Speaking at the ‘Solving Cyber Threats to Critical Infrastructure’ workshop, Oleh Derevianko shared his ideas about what needs to be done to effectively protect critical infrastructure from constantly evolving cyber threats. Having a strong presence in countries at the front line of cyber and hybrid war, such as Ukraine, and serving both the private and public sectors, ISSP provides unique expertise in APT attack analysis, detection and response. Below are the key theses of Oleh Derevianko's presentation.
GOOD CYBER-SECURITY CULTURE
Creating, building and maintaining an effective cybersecurity culture:
- ensuring understanding of modern cyber threats at C- and Board level, making cybersecurity a priority for Boards and C-level executives, and making them committed to and responsible for it. Cybersecurity can no longer be the responsibility and concern of just the IS and IT departments; everyone should take care of it, including top management and boards.
- improving the quality and speed of decision-making on cybersecurity issues and threats.
- introducing and developing a common language for talking about cyber threats and attacks, both among technical specialists and between technical specialists and non-technical decision and policy makers.
- developing a common framework for APT detection and keeping the ability to ‘think like a hacker’ up to date. This means not focusing too much on the perimeter and intrusion prevention alone, always assuming compromise, and improving detection of adversaries already inside the infrastructure. A deep understanding of adversaries’ behaviours, challenges and common attack cycles is needed to identify their presence within an infrastructure; even more important is to spot changes in those behaviours as quickly as possible. Using the ThreatSCALE framework (where SCALE stands for Sequence of Cyber Attack Lifecycle Events) for these purposes is one possible approach.
THINKING LIKE A HACKER
Improving cyber-security architecture:
- extending SOC controls to OT: permanent monitoring and threat detection operations should be implemented not only in IT environments but also in ICS networks, including isolated networks, to verify that they really are isolated. ICT commands and protocols should be monitored too.
- making sure that any connection to any industrial control system, at any given moment, is really needed, relevant, authorized and secure.
- making sure that no IT system is connected to more than one zone of operations, that traffic between zones is always logged, and that mechanisms for monitoring and logging errors, deviations, violations and indicators of cyber-attacks are in place and fully functional at all times.
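The two architecture checks above (no host in more than one zone, and every cross-zone flow logged) can be audited from an interface inventory, passive flow records and firewall logs. The script below is an added illustration, not ISSP's tooling; the hostnames, zone names and flow records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data with hypothetical hostnames and zone names; not from the presentation.
# One entry per network interface: (host, zone). A host listed under two zones is dual-homed.
INTERFACES = [
    ("eng-ws-07", "IT-Office"),
    ("eng-ws-07", "OT-Control"),   # engineering workstation bridging IT and OT
    ("erp-app-01", "IT-Office"),
    ("hist-srv-01", "DMZ"),
    ("scada-srv-01", "OT-Control"),
    ("plc-gw-02", "OT-Field"),
]
# Flows seen by passive monitoring on the wire: (src_host, dst_host).
OBSERVED_FLOWS = [
    ("erp-app-01", "hist-srv-01"),
    ("hist-srv-01", "scada-srv-01"),
    ("eng-ws-07", "scada-srv-01"),
    ("eng-ws-07", "erp-app-01"),
    ("scada-srv-01", "plc-gw-02"),
]
# Flows that the zone firewalls actually logged.
FIREWALL_LOGGED = {
    ("erp-app-01", "hist-srv-01"),
    ("hist-srv-01", "scada-srv-01"),
}

def zones_per_host(interfaces):
    """Map each host to the set of zones its interfaces sit in."""
    zones = defaultdict(set)
    for host, zone in interfaces:
        zones[host].add(zone)
    return zones

def multi_zone_hosts(interfaces):
    """Hosts with interfaces in more than one zone: each is an unmonitored bridge."""
    return {h: sorted(z) for h, z in zones_per_host(interfaces).items() if len(z) > 1}

def unlogged_cross_zone_flows(interfaces, observed, logged):
    """Cross-zone flows seen on the wire but absent from firewall logs.

    A flow between hosts that share no zone must cross a zone boundary; if no
    firewall logged it, the traffic took a path the logging chokepoint misses."""
    zones = zones_per_host(interfaces)
    return [(src, dst) for src, dst in observed
            if (src, dst) not in logged and zones[src].isdisjoint(zones[dst])]
```

On the sample data the dual-homed workstation is reported by the first check, and the unlogged OT-Control to OT-Field flow by the second.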
Enhancing cybersecurity cooperation within and between industries:
- further developing (or creating where necessary) industry-specific competence and early threat prevention centres with a common interface for exchanging information about cyber threats. Cyber-security must be cooperative to address modern threats effectively.
- implementing a common framework for APT detection. While cyber-security standards relate more to process design and cyber-security controls, the success of a cyber-attack depends very much on the level of automation and on adversaries’ constantly evolving and improving cyber-mimicry tools and techniques.
REGULAR CYBER HEALTH CHECKS
Regular cyber health checks with existing and new technical solutions:
- learning from past incidents and monitoring the external environment for new threats and risks.
- conducting technical security assessments at least every quarter, based on a deep understanding of APTs. APTs have evolved significantly over the last three years; adversaries have become highly skilled at mimicking user and privileged-user activity, which makes it very difficult to detect malicious behaviour and distinguish it from regular user activity. Online monitoring should therefore be reinforced with user behaviour profiling and anomaly detection based on machine learning over historical log data sets (compromise assessments). APTs last for months, so regular assessments are a key process for surfacing suspicious activity and driving threat hunting.
- requiring third-party contractors to undergo cyber health checks and provide the results at least quarterly, or more often, by assessing historical data sets for the period since the previous assessment for the presence of APTs or bad practices that leave them vulnerable to APTs. With the ever-increasing use of cloud technologies, outsourcing and deep cross-application integration with subcontractors, supply chain cyber-attacks have become more dangerous and devastating than ever before. News about user account and personal data breaches has become an everyday feature. In every industry there are third-party contractors that may supply the whole industry, or even a sector of the economy, with a particular highly specialized product or service. The cybersecurity of these highly specialized suppliers is critical for national and global cyber-security. If compromised by a successful APT attack, these companies become an ideal gateway for massive attacks against nations, global corporations and beyond, as was the case with the NotPetya attack, which started with the compromise of an SME in Ukraine and resulted in a Massive Coordinated Cyber Invasion against Ukraine and billions of dollars of losses all over the world.
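The compromise assessment described under the quarterly checks (building a per-user behaviour baseline from historical logs and flagging deviations in the period since) can be illustrated with a simple frequency baseline in place of a trained model. This is an added example, not ISSP's assessment tooling; the log format, users and hosts are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed auth log lines ("<ISO timestamp> <user> <host> <event>"), hypothetical users/hosts.
BASELINE_LOGS = """\
2018-03-05T08:12:00 j.doe eng-ws-07 logon
2018-03-06T08:05:00 j.doe eng-ws-07 logon
2018-03-06T09:30:00 j.doe hist-srv-01 logon
2018-03-05T22:10:00 svc-backup hist-srv-01 logon
2018-03-06T22:11:00 svc-backup hist-srv-01 logon
"""
# Period under assessment: the window since the previous check.
RECENT_LOGS = """\
2018-03-12T08:15:00 j.doe eng-ws-07 logon
2018-03-12T02:47:00 j.doe scada-srv-01 logon
2018-03-12T14:03:00 svc-backup eng-ws-07 logon
"""

def parse(text):
    """Yield (timestamp, user, host, event) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, host, event = line.split()
            yield datetime.fromisoformat(ts), user, host, event

def build_profiles(events):
    """Per-user baseline from historical logons: hosts used and hours of day seen."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, event in events:
        if event == "logon":
            profiles[user]["hosts"].add(host)
            profiles[user]["hours"].add(ts.hour)
    return profiles

def find_anomalies(profiles, events, hour_slack=1):
    """Flag logons from a host, or at an hour, that the user's history never showed."""
    findings = []
    for ts, user, host, event in events:
        if event != "logon":
            continue
        prof = profiles.get(user)
        reasons = []
        if prof is None:
            reasons.append("unknown user")
        else:
            if host not in prof["hosts"]:
                reasons.append("new host")
            # circular distance so 23:00 and 00:00 count as adjacent hours
            if not any(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) <= hour_slack
                       for h in prof["hours"]):
                reasons.append("unusual hour")
        if reasons:
            findings.append((user, host, ts.isoformat(), reasons))
    return findings
```

Each finding is a lead for threat hunting, not a verdict: a night-time logon from a never-used host is exactly the kind of mimicked privileged activity that the quarterly review is meant to surface.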