Nation-State Actors or Common Cybercriminal, Your Cyber Fundamentals May Be Your Achilles’ Heel

I have seen quite a few articles of late proclaiming that a major cyberattack against Australia is imminent as a result of the ongoing situation in Ukraine, and in truth it's kind of riled me up a bit.

The most recent announcements about Australia promising cyber support to Ukraine has increased speculation on this question. As someone with a keen interest in Geopolitics, who frequently writes and delivers threat intelligence briefings, what does this all mean for Australian organizations, and why is my blood pressure so high right now?

Well, the main thrust of the conundrum is “The enemy of my friend is my enemy, my friend is about to have a fight, I may get hurt” which is probably a fair set of assumptions. Where it becomes problematic for me, is the sort of hasty generalizations that attempt to draw a long bow between Russia invading Ukraine, and Australian hospitals or schools being on the receiving end of a ransomware attack, along with a conflation of threat actors in play, namely APT's, Cybercriminals and Cyber Vigilantes.

I don’t know the expert quoted in this article, but to give him the benefit of the doubt it’s possible that his words were taken out of context by a journalist or sub-editor whose objective was to write a sensational story. In truth, Australian businesses including hospitals and schools have been constantly bombarded with ransomware attacks of this nature for several years now. This is unlikely to increase as a result of the conflict.

These attacks are not simply the result of a Russian government directing their agents to create chaos, but a complex combination of many factors primarily driven by personal greed rather than patriotic ideology. Typical ransomware groups are not military, they are not really backed by the government, and they have little need for military datacenters at all, rather the Kremlin have historically tolerated them provided they were attacking businesses in countries outside CIS and China.

Ransomware crews have more in common with Uber Eats than the KGB, much of the work is carried out by freelance ‘affiliates’ who may well work for several different crews. An open marketplace of vulnerability exploit kits, ransomware and attack delivery routes are available on the Dark Web, and can be assembled in a coordinated mesh for a price and successful delivery of a payload. Picture your Uber Eats delivery rider showing up with a Deliveroo Jacket and a Menulog helmet.

Did somebody say Threat Intel?

There seems to be a common misconception that corporate cybersecurity people consume threat intelligence as if they are sat in something resembling an old railway signal box pulling levers in accordance with the level of threat they are tipped to be expecting.

The 19th century railway signal box museum at Romsey, Hampshire by Anguskirk CC BY-NC-ND 2.0

“Oooh look Russia is about to Invade Ukraine, Russians are known for Ransomware quick pull lever number 3 all the way back.”

That’s not really how any of this works, the mundane truth is that cybersecurity is more akin to farming than a military operation in that it’s an iterative process of mending fences, planting seeds and pulling weeds in the hope that your crops will continue to grow. The problem is that combine-harvester-automation analogies are just not as sexy as pseudo military geopolitical intelligence briefings.

Please Be Prepared

If you are unprepared for a cyberattack today, it might be because you are wasting your time consuming hype like this rather than patching your fences, and propping up your scarecrows! Don’t be distracted by the noise and ensure you have your house in order first.

Please don't stop doing the mundane stuff to focus on the extraordinary. My key tips:

• Get the fundamentals right. As always, one of the best places to ensure you are covering all the cybersecurity essentials is the Australian Cyber Security Centre’s Essential 8. Many good tips are in the ACSC’s “strategies to mitigate cyber security incidents” document .
• Understand your attack surface. Vulnerability Assessments and penetration testing can help you spot those long forgotten and vulnerable hosts left open to the great unwashed.
• Test how both your technical teams, and executives might respond if the worst should happen, prepare a Ransomware Playbook and crisis management plan to ensure you can respond effectively and quickly and use a tabletop exercises to put your teams and plans through their paces.
• Carry out continual awareness training that is regularly refreshed and up to date so that staff can spot and avoid common contemporary attacks.
• Implement a best of breed EDR agent on your endpoints that will enable you to collect telemetry, and isolate a system if alerts are detected.

Nation-state actors grab the FUD headlines, but most organizations should care less about ‘who’ is attacking them and focus more on the ‘how’. Many successful attacks would have been avoided by getting the basics right.