Fabian Libeau, EMEA VP at the security intelligence firm RiskIQ, writes of the role of the CISO (chief information security officer) in the cybercrime pandemic.
Through 2020, the pace of digitalisation has only increased as the global pandemic has forced businesses to accelerate the trend of moving assets online. However, as companies shift their infrastructure into the vast and poorly mapped territories of the web, hostile actors are looking to exploit vulnerabilities to get into company networks – often to devastating effect.
The responsibility of keeping an organisation safe falls upon the CISO and their security team, but as the cybersecurity climate has worsened – and threats have grown more sophisticated – simply preventing an attack is no longer enough. CISOs must now act as an intelligence asset to their organisation and be able to contextualise attacks to the wider company.
COVID-19 has brought together two factors that have both exacerbated the risk posed to organisations online. First, digitalisation by its very nature widens a business’s online attack surface – the web-facing company assets through which cybercriminals can trespass into the company network. Second, the world is on uncertain footing, and anxieties in the populace are a boon to those looking to exploit fear via social engineering attacks. Even with the public health crisis abating in some areas of the world, there are additional risks as previously distributed devices are brought back into the fold of the company network.
Since the arrival of the General Data Protection Regulation (GDPR), the paradigm surrounding cybersecurity has been changing from a simple maintenance cost to a defining feature of company operations.
Today, a high-profile cyberattack can devastate consumer confidence and a company’s brand, and earn the organisation a hefty fine from the Information Commissioner’s Office (ICO). Amid the cybercrime pandemic, it should be clear to forward-thinking CEOs and board members that money saved on cybersecurity solutions may be lost tenfold in the case of a successful attack.
When the seriousness of the situation is understood by company leadership, and the appropriate funds allocated to cybersecurity, the expectation then lies entirely on the CISO to guarantee the safety of the organisation online. More so than ever, they are their company’s defenders in a shadowy war being fought across the nebulous boundaries of the web.
In this battle, the CISO must defend against nation-state funded threat actors conducting corporate espionage or sabotage against Western companies. In recent years, Western intelligence agencies have recognised countless attacks stemming from their perennial adversaries, China, Russia, and Iran. Amid the political point-scoring, online criminal syndicates are growing ever more sophisticated in targeting the valuable troves of data companies are tasked to safeguard.
The task of online protection was mammoth even before the global pandemic threw industries into disruption, but remote working scenarios have added another layer of complexity with which security teams have to contend. Rapidly stood-up IT infrastructures have given bad actors a wealth of targets, from vulnerable or misconfigured remote access points and cloud assets to shadow IT set up outside the purview of security teams.
When an attack occurs through these vectors, CISOs must be able to identify where it originated, who is responsible, and why the company was a target. Even more importantly, they must be able to answer whether the company is still under attack or if more attacks are likely in future.
From prevention to investigation
Given the scope of the security challenge, the onus is on CISOs to adapt their role to that of investigators. Company leadership will expect security teams to divulge the origin and nature of a threat, related indicators of compromise (IOCs) to prevent future targeting, and what the motives were behind an attack. These expectations must be upheld if the company has invested significant resources into its security teams.
The key to a successful investigation lies in recognising the specific traces that can betray the identity behind a cyberattack. An attack on digital infrastructure will leave forensic clues in the domains, IP addresses, certificates, and other areas of the network. Upon these clues, a thesis can be built as to how an attack happened and why.
Building on forensic clues, a comprehensive cybersecurity investigation conducted by the CISO must go beyond the remit of security teams. Although security teams are traditionally segmented from company operations, a holistic knowledge of an organisation’s footing and trajectory can communicate telling clues as to where an attack upon it might have originated.
A successful investigation may even have to break from the confines of the organisation itself – hackers often attack multiple organisations in one swoop, and this information builds a more complete picture of the purpose of the attack.
A collaborative approach
As the cybercrime wave spurred by the pandemic has heightened the already perilous stakes of a CISO’s role, they must be truly supported by their organisation. A cyberattack can now threaten every aspect of a company, from day-to-day operations to consumer trust. It is upon the company leadership to invest in the security infrastructure required to equip the CISO to keep the organisation safe, and it is upon the CISO to move deftly and effectively in attributing cyberattacks.