Rapidly reducing cyber risk in response to rising geopolitical tensions and threats

08/01/20

Background

At the start of this week, US-CERT published an alert on the potential for a cyber response to recent global events. Any organisations concerned about the risk of being impacted by this or other cyber threats should first understand the actors likely to be involved, their vulnerability to the types of attacks these actors are likely to carry out, and then rapidly mobilise targeted activities to uplift relevant security capabilities.

Key activities to rapidly reduce cyber risk

We have seen many organisations significantly improve their ability to defend against and detect such attacks with sustained effort over a short period of time, by delivering Agile and attacker-focused rapid security uplift programmes.

While the specific improvements delivered in any rapid security uplift programme must be specific to the organisation and its risk profile, our experience has identified common actions which nearly any organisation can take in order to rapidly reduce enterprise-wide cyber risk within three months (with some quick-win improvements achievable in days).

These actions are likely to increase an organisation’s ability to defend against a wide variety of cyber crime actors, including the threat actors referenced by US-CERT and those involved in the recent wave of often catastrophic Ryuk ransomware attacks leveraging access gained by untargeted Emotet and Trickbot malware infections. This is because of the significant convergence between the tools and techniques being used across multiple categories of cyber threat actors.

Examples of these common actions include:

  • Preventing malicious files being delivered via phishing emails by restricting the file-types permitted by email and web filtering tools;
  • Restricting what can be executed on workstations, including scripts (e.g., PowerShell, HTA, and CHM files) and untrusted macros in Microsoft Office files;
  • Preventing the abuse of compromised credentials by deploying multi-factor authentication on all externally accessible services, critical internal services and services used by managed service providers to access internal systems;
  • Protecting domain administrator accounts by onboarding them onto privileged access management solutions and limiting their use;
  • Limiting the ability of attackers to gain administrative access to systems by restricting membership of local administrator groups and setting unique random passwords on default local administrator accounts;
  • Protecting (typically highly privileged) service accounts by ensuring these have strong passwords and are prevented from logging in interactively;
  • Limiting attackers' ability to gain access to sensitive data by restricting access to open network shares and other potentially sensitive data stores (e.g., Intranet, internal wikis, and file servers);
  • Limiting attackers' ability to exploit vulnerable systems by patching remote code execution vulnerabilities, and segmenting systems that cannot be patched;
  • Improving the ability to detect and respond to attacker activity by deploying additional security tooling, notably, Endpoint Detection and Response technology and anti-virus products with support for the Windows Antimalware Scan Interface (AMSI); and,
  • Building the capability to detect the tools and techniques commonly used by the attackers by writing custom detection use cases and rules for detection tooling.
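The last two actions above (restricting script hosts such as PowerShell, HTA and CHM, and writing custom detection rules for the techniques attackers commonly use) can be illustrated with a small detection routine. This is an added example, not code from the article or from PwC: the events are constructed, their field names follow Sysmon's process-creation event, and the rule names are my own.

```python
import re

# Office applications whose child processes we care about (common phishing lure parents).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts the article recommends restricting, keyed by executable name.
SCRIPT_HOSTS = {
    "powershell.exe": "PowerShell", "pwsh.exe": "PowerShell",
    "mshta.exe": "HTA", "hh.exe": "CHM",
    "wscript.exe": "WSH", "cscript.exe": "WSH",
}

# Constructed sample events; field names follow the Sysmon process-creation event.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # placeholder blob
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Downloads\invoice.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

def _basename(path):
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the detection rules that fire for one event."""
    hits = []
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event.get("CommandLine", "")
    # Rule 1: an Office application spawned a script interpreter (macro abuse).
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        hits.append("office_spawned_script_host")
    # Rule 2: an HTA or CHM file was launched directly, as a phishing attachment would be.
    if image in ("mshta.exe", "hh.exe") and re.search(r"\.(hta|chm)\b", cmd, re.I):
        hits.append("hta_or_chm_launched")
    # Rule 3: PowerShell started with an encoded command (-e/-ec/-enc/-EncodedCommand).
    if SCRIPT_HOSTS.get(image) == "PowerShell" and re.search(r"\s-(e|ec|enc|encodedcommand)\b", cmd, re.I):
        hits.append("powershell_encoded_command")
    return hits

def run_detections(events):
    """Run every rule over a batch; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]
```

Against the three constructed events, the first fires two rules, the second one, and the benign notepad launch none; in a real deployment the same logic would be expressed in the detection tooling's own rule language.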

These improvements should be carried out alongside other activities to increase the organisation's readiness to respond to cyber security attacks, for example, testing and securing backups, and exercising cyber incident response plans.

Successfully delivering rapid cyber risk reduction

While achievable, these quick-win improvements are often very challenging to rapidly deliver in large enterprises. Our experience delivering such programmes in a range of large financial services organisations and retail companies has shown that chances of success can be significantly increased with senior leadership commitment to drive this rapid change across the IT environment, and to resolve delivery blockers, onboard additional resources and encourage collaboration between teams who may have not previously worked together.

In addition to this, we have found the following five-step methodology highly effective at planning and mobilising programmes to deliver such rapid risk reduction in response to new or escalating cyber threats.

Step 1: Understand the organisation’s vulnerability to the threat

Identify the types of attacks the threat actors are likely to carry out, and map out the attack paths, highlighting the offensive techniques likely to be used. This analysis should exploit the significant amount of open source threat intelligence reporting available on techniques used by specific state-sponsored threat actors (including those threat actors referenced by US-CERT). The MITRE ATT&CK framework should be used to structure this analysis and provide a common language to discuss the attack techniques.

The organisation's ability to defend against and detect these specific techniques should then be evaluated. We have found this is best conducted using a combination of:

  • Technical knowledge about the environment and the security controls applied; and,
  • Purple teaming to simulate attacker techniques, determine the effectiveness of security controls and capabilities, and test assumptions held about the environment.

Step 2: Identify pragmatic and threat-focused actions to remediate vulnerabilities

The success of security improvement programmes often depends on whether pragmatic fixes and improvements have been identified to remediate vulnerabilities, and directly improve protection, detection and response capabilities to make it more difficult for an attacker to successfully compromise the organisation.

We have seen organisations have the most success identifying these when they:

  • Gather expertise from across the organisation including IT and security teams (covering both red and blue teams) into a single location to workshop the problem with a whiteboard;
  • Bring in independent security expertise to understand previous attacks in-depth, challenge stakeholders on analysis and decision making, and drive discussions towards actionable outcomes with assigned owners;
  • Use a red team to help prioritise improvement activities by providing an attacker-centric view of the environment and its vulnerabilities; and, most importantly,
  • Unwaveringly focus on identifying achievable quick-win improvements.

We have found using a purple team approach to simulate attack techniques to be a highly effective way of identifying both vulnerabilities and improvements to resolve these. At a large financial services organisation, we were recently able to help them identify over 400 pragmatic fixes and improvements, by simulating the activity of several cyber crime threat actors they were concerned about.

Step 3: Develop and deliver a programme focused on rapid risk reduction

These identified actions should then be used to form a plan of what can be achieved over the next 30, 60, or 90 days; dedicated resource should then deliver this at pace using focused governance to drive accountability.

We have seen organisations (including those who have struggled for years to implement meaningful cyber security improvements) be most successful at this when they have:

  • Used Agile project management techniques and tools (for example, Atlassian’s Jira) to allow them to be reactive to new risks identified and flexible to changing requirements;
  • Brought together teams from across the organisation to surge efforts to overcome complex challenges; and,
  • Created a sense of pace and urgency by educating employees on the cyber threat and resulting risk to the business.

Step 4: Validate and measure progress at reducing risk

All completed improvement activities should be validated, for example, by using a red team. We have found this is crucial to ensuring that IT changes implemented have effectively remediated the vulnerabilities identified and that there are no adjacent vulnerabilities present that an attacker could exploit.

Progress should also be tracked and reported. This can be done using a broad range of metrics; however, we have found that “cost to the attacker” is highly effective at clearly articulating and demonstrating the risk reduction benefits of security improvement programmes. Typically generated by the red team as a measure of how difficult it is to execute (without detection) the techniques likely to be used by attackers, this provides a higher-cadence view of risk exposure and a pragmatic means to set risk appetite.

Step 5: Address root causes of vulnerabilities with strategic transformation programmes

Strategic projects should be mobilised to build sustainable security capabilities that address the root causes of the vulnerabilities identified. We have seen this as key to ensuring vulnerabilities are not re-introduced as a result of IT business-as-usual activities, or by the deployment of new applications and infrastructure. Immediate risk reduction provided by rapid security uplift programmes also provides cover for strategic transformation programmes to design and develop these capabilities, by ensuring that the immediate threat is addressed and that there is an acceptable level of cyber risk exposure in the short term.

It is also key to ensure that all teams involved are discussing and tracking the same issues when addressing the root causes of the vulnerabilities identified. Root-cause issues should also be mapped to a common control framework, to allow teams to communicate in a consistent and clear manner.

Contact us

Will Oram

Cyber Threat Advisory - Senior Manager, PwC United Kingdom

Gabriel Currie

Cyber Threat Advisory - Senior Manager, PwC United Kingdom
