Cyber breaches seem to be constant – and cyber professionals are having to work in an environment of perpetual breach, as we discuss in our regular teissTalks. But with cyber-crime still a tier one threat to business and wider society, there is news that the UK is “cyber-fying” its military, although still backing digital technology up with traditional firepower.
Keep safe out there.
However, the British military is waking up to the threat that cyber attacks pose to society. Despite the British Army being downsized, it looks as though the National Cyber Force is here to stay. Everyone (apart from certain nation state actors) should be relieved. And in a chilling warning, there is news that Britain may also deploy Trident missiles in response to destructive cyber-attacks.
Technology is everywhere and nearly half of European adults believe that people should be free to enhance their own body with digital technology. But many people harbour concerns about the longer-term societal impact of “cyborg” technology. Technology implants can be hacked and that could have tragic effects. And it isn’t just our bodies that technology is changing. AI continues to transform the cyber security landscape.
Many people accept that cyber security is about culture as much as it is about technology, and we explain why. But you can’t simply ignore technology. Threats such as Man-in-the-Middle attacks are evolving and defensive technology needs to change alongside that.
Film studios: An illegal video-streaming app with over 100m users has been taken down in Europe. We say: copyright theft is not a victimless crime.
Organisations using Microsoft Office 365: it’s becoming clear that many of them are highly vulnerable to account takeover attempts.
Originally Aired: Tuesday 16th March 2021, 16:00 (BST)
This episode is now available to view on-demand.
This is the same old story – we have seem so many zero days attacks and now its exchange servers – a different take on an old story. But that’s the world we are living in now. One issue is that Microsoft released a patch 14 days after the release of the vulnerability. Similar attacks were emerging last year and then Microsoft released patching very quickly. In fact people are reporting that they had visibility of the problem back in January so they have come in for some criticism for this delay.
Microsoft said that they were sure it was Chinese sponsored Hafnium and yet this also seems to have been inaccurate. No doubt this was “best efforts” and it’s a complex landscape. No one company has a complete picture of the threat landscape.
And it’s a landscape that is constantly changing. There are so many known unknowns. Nowadays ransomware attackers only take a few days on a site – they are not being found faster, the criminals are just getting in and exfiltrating data more rapidly – often in the evenings and at the weekends.
Because there are so many unknowns and the world is changing so fast, we need to stop being focussed on the latest threats that people are talking about and focus more on our own security postures and what is happening on our own systems.
Anything can be vulnerable. If you don’t patch then you will be at risk. There may be as many as 85 000 unpatched Exchange servers out there – that’s the real problem. There will always be threat actors looking for vulnerabilities and software companies looking to develop patches. But if companies don’t use the patches there will always be problems.
The core problem is that everyone agrees what should be done but people still get hacked. We need to look for different approaches instead of doing the same things we have been doing for 20 years. Moving to the cloud and having automated scanning as part of that will help: cloud providers are simply more diligent at keeping systems patched.
We have an increase reliance on remote working. This has brought many new challenges for some companies, although many companies were prepared and switched to remote working as part of a well-rehearsed plan. In some instances the move to remote working has reduced the pressure on IT support teams, allowing them to focus on other issues.
Most of incident response is the triage and investigation. This can be easier with remote working. And as people get more used to remote working and experienced using the tools like Github, it actually gets easier. On the other hand, being physically with people makes it easier to draw people out and ensure they understand particular issues. So there are benefits in both directions.
Context and automation will make it easier to identify the threats. You need a system that gives you context and the ability to pivot round that context, rather than having to write queries for each investigation. So that rather than having to monitor everything, if you can be shown that there is a new connection and that perhaps it is using a Russian keyboard layout that context will be very helpful.
Desk top drills are also important. They can help to identify gaps in business continuity – even things as simple as how documents get signed. And you can use them to explore how to respond to a particular incident – defining communications and practising procedures like encryption which perhaps might otherwise get forgotten.
Threat intelligence always looks at yesterdays attacks. Todays’ threat can’t be protected by it because they don’t have useful file signatures in the way that we did 10 years ago. It’s fine for attributing an attack by a known vector but it shouldn’t be used as a ay of sefending yourself. The bottom line though is that every organisation is different. Rules won’t fit everyone – so you should look at what works for your organisation and do that. Follow best practice, question what you are doing, don’t rely on what happened last year. And patch!
Britain is prepared to retaliate with a nuclear strike if it faces an exceptionally dangerous cyber attack or any other attack leveraging emerging technologies, the government's latest integrated Review of security, defence, development and foreign policy has revealed.
As reported by Guardian, the integrated defense review states that Britain is ready to launch nuclear weapons if it faces an exceptionally dangerous cyber attack or attacks leveraging other “emerging technologies”. This statement marks a significant departure from the existing policy of using submarine-launched Trident missiles. As per the earlier policy, Trident missiles, which are armed with thermonuclear warheads, can only be launched against another nuclear power or in response to a biological or chemical attack.
According to the new defence policy that was unveiled Tuesday, the UK would “reserve the right” to use nuclear weapons in the face of “weapons of mass destruction”, including “emerging technologies that could have a comparable impact” to chemical or biological weapons.
Commenting on the government’s announcement, Natalie Page, threat intelligence analyst at Talion, told Teiss, “This is an extremely alarming claim from the UK government. For cyber warfare to spill over into the real world in such a destructive and dangerous manner, is an ideology that is not only terrifying but as we witness cyber attacks becoming so advanced and widespread, is something which we may see governments across the globe begin to revert to in the imminent future.
"A major concern is exactly how governments will monitor attacks and identified assailants. It is not always clear-cut during nation state attacks who your attacker is. As analysts, we often witness attributed threat groups change during the investigation of an attack, with it sometimes being months before researcher’s are able to indisputably establish a threat group, due to attackers utilising all mechanisms available to obfuscate their true identify. If the government reacts too quickly to these attacks, releasing a nuclear weapon upon an innocent country, the implications could be catastrophic," she added.
Dimitris Strevinas, CTO of Obrela Security Industries, also highlighted the problems that nations face when attributing cyber attacks to specific adversaries. "Attributing cyber-attacks to a specific country or group operating in it, based on the direct origin of the attack may lead to false attributions of responsibility. Cyber attacks are highly decentralised and in most cases, the actors utilize multiple levels of cross-country access to hide their origin, identity and intent," he said.
According to Strevinas, sophisticated hacker groups today follow a chain of command, which crosses country restrictions and may involve multi-national groups with variable levels of knowledge related to the mission objectives. Therefore, pinpointing a particular country as responsible for a cyber attack is problematic.
"As such, engagement of weapons of mass destruction as a response to a low-confidence attribution of responsibility should be carefully re-considered, even if the intent is to demonstrate readiness," he added.
This is not the first time that the government has not ruled out using offensive military capabilities to respond to large scale cyber attacks. In November last year, the government formally announced the setting up of a National Cyber Force that will carry out cyber operations to counter terror plots, support military operations, and disrupt the activities of terrorists and criminals threatening the UK’s national security.
"The National Cyber Force is a joint Defence and GCHQ capability, giving the UK a world-class ability to conduct cyber operations. The NCF is bolstering our global presence in the cyber domain, and it is a clear example of how we are turning our ambitious agenda to modernise defence into a reality," said Defence Secretary Ben Wallace.
NCF is tasked with conducting cyber operations to support diplomatic, economic, political and military capabilities and its range of activities includes preventing terrorists from communicating with each other, helping to prevent the internet from being used as a global platform for serious crimes, including sexual abuse of children and fraud, and keeping UK military aircraft safe from targeting by hostile weapons systems.
In June last year, the Ministry of Defence also launched the first dedicated Cyber Regiment with the responsibility to protect vital defence networks at home and on operations overseas from cyber threats. The 13th Signal Regiment secures digital communications equipment and channels used by the armed forces, but also works with the Royal Navy and Royal Air Force to provide secure networks for all military communications, and provides the basis of the new Army Cyber Information Security Operations Centre.
"This is a step-change in the modernisation of the UK Armed Forces for information warfare. Cyber-attacks are every bit as deadly as those faced on the physical battlefield, so we must prepare to defend ourselves from all those who would do us harm and the 13th Signal Regiment is a vital addition to that defence," said Wallace.
Originally Aired: Thursday 18th March 2021, 10:00 (GMT)
This episode is now available to view on-demand.
Incidents are a great way of engaging with the Board. The Solar Winds incident got a lot of coverage and that sort of news will often prompt board members to interact directly with the security team. Larger incidents will open a dialogue and the opportunity it to explain the issue as it might impact on the organisation, and a lever for getting resource decisions made.
Operational risks cover a wide range as well as cyber, including resilience, outsourcing, change – and it’s a challenge to ensure those different risk types come together. Teams need to be proactive and work with colleagues e.g. in threat intelligence so ensure all the required resources are in place.
Response to a major incident is highly stressful for teams and leaders. Even larger organisations with mature security processes will find it tough. Being well prepared is important and as part of this running desk top simulations will help. These can include the Board who can practice and discuss their responses.
Supplier organisations should be classified so that they only have access to those systems and data that they need access to. This is an ongoing process as suppliers change and their security postures also change. Perhaps a company has been compromised; perhaps some of the team have left; perhaps they are dealing with risky organisations. This is a major challenge.
The problem isn’t just hacking into IT systems via a supplier. Fraud is an issue as well. The supplier may have been compromised: in that case fake invoices with fake bank account detail may be sent out -this is a major problem for organisations.
And because this is such a challenge, and one that happens at scale (most organisations have thousands of other companies in their supply chain) there is a need to set up a triage process where you review some suppliers more regularly and have close discussions with them, especially technology companies. But you won’t be able to put all suppliers at the top of your triage list. And that’s a problem too ad tier 2 and 3 suppliers can also be a threat.
Control across a complex estate is not always consistent. This leads to a debate about contingency controlled monitoring, something that could be used with the supply chain, so that as well as external scanning of supplier networks you can also get an internal view. Perhaps a third party might engage with third parties supply chains, reaching inside their networks and providing some form of monitoring. This type of scanning can be beneficial for both parties.
This will depend on the supplier. How important is the supplier to the business. Do they process critical data? Do they get involved with critical systems or products? If they do then there may be a need for continuous engagement with the supplier. Otherwise perhaps you are just using some form of annual review,
With covid, use of cloud and BYOD have increased. This can cause a real challenge for instance when shadow IT is purchased on business credit cards but the IT and security team have no visibility of the new IT being used or whether it has been set up securely. This means that supply chain risks may increase, but in an unseen way.
It should be standard practice for supplier to inform their customers if they have been breached. This of course needs to be defined – is a near miss where no data went missing counted as a risk? You and your supplier need to know what needs to be reported.
It’s hard to quantify the cost of a breach even if you can quantify the monetary value of an operational breakdown at a supplier. The difficulty is that there will be many elements to a cyber breach caused by a supplier: fines, customer costs, IT costs. So it’s hard to assign a value that should be set against the price that a supplier wants to change you.
In addition, risks from individua suppliers will be affected by your own security posture. Is it their fault if they are breached and you are affected because you have been negligent? Many organisations really don’t understand the degree to which their systems are secure and how easy it would be, for instance, from an attacker to move from part of an IT system accessible by a particular supplier to other parts of the IT system.
Kevin Bocek at Venafi describes how "man in the middle" attacks are far more common that people realise.
Although less well known than ransomware and malware attacks, Man-in-the-Middle (MitM) attacks are among the most widely used methods available to cybercriminals: according to some estimates, 35 percent of incidents where cyber weaknesses have been exploited involved MitM attacks.
MitM attacks happen when a cybercriminal sits between the connection of two parties. This gives them the ability to covertly intercept or sabotage communications, so they can spy on their victims or obtain their login credentials or other personal information. As such, MitM attacks are a valuable part of the cybercriminal’s toolkit.
As MitM attacks are one of the oldest types of cyber attack, security professionals have found ways of guarding against them over time. Yet as organisations have become increasingly digitised, MitM attack methods have evolved.
Traditionally, MitM attacks have been carried out by interfering with legitimate networks, or by setting up a fake network that cybercriminals control. This allows cybercriminals to intercept communications to a user’s network before reaching the target destination. Ordinarily, this involves the attacker executing a ‘passive’ attack, such as setting up malicious Wi-Fi hotspots, and making them available for public use. Once the victim connected to it, the cybercriminal can access any exchange of data on the network. This gives them the ability to decrypt any traffic encrypted with a Transport Layer Security (TLS) certificate, all without the user or application knowing.
However, thanks to advancements in cybersecurity defences, network-based attacks such as these are increasingly difficult to execute. As such, cybercriminals have begun to shift their MitM efforts away from networks, and towards the endpoint. Increasingly, cybercriminals recognise that by exploiting machine identities (such as X.509 digital certificates used for TLS), they can make their activities appear trustworthy and secure. By targeting an individual computer and installing a root Certificate Authority (CA), attackers can generate valid digital certificates that allow them to impersonate any website. The user may be visiting, say, Barclays’ website, but since the root CA is controlled by the bad guys, every encrypted communication the user sends can be intercepted. As the communications are underpinned by a valid machine identity, they appear to be safe and trustworthy, making this method extraordinarily difficult to detect.
The Superfish fiasco was a prime example. In 2015, hardware giant Lenovo shipped devices with advertising software from Superfish, a US-based software developer, pre-installed. The software was used to place adverts into the user’s Google search results that Lenovo wanted them to see. However, for it to work, Lenovo needed the ability to intercept user traffic so that it could advertise to users. It did this by interrupting the certificate chain – the system of trust that machines use to verify online communications – through the use of a ‘self-signed’ certificate; enabling Superfish to appear as a trusted party. This effectively made Superfish the root CA, which ensured that every website the user visited would have a certificate that’s signed and controlled by Superfish. Lenovo’s intentions may not have been malicious, but they gave cybercriminals a blueprint to follow.
As organisations become increasingly digitised, we can expect MitM attack methods to evolve once again. Digital transformation is now a priority for organisations of all types, and spending on technologies such as cloud, artificial intelligence and the Internet of Things has skyrocketed, even amidst the challenges of 2020. As a result, the number of machine identities used to secure machine-to-machine connections has grown exponentially.
For MitM attackers, this presents a new opportunity. By following the Superfish method above, cybercriminals can compromise a machine – from a cloud instance to a Kubernetes cluster to an API gateway - that issues commands to others on a network. For instance, were a cybercriminal to install a root CA on a cloud server that communicates with a wide variety of other machines, they could intercept and potentially alter every communication that’s issued. In this way, the concept of ‘Man-in-the-Middle’ becomes ‘Machine-in-the-Middle, and while the latter will be more challenging for cybercriminals, the potential to wreak havoc is huge. For example, what if this method was used to alter commands sent to networks of connected healthcare devices? Or to autonomous vehicles?
The reality is that cybercriminals know all too well that organisations routinely overlook the importance of protecting their machine identities, such as TLS certificates. They know that since every single digital process relies on a machine identity, organisations have thousands of them to look after, and that it only takes one to slip through the cracks for them to take advantage. They know that they can then use machine identities as a weapon, enabling them to subvert machine-to-machine communications while appearing to be trustworthy.
The nightmare scenarios that ‘Machine-in-the-Middle’ attacks might involve remain hypothetical for now. Yet unless organisations begin to understand the importance of protecting their machine identities, it’s only a matter of time until we see one in practice.
Visibility over every single certificate on their networks is the best defence organisations have against this threat. Security teams need access to the right tools to enable certificate discovery and to automate responses to anomalous behaviour. This allows organisations to find and evaluate every certificate to make sure they are secure and automatically remove any that have been compromised. Critically, enterprises need to ensure that issues such as certificate creation, renewal and replacement are automated as much as possible, preventing any certificates from expiring or being forgotten about, which opens the door for their use within MitM attacks.
Air Date: Thursday 25th March 2021, 16:00 (GMT)
Roland Cloutier - Global CSO, TikTok
Mudassar Ulhaq - Chief Information Officer, Waverton Investment Management
Andrew Tsonchev - Director of Technology, Darktrace
Air Date: Tuesday 30th March 2021, 16:00 (GMT)
Gaynor Rich - Global Director Cyber Security Strategy, Unilever
Gary Sorrentino - Global Deputy CIO, Zoom
Jitender Arora - Chief Information Security Officer, Deloitte
Sudeep Venkatesh - Chief Product Officer, Egress
Air Date: Thursday 8th April 2021, 16:00 (BST)
Andrew Aken - Zero Trust Lead Technical Architect, Twitter
John Rouffas - Chief Information Security Officer, Pharos Security
Rob Hornbuckle - Chief Information Security Officer, Allegiant Air
Jason Soroko - CTO of PKI Sectigo
Air Date: Tuesday 13th April 2021, 16:00 (BST)
Jordan M. Schroeder - Deputy MD & Managing CISO, HEFESTIS
Robin Lennon Bylenga - Human Factors Analysis Classification System
Jean Carlos - Group Head of Information Security, Nomad Foods
Richard Cassidy - Senior Director – Security Strategy, Exabeam