Rising global tensions put us a few lines of code away from a significant cyber event

Cyberthreats are dominating the news headlines. Ntirety CEO Emil Sayegh highlights the current ever-changing cyber landscape and how we can better protect our cyber infrastructures. 


Reflecting on the threats and targets that we are most concerned with given the Russia-Ukraine war, cybersecurity is now the front line of our country’s wellbeing. Cyber threats endanger businesses and individuals — they can affect supply chains, cause power grid failures, and much more. 

This growing environment of risks and increasingly aggressive adversaries demands our readiness, yet our national response continues to be largely reactive to threat conditions. History shows how a small event built on daisy-chained circumstances can kick off a catastrophe, or even a shooting war.

As the war in Ukraine endures and as countries around the world align, a rising threat emerges from Russian sources, adversarial states, unscrupulous opportunists, and a shadow world of fifth-column provocateurs. An 800% increase in activities was observed in the first 48 hours of the invasion alone, and scanning and probes on domestic network infrastructures are reaching historic highs.

Cyber vs kinetic warfare 

This is a heightened condition of hostilities that will continue and extend beyond physical engagements. We must confront the fact that globally sourced cyberattacks are the essence of modern warfare. It is simpler, cheaper, and more impactful to run a cyberattack campaign than a traditional kinetic act of war. 

Cyberattack campaigns make strategic military sense: they are designed to disrupt communications, disrupt energy, cripple a population or its military readiness, or make any number of dire situations worse. This is why we see intelligence agencies either directly or indirectly involved in cyberwarfare.

As Russia becomes more isolated from the rest of the world, it is believed that even in the aftermath of current conflicts its leaders, intelligence agencies, and even rogue groups of unemployed hackers will be more apt to deploy cyberattacks, either in retaliation or simply for monetary gain. 

China has targeted the United States for decades and they have done so on every possible front. From the military, to business, to finance, to the global race for resources, China has leveraged every possible point using tools such as political influence, market manipulation, cyber intrusions, partnerships, and military threat. 

Throughout the industry, we can track countless advanced attacks and backdoors to their efforts. In the crosshairs of this force are state departments, contractors, and any organization it can hook itself into. In many cases, their aim is far more enduring than ransom: it is industrial espionage and the theft of intellectual property.

Rebuilding Security 

We are in a position where even a minor escalation of cyberattack characteristics could cripple this nation and cause massive impacts on life and property. Our response positioning must equal and exceed the specter of the overall threats, and our readiness must be comprehensive. 

In addition to the ongoing Congressional efforts to improve our national cybersecurity, we must add the following tasks to the national cybersecurity mission: 

  • Fix the damage. We must put a priority on funding new security initiatives, with an emphasis on new technologies, the growth of intelligent protection, and services that can augment the baseline of overall security posture.
  • Training a nation. Quality training systems must be made readily available that address modern kill-chain awareness, attack simulations, and advanced countermeasure techniques.
  • Greater collaboration. We must expand the efforts of the Cybersecurity and Infrastructure Security Agency (CISA) to work with the community beyond early warning systems, and to help model comprehensive cybersecurity protection systems by leveraging technologies and services.
  • Pursue criminal activities. We must continue to bring cases of cyber theft, cyberespionage, and cyberattack to the point of grand jury indictment. We need these cases as assets in defending our digital sovereignty, even when they will not result in fines or jail time.

Building a secure digital future is an essential task that demands success, and it should be one of our core missions as a nation. We must take measures to improve cybersecurity through increased knowledge, better technologies, and tactics that are built for the modern range of cyberthreat conditions. 

From mobile endpoints to applications, to identity, and onward to the cloud and infrastructure combined, safeguarding critical assets is a comprehensive task that requires the highest possible prioritization. The recent history of cyber-driven disruptions to critical services has so far been only a warning of what could happen.

We must face the threat that we are only a few lines of code away from a very significant event. Our readiness must improve immediately. 


Check out this piece, originally published in The Last Watchdog, here and follow me on LinkedIn. 

The Cybersecurity Implications Of The Russia-Ukraine Conflict

The Russia-Ukraine conflict has undeniably created heartache within and outside of these countries’ borders. In addition to the invasion of Ukraine, cyberspace has seen a higher number of invasions: cyberattacks increased by over 800% when the conflict began. The following article from Ntirety CEO Emil Sayegh was originally published in Forbes.


At this hour, the world is hurting in ways that people did not expect. The Ukrainian crisis has erupted into a significant conflict and whatever the ultimate outcome, the world will never be the same. As a company, we have employees, contractors and families that live in both Ukraine and Russia. We are worried for their safety above all, as most are unable to leave. With the financial complications and sanctions, we now may not even be able to pay them. I know there are other companies and organizations trying to figure out what to do about their employees, partners, and the grave threats that they face. There is no doubt that the human cost will endure longer than the effects of artillery, and we hope that cooler heads ultimately and quickly prevail, especially with the specter of a nuclear war now looming large.

Massive Surge in Attacks 

Immediately after the conflict broke out, suspected Russian-sourced cyber-attacks were observed over a 48-hour period at an increase of over 800%. U.S. cybersecurity agencies, the FBI, and the Department of Homeland Security have all shared high alerts covering threat levels, preparedness, and response. This is as critical as it can possibly get. Hostile cyber warfare is one of the primary tools of the modern global military today, and there is little doubt that this series of global events has been planned for some time. Historically speaking, nefarious state-sponsored cyber-activities have escalated when geopolitical tensions are high.

We do not know the form of attacks that will emerge, or those that may emerge successfully, but with a history of previous international attacks, we must have our eyes open for: 

  • Advanced Persistent Threats (APTs)
  • Malware
  • Ransomware
  • DDoS
  • Network attacks
  • Zero-day vulnerabilities
  • Code flaw vulnerabilities
  • Privilege escalation
  • Data anomalies
  • Network anomalies
  • Or some combination of any of the above.

Internationally, governments have shared the following general outlines for cyber security preparations: 

1. Patch Internet-Facing and Business Critical Software: Patch all software for all vulnerabilities, even the old ones. Take no shortcuts, because if you only patch against attacks known to be in the wild, you may get caught. If it is on the internet anywhere, in any way, or handles your traffic, communications, or remote business operations, patch it.

2. Prepare for Ransomware and/or Data Destruction: Ransomware is bad enough, but many have become accustomed to the behavior of demanding a ransom. The same methodologies and vulnerabilities can also destroy data outright, through a simple disposal of the decryption key or a simple overwrite. Recovering from attacks is much more than nullifying the threat; it means coming back from a disaster. Test your backups, and validate your recovery plans and continuity plans as well. Take the path of scenario planning for every component of your systems.

3. Be Prepared to Respond Quickly: Have your response organization finely tuned. Consider what might happen if email is out. Decide who will be the incident manager and make sure all non-email contacts are up to date. Walk through and reinforce how information will be shared with teams, customers, and employees in the event of a crisis.

4. Lock Down Your Network: Batten down the hatches. It may seem inconvenient to run through every aspect of your network, especially when you are used to sending links to team members and clients or using a convenient chat application. However, it may be time to modify policies and curtail those convenient experiences until some point in the future. Basically, if you can figure out a way to function without something and thereby eliminate a potential risk point, you should do it.

An Urgent Call to Go Beyond the Basics 

Those are the basics above, but there is a present and imminent danger facing US companies. The basics are not enough. Every organization, without exception, must act with extreme urgency to secure its information technology infrastructures. President Biden shared a warning about cyber-attacks leading to a “real shooting war” in a recent speech. No matter how small the company, a breach can lead to a national security emergency, as we clearly saw with the SolarWinds breach. The best possible approach is to combine the methodology of security, recovery, and assurance into a comprehensive security mission. Organizations must keep watch 24x7x365, and there is no room for exception. If an organization or company cannot do this level of security themselves, they are vulnerable. Know that the sphere of business is all about collaboration, and the best way to get through this is to work together. If you don’t have a competent security team to help (and most don’t), you absolutely must find a reputable security partner immediately.

We Must Work as a Community 

We have arrived at this moment of truth: this kinetic war in Ukraine combined with the global cyber war is the test of our times, a trial of our resolve, and a reckoning for our cybersecurity capabilities. All the while, as rogue nations build their strategies on offensive cyberattacks, our postures need to be built on the foundations of security, because our assets are significant and prized targets. All information technology personnel must be vigilant on duty, keeping watch, and prepared to work diligently to protect customers, businesses, and systems.

The Soft Underbelly 

As real as any military, political, and economic threats are, cyber threats are an unfortunate reality. All organizations, especially those in sensitive and critical industries, can expect heightened threats of a scale and variety never seen before, especially as sanctions start to take a toll. Smaller organizations will most certainly be a target, as they are considered the soft underbelly of this war.

Financial institutions, critical infrastructure, government contractors, even providers of the internet itself must be prepared for what is happening and will continue to happen for some time to come. This is not just about one country: there are other global adversaries out there right now, executing their own opportunistic attacks. We can expect that as financial sanctions increase, retaliatory tensions from all nation-state operations will also rise. There is much, much more to come, and much more to fear for the unprepared.

Unprecedented Times  

Make no mistake, we are witnessing unprecedented times. We have never faced the aspects of war that we do today, where attacks can be executed at lightning speed from anywhere in the world. As I have said before, packets can cause bullets, and none of us want to be the weak link against the global cybercrime syndicates. Whether brazen or anonymous, attacks against our financial systems and our core infrastructure systems such as power, water, health, and the very internet itself should be expected; those systems can be rendered unusable through cyber-attacks. In the face of these threats, cybersecurity is no longer some afterthought. Cybersecurity is basic survival, and it has never been more important, especially in light of the escalating Russia-Ukraine conflict.


Check out this piece, originally published in Forbes, here and follow me on LinkedIn. 

The Russia-Ukraine Conflict and the Mounting Cyber-Threat to the Homeland

As Russia’s invasion of Ukraine moves into its second week, the cyber threat to Western countries supporting Ukraine grows as Russian forces get bogged down. I have had several friends ask, “How did we get here?” or “Why is the Russian affiliated cyber threat so big?” The answer begins with a story (like many conversations).

A History Lesson in Cyber-Security

Fifteen to eighteen years ago, when the FBI formally established cyber squads to counter aggressive nation-states, Russia and China were at the top of that list. The activities were somewhat confined to the defense sector or critical infrastructure, and we in the FBI were not even allowed to say that we were engaged in cyber investigations against those countries, “We cannot confirm or deny” being a common catchphrase. Iranian cyberthreats began to grow approximately 10 years ago, and it remained a relatively high-level engagement between these cyber “superpowers”.

Then it changed. I use the Target attack of 2013 as the beginning of this change. Criminals started realizing that they could use the Internet to connect to and exploit businesses all over the world. They started spending money, building data centers, and developing code. The bigger change came when three distinct forces emerged in 2014 and 2015 and began to dominate cyber-crime. One was the dark marketplaces, which allowed software and personal information to be sold. These sorts of places had already existed, but they became even more prolific with the rise of the second force: cryptocurrency, which allowed these dark marketplaces to grow. Lastly, we saw the creation of what we today call ransomware gangs. These groups are highly organized, well-funded, and often work in countries where they are protected or at a minimum can operate with relative impunity. This is where the story of the suspected Russian cyber-threats comes in.

Russian-Based Cyber-Threats Up 800%

Suspected Russian-affiliated cyber threats have always been advanced, and their suspected state-sponsored hackers are some of the best in the world. But where does a suspected former state-sponsored hacker go after they are done serving their country? To make money, of course. But what if the best way to make money in a country like Russia was to work with cyber-crime organizations? This is what appears to have happened to many of these individuals, because cyber-crime pays very well indeed. Many of these criminal organizations have long been suspected of having ties to Russian intelligence and, recently, these ties appear to be confirmed with the leakage of hundreds of pages of internal communications from inside the Conti ransomware gang. Conti has made more than $30 million in ransomware payments in the last couple of years, and they are just one of the groups suspected to have these ties to various Russian intelligence agencies. With the start of the Russian invasion, we started to see where the true allegiances of these criminal groups lay. The number of ransomware attacks rose more than 800% in just the first week of the war, and most of this is attributable to Russian-homed criminal groups. In fact, Conti is purported to have issued a statement that they would defend their homeland against all aggressors and supposedly pledged their full support for President Putin.

Bad “Guys” Can’t Win

The threat is rising, and not just for large companies. In 2021, 43% of ransomware victims were small businesses, and when we roll in mid-size companies, that number rises over 60%. Statistically, any (note ANY) business in the United States has a 1-in-4 chance of being successfully hit with ransomware and/or a data breach. That ransomware attack will take down the infected corporate network for 20-25 days on average. And we are not even talking about E-Mail Account Compromise, which affected more than 70% of businesses in 2021. So, let’s talk security before this happens to you. I hate seeing the “bad guys” win. During my time in the Bureau, I too often saw a company get victimized when all they were trying to do was run their business. The threats will continue to evolve, and the criminal actors are awake 24 hours a day looking for ways to make everyone a victim. This is why you need a comprehensive managed security partner in your corner to manage the “entirety” of your security perimeter, watch your environment 24/7, and take decisive actions to keep it secure. Let our 3 US-based SOCs and our talented security engineers take care of security from beginning to end while you concentrate on what you do best.

Freight Trains, Russia-Ukraine, Log4J And Supply Chain Attack Madness

The current conflict between Russia and Ukraine has undeniably captured the attention of countries all around the world. Our thoughts and prayers go out to the people of Ukraine, and we hope that there will soon be peace. It is crucial that we promote cybersecurity best practices always, but especially now as cyberattacks have increased drastically due to this conflict. This piece by Ntirety CEO Emil Sayegh was originally published in Forbes on February 1, 2022.  


We have all seen the images of the train tracks in California littered with boxes due to the systemic attacks by organized gangs of criminals. These attacks on our supply chain left train tracks resembling third-world garbage dumps as cargo containers were being raided with impunity, leaving a heap of strewn boxes in their wake. The train attacks delayed much-needed shipments to stores with empty shelves, as well as essential packages needed by businesses and consumers from all walks of life, at the exact moment when all of us were trying to deal with the resurgent Omicron virus. 

In the same way that physical attacks on trains have been on law enforcement’s mind, cyber-attacks against the software supply chain are on many cyber security professionals’ minds. These threats are perhaps not as visible, but they are nonetheless a sleeping national disaster if left unchecked. A variety of factors have created a growing and consistent attack vector for the enterprise to deal with, especially considering the Russia and Ukraine geopolitical tension. Rumor is that if the US imposes sanctions on Russia, Russia will retaliate by mounting a concerted cyber-attack on US supply chain infrastructures. Regardless of the geopolitical situation, we are on the horizon of a hyper-escalated future of supply chain attacks, and it is critical that security strategies focus on comprehensive security and not point solutions.

A Very Big Attack Hammer 

The enterprise is still stinging from recent high-profile supply chain attacks such as the SolarWinds breach. It did not take long for this threat condition to evolve. The successful attack against SolarWinds caught significant attention as a supply chain attack that allowed the hackers to further select and target some of SolarWinds’ specific clients, such as Microsoft, FireEye, and US government agencies. Later, a ransomware attack against Kaseya, an IT management software tool, disrupted operations for many managed service providers and their clients. More recently, further commotion emerged when a vulnerability was found in Log4j, a ubiquitous but obscure piece of monitoring software. The trend of one attack leading to many victims is a theme that continues in the headlines.

What has happened in these and many other cases is significant. By compromising the virtual supply chain, criminal threat actors have managed to breach centralized services, software, and platforms to get a foothold into target organizations, causing considerably more damage than the California physical train attacks, and without even getting out of their chair. Once there, the cyber threat actor goes on to widespread infiltration of the customers and clients of the original victim. For the attacker, one successful breach means that the economy of impact can be scaled out to hundreds, even thousands of victims, saving time and effort, making it more lucrative and less risky than physically raiding freight trains.

Simple Attacks, Big Results 

Even scarier, most of these incidents happen through very basic attacks. While many of the high-profile attacks were sophisticated in their planning and execution, the technical measures used to achieve the attacks were not sophisticated at all. These attacks exploit common weaknesses including: 

  • Certificate compromise
  • Open-source vulnerabilities
  • Exploiting unpatched libraries and executables
  • Compromised accounts
  • Exploited firmware
  • Malware and Ransomware
  • Phishing

Further, with an arsenal of well-established and easily consumable nefarious methodologies, most cyber supply chain attacks are easily replicated. Simple and cheap, the characteristics of novel supply chain attacks are a significant problem that is bound to grow, because, as you will see, success at cyber chaos begets imitation, and it will not be long before significant numbers of cybercriminal groups get on board the supply chain attack train.

Standing Up to the Threats 

The ultimate takeaway from this growing threat comes down to where to focus. First, recognize that every organization and industry is stacked up against very different challenges. Then, recognize that slowly, the supply chain industry is working to update systems and platforms to help address this threat, using the latest dynamic principles of comprehensive security in a cloudified age. These organizations must escalate their efforts to defend their products in a coming storm of activity. There is a staggering amount of interdependence between all the components of a cyber supply chain. These companies must also position themselves to provide rapid response when needed, on behalf of their clients.

Protect Your House 

As individual as organizations can be, every organization has a unique digital supply chain. We are all in this boat together, and so we must also focus on analyzing and protecting against these threats. We have built upon services, platforms, software, and other digital components that came from somewhere.  

The prescription for these threat conditions is a comprehensive security strategy: implementing the protections of continual analysis, introspective monitoring, and integrity enforcement for our own digital systems as well as for the realm of digital components outside our clouds that have been allowed into the organization. Focus on threat modeling, adaptive strategy, and risk-focused assessment. Increase security presence, monitoring, and controls at every phase of the software life cycle as well as throughout the library of digital platforms and tools.

The Must-Do Mission of our Times 

There is no excuse for enterprise systems to linger unpatched, unreviewed, and unmonitored, or for security systems to depend on outdated missions and technology. Considering the technology and services available today, actionable security data must be “in-the-moment”, because stale information can only provide weak, ineffective and potentially misguided benefits. Preparation for the unknowable means investment in technology, investment in people, and investment in robust services that can blunt these nefarious threats.

The historical precedent is out there. The significant breach events have occurred. It cannot be ignored that the market for simple attack tools and methods is cheap and easy to tap into, and far easier than a freight train heist. Everybody likes a winning program (including hackers), and a boon of cyber disruption success means that shifting attack efforts onto the supply chain will continue to be a top mission.


Check out this piece, originally published in Forbes, here and follow me on LinkedIn.