Being a veteran cybersecurity incident responder with over 21 years of field experience, I know I will always have a job and it will always be interesting. In the evolution of cyber-attacks, I'd argue that while the fundamentals have stayed the same, there have been two major, critical changes in the past few years among nation-state and criminal attackers that require us to understand them thoroughly and respond in a different manner than in the past.
Most of the world, across most industries, has reached the tipping point in its digital dependence on IT infrastructure, and that has drawn attackers in
The first change is the larger scope of attack. In the past you could draw a heat-map around the most technological countries: the US, South Korea, Japan, the UK and Germany. Today we've reached the tipping point where most countries are dependent on IT to the point that the heat-map is hot white over most of the world. The same is true for industries: in the past only certain industries were dependent on IT, where today most industries rely on IT and their digital capabilities like never before.
There is a positive side to this digital dependence. From the first world to the third world, while this pandemic has caused much sorrow and an economic slump, it hasn't buried us the way it would have if it had occurred even ten years earlier, and our ability to work remotely and effectively is why. With such digital dependence, it only makes sense that nation-state and criminal hackers would grow and escalate in such an environment.
Digital innovation has given attackers a vicious edge that has expanded their speed, depth and breadth like never before
The second, and far more impactful, change is how dramatically digital innovation has altered the trend. For the good guys, digital innovation has become a critical competitive differentiator, and it has expanded our attack surface to include a large array of interconnected entities, whether by application, by network, by supply chain or through countless as-a-service offerings.
We use DevOps models, scripting and automation that allow playbooks to push out and manage entire environments with a single mouse click, and we collaborate with others to build applications faster than ever before. For the bad guys, the same digital innovation works to their advantage: attackers partner up, collaborate, and share attacks and intelligence.
Using scripts and automation, attackers not only establish a beachhead; they script account escalation, backdoor placement and the wiping of their footprints directly into their attacks. Attacks are further carefully orchestrated and optimized to hit entire industries at one time and to dig in deep in the most impactful ways possible.
Turning digital dependence and innovation back on the attackers
If digital dependence means the current trend in attacks affects us all globally, the most powerful takeaway is that we can defend ourselves more easily and more effectively by bringing the same digital innovation we use in other parts of the enterprise into cybersecurity.
For one, there are APT, ransomware and supply-chain experts who keep track of nation-state and criminal actors. It's critical that we feed their analysis, indicators of compromise and expertise into our security controls within the SOC. The way we defend ourselves must include techniques that leverage automation and updates that occur in near-real time.
Just as automation is used to stand up and manage whole new IT environments, the same capability needs to be applied to security. Use playbook automation to seek out vulnerabilities, search for new indicators of compromise, and provide automated support during an attack so we can counter it more efficiently.