropriate controls but automatically keep them updated as new device types are introduced continuously, regardless of whether or not they’ve been seen before. And new technologies like SASE enable users to connect from their new “home office” in the kitchen, basement, or spare room using any device, through any means, to anywhere, securely.
* Multi-Cloud agility – The cloud’s original appeal was that it would be a cheaper place to host data and network infrastructure. But its foremost attribute has turned out to be flexibility. An effective multi-cloud strategy enables the fast establishment of – and changes to – data stewardship and infrastructure. CISOs can likewise leverage the cloud to enhance the availability and survivability of their networks. They can do so by agilely acquiring or dropping cloud security services and capacity in response to, or even in anticipation of, operational needs. This requires a combination of hardware and virtual-based firewall and other security capabilities that can be agilely deployed, configured, and centrally managed. It also needs to be coupled with a secure means to reach cloud-based resources (for example, through SD-WAN). This not only enables remote workers to access critical applications and services but also becomes the conduit whereby cloud and on-prem security systems can dynamically complement one another.
* Cryptographic agility – Today, all Internet security – especially in WFH environments – is utterly dependent on cryptography for authentication, confidentiality, and integrity (and more). If an adversary can compromise your cryptography, they completely own your company’s data and infrastructure. But that’s not all. Cybercriminals are also leveraging encrypted tunnels to move malware into and data out of corporate networks. They are counting on the fact that companies do not have adequate horsepower built into their edge security to inspect encrypted traffic.
Addressing these challenges requires two strategies. The first is to establish crypto agility. The good news is that strong cryptographic algorithms, correctly implemented and configured, are unbreakable. But with the stakes so high, organizations need the ability to change to a new cryptographic key and algorithm if an existing one is compromised. CISOs need to ensure that their equipment is ‘crypto agile’ so they can move from asymmetric algorithms to quantum-resistant algorithms.
The second is scalable performance for edge security devices. The security tools tasked with decrypting and inspecting traffic are notoriously underpowered. This became a critical issue during the transition to WFH, leaving critical traffic either unencrypted or uninspected. Security devices need to be powered by purpose-built processors that enable massive scalability of services without compromising performance or user experience.
Expanding agility to your entire security strategy
Moving to an agility-centric strategy for business continuity planning complements and completes the traditional CIA security hierarchy, enabling a CISO to leverage additional capabilities based on agility. For example, deception technologies can change security configurations to become less predictable (unpredictability being the nemesis of attack planners). ML (machine learning) and AI-based tools can similarly leverage speed and data correlation to out-maneuver an adversary whose attack strategy relies on “land and expand” techniques.
Conventional wisdom says that success is the result of combining opportunity with preparation. An agile cybersecurity foundation embraces that approach. By acknowledging and addressing the unpredictable nature of defending dynamic systems, organisations can withstand the inevitable cyber equivalent of ‘getting punched in the mouth.