There needs to be a much greater emphasis on getting the basics right in cybersecurity, according to Robert Hannigan, chairman of BlueVoyant, speaking during his keynote address on day one of the Infosecurity Europe virtual conference, which took place from 13-15 July 2021.
The former director of the UK’s intelligence and security agency, GCHQ, began by focusing on “the tidal wave of ransomware over the last 18 months.” He noted that several ransomware incidents had a visible, real-world impact during this period, bringing the issue to the wider public’s attention. These include the attack on Colonial Pipeline in May 2021, which led to the largest fuel pipeline in the US being taken offline for five days. This attack caused enormous societal problems, and images of people queuing at gas stations were frequently displayed throughout the mainstream media.
In Europe, Hannigan highlighted a death linked to a ransomware attack. In this case, a critically ill female patient was being taken by ambulance to a hospital in Düsseldorf, Germany, that had been hit by ransomware. The attack meant she had to be transferred to a different hospital, but she sadly died on the journey. The authorities subsequently launched a homicide investigation to determine whether the death was caused by her not receiving treatment at the original hospital.
These incidents have demonstrated that ransomware gangs are increasingly targeting organizations in critical sectors that “can’t afford to stop” and are, therefore, more likely to pay a ransom demand to get their services back online.
Hannigan also outlined how ransomware tactics have become more sophisticated during the last 18 months. These include “double-extortion” attacks, in which criminals encrypt an organization’s data and steal it, offering multiple blackmail opportunities. There have also been developments in the ways ransomware is delivered from a technical point of view, “especially against the manufacturing and industrial sectors.”
In addition, Hannigan outlined the shift towards cyber-attacks becoming a “commodity,” with sophisticated groups offering their services for sale; this is something that has become particularly prevalent regarding ransomware. Therefore, the barrier to entry to launch these kinds of attacks has been lowered as “you don’t need to be brilliant anymore to mount a sophisticated cyber-attack; you can buy it as a service.”
According to Hannigan, there has been a “big change” in the past five years regarding the scale of ransom demands due to these trends. While previously these were often in the range of just $50-100, we are “regularly dealing with cases now where demands are in the tens of millions.”
All of these factors mean that ransomware attacks have become a “disorientating experience for boards,” many of whom have found themselves in uncomfortable negotiations with criminal gangs. Sadly, in many cases, the extortion demand is ultimately paid because “business interruption costs are far greater than the ransoms.”
Hannigan said that ransomware attempts would continue at scale until law enforcement can catch the criminal groups in the countries where they’re located.
Supply Chain Security
Hannigan went on to describe the changing cyber-risk for organizations, which has been exacerbated by the huge rise in supply chain attacks. Many large organizations now work with as many as 10,000 different vendors. Any of these vendors could be used as a gateway to attack them. He noted that while the most critical of these vendors are generally the focus for large businesses, the less well-known suppliers in the ecosystem are typically the most vulnerable. This fact is “because that might be a small company that has one person doing cybersecurity, if anyone.”
Therefore, “as well as being dynamic, cyber-risk assessment has to be comprehensive — you can’t really leave out a chunk of your supply chain and hope for the best.”
Hannigan added that in some respects, the increased targeting of supply chains demonstrates how cyber-defenses are improving, meaning threat actors are increasingly looking for softer targets. “For obvious reasons, criminals and nation-states are moving towards the supply chain as we harden our defenses,” he commented.
Going Back to Basics
In the final part of his address, Hannigan set out what he believes should be the priority of the cybersecurity industry over the coming years. While emerging technologies like AI and blockchain will have a significant role to play in cyber in the future, for the time being, the industry should focus on “getting the basics right.”
This is because, despite the growing sophistication of attackers, the vast majority of incidents could be avoided by practicing basic cyber-hygiene such as regular patching and ensuring unneeded network ports are not left open. For example, a big factor in the Colonial Pipeline incident appeared to be “poor password management.” Similarly, the notorious NotPetya malware attacks in 2017 began when the threat actors infiltrated an accounting software firm in Ukraine “that had not patched its servers for several years.”
Hannigan added, “We know that if you fix those, you’re going to massively increase your defensive posture and see off a lot of those attacks.” It is, therefore, the responsibility of the cyber industry to help promote these basic security practices throughout the entire ecosystem, “raising the threshold across supply chains.”
Future Trends
Hannigan expects to see some major developments in cloud security in the next few years, driven by big tech companies like Microsoft. He said they are “doing some amazing things in cybersecurity and providing tools and services to their customers, which I think will transform both security and this industry.”
Another major issue that needs to be tackled in the future is the cyber skills shortage, which “isn’t going to get better quickly.” While part of the solution is upskilling, he noted that “outsourcing is the only viable option for many companies below the biggest in the world.” Therefore, it is unsurprising that the number of companies looking for a managed security service has risen “exponentially” in the last five years, and Hannigan believes this trend will only continue. Managed services will be “the only way to do managed detection, response and remediation in real-time” for many organizations, given the scale of attacks being mounted.
Alongside outsourcing, Hannigan said there needs to be greater use of automation to reduce the burden on security teams, “minimizing the amount of time you need very expert human eyes on the glass.”
Hannigan finished on a positive note, stating his belief “we are at a turning point” when it comes to cybersecurity. This is partly due to the actions being taken by the new US government in cybersecurity, such as an executive order mandating a drive to secure cloud services and zero trust for all federal government software suppliers and the creation of a new ransomware task force.