Are you sitting comfortably? Then let us begin…
No, this isn’t the start of some Christmas fairy tale… it’s how I begin reading most reports which cover the last 12 months in cybersecurity, and there are quite a few to look at. But for me, the one I value most is the ENISA Threat Landscape (ETL) report, which is now in its tenth year.
Every year, the report does a great job of presenting what has been happening over the last 12 months, and giving us actionable information that we can use in presentations and board papers. In short, it gives us threat intelligence at a strategic level, and if you’re not already thinking strategically, now is the time to begin, using this report.
A familiar landscape
So what does the ETL report of 2022 tell us? In truth, nothing surprising: the landscape is pretty familiar, as the report tells us that during the reporting period, the primary threats we face include:
- Social Engineering threats
- Threats against data
- Threats against availability (Denial of Service)
- Threats against availability (Internet threats)
- Disinformation – misinformation
- Supply-chain attacks
What I like about the ETL report is that it offers tangible evidence for some of the assumptions we make about the threats we face. After all, most of us could have guessed that the top three threats were ransomware, malware, and social engineering, but facts without data are just opinions.
This report is also essential because it offers context to the threats we’re looking at, which helps when we are trying to articulate the importance of these threats to the Board. Understanding context is vitally important, because it allows us to see how these threats play out or how they affect us in tangible ways. It’s always worth reminding ourselves that behind the digital threats, there is a real person (or persons) carrying out these acts, and there is always a reason for these attacks. Although the report does not analyse these motives in detail, it does identify who the threat actors are, namely:
- State-sponsored actors
- Cybercrime actors
- Hacker-for-hire actors
Understanding human motivation is a big topic, and although I am working with cyber psychologists to understand human behaviour (online) and cyber trauma, these topics need much closer inspection than this post can offer. But like every great journey, we must start somewhere, and every journey starts with a single step.
Motivation of a threat actor
The report makes the case that geopolitics is impacting the threat landscape, particularly the conflict between Russia and Ukraine, which has reshaped the threat landscape during the reporting period. The conflict in the real world has undoubtedly spilled over into the virtual world, as state-sponsored attackers and hacktivists wage a virtual war that is rarely discussed or considered at a local level. Suggesting to most CISOs or SMEs that the Ukraine-Russia conflict should be included on their risk registers will often be met with incredulity and derision. Yet, if a nation-state wishes to destabilise an entire country, the easiest way to do this is to attack its commercial and economic stability, and that’s not easy to do using kinetic military action.
The lesson here is that while you may think that a geopolitical event has no impact on you, the truth is that we must all consider ourselves part of the war effort. Consider how we are protecting ourselves from becoming collateral damage, and put this on your risk register today.
Of course, financial gain is at the root of most attacks, and it is interesting to see that the use of “hackers-for-hire” is on the increase, and has been steadily increasing since 2021. This relatively new business model allows less skilled threat actors to hire the skills they need to conduct targeted attacks against a nation, or against individual targets. This particular threat actor is also further monetising their attacks by conducting double extortion, whereby a victimised company could also be extorted, lest the attackers inform the victim’s regulators or clients.
The report again provides evidence of events we intuitively know are true, including the point that phishing is again the most common initial access vector. This is in spite of the fact that most organisations run some form of phishing simulation tests and/or training. Clearly, the threat actors never got the memo that everyone is aware of these kinds of attacks. But perhaps this is because attacks which originate from this attack vector continue to be successful. So, what does this teach us? Perhaps we need to rethink our approach to phishing simulations? Perhaps educating people to look out for bad grammar and poor spelling isn’t adequate anymore? Advances in phishing techniques and tools, user fatigue, and targeted, context-based phishing mean that we need to consider each of these and ask how we can short-circuit this approach.
We need to look closely at our workforce and ask what we can do to reduce the stress placed upon them to combat fatigue. If the company culture is to work long hours, including giving up weekends, you can easily see how the risk of a breach increases.
There is a lot to unpack from the 150 pages of the ETL report, so I urge you to take a look at it. But I would ask you to review the report with a critical eye and ask what lessons you can draw from it. These kinds of reports are highly valuable, but they can only be beneficial if we are willing to use them.
As Stephen R. Covey once said, “…to learn and not to do, is really not to learn.”
About the Author:
Gary Hibberd is ‘The Professor of Communicating Cyber’ at ConsultantsLikeUs and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from international security standards such as ISO27001 to the Dark Web, Cybercrime and CyberPsychology. He is passionate about providing pragmatic advice and guidance that helps people and businesses become more secure.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.