The Professionalization of Cyber Crime and What You Can Do
Our webinar discussed how organizations like panelist Jack Fowler’s Harris Federation could change their security posture in light of new trends in cyber crime. These trends, detailed in a report from our Threat Intelligence team, show how changes in the threat landscape have had a knock-on effect on the threat actor ecosystem. In short, the consequences of the collapse of the Conti Group and other factors have included:
- An increase in pay-to-play threat groups using tools provided by third parties,
- The rapid spread of Conti tools, techniques and procedures (TTPs), and
- The advent or rise to prominence of a number of groups that have either used tooling developed by other groups or have inducted, or been built with the help of, former Conti members or other threat actors.
There’s plenty more in the report, which you can read on our Threat Intelligence hub here: The professionalization of cyber crime.
The webinar replay can be viewed here: Webinar: The growing professionalization of cyber crime and what you can do.
We also asked our host, Security Consultant Katie Inns, Harris Academy’s Head of Information and Cyber Security Jack Fowler and the report’s author, Senior Threat Intelligence Analyst Stephen Robinson, for their thoughts on the questions we didn’t have time to answer.
You can find their answers below:
1) Jack, how can single schools have the same level of visibility as the Harris Federation, like having one of you and the staff and tools at each school?
[Jack] Speaking frankly, I’m not sure an individual school that isn't resource rich can. So, what's the next best thing? Raise concerns formally with your leadership, track the lack of maturity as a risk, then put in realistic, 'big win' actions against that risk to help address it. That might be looking at the guidance from the UK’s NCSC or working through Cyber Essentials as a starting point; the NCSC Cyber Advisor scheme is well worth looking into if your organization is based in the UK.
It also means that someone within the organization needs to wave the security flag, whether that be a teacher, member of the leadership or your IT technician. Once these things are raised formally as a risk, usually getting traction to address them, however big or small, can follow.
2) For security teams that are under-resourced, where do you think they should focus their efforts as far as enhancing/maintaining security resilience?
[Jack] This is very similar to the first question about an individual school, and I think the advice for any under-resourced team is very similar: Raise concerns formally, track the lack of maturity as a risk, develop a realistic set of actions, have someone in your organization actively waving the security flag; all of these things establish cyber as a risk, and when it’s seen as a business risk, action often follows.
[Stephen] This feels like a similar issue to the previous question. If you’re under-resourced you can’t shoot for the stars, just make sure that you get the simple things right. You can only work with the budget and tools that you are provided with, however, and when you’re getting squeezed you can get pushed into cutting corners. Once you start doing that it’s very difficult to go back and undo it. Document what you’ve got, document what you need, and make it clear that the shortfall between the two is a risk that needs to be owned and understood.
3) What tips do you have for communicating this change in our risk profile to my board of directors without totally freaking them out?
[Jack] Translate 'Cyber' risks into succinct, business-focused narratives. Translate the impact types: what it would mean fiscally, reputationally and for compliance if they were to materialize. Talk about the cost of a breach vs. the cost of reducing its likelihood in the first place. Use evidence, internal or public.
Don't just scaremonger. Suggest solutions, put together an action plan, a tangible, costed plan to help manage risks.
[Katie] Understand what it means to your organization and how you're actually affected first. There might be certain applications/services that are commonly targeted during the use of these services (RaaS (Ransomware as a Service), IAB (Initial Access Brokers) etc.) that you're just not using, and therefore they aren't relevant to your organization.
Highlight the things you're already doing to prevent/detect any attacks of this kind, and then highlight what you could be doing better and therefore what you should be focusing on.
[Stephen] It’s a change in our understanding of threat. It doesn’t necessarily mean that everyone in the world is now gunning for you, but it does mean that if there is a vulnerability in your network, there are (as there always were) many actors out there who will pick up on that vulnerability and try to exploit it. What has changed is that the knowledge of your vulnerability, or the capability to exploit it, may now be bought and sold until it reaches an actor who has the appetite and capability to do something with it. Essentially, you are less able to rely on your own obscurity, or an attacker’s lack of ability as a line of defense.
4) I find users are often OK until they get tired and "just click". Are people still the biggest vulnerability?
[Stephen] Technically, people and their choices are the only source of vulnerabilities. Everything else is just a tool that someone set up. However, are users the biggest vulnerability?
It’s fairer to consider users your greatest attack surface – they interact with so many systems, internally and externally, and they are required and expected to do so many things which can become points of attack.
Users have to go to websites, they have to click on links in emails and download attachments, they have to sign in when presented with a prompt. You can’t blame users for that, particularly as getting someone to the point of just clicking (i.e. MFA fatigue) is a specific attack method. How can you address this, though? Well, systems and processes are there to take the load off users and make their jobs easier, just like computers are meant to!
[Jack] No, if your users 'clicking' is causing a breach, there is much more work to do with your other security controls. It needs to be layered. Putting 'blame' onto users is an excuse for poor security in my opinion. This is not to diminish the utmost importance of training your staff and effecting behavioral cyber change, and that's not just running phishing simulations and delivering annual training. Check out Cybsafe’s behavioral database (we have no affiliation, by the way!).
5) I'm going to work in a newly formed Blue Team for an organization which is decentralized all over Europe with more than 20,000 people. I haven't had a deep look into our security yet, but from what I'm getting at the moment it is a total [mess] to almost non-existent. Where do we start?
[Katie] Establish what your attack surface looks like first (both internally and externally). I appreciate this isn't an easy task but it will help massively in the long run when it comes to defense. These asset inventories need to be maintained and updated regularly to provide the most accurate view of what your attack surface looks like. From there, you can drill down deeper to understand what services are running on those hosts and the risk associated.
[Jack] I'd look to assess maturity in each key pillar: Identify, detect, protect, respond, recover. Use frameworks to help with this. Then decide, using a risk-based approach, where to start. Don't start taking bites out of the problem without structure and thought.
Begin with the fundamentals, get your dependencies and building blocks in place, then build. Everyone has to start somewhere, and in my opinion, in almost all cases, good is better than perfect.
[Stephen] It’s a large European organization: there will be regulations and statutes that they must follow. Find out what they are, because while people will argue with security best practice, it’s hard to argue with Legal.
You need to know the lay of the land regarding infrastructure, assets and processes; you need to document what you have and what you need. You need to identify your risks and identify possible mitigations, and, if it’s a pre-existing organization that is only now creating a blue team, you need to find out where the sensible people who have been keeping everything running are and engage with them. The security of the organization isn’t new, just the security function. Wherever possible, tie into the other functions that should be doing security already and try to help them to do the work that you need them to do.