The attacker / victim scenarios we designed are no longer appropriate. It is amazing that no less than a decade ago I was working with teams to design information security attack scenarios where we were dealing mainly with mafia, ex-intelligence agents, and loose-knit groups. Now we have countries organized and attacking with some brilliant attack strategies. The sophistication, coordination, and execution of these attacks make it obvious that they are conducted by military / intelligence professionals. Despite all the conjecture, this has been difficult to prove, as usually only victims and logs stand as evidence. The developments around YamaTough present a hard case where a country's espionage activities may be exposed.
I would encourage reading the multiple great articles on this topic; a superb starting point is InfoSecIsland. The facts are critical to understanding how to protect company, personal, and government assets. The actions are key to understanding what is at stake, and how critical it is to be ever agile to these threats.
A takeaway from this attack and the article referenced above, though, is not to be more agile. It is to carry out a deep evaluation of the third parties with which you do business. This evaluation must consider every partner of the business that gains digital access to company resources. Who should this include? At least the following:
- Vendors that maintain your systems (hardware and software)
- Outsourcing teams that remotely provide management / operational support of your systems
- Vendors that support your Cloud environments
- Vendors that provide hardware authentication and other ‘highly dependent’ technology aspects of your infrastructure
- Loan staff brought onboard by HR and contractors
Progressive outsourcing / partnering has occurred with businesses where access to key networks is allowed, at least on a temporary basis. In some cases the security design, management, log monitoring, and underlying software are all designed by third parties. The cost of overseeing, testing, vetting, and validating the integrity / security of these operations must be considered at this time.
The following timeline example, built on the scenario of India as a country conducting espionage, is humorous but is meant to provide a simple description of the current environment:
- Businesses outsource IT operations to a company
- Team that managed operations hired by offensive security group
- Same team leverages prior knowledge to attack and circumvent customers throughout region
- Business does not have security through obscurity and, in fact, is defensively naked against these individuals, as most of the security safeguards are the same
- Business, in most cases, is not monitoring these partners for activities such as reconnaissance
- Finally, the BPO and deep network (family and financial) of businesses where outsourcing occurs creates the possibility that approved access itself may be hijacked by attackers
Organizations must seek assurance regarding the operations of third parties, but also institute monitoring, detection, and response capabilities to ensure the ability to identify and limit these events.
Other thoughts / considerations?
James DeLuccia IV