In a post-pandemic world, the cyber threat remains up, but vigilance remains down
That is not the sort of tweet you would expect from the official Jeff Bezos Twitter account. Nor from Bill Gates, Barack Obama or Kim Kardashian. Yet in July 2020, hackers made over $100,000 USD in a couple of hours via bitcoin transactions, having compromised 130 verified Twitter accounts.
It has been widely recognised that cybercriminals are developing their arsenal at unprecedented rates, and our security measures are failing to keep pace. But the pandemic has further exacerbated the problem.
Facing the facts
Cyber attacks are one of the fastest growing crimes in the world. Globally, cybercrime damages are expected to reach $6 trillion by 2021 (Cybersecurity Ventures 2020). If this were translated into a country, it would be the world’s third largest economy after the US and China. There is no denying that our unwavering dependence on the cyber realm during the pandemic created the perfect breeding ground for cyber attacks, through a groundswell of digital vulnerabilities. Cybercriminals exploit the fear and uncertainty that manifest in times of instability. These attackers are also living in the same world as us (potentially under lockdowns and restrictions), giving them time to develop tools and techniques. The World Economic Forum reported that the pandemic led to a 50.1% increase in cyber attacks between 31st December 2019 and 14th April 2020 alone.
As a well-known example, Zoom’s video conferencing software, which rocketed into our lives nearly overnight, was accompanied by several security incidents, notably the 500,000 user accounts that emerged for sale on a dark web forum.
Ransomware — malware that infects computers (and mobile devices) and restricts access to their files, often threatening permanent data destruction unless a ransom is paid — is the ‘go-to method of attack’ for cybercriminals. It has been dubbed the ‘digital pandemic’. These attacks have increased by nearly 500% since the start of the COVID-19 pandemic, according to a Bitdefender report.
‘Red teaming’ can ease such issues, but has been de-prioritised through COVID-19, ironically, when it has been needed the most. It is an adversary simulation: a scenario-based and goal-driven test, with the ultimate aim of emulating the real-world adversaries and attackers who are trying to break into a particular system or steal information. It is an appropriate measure to take when the system, or the data it holds, is at all critical to the business. We call these your ‘crown jewels’: the things that would keep you awake, cost you your job, or cause financial ruin or loss of brand equity if they were compromised or stolen.
James Mason (Enterprise Cyber Security - QinetiQ) says: “I cannot recommend highly enough to evolve your red team exercises during current times to remote only, rather than nothing at all while awaiting a return to a more business as usual, onsite working environment. This is how realistically organisations are currently being attacked. A red team exercise can and does identify critical vulnerabilities, which when adequately remediated, rapidly reduces real-world risk, potentially organisation-wide from the very first exercise.”
Instead of looking at the target system in relative isolation, red teaming looks to simulate how attackers will actually go about attacking an organisation.
With the total upending of the ‘normal’ working environment, many organisations with a large physical infrastructure footprint lowered their priority for red teaming. As full-spectrum red teaming exercises (QinetiQ’s Advanced Intrusion Exercise) could include physical breaches, this delay or cancellation was understandable. Risk was absorbed whilst the all-consuming uncertainty of COVID-19 took its toll.
However, there also remained a reluctance to perform ‘cyber-only’ red teaming. Our QinetiQ experts were given justifications along the lines of accepting a level of risk until business returned ‘as usual’, alongside tendencies towards large-scale spending cuts, with employees on furlough and enforced remote working. These positions are likely to have underestimated the pandemic’s nature and its longer-term impacts. And whilst we have now recognised that COVID-19 will not be subsiding any time soon, remote red teaming exercises are only just being brought back onto the agenda, with some organisations’ most recent red team exercises approaching three years old, which is not a good position to be in when considering evidence-based risk.
But why is such a delay in red teaming so treacherous? What makes these exercises so indispensable?
Security blind spots
With such an explosion and ubiquity of threats, discounting cyber-only red teaming is not only unjustified but also dangerous. The pandemic has simply exacerbated the issue. Red team exercises can more closely simulate current situations and mimic the very latest real-world attacks, most likely preventing many of those we have seen during this period. Exposing the vulnerabilities and critical issues ahead of time would fast-track resilience and lower critical risks from a single exercise. Waiting until ‘business as usual’ returns is not only dubious; even if it does return, it would be too late to catch up with the evolving nature of cyber threats. If a breach happened right now, after a 2-3 year break in such specialised exercising, it is not unfounded to assume the response would be suboptimal. Moreover, would a 2-3 year old, outdated exercise be a reasonable excuse to senior management, to their own staff, supply chain, customers and perhaps shareholders?
Similarly, VPNs, monitoring and identity and access management have not been widely adopted across organisations, yet they provide an extra layer of security for our virtual environments.
Phishing emails are a ‘known’ threat, but there is the question around when they are most likely to succeed – are employees more likely to click one when working at home? Do we have regular enough security updates and patching?
Looking at the physical side, are physical breaches more likely while offices and premises are emptier? Are building access controls, meeting rooms, network ports and Wi-Fi adequately secured during current times?
Rethinking red teaming
As the world enters into cyclical periods of relaxation and restrictions, security operating models need to be adaptable, reactive and rapidly deployable. This does not necessitate entirely new approaches to security, but a holistic perspective on the diversity and nature of threat vectors in existence at a given period.
Although the reprioritisation of cyber-only red teaming must be embraced, a hybrid approach continues to be paramount. A red teaming focus should be accompanied by pen testing, security monitoring, risk and compliance, training and exercising to build a robust cyber-security strategy. Any weakness in a system – across both physical and digital infrastructure – is a potential win for an adversary.