“It is not a matter of if but when you will be hacked.”
This sums up the current digital-native ecosystem. The Lapsus$ hacking gang first made headlines in December 2021 when it launched a ransomware attack against the Brazilian Ministry of Health, exposing the COVID-19 vaccination records of millions. It has since targeted several high-profile firms, including Nvidia, Samsung, Microsoft, and Vodafone. Lapsus$ also recently disrupted Ubisoft services and breached an Okta contractor’s laptop, jeopardizing the data of thousands of organizations.
Why are such cyberattacks still prevalent?
Despite companies investing time, effort, and money in building robust cybersecurity strategies, they are unable to view cybersecurity holistically. Adding layers of security products, increasing cybersecurity investments, auditing at regular intervals, and similar initiatives only provide a sense of security without adequate visibility. In today’s dynamic digital environment, businesses need to know their cyber risk posture across the enterprise and break it down into business groups, critical assets, employees, policies, and third parties in real time.
Cybersecurity is still siloed, reactive, and lacking in business context, making it difficult for organisations to know their real-time risk posture or derive actionable insights from it. The truth is that until cyber risk is measured, an organisation’s cybersecurity cannot be well managed.
How can businesses initiate or augment their journey towards proactive risk management?
An observation of the tactics, techniques, and procedures used by the Lapsus$ group reveals that they rely on relatively unsophisticated methods to breach an organization. They usually target employees or use services and tools available on the deep and dark web. Interestingly, their attacks are not motivated by money alone: in the Nvidia hack, for instance, the group asked the company to make its graphics cards more efficient for mining cryptocurrency as part of its extortion demand.
According to IBM’s 2022 report, four out of ten attacks start with phishing. The lack of a holistic way to look at employee security has been exploited by multiple cybersecurity adversaries, not just the Lapsus$ group. Employee cyber risk posture is a function of who they are, their history and status of employment, what devices they own, how they access critical information, what level of access they have, and why. However, businesses continue to focus on phishing, vishing, and Business Email Compromise (BEC)-style threats and train employees to reduce the risk of being breached.
This is an excellent first step, but accurate visibility into employee-related cyber risk comes from aggregating all signals from allied cybersecurity services into a specific, overall employee risk score. User and Entity Behavior Analytics (UEBA), Cloud Access Security Broker (CASB), Endpoint Detection and Response (EDR), company cybersecurity policies on passwords, Identity and Access Management, operating system updates, deep and dark web credential exposures, and other factors could all feed into this metric.
The other growing risk is unmonitored access to sensitive business information by third parties. A report published in 2022 reveals that 34 percent of organizations use more than 50 SaaS apps and over 16 percent use more than 100 SaaS apps.
As vendor networks become more widespread, ‘buffalo jumping’ or ‘one-to-many’ cyberattacks, such as the Lapsus$ breaches, will become more commonplace. We have already seen this happen with SolarWinds, Nobelium, and Kaseya. Rather than only depending on annual questionnaire-based or Security Rating Services assessments, organisations should get a 360-degree view of their third-party risk posture with outside-in and inside-out scanning, using automation and API-based integrations.
Businesses concerned about cyber resilience and maintaining a robust cybersecurity ecosystem already have access to a large amount of valuable data at their fingertips from the variety of cybersecurity initiatives in their security estate. What’s missing is the method to aggregate this data, leverage sound data-science-backed technology to quantify that risk, and finally prioritise its acceptance, mitigation, or transfer. This rethinking of risk management will enable organisations to take a smarter approach to cybersecurity—choosing informed decision-making over guesswork.
This powerful capability cannot be implemented overnight.
As the Cybersecurity and Infrastructure Security Agency (CISA) outlines in its ‘Shields Up’ guidance, “the first step to resilience is to reduce the likelihood of a damaging cyber intrusion.” However, to reduce the likelihood of an incident, an organisation must be well managed in security, which first requires quantifying the probability of a hack happening anywhere across the organisation.
Cyber Risk Quantification platforms that aggregate signals through API integrations are built on algorithms that account for globally accepted standards and risk governance frameworks, and they remove human error through automation. Such platforms can help business leaders become proactive, remove silos, communicate cybersecurity in a business context, improve the efficiency of security initiatives, and prioritise mitigation.
Emerging cybercriminal groups like Lapsus$ and nation-state adversaries alike (Cozy Bear, responsible for the SolarWinds attack) are able to bypass basic IT security best practices such as multi-factor authentication.
“No limit is placed on the amount of calls that can be made,” said a Lapsus$ group member on their official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrolment portal and enrol another device.”
According to the American cybersecurity firm Mandiant, this is precisely what was done during the Nobelium data breach carried out by Conti.
Drawing on the employee risk example given earlier, the exposure of any employee’s credentials, or suspicious UEBA signals such as superhuman employee logins (logins that no single person could physically have performed), would immediately trigger a real-time increase in the estimated probability of a data breach and send alerts to the relevant stakeholders.
Similarly, any suspicious activity involving vendors and SaaS service providers, such as a misconfigured AWS S3 bucket (Amazon’s cloud object storage) or unexpected employee activity, would trigger the same real-time increase and the same alerts. This granular and dynamic visibility of security vulnerabilities across the enterprise is an invaluable asset to any digital trust-based business. It is time for security executives to get the visibility to confidently lead a modern and secure business with cyber risk quantification.
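The signals the article names (MFA prompt flooding as in the quoted Lapsus$ tactic, “superhuman” logins, and exposed credentials) combined into a single per-user risk score, as an added example that is not from the original article or any vendor platform. The event tuple format, the constructed sample events and exposure feed, the signal weights, and the 900 km/h and 5-prompts-in-10-minutes thresholds are all assumptions chosen for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed identity-provider events (sample data, not from any real tenant): (ISO timestamp,
# user, kind, detail); detail is the prompt result for "mfa_push", the source (lat, lon) for "login".
EVENTS = [(f"2022-03-01T01:0{i}:00", "alice", "mfa_push", "denied") for i in range(5)] + [
    ("2022-03-01T08:00:00", "bob", "login", (51.5, -0.1)),   # London
    ("2022-03-01T09:00:00", "bob", "login", (1.35, 103.8)),  # Singapore, one hour later
    ("2022-03-01T09:00:00", "carol", "mfa_push", "approved"),
]
EXPOSED_CREDENTIALS = {"carol"}  # constructed deep/dark-web credential exposure feed
WEIGHTS = {"mfa_fatigue": 40, "impossible_travel": 50, "credential_exposure": 30}  # assumed weights

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def by_user(events, kind):
    out = {}  # user -> time-sorted (datetime, detail) pairs of the requested kind
    for t, user, k, detail in events:
        if k == kind:
            out.setdefault(user, []).append((datetime.fromisoformat(t), detail))
    return {u: sorted(v, key=lambda e: e[0]) for u, v in out.items()}

def mfa_fatigue(events, min_pushes=5, window_min=10):
    """Users who received >= min_pushes MFA prompts inside window_min minutes (push bombing)."""
    flagged = set()
    for user, pushes in by_user(events, "mfa_push").items():
        for i in range(len(pushes) - min_pushes + 1):
            span = pushes[i + min_pushes - 1][0] - pushes[i][0]
            if span.total_seconds() <= window_min * 60:
                flagged.add(user)
    return flagged

def impossible_travel(events, max_kmh=900):
    """Users whose consecutive logins imply faster-than-airliner travel between locations."""
    flagged = set()
    for user, logins in by_user(events, "login").items():
        for (t1, g1), (t2, g2) in zip(logins, logins[1:]):
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 60)  # floor at one minute
            if haversine_km(g1, g2) / hours > max_kmh:
                flagged.add(user)
    return flagged

def risk_scores(events=EVENTS, exposed=EXPOSED_CREDENTIALS):
    findings = {"mfa_fatigue": mfa_fatigue(events), "impossible_travel": impossible_travel(events),
                "credential_exposure": set(exposed)}  # each signal contributes its weight once per user
    users = set().union(*findings.values())
    return {u: sum(w for s, w in WEIGHTS.items() if u in findings[s]) for u in users}
```

With the sample data, bob’s single impossible-travel finding already reaches 50 while alice’s prompt flood and carol’s exposed credential each raise the score without crossing it, which is the kind of weighted, per-employee aggregation the article argues for.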