The views presented here are the author’s own and not those of the Federal Bureau of Investigation
On Nov. 24, 2014, employees at Sony Pictures opened their computers to the sound of gunfire, scrolling threats, and a skeletal image now commonly referred to as the “Screen of Death.” By the time the cyberattack was over, more than 3,200 computers and 830 servers were destroyed, highly confidential files were released worldwide, and 47,000 Social Security numbers were compromised[i].
I spent more than 20 years at the U.S. Federal Bureau of Investigation and, in my last role as Assistant Director of the Cyber Division in Washington, D.C., I led the team that developed and implemented the FBI’s national strategy to combat cybercrime. One of the cases I worked on was the Sony attack, which was historic for many reasons.
For one, it involved a wide range of malicious acts against Sony, including intrusion, destruction and threats to employees and the public. The government was able to respond quickly. Within days, the FBI identified the perpetrators and, within six weeks, President Obama signed an executive order issuing sanctions against three North Korean organizations and 10 individuals.
Responding to this type of breach required an understanding of the legal and regulatory environment, the technical environment, privacy issues, media-related issues, and more. Preventing a breach of this size and scope is just as challenging, if not more so. It has been difficult enough to understand the mindset of each individual type of adversary. It becomes even harder when these adversaries have multiple motivating factors and sponsors, such as government-backed attacks carried out for both profit and geopolitical warfare.
Another reason I consider the Sony attack to be historic is that it portends what we can expect in the future, where there is a blending of mindsets, behaviors, motivations, and techniques from all types of adversary actors. We are already seeing examples across the globe from various nation-state actors, principally from North Korea but also from Russia and China.
At the same time, those who would do harm for profit, politics, or principle are becoming more sophisticated, with easier and cheaper access to tools and technologies. We are even seeing the emergence of cybercrime-as-a-service. And we are giving our adversaries a larger potential attack surface, with innovations such as the Internet of Things (IoT), the growth of big data analytics, and our exponential use of massive social media platforms.
Responding to the Evolving Environment
As the threat landscape evolves, and as it becomes harder to distinguish between a threat from a nation state and a threat from a criminal enterprise, the onus is on all of us to be better prepared so we can prevent attacks and respond quickly and appropriately when there is a breach. Of course, that is much easier said than done.
In my experience, many company executives feel that cybersecurity is too broad and all-encompassing, and that it can be overwhelming. They don’t know where to start; they have a hard time measuring the return on investment for cybersecurity; and they are concerned about escalating costs. The exception is companies that have already experienced a cyberattack. Those are the companies that have a sense of great urgency and purpose.
We all need to adopt a similar sense of urgency. Our adversaries are getting bolder and more sophisticated. We have gone from Sony, where there was an attack on freedom of expression and business operations, to attacks on democratic processes and elections. It won’t stop there. We are seeing an increase in ransomware, extortion and, eventually, we can expect to see more attacks that threaten the loss of human life.
Disrupting the Attack Lifecycle
This is an important time to invest in cybersecurity education, awareness, and training. The more we understand about how attacks work, the better job we can do at lessening their impact, regardless of the motivation and mindset of the adversary, and regardless of our roles and responsibilities within our organizations. Attackers work through a series of stages that together make up what we refer to as the “attack lifecycle.”[ii]
1. Reconnaissance: This is the planning stage, during which attackers research, identify, and select targets.
2. Weaponization and Delivery: Attackers determine which methods to use to deliver malicious payloads, such as automated tools, exploit kits, and spear phishing attacks with malicious links or attachments.
3. Exploitation: Attackers deploy an exploit against a vulnerable application or system, typically using an exploit kit or weaponized document. This allows the attack to gain an initial entry point.
4. Installation: Once they’ve established a foothold, attackers install malware to conduct further operations, such as maintaining access, persistence, and escalating privileges.
5. Command and Control: With malware installed, attackers then actively control the system, instructing the next stages of the attack. They establish a command channel to communicate and pass data between infected devices and their own infrastructures.
6. Actions on the Objective: With control, persistence, and ongoing communication, adversaries can act upon their motivations. This could be data exfiltration, destruction of critical infrastructure, theft, extortion, criminal mischief, or some combination of all the above.
Being able to leverage knowledge about the attack process gives defenders an advantage, because attackers must succeed at every step for the attack to succeed. The defender only has to “see and stop” the adversary at any one stage to cause the attack to fail. To do this reliably, an organization needs a holistic approach to addressing cyber risk. In general terms, this includes:
1. Increase visibility
2. Reduce the attack surface
3. Prevent known threats
4. Discover and prevent unknown threats
5. Quantify risk
6. Transfer risk
Disrupting the attack lifecycle and reducing risk relies on a combination of technology, people, and processes.
- The technology must be highly automated and integrated across all network environments, including fixed, mobile, physical, on-premises, and cloud, from the perimeter to data centers, branches, endpoints, and IoT devices.
- The people must receive ongoing security-awareness training and be educated in best practices to minimize the likelihood of an attack progressing past the first stage.
- The processes and policies must be in place and enforced for rapid remediation should an attacker successfully progress through the entire attack lifecycle.
Preparing for the Future
I strongly encourage board members to be aware of and adhere to the five principles of cyber-risk oversight developed by the National Association of Corporate Directors in the U.S. These are:
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
We can’t always predict criminal behavior. But we can be educated, aware, and proactive in making sure that we are doing everything we can to mitigate and minimize risk. As we look to the future of cybersecurity in the Digital Age, that should be our mindset.
James C. Trainor is Senior Vice President within the Cyber Solutions Group at Aon, responsible for helping to shape the organization’s overall cyber strategy. He previously led the Cyber Division at the Federal Bureau of Investigation. This article was excerpted from the upcoming book Navigating the Digital Age, Second Edition, published by Palo Alto Networks.
[i] “The Attack on Sony,” 60 Minutes, April 12, 2015.
[ii] Lockheed Martin has registered the term Cyber Kill Chain®, which describes a similar framework in seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.