Tried, Tested and Proven

It is good news that the government are looking to continue investing in cyber security; however, there are some takeaways from the chancellor’s recent speech which could cause alarm. In this blog post, our head of consultancy picks out some of these and highlights how they might impact UK businesses.

“Britain must be prepared for ISIL to develop the capability for cyber warfare, Chancellor of the Exchequer George Osborne warned today in a major speech at GCHQ.” and “He [the chancellor] argued that everyone – individuals, businesses and the government – must play their part in countering the growing threat from cyber attack. Britain must be prepared for ‘hybrid conflicts’, played out in cyberspace as well as on the battlefield.”

The aspects worth highlighting in these two combined statements are “individuals, businesses” and “for ISIL to develop the capability”. It shouldn’t be news to anyone that cyber-attacks have been part of modern warfare for some time, but largely speaking this hasn’t really impacted anyone outside of government and defence circles. However, corporate targets have been attacked by foreign states in the past (albeit for different motivations), and corporate / civilian targets have always been a valid target for terrorists. It is only a small stretch for groups like ISIL, and their brethren, to take their armed conflict into cyber space with companies and civilians being the victims.

How realistic is the threat? In the modern climate, the government would not be spending billions on countering this threat without good intelligence backing it. All spend is heavily scrutinised, so it has to be assumed that there is a credible threat.

The chancellor’s tone is that this is an emerging threat “for ISIL to develop the capability”. This more or less stacks up with what we’ve seen in the real world. Portcullis is aware of several relatively rudimentary pro-ISIL website defacements, but nothing that could be perceived to be a serious, notable breach.

This government statement highlights that there is much for information security professionals and business leaders to be concerned about in the immediate future. In order to form a professional opinion from the chancellor’s statement it is worth considering how these attacks may manifest themselves.

When an attacker like ISIL focuses on individuals and businesses, Portcullis would anticipate that the targets, techniques and motivations would be similar to what organisations already experience from criminal gangs and hacktivists. Criminal activity is primarily designed to monetise information and groups like ISIL need funding; we know that information is worth money either directly (credit card information) or indirectly (e.g. personal details on the black market) and this naturally becomes a realistic goal. It wouldn’t be beyond the realms of possibility that cyber-attacks may also target the infrastructure of the emergency and security services – imagine how much worse Paris would have been without good communications – but few corporates would prove valid targets under such circumstances.

Hacktivist activity is targeted at disrupting those that they don’t like (in this case, let’s assume that means the UK) and it is certainly possible to extend this to key UK infrastructure in sectors such as finance and energy. Assuming that such attacks are successful, disruption to key infrastructure could result in a significant impact on citizens as well as UK PLC, which would undoubtedly be a very attractive outcome. It is also common for attacks to be motivated purely by a desire to drive a media narrative; taking control of well-known websites (potentially even high-profile Twitter accounts) to win headlines, even if those websites are not an obvious ISIL target.

In terms of attack techniques, there is no need for attackers to reinvent the wheel here. We’re expecting more of the same: the use of known vulnerabilities in systems and applications, elements of social engineering, and malware based attacks. Nothing overly sophisticated, but spread across a wide enough range of targets, it will certainly be effective. Sophisticated zero-day type attacks are a possibility, but this is a capability that is harder to achieve and as a consequence it is likely to follow – if it occurs at all – behind the less sophisticated attacks.

The big data leakages, website defacements and IT operational challenges hit the media regularly, but what doesn’t hit the media so much is how some criminal gangs target lots of individuals for small amounts of money. Both avenues are viable options to a group like ISIL; money is money and you would suspect there is little discrimination between corporates and individuals. As the chancellor explicitly referenced individuals, this has to be a consideration. Something to share with our friends and family, as well as staff awareness programmes which increasingly cover home users.

The expectation is that the threat landscape has changed only a little, and the types of attack and technique are not likely to change significantly. What may change is the frequency and the nature of the subsequent media coverage. For organisations already successfully dealing with hacktivist threats and potential compromises by criminal gangs, the chancellor’s statements shouldn’t present significant concern. The nature of the threat doesn’t really change for those organisations; it is more of the same, but just from a different threat actor. Those that should be concerned are the ones facing this for the first time, or that have historical challenges. Take this announcement as a warning and, as if there wasn’t enough incentive already, start preparing a response now.

Another interesting comment in the chancellor’s statement is:

“A stronger regulatory framework
•  Stronger regulation in sectors defined as Critical National Infrastructure.
•  Through the National Cyber Centre, a new programme of work with businesses across the economy to ensure that they have the right defences in place.”

At Portcullis, we interact with a lot of regulators and many were already gearing up to take a stronger lead on information security in their respective sectors. The Bank of England with its CBEST framework has really set the standard for what a regulator could do and the expectation is that more regulators will be taking on-board this red-teaming type approach. The CBEST scheme involves scenario-based ethical hacking which is led by threat intelligence. The targets and techniques used mimic the most likely real-world attack scenarios. Naturally if ISIL grows to be a realistic threat, these concerns can be brought to these engagements.

At a more holistic, less technical, level we’re likely to see a greater push for organisations to adopt Cyber Essentials or ISO 27001 to meet regulatory concerns and more pressure in the supply chain from HMG and defence for their non-regulated suppliers to be the same. Some organisations may see this as unwelcome interference, but realistically this comes from the right place: protecting investors, customers, and keeping UK PLC safe.

Portcullis’ advice is to prepare for the coming change. Regulated industries and their suppliers are likely to be judged by new standards and, where required, may need to invest to meet new base levels of information security. The more learned may be looking at what may come and be pro-active in upping their game through sensible BAU projects, as opposed to being backed into a corner once the mandate arrives.

There are a few takeaway points and, quite truthfully, this blog could have been 10 times longer by picking up on more points within the statement. There isn’t the space here to do that, but those interested in reading more should visit:

Portcullis is a Cisco company specialising in information security consultancy. Services include, but are not limited to risk assessments, security strategies, security testing, CBEST and red teaming, ISO 27001, and Cyber Essentials. For organisations concerned about this emerging threat, Portcullis would be happy to help.

Simon Saunders