Adapting Cybersecurity to Geopolitical Change


By Scott Russ

Security Architect

For as long as human beings have organized themselves into societal groups, there has been conflict. When differences of opinion arise between nations and things get heated, businesses are often caught in the middle. In the modern world, digital attacks pose a far larger business risk than conventional warfare. Cyber attacks occur every day, but as the geopolitical landscape changes and tensions rise between nations, their objectives and frequency may change. Businesses become targets based on their geographic location regardless of their position in the conflict. The famous quote from Sun Tzu rings just as true in today’s cyber warfare as it did when he wrote it in 500 B.C.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu, The Art of War

Know Yourself

In the digital world knowing yourself means understanding where all of your systems are and where you are vulnerable to attack. Asset management is the single most important aspect of a strong defense. You can’t protect something if you don’t know it exists. Maintaining an accurate CMDB (Configuration Management Database) is one of many ways to fully understand what systems are out there. Once you have a handle on your digital inventory, the next step is to understand where you are vulnerable. This can be achieved in a number of ways. Vulnerability scans and penetration tests are both good exercises to learn where defenses are weak. A comprehensive understanding of end-of-life or neglected systems is also critical. Whatever the method, the goal is to gain a clear picture of how an adversary might try to compromise the environment.

Know the Enemy

Now that you have an idea of where an attack might occur, it’s time to implement an early detection mechanism. Although cyber attacks take place in the digital world, human beings are ultimately behind them. Humans tend to follow the same patterns as long as they are successful, and the old proverb “If it ain’t broke, don’t fix it,” applies to matters of cybersecurity just as it does to other activities.

In the case of cyber aggression brought on by geopolitical issues, the intruder will come in the form of a sophisticated hacking organization backed by the financial resources of an entire country. These nation-state threat actors are the most complex entities to identify and defend against in the cyber world. They are so advanced that the security industry has a special name for them: Advanced Persistent Threat, or APT. Luckily for us, even the most advanced threat actors follow general patterns when conducting their operations.

The MITRE organization, whose mission statement is “solving problems for a safer world,” has put together a database of patterns for known threat actors. These patterns, known in the security industry as TTPs (Tactics, Techniques and Procedures), are documented and freely searchable in the MITRE ATT&CK framework. Everything from how the entity gains initial access to the systems to the eventual impact is documented within the ATT&CK framework. When the political landscape heats up and new cyber threats arise, this framework is an excellent resource for organizations to identify how a particular threat group might conduct an attack.

Adjusting Security

Understanding your own weaknesses and understanding your adversary’s methods are the building blocks for stronger defenses in times of political tension. Organizations can put tools in place to identify attacks and take appropriate action based on the current geopolitical threat. Controls should be built around detecting attacks in the early stages. The “Initial Access” section of the ATT&CK framework allows organizations to understand what those early stages might look like for a given intruder. Companies should enable additional security logging on systems more likely to be used as initial access points and beef up defensive controls around critical systems that are identified as high risk for a specific APT. Alert priorities can also be adjusted to shed light on otherwise benign anomalies if they are believed to be associated with a threat group of interest.
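One way to express the alert-priority adjustment described above, as an added example that is not code from the original post. The watchlist, the CMDB excerpt, the asset names, the alert rules and the scoring weights are all constructed assumptions; only the ATT&CK technique IDs are real.

```python
from dataclasses import dataclass

# Hypothetical watchlist for the threat group of interest (constructed; in
# practice taken from the group's ATT&CK page). All three are Initial Access
# techniques: Phishing, Exploit Public-Facing Application, External Remote Services.
WATCHLIST = {"T1566", "T1190", "T1133"}
# Constructed CMDB excerpt: asset -> (criticality 1-3, internet_facing)
CMDB = {"vpn-gw-01": (3, True), "mail-01": (2, True), "hr-db-02": (3, False)}

@dataclass
class Alert:
    rule: str
    technique: str  # ATT&CK ID; may be a sub-technique such as T1566.001
    asset: str
    severity: int   # base severity, 1 (low) to 5 (critical)

def watched(technique: str) -> bool:
    """A sub-technique (T1566.001) matches its parent technique (T1566)."""
    return technique.split(".")[0] in WATCHLIST

def prioritize(alert: Alert) -> dict:
    """Return the adjusted priority (capped at 5) and the reasons for it."""
    hit, entry, bumps = watched(alert.technique), CMDB.get(alert.asset), []
    if hit:
        bumps.append((2, "technique on group watchlist"))
    if entry is None:
        # Unknown asset: exposure cannot be judged, so surface it for inventory review.
        bumps.append((1, "asset missing from CMDB"))
    else:
        if entry[1] and hit:
            bumps.append((1, "likely initial access point"))
        if entry[0] == 3:
            bumps.append((1, "critical system"))
    score = min(alert.severity + sum(points for points, _ in bumps), 5)
    return {"rule": alert.rule, "priority": score, "reasons": [r for _, r in bumps]}

def triage(alerts):
    """Highest adjusted priority first; ties keep their original order."""
    return sorted((prioritize(a) for a in alerts), key=lambda row: -row["priority"])

ALERTS = [  # constructed sample alerts
    Alert("Failed VPN logins from new ASN", "T1133", "vpn-gw-01", 1),
    Alert("Macro-enabled attachment opened", "T1566.001", "mail-01", 1),
    Alert("Scheduled task created", "T1053.005", "hr-db-02", 2),
    Alert("Web shell signature", "T1190", "legacy-web-07", 2),
]

if __name__ == "__main__":
    for row in triage(ALERTS):
        print(row)
```

The severity-1 VPN anomaly rises to the top of the queue because it matches a watched technique on a critical, internet-facing system, and the alert on an asset absent from the CMDB is raised as an inventory gap.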

Political unrest is difficult for business on a number of fronts, but a fundamental understanding of your own weaknesses and of your enemy’s tendencies can go a long way toward reducing the chance of cyber attack and can help organizations weather the storm.

Published on 01.14.20