There are already plenty of examples of severe cyber-attacks. In recent years, we have witnessed ransomware attacks on private corporations like KIA Motors and A. P. Møller-Mærsk, as well as espionage attacks like the SolarWinds attack that affected many private and public institutions. We have also seen attacks like the one on the D.C. police department, where confidential information about private citizens was stolen.
The types and aims of these attacks vary. While some seem solely economically motivated, others aim to deny access to critical services (DoS attacks), gain access to confidential information or distract cyber defense officers.
Regardless of the aims of hackers, cybersecurity is a matter of national security.
In this article, you’ll learn which countermeasures within cybersecurity are necessary for organizations, nations, and alliances to stay safe and resilient within the digital threat landscape.
Demystifying Cybersecurity: The Nature of Cyber Defense
Cybersecurity is often perceived as something technical and hard to understand — a domain reserved for IT departments and technical staff. However, this could not be further from the truth.
Cyber defense is never stronger than the weakest link. That link could be anything from a tired employee with their guard down to a senior-level officer clicking a link in an e-mail.
Consequently, all employees — particularly executives — must be aware of and alert to the cyber risks that constantly threaten to exploit any weakness in your system.
To understand cybersecurity and cyber threats, it can be beneficial to compare the digital threat to one that exists in the real world. Although the means of attack obviously differ, the aim, tactics, and targets are not as different as you might think. The general idea behind any cyber-attack is somewhat comparable to attacks on medieval castles, as Andre Cunningham, Cyber Exploitation Test Engineer at Lockheed Martin, explains:
“If I’m in the Middle Ages and I’m going to attack a castle, I’m not going to charge the main gate. I’m going to look for a posturing gate […] and areas that are less secure, or I’m going to surround it and keep things from entering to put [the castle] in a siege state to negate the strength of the defenses.”
While the type of attack has evolved, a lot of those strategies are still used in modern warfare, both digital and real.
Cutting off supplies and lines of communication is mirrored by contemporary cyber-attacks like the 2015 attack on the Ukrainian power grid, which disrupted the electricity supply to 230,000 people for up to six hours. This attack demonstrated the vulnerability of the critical infrastructure of any country and emphasized the need to meticulously assess the exposure of any public or private system.
Really, Cunningham says, it’s about shifting the mindset from focusing on the technology to focusing on the processes and the people. At its essence, all cyber technology delivers a service, whether that is exchanging information or controlling a certain capability.
When assessing the vulnerability of your cyber defense, you need to look at several aspects. We’ll go through them in the following sections.
Building Cyber Resilience
Recognizing the need to include all people and processes in your security assessment is the necessary first step.
The next step is to know your organization or company, both in terms of its actual equipment and possible entry points for hackers and in terms of its critical functionalities.
The last step is to think like hackers would and assess your organization’s “kill chain” and your sub-suppliers.
With a full assessment, you can begin implementing security initiatives and gradually improve your cyber defenses. To build a strong cyber defense, we recommend going through the following five steps.
1. Know Yourself
Often, organizations have a hard time determining how many devices they actually have, Cunningham explains.
Some organizations have a fairly good idea of how many computers, laptops, smartphones, and iPads are in their equipment fleet. However, with IoT technology growing exponentially, IT security departments have difficulty maintaining an overview of all the additional devices that connect to the company WiFi.
These devices include printers and fax machines (yes, they still exist), but also less obvious ones like fish tank filters, dishwashers, heaters, lighting systems, watches, coffee grinders, or anything else that comes with built-in IoT functionality.
If not treated carefully, all these devices act as potential entry points for hackers. Ideally, IoT devices should run on networks separate from the main corporate network, and network access should be differentiated from device to device (and person to person) to minimize the impact if hackers find their way into the system.
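As an added example (not code from the original article), the following script reconciles a constructed list of DHCP lease records against a constructed asset inventory keyed by MAC address; any device seen on the network but absent from the inventory is reported so it can be assessed and, where appropriate, moved to a segregated IoT network. The lease line format, MAC addresses and hostnames are all invented for this illustration.

```python
"""Reconcile observed network devices against the asset inventory.

Added example, not from the original article. Sample lease records and the
inventory below are constructed; the lease format is a simplified one-line
record per device, not any particular DHCP server's log format.
"""
import re
from dataclasses import dataclass

# Constructed sample lease records: one device per line.
DHCP_LEASES = """\
lease 10.0.1.20 { hardware ethernet 3c:22:fb:aa:bb:01; client-hostname "LAPTOP-ANNA"; }
lease 10.0.1.21 { hardware ethernet 3c:22:fb:aa:bb:02; client-hostname "LAPTOP-BO"; }
lease 10.0.1.77 { hardware ethernet 00:17:88:11:22:33; client-hostname "hue-bridge"; }
lease 10.0.1.78 { hardware ethernet a4:c1:38:de:ad:01; client-hostname "fishtank-ctrl"; }
lease 10.0.1.90 { hardware ethernet 00:80:77:55:66:77; client-hostname "PRINTER-2F"; }
"""

# Constructed asset inventory: MAC address -> (owner, approved network).
INVENTORY = {
    "3c:22:fb:aa:bb:01": ("Anna", "corp"),
    "3c:22:fb:aa:bb:02": ("Bo", "corp"),
    "00:80:77:55:66:77": ("Facilities", "corp"),
}

LEASE_RE = re.compile(
    r'lease (?P<ip>\S+) \{ hardware ethernet (?P<mac>[0-9a-fA-F:]{17});'
    r' client-hostname "(?P<host>[^"]*)"; \}'
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str


def parse_leases(text: str) -> list[Device]:
    """Extract (ip, mac, hostname) from each lease record; malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            devices.append(Device(m["ip"], m["mac"].lower(), m["host"]))
    return devices


def unknown_devices(devices: list[Device], inventory: dict) -> list[Device]:
    """Devices observed on the network that the inventory does not know about."""
    return [d for d in devices if d.mac not in inventory]


if __name__ == "__main__":
    for d in unknown_devices(parse_leases(DHCP_LEASES), INVENTORY):
        print(f"UNINVENTORIED {d.ip} {d.mac} {d.hostname!r}: assess and segregate")
```

In practice the lease export and the inventory would come from the DHCP server and the CMDB; the comparison logic stays the same.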
2. Identify Your Critical Operations
Protecting every aspect of your business is an enormous, likely impossible task. Instead of trying to protect every corner of your organization, identify the core operations that must remain functional to keep the organization afloat.
Depending on your organization, critical operations typically include:
- Sending and receiving e-mail
- Running a production line
- Accessing specific databases or code
Critical operations are the things that would harm you the most if you were denied access to them, or the things that would cause the most damage if manipulated, deleted, leaked, or spied on.
By identifying your core, most critical operations, you can narrow the focus of your security work. You can then prioritize what should be most vigorously protected by secure processes and tools, and what should be communicated internally as the clearest target.
3. Diagnose Your “Cyber Kill Chain”
Once you have identified your critical operations, Chris Sargent, Cyber Architect at Lockheed Martin, draws attention to the importance of assessing the “cyber kill chain” of your organization.
The term “kill chain” is adopted from the military, where it refers to the stages and nature of an attack.
In other words, identifying your “cyber kill chain” means recognizing the potential weak points in your system and understanding the different steps a hacker would have to go through in order to carry out a successful attack.
The kill chain, as described by Lockheed Martin, consists of seven phases. The threat can be mitigated at each stage.
- Reconnaissance, where the attacker gathers information about your systems
- Weaponization, where the hacker develops the means of the attack (e.g., malware or a trojan horse)
- Delivery, where the attacker tries to gain access (e.g., through a phishing e-mail)
- Exploitation, where the malware enters your system
- Installation, where the malware creates the backdoor for the hacker to enter your system unnoticed
- Command and Control, where the hacker takes control of your system
- Action on Objective, where the hacker steals the data from the system and puts their objective into effect (e.g., locking, manipulating, leaking, or deleting the system)
By analyzing each step of the process, you can plan defenses and arrange countermeasures accordingly. The tools in the security toolbox are not new but are often not thoroughly implemented.
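One way to put the per-step analysis to work on the detection side, as an added example that is not code from the original article: constructed alert lines are tagged with the kill chain phase they indicate (the detection-type-to-phase mapping is an assumed analyst's choice, not from the article), and each host is scored by the deepest of the seven phases reached, so responders handle the hosts where an attack has progressed furthest first.

```python
"""Map security alerts to kill chain phases and rank hosts for triage.

Added example, not from the original article. Alerts and the mapping from
detection type to phase are constructed assumptions for illustration.
"""

# The seven phases as listed in the article, in attack order.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Action on Objective",
]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}

# Assumed mapping from a detection type to the phase it indicates.
DETECTION_TO_PHASE = {
    "portscan": "Reconnaissance",
    "phishing_email": "Delivery",
    "office_macro_exec": "Exploitation",
    "new_persistence_key": "Installation",
    "beacon_to_known_c2": "Command and Control",
    "mass_file_encryption": "Action on Objective",
}

# Constructed alerts: "timestamp host detection_type", one per line.
ALERTS = """\
2024-05-01T08:01Z ws-17 phishing_email
2024-05-01T08:03Z ws-17 office_macro_exec
2024-05-01T08:04Z ws-17 new_persistence_key
2024-05-01T08:09Z ws-17 beacon_to_known_c2
2024-05-01T08:10Z ws-42 portscan
2024-05-01T08:15Z srv-db phishing_email
"""


def deepest_phase_per_host(alerts: str) -> dict[str, str]:
    """Return, for each host, the furthest kill chain phase any alert indicates."""
    deepest: dict[str, str] = {}
    for line in alerts.splitlines():
        if not line.strip():
            continue
        _ts, host, det = line.split()
        phase = DETECTION_TO_PHASE.get(det)
        if phase is None:
            continue  # unknown detection type: nothing to map
        if host not in deepest or PHASE_INDEX[phase] > PHASE_INDEX[deepest[host]]:
            deepest[host] = phase
    return deepest


def triage_order(alerts: str) -> list[str]:
    """Hosts ordered from furthest-progressed attack to least, ties by hostname."""
    deepest = deepest_phase_per_host(alerts)
    return sorted(deepest, key=lambda h: (-PHASE_INDEX[deepest[h]], h))


if __name__ == "__main__":
    reached = deepest_phase_per_host(ALERTS)
    for host in triage_order(ALERTS):
        print(f"{host}: attack reached {reached[host]}")
```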
The countermeasures include strict access and sharing policies, up-to-date anti-virus software, rapid implementation of security patches, blocking and quarantining of false usernames, two-factor authentication, and simply making staff choose strong passwords.
Still, even the best technical setup will fail if the cyber-education of your employees is insufficient.
Getting every employee to acknowledge the persistence of a threat and act with the appropriate precautions is critical to maintaining a strong cyber defense.
Training your employees properly goes a long way. However, all organizations are dependent on sub-vendors and sub-suppliers. Upholding a resilient cyber defense also includes protecting your entire supply chain.
4. Assess Your Subsystems and Supply Chain
Samant Khajuria, Chief Specialist in Cyber Security at Terma, emphasizes how supply chains pose a serious threat to the cybersecurity of any organization.
“From an attacker’s perspective, [sub-vendors] are quite interesting, because it becomes a question of finding the weakest link,” he explains.
While hacking or attacking a large organization is typically very difficult because their cyber resources are usually substantial, targeting a small sub-vendor of an open-source system is significantly easier. Suppliers then become the point of entry for the hackers to deliver their malware.
When considering sub-vendors, the immediate attention tends to focus on vendors providing parts or functionalities that go directly into the end product: in our case, things like C2 systems, radars, or self-protection solutions.
However, while this part of the supply chain is indeed critical for cyber resilience, less prominent entry points may prove to be more attractive targets for hackers.
The less significant entry points, like IoT-based systems or subsystems for updating software platforms, could turn out to be easier targets, as they do not get as much attention security-wise.
“We’re actually getting really good at defending the primary surface, a warship, airplane, a missile, or a car. But what about the diagnostic equipment that plugs into the car, is anybody defending that?” Andre Cunningham asks.
Paying attention to your entire supply chain and addressing cyber initiatives there becomes critical in building a resilient cyber defense.
Despite the many initiatives and precautions you may take to build a resilient cyber defense, the last point of building resilience comes down to knowing and reducing your incident response time.
5. Know and Reduce Your Incident Response Time
Although knowing your incident response process is not necessarily a security function, being able to shut down your system while preserving as much data as possible may be the best or only way to stop an attack.
A resilient cyber defense consequently includes recovery mechanisms and procedures that can be put into action if a severe attack occurs.
And while you may have a “known good” gold disc in the drawer that can reset your system, one thing to consider is the time needed to recover. The longer the recovery time, the more damage an attacker can cause or the more data they can steal.
With military equipment especially, prolonged recovery times may even result in fatalities if decisive information fails to reach the people at risk in time. If someone has to go get the disc and insert it into the system, this can easily take an hour or two, or even more if the right cyber-emergency procedures are not in place.
In summary, a resilient cybersecurity system comprises several different tools, processes, and considerations, from knowing yourself — both in terms of how many devices your organization has and what your critical operations are — to diagnosing your “kill chain” and assessing the cyber threat coming from sub-suppliers. In the end, having emergency and recovery plans ready in case of an attack is one of the most important steps in building and maintaining a resilient cyber defense.
Learn more in our Podcast
If you want to learn more about cyber threats and what countermeasures are taken in the military industries, listen to our podcast episode: Military Cyber Security: How to Stay Resilient When Threats Go Digital.