by Phillip Hoyer, Field CTO, EMEA, Okta

In its recent advisory alert, the National Cyber Security Centre (NCSC) warned of emerging threats to critical national infrastructure (CNI). The warning covered the increased risks to CNI from state-aligned groups.  It was explicit in identifying those groups ‘sympathetic to Russia’s invasion of Ukraine’ who might then ‘launch destructive and disruptive attacks with less predictable consequences than those of traditional cyber criminals’.

Behind the cautious language, the worry behind this advice is twofold:

1. Better tools: It is clear that more bad actors have access to an increased array of sophisticated resources to mount such attacks

2. Bitter goals: Actors driven by a motivation to disrupt and disable may mount more destructive and reckless attacks

Better tools

Recent research shows that most IT decision makers still perceive the number one cybersecurity threat to be individual bad actors, such as independent black hats, hacktivists or script kiddies, with nation states coming in fourth, behind the specific threats of ransomware and data loss.

It can therefore be tempting to assume that better-equipped, ideologically driven groups are less of a threat. However, there is a great deal of evidence to suggest that this evolution towards better-equipped, smaller groups is underway.

One can also read ‘between the lines’ of the announcement that these smaller groups might now be given resources, or access to cloud servers or zombie botnets, by state-backed groups to mount attacks.

Former intelligence chiefs have warned that threats to the likes of CNI systems take extensive planning and a specific awareness and learning of systems. The fear here is that such attacks are currently being planned. The recent increase in advanced persistent threats (APTs) reported by most vendors supports these fears.

There are further facets to this half of the issue. Firstly, within the broad church that is CNI, sectors lament substantial shortcomings in cyber security investment over recent years. Healthcare is an immediate example: in the UK, there have been occasions of log-in fatigue and authentication issues within the NHS. And of course, there is the recent history of the WannaCry hit.

Elsewhere, telecommunications can often be a very porous industry when it comes to cyber security as a result of poor integration, the presence of legacy systems and a lack of common security practices following the many mergers and acquisitions that happened in this sector.

Underneath these considerations of which vertical may be most at risk, the real ‘common denominator’ is size. Typically, CNI businesses are large organisations that have complex, multi-technology stacks and employ many contractors, and thus present a greater attack surface, which equates to increased risk. Whilst not a CNI organisation per se, the recent hit at Uber is very instructive here: access to a password vault was compromised, beginning with an external contractor being targeted.

In short, the better tools are being trained on weakened CNI targets.

Bitter goals

The NCSC alert was unusual in being so specific about the motivation behind these new attackers. There is an immediate and simple explanation for this – the alert was partly to highlight a session on day two of CYBERUK.

However, the growth of these smaller groups does demand a more focussed assessment of what drives these actors. ‘Traditionally’ the main reasons for any activity would be either recognition and status within the cybercriminal community, or financial gain. We now have to add a third element: ideology.

This is a cause for concern, as the first two elements retain an air of ‘professionalism.’ It is possible to talk of a ‘better class of criminal’ if we track either informal standing within the cybercriminal community or greater illegal earnings. By comparison, this new facet leads to fanaticism.

This is not the only concern. Recent history shows it is harder to track and combat ideologically driven groups: they are smaller and more fragmented, there is no central control, and there is much less likely to be a trail to follow – especially in comparison to groups that conducted attacks for payment. There is no money to follow.

How then do we combat these new, ideologically driven groups? Simply put, good guy thinking has to change. Instead of ‘following the means of payment for an attack’, it is now about ‘finding the means of production for an attack’. This means being on the lookout for those improved resources such as high-end machines, zombie units and server farms.

For those in the fight

For those businesses actually within the CNI industries, it is important to recognise that this threat has arisen and is set to accelerate. Consequently, the speed of response will be vital – be it establishing the identity of trusted users, accelerating plans to tighten security, implementing cyber defences and tools, or improving the response time to an attack.

As part of its advice, the NCSC recommends that organisations implement secure system administration, including the protection of administration interfaces, the use of tiered administration and privileged access management. Identity sits at the core of all of these disciplines and will be a key element in protecting CNI.

An identity-first approach based on Zero Trust has gained traction as businesses seek to protect themselves against common cyber threats. This approach does not blindly trust a request simply because it originates inside the corporate network; instead, for every service or data item, it evaluates the complete context at the moment of access, including the network, the location, the user and the device. This enables strong authentication, establishing the identity of the user and of the device used to access data or applications. In an industry facing an advanced, evolved threat, this approach should be mandatory to balance security with frictionless access to applications, data, and resources, in order to keep the CNI working.
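To make the contrast concrete, the following is an added illustration (not code from the article or from Okta) of the difference between perimeter trust and an identity-first decision that weighs the full request context, with tiered administration applied to administration interfaces. The request fields, tier numbers and MFA labels are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed example: a minimal access-policy evaluator contrasting perimeter
# trust ("inside the corporate network, so allow") with a Zero Trust decision
# that evaluates identity, device, network and location at the moment of access.

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str          # e.g. "admin-console", "patient-records"
    admin_tier: int        # 0 = highest privilege (tiered administration), assumed scheme
    mfa: str               # "none", "otp" or "phishing_resistant" (assumed labels)
    device_managed: bool   # device enrolled and compliant
    network: str           # "corporate" or "internet"
    location_known: bool   # location consistent with the user's normal pattern

def perimeter_decision(req: AccessRequest) -> str:
    """Legacy model: anything arriving from the corporate network is trusted."""
    return "allow" if req.network == "corporate" else "deny"

def zero_trust_decision(req: AccessRequest) -> str:
    """Identity-first model: network origin is one signal, never sufficient alone.
    Returns "allow", "step_up" (demand stronger authentication) or "deny"."""
    # Tier 0 (administration interfaces): strongest requirements, no exceptions.
    if req.admin_tier == 0:
        ok = req.mfa == "phishing_resistant" and req.device_managed and req.location_known
        return "allow" if ok else "deny"
    # Other tiers: MFA is mandatory; a risky device or location raises the bar.
    if req.mfa == "none":
        return "step_up"
    risky = (not req.device_managed) or (not req.location_known)
    if risky and req.mfa != "phishing_resistant":
        return "step_up"
    return "allow"

def compare(req: AccessRequest) -> Tuple[str, str]:
    """Return (perimeter decision, Zero Trust decision) for one request."""
    return perimeter_decision(req), zero_trust_decision(req)

# Constructed sample: a contractor account on the corporate network, on an
# unmanaged device with only a one-time code, reaching for a tier-0 admin console.
CONTRACTOR_ADMIN = AccessRequest("contractor-a", "admin-console", 0, "otp", False, "corporate", True)
# Constructed sample: a clinician working remotely on a managed device with
# phishing-resistant MFA, opening an ordinary tier-2 application.
CLINICIAN_REMOTE = AccessRequest("clinician-b", "patient-records", 2, "phishing_resistant", True, "internet", True)

if __name__ == "__main__":
    for r in (CONTRACTOR_ADMIN, CLINICIAN_REMOTE):
        print(r.user, r.resource, compare(r))
```

The perimeter model allows the contractor and blocks the clinician; the context-based decision inverts both outcomes.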