Cyber Security Awareness Month: It’s Time to Get Realistic About Cyber Risk

I've spent my career looking at some of the biggest and most impactful cyber-attacks of the last 20 years: from developing the threat intelligence that discovers the intrusion to taking the call from the CISO of the victim organisation in panic over what to do next.

These major incidents are often attributed to Advanced Persistent Threat (APT) groups, historically a synonym for Nation State but now less strictly defined and almost always labelled as ‘sophisticated’, with further phrases such as ‘zero day’ and ‘unprecedented’ often used in public press statements to define or even excuse the situation.

The reality of the incident may be somewhat far from ‘sophisticated’ – but as an industry, we tend to be obsessed with the boogeyman of the internet, the threat actor who is so highly capable that the mere mention of them in an incident or a threat intel report is instantly headline-grabbing. This focus can sometimes skew our assessment of risk and cause security professionals to fixate on the potential doomsday scenarios.

Unconscious bias can have a significant effect on our ability to calculate cyber risk, causing us to overplay catastrophic outcomes and downplay the near misses that happen every day. If headlines are dominated by phrases like ‘super stealthy’, ‘undetectable’ or ‘cyber spies’, then that is the risk that turns heads. In my career, I've handled countless major incidents that never made it into the public domain – and watched as minor near misses that make it into the mainstream media become the story that business leaders berate their CISOs about.

For the financially motivated - and even some state actors - cyber activity is a numbers game. These attackers are trading off sophistication for automation and scale, because not every target out there is the cyber equivalent of Fort Knox. If it’s stupid but it works, then it's not stupid. Fundamentally, this requires cyber professionals to step away from the headlines and focus efforts on getting the basics right and continuously raising the bar for both sophisticated threat actors and more run-of-the-mill attackers – who often end up getting their hands on attack tools developed by the former anyway. It’s about preparing for the unknown and striving for business continuity in the face of whatever may come.

I look at the infrastructures of companies across the world every day. A good barometer for me is the presence of crypto-mining software. Crypto-jacking is one of the fastest growing attacks in pretty much every industry and region - attacks that are entirely opportunistic, at massive scale and as such, almost entirely automated. The evidence is often just the presence of unauthorised crypto-mining software generating revenue for unknown criminals. When I speak to CISOs and other security leaders, this unconscious bias and tendency to downplay the minor things often shows up as ambivalence towards what is largely seen as the background noise of the internet.

Financial and environmental impact aside, I'm somewhat inclined to agree on the immediate security concerns - but my challenge always drifts to how it got there in the first place. To achieve the scale of deployment that crypto-jackers are looking for, this illegitimate network access must have been enabled by something relatively low-cost: a pervasive software vulnerability or default, weak or otherwise compromised credentials. This means that if crypto-mining software could be installed, the basics aren't being done right somewhere. And if a crypto-jacker could do it, what's stopping a ransomware actor from following the same path? Crypto-mining is, in some respects, the ‘gateway drug’ for more impactful cybercrime attacks.

Cyber security is a risk management exercise – you can never completely eliminate risk, but through appropriate risk treatment, you can reduce it to a tolerable level. The challenge is remembering that risks rarely exist in isolation: techniques and tradecraft overlap, and there is even hand-off between different threat groups through the criminal marketplace.

CISOs don’t lack to-do lists – the real challenge is prioritising the risks, not creating more lists of things that need to be done. The current focus of our innovations at Darktrace is arming CISOs with the technology to prioritise risks, continuously test vulnerabilities and harden defences in the background. Given the fragmented and ever-changing nature of cyber risk today, getting realistic and proactive about it requires a combination of teams with the right mindset and cutting-edge technology that cuts through the noise.

Low impact risks are often easy to ignore. My strong plea is to take the time to address those risks before they have that chance to snowball. Death by a thousand cuts is a very real concern for many organisations, and the steps it takes to go beyond checking a cyber compliance checkbox and ensure a true level of operational assurance may provide greater return on investment than they’re given credit for.
