The recent ‘Five Eyes’ cybersecurity advisory issued by the intelligence agencies from the US, UK, Canada, Australia, and New Zealand underlines current concerns about the possibility of state-sponsored attacks. In particular, the guidance focuses on the risks faced by critical infrastructure providers, with the aim of improving the resilience of organisations that could be targeted.
As explained by NCSC CEO, Lindy Cameron: “In this period of heightened cyber threat, it has never been more important to plan and invest in longer-lasting security measures. It is vital that all organisations accelerate plans to raise their overall cyber resilience, particularly those defending our most critical assets.”
The agencies advise that organisations in general – and critical infrastructure providers in particular – should focus on a range of mitigations against attacks that could be instigated by Russian state-sponsored operations and aligned cybercrime groups. These include what many would consider to be the minimum standard of preventive measures and cyber hygiene processes. For instance, prioritising the patching of known exploited vulnerabilities, enforcing multi-factor authentication (MFA), monitoring remote desktop protocol (RDP) and providing end-user awareness and training are key to frustrating the efforts of bad actors.
Lessons Learnt?
Unfortunately, the risks are increasingly familiar. Last year’s attack on Colonial Pipeline, a crucial element of the United States’ fuel network, crippled the company’s operations, forcing it to cease the distribution of 2.5 million barrels of fuel per day throughout its 5,500 miles of pipe infrastructure. That was roughly half of the fuel consumed on the East Coast of the United States, and the incident forced lawmakers to approve emergency legislation allowing fuel to be transported by road.
Part of the problem for every potential victim is that the underlying IT networks helping these organisations to operate have become more diverse and distributed, which has increased the number of potential vulnerabilities. Even the tiniest devices connected to the Internet of Things (IoT) have now become possible gateways to vital networks, giving bad actors more options for mounting potentially devastating cyber attacks.
This also demonstrates how successful ransomware attacks expose victims’ reactive security strategies. Colonial Pipeline, for example, took systems offline to limit the threat, brought in prominent third-party security experts, and established a system restart plan, according to official media statements at the time. The problem is that this kind of approach – where vulnerabilities are addressed only after an attack – means that for many organisations the damage is already done. Instead of preventing an attack, they are forced to pay ransom demands or implement costly recovery activities.
While Colonial is arguably the most high-profile of the publicly disclosed critical infrastructure attacks, it is far from alone. The FBI’s 2021 Internet Crime Report detailed nearly 650 ransomware incidents targeting critical infrastructure in the US alone last year. In the context of significantly increased current geopolitical tensions, it’s likely that the volume and severity of attacks will continue to increase.
Proactive Protection
So where does that leave us? Organisations are faced with a wide range of risks and vulnerabilities that require urgent attention. Take those presented by file-based cyber security threats, where approximately 1 in every 100,000 files contain potentially malicious content.
Even though most organisations recognise the importance of protecting their precious files and data from malware and ransomware, the great majority rely on a reactive approach provided by antivirus and sandboxing technology to do so. While these solutions form an important part of any holistic cybersecurity strategy, they can also create serious cybersecurity blindspots.
For example, roughly 70% of malware identified in files is of an unknown variant when it is received, thus rendering it invisible to reactive cybersecurity technologies. The problem is that updating antivirus and sandboxing systems to protect files and documents can take days or even weeks. As a result, malware and ransomware can remain undetected on network infrastructure for up to 18 days before reactive solutions can respond.
Instead, critical infrastructure organisations must take a proactive approach to file security, and one of the most effective ways to do this is by utilising Content Disarm and Reconstruction (CDR) technology that instantly cleans and rebuilds files to match their ‘known good’ manufacturer’s spec – automatically removing potential threats.
For critical infrastructure providers, closing all the potential angles of attack has become crucial to protecting key public services and the wider national interest. Indeed, the Five Eyes advisory urges “critical infrastructure network defenders to prepare for and mitigate potential cyber threats – including destructive malware, ransomware, DDoS attacks, and cyber espionage”. In the current climate, proactive cybersecurity strategies are now more important than ever.
Paul Farrington, Chief Product Officer at Glasswall, is a DevSecOps dynamo. With over 20 years of experience launching secure software, he now keeps Glasswall's product development team focused on delivering (and growing) the world's most innovative CDR product portfolio. His previous roles include CTO and leadership positions at Veracode, BCSG, and Barclays.