{"id":88429,"date":"2023-03-07T07:45:00","date_gmt":"2023-03-07T07:45:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=88429"},"modified":"2023-03-07T07:45:00","modified_gmt":"2023-03-07T07:45:00","slug":"what-can-security-teams-learn-from-a-year-of-cyber-warfare","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=88429","title":{"rendered":"What can security teams learn from a year of cyber warfare?"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/03\/what-can-security-teams-learn-from-a-year-of-cyber-warfare.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Days, weeks, even months before Russia\u2019s armies crossed the border into Ukraine on 24 February 2022, security experts were warning of an impending <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/cyberwarfare\">cyber war<\/a> the likes of which the world had never seen.<\/p>\n<p>Talk of destructive attacks against critical targets in the West that might draw Nato into the conflict grew when, prior to the invasion, <a href=\"https:\/\/www.computerweekly.com\/news\/252512087\/Russian-backed-hackers-defaced-Ukrainian-websites-as-cover-for-dangerous-malware-attack\">increasing volumes of cyber attacks<\/a> against targets in Ukraine were launched to lay the groundwork for Russia\u2019s attack. This <a href=\"https:\/\/www.computerweekly.com\/news\/252513801\/New-wave-of-cyber-attacks-on-Ukraine-preceded-Russian-invasion\">culminated in the discovery of multiple data wipers<\/a> \u2013 malwares that look and act like ransomware lockers, but destroy data rather than encrypt it.<\/p>\n<p>With the benefit of hindsight it is easy to see how so many were swept along. 
Russia-based threat actors have become the b\u00eate noire of the cyber security community, and not unreasonably so, for they are highly active, highly sophisticated and highly dangerous.<\/p>\n<p>Recent geopolitical history also sets a precedent, littered as it is with Russian state-linked cyber attacks on Ukraine, some of which, <a href=\"https:\/\/www.computerweekly.com\/news\/252435114\/UK-Foreign-Office-minister-condemns-Russia-for-NotPetya-attacks\">such as NotPetya<\/a>, spilled over to have global impacts.<\/p>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/252521722\/Complex-Russian-cyber-threat-requires-we-go-back-to-basics\">Jamie Collier<\/a>, senior threat intelligence advisor at Google Cloud\u2019s <a href=\"https:\/\/www.mandiant.com\/\">Mandiant<\/a>, looks back. \u201cAt the start of the conflict, there was definitely a lot of concern about the spill-over,\u201d he says. \u201cThere was talk along the lines of, are we going to see another NotPetya, or wiper malwares with all kinds of propagation features spreading uncontrollably, [and] concern about critical infrastructure \u2013 not just in Ukraine but across Europe.\u201d<\/p>\n<p>But in the event, the cyber war, although extensive, did not materialise in the way that many had imagined. Collier\u2019s colleague, Paul Tumelty, who is Mandiant\u2019s regional consulting leader for the UK and Ireland, and practice leader for EMEA government, says: \u201cThe overwhelming threat has been inside Ukraine, against Ukrainian interests.<\/p>\n<p>\u201c[But] there has been some evidence of ongoing espionage against Russian targets outside of Ukraine, but related to Ukraine,\u201d he adds. 
\u201cWe\u2019ve done a number of incident response cases with governments in Europe, where it\u2019s evident that the group we track as <a href=\"https:\/\/www.computerweekly.com\/news\/252524013\/Cozy-Bear-targets-MS-365-environments-with-new-tactics\">APT29 [Cozy Bear]<\/a> continues to conduct cyber espionage activities against European governments and decision-making bodies, largely to track the decision-making processes around things like sanctions and diplomatic manoeuvring.\u201d<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Failure of attacks an important lesson\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Failure of attacks an important lesson<\/h3>\n<p>In the nine years since Russia\u2019s illegal annexation of Crimea and the past 12 months of outright conflict, Ukraine\u2019s armed forces have become a byword for bravery and heroism, and its cyber defenders have also more than held their own.<\/p>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/252522303\/NCSC-CEO-Why-we-should-run-towards-crises-to-elevate-cyber-security\">Lindy Cameron<\/a>, CEO of the UK\u2019s National Cyber Security Centre (NCSC), says the failure of Russian cyber attacks on Ukraine to achieve their intended impacts contained an important lesson, although she warns against complacency in this regard.<\/p>\n<p>Speaking at a Chatham House conference <a href=\"https:\/\/www.computerweekly.com\/news\/252525514\/Failure-of-Russias-cyber-attacks-on-Ukraine-is-most-important-lesson-for-NCSC\">in the autumn of 2022<\/a>, Cameron said the established strength of Ukraine\u2019s cyber defences built up over years, and the support Kyiv has received from friendly governments and private sector partners had stopped Russian disinformation and cyber attacks from achieving their intended effect of destabilising Ukraine still further.<\/p>\n<p>\u201cBoth efforts have largely failed, thanks to the efforts of Ukrainian and western digital 
expertise within governments and the private sector,\u201d she said at the time. \u201cIn many ways, the most important lesson to take from the invasion is not around the Russian attacks \u2013 which have been very significant and, in many cases, very sophisticated \u2013 it is around Russia\u2019s lack of success. Try as they might, Russian cyber attacks simply have not had the intended impact.<\/p>\n<p>\u201cRussia has made Ukraine match fit over the past 10 years by consistently attacking them,\u201d added Cameron. \u201cWe haven\u2019t seen \u2018cyber Armageddon\u2019. What we have seen is a very significant conflict in cyber space \u2013 probably the most sustained and intensive cyber campaign on record.\u201d<\/p>\n<p>Clearly cyber Armageddon did not happen in the UK or Ukraine, but Ziv Dines, chief technology officer at <a href=\"https:\/\/www.armis.com\/\">Armis<\/a>, is anxious to address the idea that all has been peaceful and quiet outside the war zone. Indeed, he says, general volumes of malicious activity emanating from Russia are through the roof.<\/p>\n<p>\u201cWe\u2019ve seen an increase of 15% in cyber attacks and malicious activity on the networks that we monitor,\u201d says Dines. \u201cIt\u2019s not 500% or 1,000%, but there has been an increase, so we\u2019re trying to break that perception that nothing is happening. No, things are happening, and they are impacting networks around the world.\u201d<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Digital transformation blocked\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Digital transformation blocked<\/h3>\n<p>Organisational leadership is not blind to this growth in malicious activity. <a href=\"https:\/\/www.armis.com\/cyberwarfare\/\">A recent report compiled by Armis<\/a> revealed that over 50% of UK organisations believe the threat of cyber warfare is actually hindering their digital transformation programmes. 
Dines says this may have something to do with a growing realisation that nobody is immune to potential spill-over.<\/p>\n<p>\u201cCritical infrastructure operators were always afraid, and anybody who works with armies or the military or whatnot, but when you look at random companies, they were not afraid,\u201d he says. \u201cThat changed in the past year. They are now afraid. They have seen the devastation. They have seen what can happen with those attacks, and they\u2019re now afraid. That impacts their project.\u201d<\/p>\n<p>The ultimate effect of this, says Dines, is that customers that started a large-scale digital transformation project two to five years ago are now realising that they need to pause and reassess what risks the war in Ukraine is exposing them to before proceeding, so<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"A tendency to overreact?\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>A tendency to overreact?<\/h3>\n<p>This raises the question of who is actually at risk of being dragged into the cyber war. Collier says: \u201cIf you\u2019re a large, multinational organisation, say a bank that\u2019s going to have some interaction with sanctions regimes, that there is concern there that Russia might target you. Those concerns were reasonable, they weren\u2019t invalid.\u201d<\/p>\n<p>However, he has seen a tendency for some organisations to overreact, or even overcorrect, to the Russian threat, and while it\u2019s important to pay attention to that and dedicate resources towards it, some may have dropped the ball on other issues that were perhaps more relevant to their organisation.<\/p>\n<p>\u201cRansomware remains the top threat for the vast majority across Europe,\u201d says Collier. 
\u201cWe\u2019ve also seen the likes of China and other states remaining active, so zeroing in on Russia for most is a risky strategy given all the other threats out there.\u201d<\/p>\n<p>Dines argues that some security leaders may have been a little na\u00efve in the past: because they were not operating in a vertical of much interest to Russia\u2019s espionage goals, they assumed the Russians did not care about them and that they were therefore safe. \u201cNobody\u2019s safe anymore, therefore, part of my mindset has to be, \u2018okay, what do I need to do or change in my day-to-day work because of it?\u2019\u201d he says.<\/p>\n<p>He likens the current situation to how the process of flying changed dramatically \u2013 particularly in the US \u2013 in the aftermath of the 11 September 2001 terrorist attacks.<\/p>\n<p>\u201cWe created new industries and new security concerns and spent hours at the airport and completely changed the way we think,\u201d says Dines. \u201cThe fact that you can\u2019t carry a deodorant onto a plane because it contains over 100ml of liquid would have been absurd 25 years ago, and yet it\u2019s so common and obvious now. The same long-term effect is happening in cyber.\u201d<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Lessons learned\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Lessons learned<\/h3>\n<p>As always, the old maxim that organisations that have paid attention to the fundamentals of cyber security withstand an attack better than those that have simply bought the most costly service holds true here, at least to some extent.<\/p>\n<p>\u201cThose that focus on the fundamentals do tend to be the ones that are better set up for long-term success,\u201d says Collier.<\/p>\n<p>\u201cWhat we have seen is that a lot of Russian activity over time has actually reused infrastructure and malware. 
We\u2019ve got to remember that these Russian threat groups, while well-resourced, are also people with finite resources, and that means that over time we have become increasingly empowered to actually do something about it \u2013 because a lot of this does come down to locking down the basics and having good security hygiene.\u201d<\/p>\n<p>Tumelty reports that a lot of organisations have demonstrably improved their overall cyber security posture as a result of the business continuity exercises they ran <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/feature\/Cybersecurity-lessons-learned-from-COVID-19-pandemic\">during the Covid-19 pandemic<\/a>.<\/p>\n<p>\u201cA lot of what I hear from board level is that they learned a lot from Covid-19 in terms of remote working, in terms of planning, and while it may not be formally documented they did adopt similar processes and methodologies to adapt to the Ukraine crisis, and then it was business as usual, once they overcame the initial shock of the invasion,\u201d he says.<\/p>\n<p>But this is not to say there are no other weaknesses still being overlooked. In many cyber warfare-linked incidents Mandiant has responded to, says Tumelty, it has found legacy, unpatched or uninventoried hardware riddled with vulnerabilities and, in some cases, malware-laced pirated software seeded by Russian actors ahead of time. 
He recommends paying more attention to asset management, closing down legacy applications and taking steps to minimise the attack surface.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Shields up\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Shields up<\/h3>\n<p>Chief information security officers and security teams in organisations that may be more at risk of a Russian intrusion should also be paying attention to new threat intelligence as it emerges, because an additional effect of the conflict has been a significant shift in the nature of the financially motivated Russian cyber criminal ecosystem, as Immanuel Chavoya, a threat detection and response specialist at <a href=\"https:\/\/www.sonicwall.com\/\">SonicWall<\/a>, points out.<\/p>\n<p>This trend is perhaps best exemplified by <a href=\"https:\/\/www.computerweekly.com\/news\/252520524\/Did-the-Conti-ransomware-crew-orchestrate-its-own-demise\">the collapse of the Conti ransomware cartel<\/a> amid supposed infighting. \u201cSome groups have split over political allegiances and geopolitics, while others have lost prominent operators, impacting the way we think about these groups and our traditional understanding of their capabilities,\u201d he says. \u201cAdditionally, we\u2019ve seen a trend towards specialisation in the ransomware ecosystem, making definitive attribution more difficult. 
This highlights the importance of continuously monitoring and analysing the evolving threat landscape to effectively mitigate risks.\u201d<\/p>\n<p>And <a href=\"https:\/\/www.trustwave.com\/en-us\/\">Trustwave<\/a> security researcher Jeannette Dickens-Hale says it would be a mistake to underestimate Russia\u2019s cyber-offensive capabilities.<\/p>\n<p>\u201cWhile Ukraine has been Russia\u2019s cyber playground to try out various attack types over the years, one should not assume the current cyber offensive and physical war against Ukraine is indicative of any weakness on Russia\u2019s part,\u201d she says. \u201cRussia is also learning quite a lot from this incursion and may come out on the other side with new and honed skills to implement in the real world.<\/p>\n<p>\u201cAs we know, crimes usually come before the laws that govern them,\u201d says Dickens-Hale. \u201cThreat actors innovate and law enforcement has to draft and enact laws that mete out justice for the crime or cyber crimes committed.<\/p>\n<p>\u201cHybrid warfare \u2013 cyber and kinetic attacks being waged simultaneously \u2013 is new to the warfare arena. However, the <a href=\"https:\/\/ccdcoe.org\/research\/tallinn-manual\/\">Tallinn Manual<\/a> identifies specific rules governing cyber Rules of Engagement. Like all types of war, to what extent these rules are complied with or to what extent those rules will evolve is anyone\u2019s guess.\u201d<\/p>\n<p>The development of modern-day computer science owes much to warfare. 
Indeed, there is a direct line between the development of <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/ENIAC\">early mainframes such as ENIAC<\/a> \u2013 which was designed during the Second World War to help the US Army calculate trajectories for artillery shells \u2013 and a smartphone.<\/p>\n<p>Even if peace returns to Ukraine in the short-term, absent a complete collapse of Russian forces or some form of regime change in Moscow, the end of the kinetic war will not cause the cyber threat posed by Russian threat actors, state-backed or otherwise, to diminish.<\/p>\n<p>It\u2019s a virtual certainty that Russia\u2019s intelligence services are using the conflict to develop and refine new tactics, techniques and procedures, and as we have seen so often before, it\u2019s likely that <a href=\"https:\/\/www.computerweekly.com\/news\/252505571\/IT-leaders-fear-trickle-down-of-nation-state-cyber-attacks\">these attacks will trickle down<\/a> into the cyber criminal underground.<\/p>\n<p>On 14 February 2022, as tensions in Ukraine escalated, Jen Easterly of the US Cybersecurity and Infrastructure Security Agency issued <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252513414\/CISA-says-Shields-Up-as-Russia-Ukraine-tensions-escalate\">her now-famous \u201cShields Up\u201d advisory<\/a>. Now is not the time to drop them.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Days, weeks, even months before Russia\u2019s armies crossed the border into Ukraine on 24 February 2022, security experts were warning of an impending cyber war the likes of which the world had never seen. 
Talk of destructive attacks against critical targets in the West that might draw Nato into the conflict grew when, prior to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":88430,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-88429","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=88429"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/88429\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/88430"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=88429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=88429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=88429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}