What's Missing in your Threat Landscape Picture?

ENISA (European Network and Information Security Agency) recently published its "ENISA Threat Landscape" report for 2012. Overall it's a good document as far as traditionally known threats go, but it's a re-hash of the threat landscape that we've accepted as complete because we've relied on security vendors to create it. A vendor tends to focus on the part of the threat landscape that their product addresses and ignore what's irrelevant to their product line. Customers often accept that as accurate because, after all, they aren't in the business of information security or threat assessment and rely upon the advice from their vendors, which I'm sorry to say is often incomplete.

The following threat table from ENISA illustrates what I mean:

According to ENISA's paper, the above table was created from 120 reports issued from Virus/Malware protection vendors, CERTS, security agencies, commercial companies in the area of security, industrial associations and committees, and Networks of Excellence (p. 10). Unfortunately, they tend to mirror each other in terms of what they report. In the Intelligence Community, this is a cognitive bias known as mirror-imaging. Customers, especially governments and multi-national corporations, need to go beyond these types of traditional and limited threat landscapes and expand it to include at least two more very important areas:

1. Vendor-to-Government relationships (V:G)
2. Offices in Foreign States (OFS)

Vendor-To-Government Relationships
U.S. companies, especially those in the Fortune 100, rely upon vendors, both foreign and domestic, for everything from development work to marketing. Yet very few take the time to do a deep dive into who their vendors' executives are and what their relationships are with other partners and government officials. As an example, we (meaning my company Taia Global) regularly perform this type of due diligence for our client firms and at least 70% of the time discover significant foreign government relationships with both U.S.-based and foreign-based vendors who have unrestricted access to valuable data owned by our clients. Frequently, prior to our investigation, no one was aware of those relationships.

Offices in Foreign States
U.S. companies who have offices in Russia and China, including Hong Kong, are at high risk for technology theft through both legal and illegal means. It may be through a local vendor who provides "secure" paper shredding services off-site when in reality those documents aren't destroyed but are sold to interested parties. It may be through legal intercepts on all landline, VOiP, mobile and satellite communications from the foreign offices of a U.S. company in Russia or China. It may be through a legal request to review your products' source code for "national security" reasons. The bottom line from a threat landscape perspective is - if you're doing business in a foreign state, there are a dozen ways for them to access your company's crown jewels; all of which have nothing to do with spear phishing, APT, or botnets.

If your company has overseas offices or uses vendors who do, the traditional threat landscape - even one created from over 100 sources - is incomplete. And if your security plan is built around that limited threat landscape, you're intellectual property is still at risk. Contact us for more information.

Add to Cart View detail

Lessons for CEOs from the Saudi Aramco Breach

Source: Joint Intelligence Preparation of
the Operational Environment (JP 2-01.3)

It's doubtful that Saudi Aramco will issue any substantive statements about the scope of the network attack that it suffered last week. However the information that's been privately shared with me by people with inside knowledge as well as by the attackers themselves reveals enough about the incident to draw certain lessons that CEOs from multi-national corporations (MNC) need to pay attention to. Here are my top 3 recommendations:

1. The Conventional Cyber Threat Landscape Is Too Narrowly Viewed
Most if not all companies' security operations centers are monitoring for the now conventional Advanced Persistant Threat-style of attack and their defensive tactics are geared towards interrupting that attack by use of an "intrusion kill chain". The attack suffered by Saudi Aramco didn't fit this model, and hence would have been completely missed by most of the world's largest companies. A multinational corporation must perform a comprehensive review of its entire threat landscape prior to designing its security framework. This includes evaluating its network exposure through its offices in foreign nations, its vendors (including U.S. vendors) and their relationships with the governments of potential adversary states, compromise of its senior executives while traveling, legal access to its intellectual property (i.e., source code) by foreign intelligence services (FIS) if the company conducts business in those same states, and so on. None of these potential attack vectors rely on spear phishing, social engineering, or other commonly watched-for schemes nor would any of them be caught by the vast array of security software being shopped by vendors today. While MNCs are busy sticking their fingers into the APT holes in their dike, State FIS are quietly re-routing the entire river behind the dike.

2. Companies Need To Pay Closer Attention to the Insider Threat
It's my understanding from a confidential source that the initial infection vector wasn't through a spear phishing attack but instead was via a Shamoon-infected USB stick which was inserted into a workstation in one of Aramco's foreign offices. This required the cooperation of an insider which, in fact, has been a serious and growing threat vector for a number of years. It's also one that conventional defenses like anti-virus, firewalls, and IPS/IDS cannot stop and that more sophisticated defenses like encryption and virtualization are not entirely effective against. This threat vector requires a more specific and potentially intrusive security posture which monitors for early signals that an insider typically presents prior to his malicious act.

3. Companies Cannot Keep a Dedicated Adversary Out of their Network
Saudi Aramco's attackers have threatened another attack today, the 25th at 2100 GMT to prove their ability to cause harm to the company. And the fact is, they can. This is a David and Goliath scenario if there ever was one. The world's wealthiest company cannot stop a small group from successfully performing an attack. No one can. Therefore, the correct course of action for not only Aramco's CEO but every CEO is to focus on being able to absorb an attack and not have it affect its critical operations. This requires making choices between what's critical and what isn't. Keeping your website up 24/7 in the face of a DDOS attack isn't critical. Keeping your oil production from being interrupted is. Keeping your intellectual property from being stolen is. An MNC's CEO and Board of Directors need to perform a difficult but necessary inventory of their corporation's assets and divide them into critical and non-critical groups. Different security protocols and controls need to be applied based upon criticality and resiliency.

While I haven't had the privilege of consulting with Aramco's leadership on their breach, my team and I have provided counsel for other MNCs and the above guidance is a very high level overview of our recommendations in those cases. Obviously, the devil is in the details and specifics on how to implement the above guidance will vary on a company by company basis. The bottom line is that if a company's board still believes that their company is safe from being breached, they have their heads up their collective asses.

RELATED:
Was Iran Responsible for Saudi Aramco's Network Attack?
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.

Add to Cart View detail