Security programs never operate in a vacuum, nor are they isolated from external or internal events. Too frequently, however, security leaders are blindsided by events that are fundamentally out of their control. Their organization acquires a new company, and security is asked to provide due diligence after the fact. Marketing launches a new program that collects sensitive information that is stored in a third-party application that has not been reviewed from a security or privacy perspective before the program launched. Tensions escalate with Iran and your executive leadership team or the board ask, ‘are we secure?’ These are just some of the scenarios that can frequently catch security leaders off guard. I think it’s important to put this dynamic in perspective and offer some context on how we, as security leaders, can be better prepared for the unknown unknowns that are inherent with our profession.
First things first. Let’s touch base on the recent increase in tensions with Iran. Iran brings strong offensive cyber skills to bear and has used them aggressively and frequently (just ask the security teams at Saudi Aramco for their perspective). As my colleague at EVOTEK, Richard Sower, notes, Iran has multiple advanced persistent threat (APT) groups that focus on key sectors including defense, oil & gas, financial services, government (federal, state, and local), aerospace, telecommunications, and other areas that can be described as critical infrastructure for our economy. Each of these APT groups has proven to be adaptive, frequently changing their tactics, techniques and procedures (TTPs) as their activities are discovered. Confronting a state-sponsored adversary such as the Iranian-backed APT33 (Elfin), APT34 (OilRig), and APT39 (Chafer), all of which are also tracked under ‘Kitten’ names, requires extra diligence and, for organizations that are in the cross-hairs of these adversaries, collaboration with Federal law enforcement, notably the FBI. Similar to other APTs, these threat actors are experts at living off the land and frequently exploit legitimate processes and credentials to compromise targeted organizations.
If you work for an organization that provides critical infrastructure and services, it’s only prudent to assume that you are in the cross-hairs of state-sponsored actors that seek to acquire intellectual property and/or disrupt vital services and infrastructure in times of conflict. Confronting these adversaries requires consensus, not just within the security team but also with the extended leadership team, that the risk landscape the organization faces presents important challenges and requires dedicated attention and resources. A cyber threat intelligence (CTI) program is in order, ideally one informed by your industry and sector and with context and insights offered by the FBI or other applicable agencies. EVOTEK’s Chief Security Officer, Macy Dennis, is the co-author of an upcoming book on building a successful CTI program. Successful CTI programs help inform cybersecurity practices and increase preparedness for the organization. Minimally, know your local Fusion Center and ensure that you have met with your counterparts at the FBI.
In spite of the many specialized TTPs and the malware and assorted tools used by Iran and other state-sponsored actors, their actions almost invariably begin with exploiting every organization’s weakest link – email. Phishing and spear-phishing attacks are almost invariably the precursor to a successful compromise. Ensure that your organization is focused on email security (including hardening instances of Exchange or Office 365) as well as educating users about the risks associated with email. Similarly, ensure that your security operations are monitoring credential use internally. Privilege escalation is a common technique. As the MITRE ATT&CK framework highlights, once an end user has fallen victim to a phishing email, the threat actor is off to the races, typically exploiting overly elevated privileges on the host, overly promiscuous internal networks, and a general lack of monitoring associated with lateral (East-West) traffic in most corporate networks.
Security leaders should be strong proponents of security hygiene that includes multi-factor authentication (MFA), minimally for admin accounts, network segmentation, and enhanced network and credential-use monitoring. The use of deception technologies is another important tool in our arsenal. Decoys (be they documents, credentials, applications, or servers) in the environment require the adversary to be extra diligent in their efforts. With deception in place, the adversary must be right 100% of the time or risk being detected. Deception frequently gets the adversary to disclose their TTPs, which offers higher-fidelity indicators of compromise (IOCs) for the security team to pursue. Traditional AV applications are likely not sufficient to detect and respond to APTs and their more sophisticated tooling. Endpoint detection and response (EDR) capabilities are generally warranted in that they look for process hijacking, nefarious uses of PowerShell, privilege escalation and the like. Don’t let the ‘endpoint’ name create confusion: EDR should be placed on servers and workstations alike and be adequately tuned and monitored. In that same vein, network detection and response (NDR) and network traffic analysis (NTA) capabilities help detect lateral movement and egress activity associated with exfiltration. Breach and attack simulation (BAS) tools can help validate that the current security architecture and the associated security application configurations are operating properly. Gone are the days of annual assessment and penetration testing. Continuous assessment and near real-time monitoring are integral to a modern security architecture.
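The two preceding paragraphs call for monitoring internal credential use and East-West traffic so that a phished account moving laterally is noticed. As an added illustration (not EVOTEK’s or the author’s code, and not tied to any particular EDR or NDR product), the script below runs a simple lateral-movement fan-out detection over a handful of constructed network-logon records: it flags any account that reaches more than a threshold number of distinct hosts from one source inside a sliding time window. The log format, account and host names, the 10-minute window and the threshold of four hosts are all assumptions chosen for the example; a real deployment would feed it Windows 4624 events or an equivalent from the SIEM.

```python
"""
Credential-use monitoring for lateral-movement fan-out.

Added example (not EVOTEK's or the author's code). Parses constructed,
simplified network-logon records (one per line) and flags any account that
authenticates to more than FANOUT_THRESHOLD distinct hosts from one source
inside a sliding WINDOW. Format, names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp | account | source host | destination host | logon type
# Logon type 3 is a network logon (the kind SMB/RPC lateral movement produces).
SAMPLE_LOG = """\
2020-01-08T09:00:01 | corp\\jdoe       | WS-017 | FS-01  | 3
2020-01-08T09:00:05 | corp\\jdoe       | WS-017 | FS-01  | 3
2020-01-08T09:12:40 | corp\\svc_backup | BK-01  | FS-01  | 3
2020-01-08T09:12:41 | corp\\svc_backup | BK-01  | FS-02  | 3
2020-01-08T10:31:02 | corp\\jdoe       | WS-017 | WS-022 | 3
2020-01-08T10:31:09 | corp\\jdoe       | WS-017 | WS-023 | 3
2020-01-08T10:31:15 | corp\\jdoe       | WS-017 | WS-024 | 3
2020-01-08T10:31:20 | corp\\jdoe       | WS-017 | DC-01  | 3
2020-01-08T10:31:27 | corp\\jdoe       | WS-017 | SQL-02 | 3
2020-01-08T13:05:00 | corp\\asmith     | WS-040 | FS-01  | 3
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
FANOUT_THRESHOLD = 4             # assumed: more than this many distinct hosts is suspicious


def parse_line(line):
    """Turn one pipe-delimited record into a dict; return None for blank or malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "account": parts[1],
            "src": parts[2],
            "dst": parts[3],
            "logon_type": int(parts[4]),
        }
    except ValueError:
        return None


def detect_fanout(log_text, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """
    Return a list of alerts, one per (account, source host) whose network logons
    reach more than `threshold` distinct destinations inside `window`.
    Only the first crossing per key is reported, to avoid repeated alerts.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # (account, src) -> deque of (ts, dst) still inside the window
    alerted = set()
    alerts = []

    for e in events:
        if e["logon_type"] != 3:          # only network logons count as lateral movement here
            continue
        key = (e["account"], e["src"])
        q = recent[key]
        q.append((e["ts"], e["dst"]))
        # Drop events that have fallen out of the sliding window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "account": e["account"],
                "src": e["src"],
                "hosts": sorted(hosts),
                "first_seen": q[0][0].isoformat(),
                "last_seen": e["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOG):
        print(f"ALERT lateral-movement fan-out: {a['account']} from {a['src']} "
              f"reached {len(a['hosts'])} hosts ({', '.join(a['hosts'])}) "
              f"between {a['first_seen']} and {a['last_seen']}")
```

On the sample data the backup service account touching two file servers stays quiet, while the user account that fans out to five hosts, including a domain controller, in under a minute produces one alert. The threshold and window are the tuning knobs the paragraph above alludes to: set them from a baseline of normal admin and service-account behaviour, and suppress known scanners and management hosts, or the detection drowns in noise.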
Clearly, CISOs and other security leaders cannot control geopolitical conflicts such as the tension with Iran (or others using this current tension to spoof Iranian actors – think Russia, North Korea and China to name a few). We can make our organizations significantly more resilient by implementing security programs that provide reasonable security – one that emphasizes good security hygiene practices, one that follows a recognized and respected security standard or framework (cases in point include the NIST Cybersecurity Framework, ISO 27001, the Center for Internet Security’s Critical Security Controls (CIS CSC), or COBIT), and one that aligns security risk to the organization’s broader risk tolerances and organizational strategy and initiatives. As my friend and co-author of the CISO Desk Reference Guide, Gary Hayslip, notes frequently, it’s important for security leaders to get out from behind the desk and spend time speaking with other organizational stakeholders. These discussions yield important organizational context and help prevent the CISO and the broader security team from being blindsided by initiatives that have important security context. Today more than ever, proactive engagement across the organization is every bit as important for a CISO as are their traditional skills in security technology and administration. As security leaders, we have to be engaged and visible, seen by our counterparts in HR, sales & marketing, legal, finance & accounting, operations, R&D, and, of course, the C-suite and the board. Engagement enhances and improves security.
The current tensions with Iran and the potential for cyber-related attacks from state-sponsored APTs serve to further highlight that security leaders must prepare for the unknown unknowns. This requires diligence, engagement, risk assessment, threat intelligence, and a dedication to reasonable security practices, those that make the organization more resilient in the face of cyber risks. These efforts will reduce the likelihood that we’re blindsided by events and ensure that we are proactively managing our security programs and making our organizations more secure and ultimately more resilient.