ALTEN: Cyber Trends
Mar 31, 2023

The rise of Internet and the democratisation of digital technology have led to an exponential development of positive uses that are now a common part of our daily lives. But they have also left the door open to other forms of use which constitute real risks of varying magnitude, and may affect individuals, professionals or even States.

In the face of increasing software attacks and the emergence of “as a service” threats, the cyber risk continues to intensify through attackers who are becoming more professional as quickly as, or even faster than, the defence can be organised. In response to these risks, cybersecurity is now a necessity.

Cybersecurity is still relatively unknown and not always well enough controlled, yet it is an essential discipline to which ALTEN contributes. And the starting point for this is a good understanding of what it covers.


CYBER WARFARE: WHO AND WHAT ARE WE TALKING ABOUT?

Attackers with a variety of profiles

State-sponsored, cyber-mafia, individual hackers, etc.

Increasingly powerful and complex multi-vector attacks

Ransomware, Distributed Denial of Service, Supply Chain attacks, etc.

Many challenges for Information Systems Security Managers (ISSMs)

Defence in depth, Identity Access Management, enhanced Cloud protection, DevSecOps, etc.

Preparing for defence by better understanding the threat

Using real-life cases, Laurent Vromman offers an overview of the major cyber-trends of the coming months in a three-part dossier:

Attackers with many faces

The 3 hot attacks to watch out for

The CISO: a cyber-risk insurer!

“It’s a real game of cat and mouse, with hackers becoming more professional at a speed that matches the pace at which companies are countering their threats; cybersecurity will continue to be a fascinating topic, and the coming months will be packed with learning experiences and great advances in this field,” said Laurent Vromman, Director of IT Practices and Cybersecurity Practice Manager, ALTEN.


Cyber Trend 1: Attackers with many faces

What are the new trends in cybersecurity? What new challenges and objectives does this imply? Laurent Vromman, Coordinating Director for IT Practices and ALTEN Cybersecurity Practice Manager, explains this little-known discipline and offers an overview of the major cyber trends for the coming months.

The best way to understand cybersecurity is to start by understanding what it provides a response to: a growing threat. The term “threat” covers two distinct concepts: “attackers” – the subject of this first part – and attack techniques (see Part 2).

Groups of cyberattackers can be classified into three broad categories:

Large groups of hackers who are often “sponsored” by states

Cyber-mafia organisations

Individual hackers, sometimes in small, loosely organised groups.

The current trend is towards increasing professionalism in the sector: as defence methods become more organised, with increasingly complex protection capabilities, attackers need to be structured and innovative in order to be able to circumvent them.

State or state-like threats target other states, directly or indirectly via their industrial infrastructure, for various reasons including destabilisation, sabotage, espionage, etc. These are often sophisticated, ongoing, multi-vector attacks (i.e. using several cyberattack techniques together) and yet are very discreet. Among the most famous examples are the SolarWinds attack – a computer infiltration that targeted the US government in 2020 – and the 2021 attack on Colonial Pipeline, a US group managing almost half of the fuel consumed on the East Coast, which was forced to pay a ransom of 4.4 million dollars to hackers (the Russian government has announced that its FSB has dismantled the group behind this attack, known as REvil). This constant and sustained state pressure is also known as “cyber-coercion”.

At the non-state level, a twofold trend is apparent.

Firstly, there is the growing professionalism of certain attack groups, made up of individuals organising themselves into gangs or cartels. They see everyone as a potential target – from large companies to individuals – for money laundering, extortion, theft and fraud. Their attacks are shorter and more direct, but their impact is no less significant. What characterises these groups? The fact that they pool their resources and infrastructures in order to be more efficient and to offer new services. The business model of “IT as a service” tools – “platform as a service”, “software as a service”, etc. – is now being extended to cyberattacks, for example with “Ransomware as a Service” (RaaS): a third party chooses a target, the attack is carried out by the RaaS platform, and the gains are then shared with the infrastructure provider. These services are increasingly varied, covering not only ransomware but also phishing and DDoS…

Secondly, this increasing professionalism has led to the emergence of a new category of cybercriminals, much less technically expert than a few years ago because they are able to use these off-the-shelf “as a service” offerings. The result? Anyone is now capable of controlling a large-scale cyberattack, despite the increased complexity of attack methods. Outsourcing the technical side to specialised service providers gives them access to increasingly significant technical know-how for finding security flaws and vulnerability combinations, which the defending side tends to fix only as they are discovered.


Cyber Trend 2: 3 hot attacks to watch out for

Among the multitude of existing cyberattack techniques, most of which are multi-vector, there are three to be particularly wary of: ransomware, Distributed Denial of Service attacks (DDoS) and Supply Chain attacks. Let’s take a look at each of them, and consider how to avoid and detect them.

Ransomware

Ransomware has the distinguishing characteristic of taking personal data hostage and claiming to be able to return it for a ransom (usually in cryptocurrency). Ransomware is currently riding on three trends.

First of all, this type of attack is increasingly targeted and structured, in line with the increasing professionalism of the threat. This more vertical, planned targeting is emerging because some organisations are more willing to pay ransom than others. This is true of hospitals, local authorities and the Colonial Pipeline company, mentioned above. The financial, economic, social – and in some cases even safety – risks to human life leave them with no choice. As a result, the proportion of organisations opting to pay ransoms has soared in recent years, with almost 65% of companies now choosing to pay at least part of the ransom demanded.

Ransomware is also an attack subject to the “as-a-service” rule, making it accessible to all, with the complexity of implementation being outsourced to the service operator.

Finally, it is important to mention the concept of double jeopardy, a new “idea” developed by hackers. Not only do the hackers encrypt the data, but before that, they steal it. There is therefore no guarantee that once the data has been recovered from the hackers, it will not be retained in some way by them for potential future attacks, or even for a further extortion attempt using the threat of revealing confidential or sensitive data. The threat of double jeopardy thus remains constant.

Several groups, such as LockBit, Conti or ALPHV, have been particularly active in this field in recent months.

DDoS attacks

DDoS attacks refer to the saturation of a server by thousands of machines, made possible mainly by the use of “botnets” (networks of compromised machines).

The associated trend is that the price of entry for carrying out such attacks has been considerably reduced, due to the transformation of DDoS into “DDoS as a service”. These services enable third-party organisations to carry out attacks, for a fee, with shared infrastructure.

Increasingly frequent in recent years, DDoS attacks have seen their size records increase fourfold in 8 years.

This exponential development can also be explained by the widespread use of smurf attacks. With this method, the size of the botnet becomes less critical. Moreover, since the attacks are carried out by bouncing off uncompromised servers, they are seen by the target as ordinary traffic. This trend, and its associated attacks, will continue to accelerate; and ultimately, only the large web players will have the resilience to deal with it. Microsoft suffered a record-breaking attack at 3.47 terabits per second. Even more surprisingly, Andorra suffered widespread internet outages in January 2022, leaving its 80,000 subscribers without internet access due to DDoS attacks that spanned several days. The probable motive for the attack was to prevent players from participating in a Minecraft competition…

More recently, the Ukrainian conflict has highlighted the use of DDoS attacks to destabilise opposing IT infrastructures. DDoS attacks are tactical weapons that are easy to deploy in an armed conflict, as they are quick to set up and do not require privileged access that can take a long time to obtain.

Supply-chain attacks

The latest “celebrity” attack type in cybersecurity: supply-chain attacks. Their principle? Attack one of the target’s suppliers in order to hit the target itself. The risk of this type of attack is increasing.

Today, more than 60% of attacks on the supply chain are successful (compared to 44% in 2020).

There are two ways of achieving this, which equate to two different modes of attack.

The first is to attack the network by bouncing off a network of suppliers. The most high-profile example is that of Target, a North American retailer: in 2013, hackers broke into Target’s information system using the access credentials of its air-conditioning supplier, obtained through a phishing campaign. Such access, which normally has a purely technical use linked to the management of air-conditioning units, was not considered sensitive but nevertheless constituted a link with the company’s network which the hackers were able to exploit. This type of threat is taken very seriously by major industrial companies, whose networks are regularly connected to those of their subcontractors and suppliers to enable data sharing, as a means of delivering efficiency and performance.

The second type of supply-chain attack uses a software production chain to infect a legitimate program (the aforementioned example of SolarWinds is an illustration of this, with compromised software distributed to third parties).

What makes this mode of attack different is the way in which it targets open-source components, making its spread potentially wider and faster. Contrary to popular belief, open source – with its verifiable open code – offers no guarantee that the code has been properly reviewed and verified, and is therefore not necessarily secure. Faced with the quantity of existing software and the billions of lines of code associated with it, exhaustive and perfect checking is unattainable, and flaws (whether intentional or not) can easily slip in. Some hacker groups therefore take advantage of this to add loopholes to serve their purposes. This is a very recent trend, but one that is sure to accelerate.

Indeed, supply-chain attacks have also proliferated in recent months on open-source frameworks. They sometimes target the core of the software, such as PHP (CVE-2021-29472), to create a backdoor. They can also target peripheral modules such as Python packages: the Python ecosystem suffered an automated attack that created 3,500 “typosquatting” packages whose names were spelled almost like legitimate ones, in an attempt to trick developers into unknowingly downloading malware that turned their machines into unwitting crypto-currency miners. More recently, npm has been the target of typosquatting campaigns specifically aimed at Microsoft Azure users, with more than 200 malicious packages stealing user and network data, with the possible aim of paving the way for a larger attack.
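As an added illustration of the typosquatting problem described above (example code written for this page, not code from the article or from ALTEN), the following check flags declared dependencies whose names are one edit away from a well-known package, after applying the same name normalisation that PyPI uses. The allow-list of known packages and the requirements sample are constructed for the example; a real allow-list would be generated from the registry’s most-downloaded packages.

```python
import re

# Constructed allow-list (assumption for this example): in practice, generate it
# from the registry's most-downloaded package names.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "python-dateutil", "boto3", "cryptography"}

# Constructed sample of a requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0     # exact match: trusted
reqeusts==2.31.0     # transposed letters
numpy>=1.26
python_dateutil      # same package once the name is normalised
b0to3                # digit substituted for a letter
cryptograhpy
"""

def normalise(name: str) -> str:
    """PyPI compares names case-insensitively and treats '-', '_' and '.' alike."""
    return name.lower().replace("_", "-").replace(".", "-")

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition counts as one edit
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def parse_requirements(text: str) -> list[str]:
    """Extract bare package names from requirements-style lines (name[extras]==version ; marker)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(re.split(r"[\s\[<>=!~;]", line, 1)[0])
    return names

def typosquat_candidates(dependencies, known=KNOWN_PACKAGES, max_distance=1):
    """Return (dependency, nearest known package, distance) for near-miss names.

    Exact matches after normalisation are trusted; a name within max_distance
    edits of a known package, but identical to none of them, is a candidate.
    """
    norm_known = sorted(normalise(k) for k in known)
    hits = []
    for dep in dependencies:
        n = normalise(dep)
        if n in norm_known:
            continue
        nearest = min(norm_known, key=lambda k: edit_distance(n, k))
        dist = edit_distance(n, nearest)
        if dist <= max_distance:
            hits.append((dep, nearest, dist))
    return hits

if __name__ == "__main__":
    for dep, near, dist in typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"suspicious: {dep!r} is {dist} edit(s) from {near!r}")
```

A near miss is a signal for review, not proof of malice; the check is most useful as a pre-install gate in CI, where a flagged name blocks the build until someone confirms the package.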

Cyber trend 3: the CISO as a cyber risk insurer!

As the cyber threat intensifies, the challenges for Chief Information Security Officers (CISOs) become more numerous in their attempts to control the associated risks.

Business focus vs. Cyber risk management

Unlike the CIO, whose primary mission is to be a “business enabler” by providing the company’s various functions with the digital tools best suited to their missions, the CISO’s role is to control risks.

Indeed, for the third year in a row, cyber risk is the number one risk feared by companies (according to the Allianz Global Corporate & Specialty Corporate Risk Barometer). The prevention of cyber risks is therefore becoming a central issue in corporate governance.

Of course, the deployment of cybersecurity solutions requires the two functions to work hand in hand. There is then a necessary sharing of information system security tasks, highlighting the need for the independence of the CISO, who is both a prescriber and the controller of the proper implementation of security policies.

The CISO:

Measures risks and threats

Specifies security policies

Checks that these policies are applied

Manages cybersecurity solutions

Detects and responds to attacks

The CIO:

Implements the technical aspects of security policies

Secures the information system

Ensures that the IS is maintained securely

The CISO also needs to be independent from the CIO in order to allow for the proper ranking of priorities in terms of cyber-investment. Indeed, the impact of a serious cybersecurity incident is such that it inevitably imposes a cost upon the company, which can sometimes reach several hundred million euros. It requires investment decisions to be handed over to the management committee, and is not simply an adjustment variable for the IT department’s budget.

Defence in depth and zero trust: protect at all levels, and trust no one!

A few years ago, in the field of cybersecurity, only perimeter security (firewalls, DMZ, VPN, IDS/IPS, etc.) was implemented. This is no longer sufficient, and must be supported by physical security (badges, surveillance, cameras, etc.), network security (network segmentation, encryption, probes, etc.), equipment and server security (patching, hardening, ACL, monitoring/AV/EDR, etc.), application security (IAM, ACL, MFA, updates, vulnerability management, DevSecOps, etc.), data security (encryption at rest, DLP, etc.) and policies and procedures (threat management, standards, training, awareness, etc.).

This defence in depth is all the more necessary given that the multi-vector nature of threats allows physical access to be opened through means such as a cyberattack, and vice versa. So everything has to be taken into account in every data item and application, at every level, and everything has to be continuously maintained.

Defence in depth is now complemented by the concept of zero-trust security, an approach in which any concept of trust disappears completely. The mantra is simple: be suspicious of everything, all the time, and never grant trust without constant control. This applies to rights, to the legitimacy of a flow, of a login, of the attachments of an e-mail, etc.; everything must be checked.

Identity Access Management: learning to control the uncontrollable

Identity, access and rights management (IAM) is an increasingly complex organisational and technical issue. This is no longer just a problem of the minimum length of passwords in the Active Directory (company directory), but instead of the management over time of identities and associated rights, acquired progressively for a multitude of tools.

And this is where the real challenge lies for the CISO: controlling the life cycles of rights, access and identities. Very often, the reason why these life cycles are not controlled is that we do not know how to track the relevance of, and the underlying issues behind, the associated usage practices: is such and such an account that has existed for X years, providing access to such and such tools and information, still being used today? How many people have access to it? If we delete an account linked to an industrial system that no longer meets the standards, are we not at risk of compromising ongoing operational activities, sometimes linked to huge financial stakes? These difficulties illustrate the CISO’s inevitable task of balancing risk, in order to limit the impacts and be able to manage them.

Too few companies have yet achieved maturity in this area, yet a professional attitude towards IAM has become essential because poor access management or poor segmentation of authorisations is involved in most attacks. Before achieving this final objective, the CISO will first have to gradually build a more integrated and focused system. This will first and foremost have to rely on a well-structured Active Directory, manage privileged accounts (accounts that have more extensive permissions than usual) with tools and procedures, and then extend the identity and access life cycle management process to all of the company’s users and IT systems. This iterative process requires in-depth organisational, technical and training changes, and is usually carried out over several years.

Protecting the cloud: a new imperative

More and more data is hosted in the Cloud, with no control over the security of the infrastructure, and with more complex and high-level off-the-shelf services. This new technological reality is prompting the emergence of specific protection methods (WAF, CASB, data security, access management, etc.). Few staff are trained in cloud protection, and this is where another challenge lies: reversing the trend and recruiting such experienced staff.

DevSecOps or SecDevSecOpsSec? End-to-end security

DevSecOps refers to the fact that the software development cycle integrates security aspects (securing the development chain and the deliverable). Everyone talks about it; but in reality, few development teams have any real maturity on the subject, and so too few projects in the field completely take account of the notion of security.

There is therefore a very strong need for support and training for developers and system architects in this area (and in particular on attacks and the solutions that protect against them), in order to limit and eventually eliminate the introduction of security flaws into their code.

Too often, developers see security as an issue that affects the development framework or even the infrastructure teams: “DevSecOps must become a matter of culture for the groups concerned,” says Laurent Vromman. He adds, “Personally, I would even call it a SecDevSecOpsSec culture, so as not to suggest that security is only managed between development and deployment, but rather from start to finish: throughout the software life cycle, from the architecture stage and even during its operational life, because new vulnerabilities are constantly emerging and you have to learn how to protect yourself against them on an ongoing basis.”

Investment, support, training, tools… these are the assets that the CISO will have to leverage to initiate change both inside and outside the company in order to understand and control the cyber risk.

“It’s a real game of cat and mouse, with hackers becoming more professional at a speed that matches the pace at which companies are countering their threats; cybersecurity will continue to be a fascinating topic, and the coming months will be packed with learning experiences and great advances in this field,” Laurent Vromman concludes.