“The best jam is made in old jars.” This is a popular adage that could easily be applied to the cyber world, which juggles with future technologies and new uses while at the same time relying on existing skills and updating old, tried and tested methods for contemporary consumption. We serve up some food for thought.
What are the limits of innovation in the cyber world? That’s a question that everyone's now asking, but no-one can answer. And most importantly, when considering the question, we need to bear in mind the importance of the shared pool of existing knowledge. Because, although innovation is indeed a key pillar in this field, the ability to capitalise on a solid skills base and recycle old techniques is also a core principle of the cyber world.
Markets that had hitherto been unaffected by cybersecurity threats are now finding themselves on the front line, and tomorrow's next big headline cyberattack will probably be built in large part on the foundations of a previous attack. In other words, a cunning blend of the old and the new that serves the interests of key cybersecurity players as well as it does those of attackers, and engages the ecosystem in an almost permanent arms race between the two camps. Hence the need for those on the defensive side to form a common front by sharing knowledge and best security practices.
Skills that are obsolete in some sectors, but ideally suited to others
When we think of cybersecurity, we think first and foremost of the world of “IT” (information technology), a term covering everything related to computing and the Internet. We are less inclined to think of “OT” (for “Operational Technology”), which applies particularly to the industrial sector, a sector that is now quickly opening up and transforming and, in its turn, facing its share of cybersecurity issues.
IT is a constantly evolving world: new applications, new devices, new uses, and even new user groups, with the arrival of older users in this sector. Cybersecurity players have learned to live with this frantic rate of change, and to devise protective systems without having a clear vision of everything that could potentially happen. “We need to accept the risk and create security solutions based on this philosophy,” says Matthieu Bonenfant, Chief Marketing Officer at Stormshield. Conversely, the world of OT is much more controlled and predefined. Every command sent to every component of the industrial system matters, and must be known and referenced. This is the polar opposite of improvisation, because the stakes are so high: “By taking the risk that you might be sending the wrong command to an electrical substation, for example, you're taking the risk of bringing down the whole network,” Matthieu Bonenfant adds.
But just what do IT and OT have in common? That's right, cybersecurity – and more specifically, the cyber world's ability to recycle various tried and tested defensive techniques. Protective methods that for decades have proved their worth in the IT world are also a perfect match for issues in the OT sector, which has been having to deal head-on with cyber issues since the advent of Industry 4.0. “The arrival of cybersecurity in industry is still a fairly recent phenomenon, and what worked a few years ago for IT can still work today for OT,” explains Adrien Brochot, Product Manager at Stormshield. Working from this observation, cybersecurity actors in general – and therefore publishers in particular – must be able to capitalise by sharing their knowledge to replicate existing methods of defence on these new infrastructures.
Take, for example, the case of IPS (Intrusion Prevention System), which provides a detailed analysis of network communications in order to check that a flaw in a protocol has not been exploited or a malicious command inserted. While IPS is still of genuine use in the IT world, the system is proving even more invaluable in industry, where the consequences of altered connection content can be catastrophic. The need to authorise only information that is deemed to be legitimate and matches a set pattern of behaviour is often critically important in this context. The world of OT had previously had little connection to the Internet. Today, however, operational networks are directly or indirectly connected to the Web – as are production lines, which are subsequently exposed to cyber threats and attack types similar to those used in the past against IT targets.
New from old: the same goes for cyberattacks
The same principle applies to cyberattacks, too, which also draw upon the full range of options presented by changes in the cyber world: cyberattacks take advantage both of yesterday's skills and today's technological advances.
In reality, 90% of new attacks are based on old ones, and attackers are simply adapting them to get through security barriers and break into a system.Adrien Brochot, Product Manager Stormshield
Although new vulnerabilities and environments are exploited by attackers, the actual principles behind the exploitation of these vulnerabilities and environments change slowly. And to ensure that cyberattacks are profitable, groups of cybercriminals often turn to tried and tested recipes of the past. “In reality, 90% of new attacks are based on old ones, and attackers are simply adapting them to get past security barriers and break into a system,” says Adrien Brochot. After all, recycling is a hot topic in cybersecurity too, some “new” malware actually being nothing more than variations of its predecessors.
In fact, the databases that identify such malware and its multiple variants are becoming too dense and heavy to be supported by operating systems. Consequently, such databases only include the most recent malware signatures, providing attackers with an opportunity to exploit old and almost forgotten malware... such as the Emotet malware, for example, which was originally observed in attacks in 2014 and which, according to France’s ANSSI national information systems security agency, is now back in circulation as of autumn 2020.
Cyberattacks are also frequently carried out at different periods of time; firstly, because they have proven their effectiveness in the past; and secondly, because even though patches are published when a vulnerability is discovered, not everyone applies these patches; or at least, not simultaneously: this time lag provides a perfect entry point for attackers, who can also take advantage of this new, freshly revealed flaw.
Indeed, for a number of years now, there has been a considerable media focus on the discovery of vulnerabilities and cyberattacks; this varies according to the latest fads, serving the interests both of those seeking to protect themselves from them and of those seeking to exploit them. Some types of attack have received particularly strong media coverage, such as ransomware, webcam “sextortion”, and also the notorious CEO scams. This type of attack has really come to the fore in recent weeks with the Covid-19 health crisis: there has been an upsurge in instances of identity theft (ministers, hospital directors and other key health crisis players) with the aim of extracting money. However, there are also types of attack which, by contrast, literally fly under the media radar, and are nurtured by a part of the ecosystem that analyses them – with some state agencies using this method so that they can discreetly exploit them later at a safe distance from any buzz effect. For a more detailed discussion of this topic, the “Shadow Brokers” episode of the Darknet Diaries podcast is essential listening.
The key issue for attackers is, and will always be, to exploit areas that are poorly protectedMatthieu Bonenfant, Chief Marketing Officer at Stormshield
“Cyberattacks and the fashion industry evolve in somewhat similar ways: there are new things, old things and new things created from old codes”, Matthieu Bonenfant wryly notes, adding that “some old technologies will quickly reach their limits, and will therefore be adapted and brought up to date to make them efficient again, and so on, ad infinitum.” In 2017, the Wannacry ransomware attack made a lot of headlines, partially crippling a large number of major companies and organisations. And yet Wannacry – just like NotPetya a few months later – was propagated in a very similar way to the Conficker worm some ten years earlier.
Building on old methods, tailoring cyberattacks, making use of technological advances ... if you had to summarise the evolution of cyberattacks into one single concept, here’s the most important thing to remember, according to Matthieu Bonenfant: “The key issue for attackers is, and will always be, to exploit areas that are poorly protected”.
So what role do cybersecurity solutions play in all of this?
After all, the key role of cybersecurity solutions is to protect. But if they are to fulfil this protective role, we first need to establish how cyberattacks work and understand cyber incidents. Examining and analysing the operating methods of attackers and being on constant watch for the latest flaws discovered, developing systems capable of gathering “traces” for cyberattacks... these are all key elements in adopting an adequate defensive posture.
Security analysts play a decisive role in the ability to assess a cyberattack. Their role is both to identify the attack vector (the network, a USB key, etc.) and to understand the action(s) performed by the attack and the way it spreads through networks, whether IT or OT-based. Such information is necessary for good control over the cyber-ecosystem – listing the different types of attack, having access to catalogues of vulnerabilities and patches – but also making it possible to take in the wider picture and tailor cybersecurity solutions accordingly. The “tech” point of view is therefore essential in diagnosing a cyberattack and understanding its impact.
The way in which the cyber world is changing is a challenge for cybersecurity players, including publishers in particular, who must focus on new techniques and how they develop while at the same time keeping an eye on existing ones. They have a sort of “duty to remember”, and it is their responsibility not to overlook old protection techniques which gradually fall into disuse over time, because this is precisely what attackers are counting on. Just like Emotet, which was discussed earlier in this article, other items of malware regularly make spectacular comebacks, such as those based on Office suite macros. Malware is never more dangerous than when it is believed to be extinct.
In the same spirit of creating continuity between the old and the new, publishers of cybersecurity solutions “have a crucial informative role to play in the ecosystem: conferences, exhibitions, writing white papers, presenting use cases, etc.”, explains Adrien Brochot, who sees such tools and opportunities for exchange as facilitating the sharing and leverage of knowledge within the cyber community.
The importance of sharing knowledge and best practices
To get the best out of changes in the cyber world and the digital era, cybersecurity players would do well to consider themselves as an ecosystem and make cybersecurity a common cause and collective responsibility. Even though many players in this ecosystem are competitors, this in no way prevents the sharing of information and knowledge, and the creation of partnerships. In addition, many technical databases are accessible to the community and updated by it, such as VirusTotal, which analyses and identifies suspicious files potentially containing a malicious payload, or MITRE ATT&CK, which lists a large number of attack techniques and provides cyber players with access to an up-to-date reference system.
This sharing of knowledge can also be achieved via public interest groups, such as the cybermalveillance.gouv.fr portal in France, which enables companies and individuals to report malicious actions perpetrated via the Web. Or also through information technology attack alert and response centres (the famous computer emergency response teams [CERTs] and computer security incident response teams [CSIRTs]), providing near real-time information on major cyber threats. These CERTs can be either public or private, national (CERT-FR in the case of France) or international (CERT-EU for the European equivalent). “The ecosystem of cyber players is very rich in information and tools, but also very diverse in the way it presents and identifies knowledge: this poses something of a challenge when you need to sort through it and quickly and easily access the information that you need,” explains Matthieu Bonenfant.
Here again, the technical layer (aka the security analysts) plays a decisive role in the ecosystem's ability to share its best security practices and skills. These experts have their own ecosystem within the cyber community, out of reach of any possible commercial disputes or other competitive strategies. And this represents a real boon and genuine added value for cyber players, because in this case, the process of pooling knowledge in this case is being driven by technical considerations, with a thirst for learning that irrigates the whole ecosystem. In this way, technical analysts analyse, dissect and share their findings, with a goal of constant improvement.
Sharing knowledge and best cybersecurity practices is therefore an essential aspect of the ecosystem in that it encourages cyber players to challenge themselves, improve, adapt and dream up the increasingly effective solutions of the future, in the interests of risk prevention and analysis.