Cyber risk, Shark attacks and the inimitable Australian Kookaburra

“SUNBURST cyberattack shakes the United States”…. “it could take years to fully comprehend one of the biggest ever cyber-attacks”… “The recent discovery of the devastating SUNBURST hacking campaign…”

The world spends millions on understanding cyber-risk, and billions to mitigate it. Yet when an organisation is breached, very few people ask “what level was your cyber-risk at today?”. Fewer still could answer the question. There has to be (and is) a better way.

As an Australian teenager growing up near the Queensland border in the 90s, at least one afternoon a fortnight was spent at the beach. Much fun was had, and honestly, very little consideration was ever given to the risk of a shark attack. Fast forward 15 years, and my favourite sleepy beach town became famous for a spate of three fatal incidents in one year. Suffice to say, every time I’ve been back since, the thought of a dorsal fin rising out of the water, Jaws style, is very much front of mind!

Reading the Sunburst headlines in the media this week, it would be easy to believe that global cyber risk is running at 100 percent, and that hackers have already breached every company, government department and public cloud provider across the globe. SPOILER ALERT – they haven’t; but I do wonder how much our perception of cyber-risk is skewed by these events. Like the shark attacks described above, the risk of a cyber-attack tomorrow hasn’t changed dramatically since yesterday – it’s just now at the forefront of our mind and some organisations simply don’t have enough data to put the attacks into the context of “what does it mean for my risk posture right now?”.

Credible estimates suggest that cyber-crime costs the world economy around USD 1 trillion per year* – some estimates are as high as six times this figure. USD 1 trillion is a lot of money, but there are around 200 million companies in the world, so the average annual cost per company is only $5,000, right…? (SPOILER ALERT – it’s not right!)

Cyber-risk is more fluid and difficult to maintain awareness over than it might seem. What is your cyber risk right now? Journalists can sometimes overstate it (see above headlines!); but plenty of organisations under-estimate it too. The argument goes that “we’ve never been an attractive target so why would hackers invest their time to compromise us now” <insert ransomware incident here>…

Here’s the thing about cyber-risk: The equation of risk = likelihood x consequence might hold true over the long term, but over the short term it’s far more volatile than that.

Consequences are well understood – most folk have heard about high-profile attacks like Stuxnet, Triton, NotPetya, and most recently Sunburst, and know that recovering from them can cost hundreds of millions of dollars (Maersk, for example, spent over $300m on NotPetya**). In other words: supply chain attacks, malware, DDoS and the like = substantial (and growing) consequences.

The likelihood of a cyber-attack on any given day is far harder to resolve. Cyber-security is characterised by its unpredictable moving parts (on both the attacker and defender sides) and is like an ongoing game of cat and mouse. Just because the mouse gets away from the cat the first five times, doesn’t mean it will on the sixth when the cat learns how it hides. Furthermore, never forget about the opportunistic bird-of-prey (let’s call it the Kookaburra!***) that swoops in for the kill when it notices the mouse creeping behind a rock! Consider this:

  • Lots of moving parts (on the attacker side): NTT mitigate billions of threats each year. These vary widely in geography, industry, tactics and technology. In 2020****, some of the threats were over a decade old and still going strong (like Conficker!), and others were brand new or had evolved significantly. Many were destructive malware, but many more were Scanners and Remote Access Trojans. Rather than looking for a particular target first, and then determining how to breach it, the MO of these threats is to look for vulnerabilities first, and work out how to monetise them once persistence is established.
  • Lots of moving parts (on the defender side): 2020 has seen around 20,000 new vulnerabilities recorded. So, even if you had a perfect cyber-security posture in 2019, if you did nothing in 2020, chances are, your posture is now far from ideal. For example, Qualys identified over seven million vulnerabilities associated with the Sunburst breach***** two weeks ago. Cyber-security simply does not stand still – new vulnerabilities arise every day and security controls need to adapt just as quickly.
  • The silently watching bird-of-prey: With the rise of malware-as-a-service, some groups spend a lot of time breaching companies, establishing persistence, and then selling that access when the time is right. Emotet is known for doing this, but it is one of many in the marketplace. The key is that just because you haven’t seen a cryptolocker screen doesn’t mean that the building blocks for one aren’t already in place on your network.

With all these rapidly changing (and hard to track) variables in mind, estimating likelihood in cybersecurity makes crystal-balling the weekly lottery results look easy. This is why our perception of risk can be skewed up or down by arguments like “it hasn’t happened yet, so it probably won’t” or “the threat has increased because of the latest high-profile hack”.

However, unlike the lottery, cyber-defenders don’t need to know all of the numbers before the game starts. Indeed, right up until the last ball falls, we can still stop an attack; right up until the shark attacks the surfer, they can get out of the area. And, until a cyber-risk is realised, we can identify, quantify and mitigate it by doing these three things:

  • Remove the noise: The great majority of cyber threats are well known. Simply doing the basics right; patching, whitelisting, limiting administrative privileges etc (i.e. the ASD Essential 8), and more (like blocking known malicious domains), does not guarantee an organisation won’t be breached. But, it does help to minimise the load on its SOC by defending against well over 85 percent****** of threats, which gives them a much better chance of blocking the last 15 percent!
  • Focus on visibility and monitoring: This is critical. SOCs can’t defend what they can’t see; and to predict what is going to happen, a SOC needs to see evidence as quickly and early as possible. This is why surf life savers now use drones to monitor shark activity. The cyber-equivalent of shark-drones is establishing full visibility of the network, operating system, application and user landscape, and then correlating this, in near-real-time, with enrichment like IOCs, MITRE ATT&CK, UEBA and other advanced capabilities. Getting this right gives an organisation valuable seconds and minutes to react when a cyber-attack begins. What used to be the “golden hour” in Incident Response is quickly becoming the “platinum 10 minutes”, hence investments in this space will always have a good ROI.
  • Know how to react (and practice doing so!): Get your playbooks right; spend time understanding each potential threat you face, and exercise against them frequently. Breach simulations are important, and automated tooling that continually scans and penetration tests your network for configuration drift, emerging vulnerabilities and holes that an attacker could slip through is also critical. All of this means that the SOC will be ready when it needs to be, but also that in the interim, its capabilities can be continually honed.
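The first two points above (remove the noise, then correlate what is left against IOC enrichment) are easier to see in code than in prose. The following is an added illustration, not code from the original article or from NTT: it parses a constructed DNS-resolver log, drops queries for an allowlist of known-good domains before anything else is examined, and flags the remainder against a constructed IOC feed of domains. Every domain, hostname and log line is a made-up sample, and the log format is a placeholder assumption rather than any particular resolver's output.

```python
"""Noise removal plus IOC correlation over constructed DNS log lines.

Added example only; the domains, hosts, log format and log lines are all
constructed placeholders, not real indicators or a real product's format.
"""
import re
from collections import Counter

# Constructed IOC feed: domains that threat-intel enrichment has flagged.
# A query matches if it is the domain itself or any subdomain of it.
IOC_DOMAINS = {"malicious-example.test", "c2-example.invalid"}

# Constructed allowlist of known-good domains: the "noise" we remove before
# analysts (or further correlation) ever see the line. It is consulted first,
# so keep it short and reviewed.
ALLOWLIST = {"example.com", "update.example.org"}

# Placeholder log format: "<ISO timestamp> <client host> <queried name>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)$")

# Constructed sample log. Note the last line: a lookalike that merely contains
# an IOC string must NOT match, which is why matching is suffix-based.
SAMPLE_LOG = """\
2020-12-15T09:01:02Z ws-0412 www.example.com
2020-12-15T09:01:03Z ws-0412 cdn.malicious-example.test
2020-12-15T09:01:04Z ws-0917 update.example.org
2020-12-15T09:01:05Z ws-0917 c2-example.invalid
2020-12-15T09:01:06Z ws-0412 malicious-example.test
2020-12-15T09:01:07Z srv-db01 notmalicious-example.test
""".splitlines()


def parse_line(line):
    """Return a dict with ts/host/qname, or None for an unparseable line."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def matching_suffix(qname, domains):
    """Return the domain in `domains` that qname equals or is a subdomain of.

    Names are normalised to lower case with any trailing dot removed, so
    'CDN.Malicious-Example.TEST.' matches 'malicious-example.test' while
    'notmalicious-example.test' does not.
    """
    name = qname.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def correlate(lines, iocs=IOC_DOMAINS, allowlist=ALLOWLIST):
    """Classify each log line; return (ioc_hits, stats).

    ioc_hits is a list of parsed records with the matched IOC attached.
    stats counts parsed lines, allowlisted noise, IOC hits, residual lines
    (neither noise nor IOC: what a SOC still has to look at) and unparsed.
    """
    hits = []
    stats = {"total": 0, "noise": 0, "hits": 0, "residual": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["total"] += 1
        if matching_suffix(rec["qname"], allowlist):
            stats["noise"] += 1          # known good: removed before analysis
            continue
        ioc = matching_suffix(rec["qname"], iocs)
        if ioc:
            hits.append({**rec, "ioc": ioc})
            stats["hits"] += 1
        else:
            stats["residual"] += 1
    return hits, stats


def hits_by_host(hits):
    """Count IOC hits per client host: the first thing a responder triages."""
    return dict(Counter(h["host"] for h in hits))


if __name__ == "__main__":
    found, summary = correlate(SAMPLE_LOG)
    print("stats:", summary)
    for h in found:
        print(f"{h['ts']} {h['host']} queried {h['qname']} (IOC: {h['ioc']})")
    print("hits per host:", hits_by_host(found))
```

Two details carry the point of the article's bullets. Allowlisted names are dropped before the IOC check runs, which is the "remove the noise" step; and the residual count is the workload that remains for the SOC once noise and known-bad are separated, which is what the "85 percent / 15 percent" argument is really about.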

When it comes to understanding and mitigating cyber risk, if, as an organisation, you know what could happen, get early warning (from your visibility tools) of when it might happen, and minimise false positives and workload by removing the noise, then not only can you stop an attack before it happens, but you should also have enough data to answer the question of “what is our cyber risk today?”.

References

* McAfee, 2020, The Hidden Costs of Cybercrime (mcafee.com)

** ZDNet, 2019, Ransomware: The key lesson Maersk learned from battling the NotPetya attack

*** Best known for its laughter-like bird-call, the inimitable Australian Kookaburra deserves far more credit than it gets! Kookaburras are patient, lightning fast, precise and well targeted… Check out this story of how a kookaburra patiently waits until the right moment to swoop in and collect a Brown Snake (the third most venomous snake in the world) in its beak, pick it up and take care of it (Video shows kookaburra feasting on snake in backyard, bashing its head against the wall - ABC News). So far as an analogy goes, every good cyber threat hunter should aspire to be like a Kookaburra!

**** NTT, 2020, 2020 Global Threat Intelligence Report

***** Qualys, 2020, Qualys Blog, Qualys Researchers Identify 7+ Million Vulnerabilities Associated with SolarWinds / FireEye Breach by Analyzing Anonymized Vulnerabilities across Worldwide Customer Base

****** SANS, 2018, Practical implementation of the Australian Signals Directorate Essential Eight Maturity Model to Level Three within residential University colleges, SANS Institute: Reading Room - Critical Controls

Thomas Patterson

Sales Director at eFormosaShop

3 years

Interesting!!!!
