In a week that witnessed another nation state cyberattack on an energy system, this time the Iranian nuclear facilities in Natanz, our belief that the power grid is somehow inherently protected from serious damage, due to universal agreements formed in the past through the Geneva Convention and such, starts to seriously erode.
The fact is that at this precise moment in time, there are no globally agreed rules guiding cyberwarfare, no bulletproof methodologies for attribution, and no speedy procedures for prosecuting cybercriminals and deterring repeat attacks. In cyberspace there are often no fingerprints left by attackers, no witnesses to leverage, no smoking gun to provide the evidence that has traditionally led to prosecution and deterrence. Add to this a collective culture of defender secrecy around cyber events and we have fertile ground for a booming cybercrime industry that is more organised, targeted, dedicated, collaborative, and deadly than ever before.
And yet we know that this scenario is just a moment in time! Once power grid operators accept that the old rules no longer apply, we will also get more organised, targeted, dedicated, collaborative, and deadly serious about protecting our infrastructure and our people from every conceivable cyberthreat on the horizon, without question.
So, how do we collectively get there from here? ‘Attribution’ is key and must be evolved as a matter of urgency to make it fit for purpose within cyberspace. When power grid operators place attribution at the heart of their cybersecurity strategies, the concept of cyberattacks shifts from being our ‘new normal’ to one-off incidents that are indefensible and unrepeatable.
What the evolving attribution process requires from us is:
1) High levels of employee cyber awareness and vigilance to raise early alarm bells,
2) Honeypot or advanced deception systems that lure cybercriminals into dummy networks and enable us to identify them,
3) Advanced intrusion detection systems that closely monitor their behaviour and help us predict their intentions,
4) Robust incident response procedures that utilise state-of-the-art forensic tools and procedures to provide the vital evidence for a successful attribution,
5) Transparency around cyber incident reporting with the willingness to go public and contribute to the collective cyber intelligence pool.
The fact is, together we are stronger! In the past year over 80% of organisations have experienced a cyberattack and this number is set to rise in the year ahead. Organisations can no longer place ‘reputation concerns’ above their social responsibility of contributing to the intelligence pool and helping policy makers and law enforcement agencies re-define the rules of attribution so that cybercriminals can be identified, held to account, and prosecuted. By better understanding our power and influence we will deliver more effectively on our social responsibilities and build a societal firewall that will soon be impossible for cybercriminals to penetrate at all.
Please enjoy this week’s selection of news, views and resources below, and feel free to share this newsletter with colleagues in other departments, and peers in other organisations.
News, Views & Resources
REPORT: RAND Corporation. Stateless Attribution. Toward International Accountability in Cyberspace.
The attribution of a malicious cyber incident consists of identifying the responsible party behind the activity. A cyber attribution finding is a necessary prerequisite for holding actors accountable for malicious activity. In this report, we review the state of cyber attribution and we consider alternative mechanisms for producing standardized and transparent attribution that may overcome concerns about credibility. In particular, this exploratory work considers the value of an independent, global organization whose mission consists of investigating and publicly attributing major cyber-attacks.
REPORT: Illusive. Next Generation Deception Technology Vs. Honeypot Architecture.
Despite increasing security investments and best efforts, industry studies and research continue to find that sophisticated malware authors and cyber criminals are innovating at a faster pace than security professionals can react to. Attackers are increasingly able to slip past network security applications such as IDSs, IPSs, firewalls, and web application firewalls - regardless of how new and comprehensive they are. Reacting to the attacks is the exact problem. Honeypots and next-gen deceptions are markedly different from traditional cyber security appliances and architectural solutions. Where complicated applications aim to react to a cyber-attack and isolate it as soon as possible, honeypot architectures and next-gen deceptions take a more proactive stance to catch cyber criminals in the act.
REPORT: Darktrace. Immune System, Self-Learning Detection & Response.
The increasing frequency of novel external attacks and insider threats, together with the exploding complexity of the digital estate, has gradually disarmed security teams who still rely on traditional controls. The fact is that targeted attacks will inevitably get inside, and so the industry’s attention has shifted to the question of how defenders can be equipped to detect and respond to emerging threats that are already inside the business, but that can be handled before they become a crisis. And as in many other areas plagued by digital complexity, business leaders and security teams have ultimately turned to artificial intelligence to keep pace.
REPORT: The Police Foundation. Unleashing the Value of Digital Forensics.
The ubiquity of digital devices and the centrality of the internet to most people’s way of life mean that almost any crime will now generate a trail of digital evidence that is relevant to the work of the criminal justice system. The volume of digital evidence now potentially relevant to criminal cases is such that it threatens to overwhelm the police, prosecutors and the courts. In this report we define what we mean by digital forensics and set out how capability is currently organised. We describe the importance of digital forensic work as a core part of the modern criminal justice system. And, we identify a number of challenges that need to be overcome if we are to realise the potential of digital forensics.
VIDEO: The RAND Corporation. Accountability in Cyberspace. The problem of Attribution.
Recently, several cyber incidents with geopolitical implications have received high-profile press coverage. Identifying the responsible party behind malicious cyber incidents is a necessary prerequisite for holding these actors accountable, but there are many challenges that accompany cyber attribution. In this video we review how cyber attribution is handled, presented, and received today, and consider the value of an independent, global organization whose mission consists of investigating and publicly attributing major cyber-attacks.
CyberAware Webinar Series