teissTalk: Selling Threat Intelligence to the Board

teissTalk host Geoff White was joined by Luca Vigano, Professor and Head of the Cybersecurity Group in the Department of Informatics, King’s College London; Jason Steer, Principal Security Strategist, Recorded Future; and Daniel Adaramola, Chief Information Security Officer and Co-Founder, The Young CISO Network.

Views on news

The vast majority of cybersecurity professionals think that the business they work for is a target for nation-state hackers, but only a small fraction think their organisation can confidently tell whether an attack is actually being carried out by a hostile state. Nation-state-backed operations are often designed to establish long-term persistence on a network, so failing to recognise that an attack is well-resourced and state-backed can mean that backdoors and other remnants of the intrusion are missed, and exploited later on. Rather than blaming users for opening the door to corporate networks by falling victim to phishing or social engineering, security professionals should ask themselves how systems can be built so that such compromises cannot happen in the first place.

It is important for an organisation to know which threat actors are likely to come after it. Even nation states have diverse motives for an attack, ranging from stealing intellectual property to simply taking money from, for example, cryptocurrency platforms. If a resource-rich nation state is attacking your business, the odds are heavily against you being able to fend it off. That said, being aware of a nation state’s involvement can guide and inform your response.

With over 80% of command-and-control (C&C) attacks linked to Cobalt Strike, it has become harder to tell state actors and cyber criminals apart. China is the only threat actor that, sticking to its own toolkit, won’t use Cobalt Strike. It is key to understand the capabilities of a Cobalt Strike deployment: how it installs, what the file hash is, how it communicates back to its operators, and to look out for these signs.
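As an added example that is not part of the teissTalk discussion or of any vendor's tooling, the following Python script shows what "looking out for these signs" can mean in practice for the communicates-back part: it parses constructed web-proxy log lines (a fictitious workstation name and RFC 5737 documentation addresses) and flags client/destination pairs whose request timing is suspiciously regular, the hallmark of a sleeping implant checking in, and it matches observed file hashes against a constructed indicator list standing in for a threat-intelligence feed. The log format, the thresholds and the hash values are assumptions made for illustration, not Cobalt Strike signatures.

```python
"""Beaconing and hash-indicator checks over constructed proxy log lines.

Added example. The log format, thresholds and "known bad" hashes below are
assumptions for illustration, not a Cobalt Strike signature or any vendor's.
"""
import hashlib
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (fictitious client, RFC 5737 documentation addresses):
# <ISO timestamp> <client> <destination> <uri> <bytes>
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 ws-042 203.0.113.10 /index.html 1200
2024-03-01T09:00:13 ws-042 198.51.100.7 /news/today 54321
2024-03-01T09:00:18 ws-042 198.51.100.7 /news/css/site.css 9800
2024-03-01T09:01:00 ws-042 203.0.113.10 /index.html 1200
2024-03-01T09:02:02 ws-042 203.0.113.10 /index.html 1200
2024-03-01T09:02:58 ws-042 203.0.113.10 /index.html 1200
2024-03-01T09:04:01 ws-042 203.0.113.10 /index.html 1200
2024-03-01T09:05:00 ws-042 203.0.113.10 /index.html 1200
2024-03-01T09:07:41 ws-042 198.51.100.7 /news/sport 48000
2024-03-01T09:08:11 ws-042 198.51.100.7 /news/sport/img.png 31000
2024-03-01T09:31:05 ws-042 198.51.100.7 /news/world 51000
"""


def parse_proxy_log(text):
    """Parse whitespace-separated log lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, dest, uri, size = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client, "dest": dest, "uri": uri, "bytes": int(size),
        })
    return records


def find_beacons(records, min_hits=5, max_cv=0.2):
    """Flag (client, dest) pairs whose inter-request gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: an implant sleeping a fixed time with modest jitter keeps
    it low, while a person browsing a site produces bursts and long pauses.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["dest"])].append(r["ts"])
    hits = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_hits:          # too few points for the statistic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:                        # duplicate timestamps only
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest, "hits": len(stamps),
                         "mean_interval": avg, "cv": cv})
    return hits


# Constructed "known bad" hashes: SHA-256 of made-up byte strings, standing in
# for the file hashes a threat-intelligence feed would supply.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-sample-stager-A").hexdigest(),
    hashlib.sha256(b"constructed-sample-stager-B").hexdigest(),
}


def match_hashes(observed, indicators=KNOWN_BAD_SHA256):
    """Return the (path, sha256) pairs from observed whose hash is in the indicator set."""
    return [(path, h) for path, h in observed if h.lower() in indicators]


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"possible beacon: {hit['client']} -> {hit['dest']} every "
              f"{hit['mean_interval']:.0f}s ({hit['hits']} hits, cv={hit['cv']:.2f})")
    observed = [  # constructed endpoint inventory entries
        ("C:\\Users\\Public\\update.exe",
         hashlib.sha256(b"constructed-sample-stager-A").hexdigest()),
        ("C:\\Windows\\notepad.exe",
         hashlib.sha256(b"constructed-benign-binary").hexdigest()),
    ]
    print(match_hashes(observed))
```

Run it directly to see the one flagged pair (the host checking in roughly every 60 seconds) while the bursty browsing to the other destination passes. A sleep interval with jitter of around 20% still gives a coefficient of variation well under 0.2, so the default threshold catches it; longer sleeps or heavier jitter need a longer observation window and more hits before the statistic means anything, and a patient operator can defeat timing analysis altogether, which is why the installation and file-hash artefacts the panel mentions matter alongside the network signal.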

The conversation with the board

Communicating with the board and convincing it to invest in information security requires learning “a different language.” You need to be mindful of how you present data to the board and of how you empower its members so that they feel they are making the decisions themselves. You also need to make them aware of the opportunity cost of their decisions and of the price they may have to pay for inaction in the long term. The board will always take a business perspective on cyber risk: it will want to see the company’s security performance against a baseline, and the value cyber security can create for the business.

On the question of whether false flag operations (operations designed to deflect attribution onto an uninvolved party) can affect the integrity of attribution: there is always a rush to attribute an attack, but the “how” of the attack usually has to take precedence over the “who”. Sophisticated cyber criminals now have very good operational security, which makes attacks harder to detect and respond to. False flags are a problem not only because they lead to wrong attributions but also because they undermine the whole process. In certain cases it therefore makes sense to bring in external intelligence, although that may be hard to sell to the board.

Having a tech-savvy board or a compliance mandate gives CISOs leverage, as do penetration test results and threat intelligence platforms.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543