
What’s 2023 Cybersecurity Look Like? Trust.

Cyber malfeasance comes in a variety of forms and is conducted by an almost equally diverse threat actor ecosphere. The news is rife with examples of big and small cyber theft of money or data; of disruptive attacks directed against public and private sector organizations; of increasing threat activity against critical infrastructures; of severe vulnerabilities that continue to emerge and need patching; and of mundane and innovative attack types and methodologies that are forever knocking on the cyber perimeter. It has reached the point where the benefits of increasingly advanced and connected technologies are almost on par with the dangers associated with them, a true double-edged digital sword. A quote by the French cultural theorist Paul Virilio captures this sentiment perfectly: “The invention of the ship was also the invention of the shipwreck.” Such is the dichotomy of cyberspace, where hostile actors race to keep pace with the rate of its innovation.

The volume of cyber-related information is daunting to say the least. A “cyber professional” can encompass a multitude of functions and disciplines ranging in technicality. Skills include but are not limited to network security, network architecture, application security, data loss prevention, forensics, vulnerability management, incident response, security auditing, encryption, and threat intelligence, to name a few. When applying a security mindset to cyberspace, it is fairly easy to get lost down a rabbit hole of malware, tools, and vulnerabilities, in addition to the actors that develop them, promote and sell them, and use them. It is unsurprising that cyber security professionals are worn out from a never-ending assault of cyber threats trying to penetrate their organizations’ perimeters. Per one report, more than 90% of security professionals surveyed admitted to being stressed in their roles, with 46% disclosing that they had considered leaving the industry permanently. This is understandable given the volume of attacks organizations face on a daily basis, as any given attack will generate action items for cyber professionals in a variety of disciplines (e.g., writing detection signatures, ensuring patch management and configuration, remediating and removing the threat, conducting forensics where necessary, threat intelligence reporting to inform leadership, etc.).

While the cyber attack kill chain focuses on the step-by-step mechanics of hostile activity, the attackers’ main goal is to abuse the trust that is inherent throughout the model, because trust factors into every level of a cyber interconnected world. Through this prism, trust is a principle that may be as extensive and multi-faceted as cyber itself, as it is the very cornerstone of securing the digital environment. The savvier attackers understand that by successfully exploiting trust, they exponentially increase the chances of success in whatever type of attack they are executing. Consider the following attacks and how trust is targeted and manipulated in order to achieve operational success:

  • End User Exploitation. Social engineering has long been an instrumental tactic to manipulate, deceive, or influence the human element to gain an advantage. Phishing, spear phishing, and Business Email Compromise attacks prey on human nature to gain a foothold into a targeted computer or system. According to one computer security company, thus far in 2022, 90% of malicious data breaches have involved some form of social engineering. This is consistent with 2021 statistics that saw a 270% increase in social engineering attacks across multi-channel phishing campaigns. But not all end user trust is exploited via carefully crafted content. Attackers have been known to deploy watering holes, a type of targeted attack that compromises users – usually within a specific industry – by infecting reputable websites they typically visit. Combining these with socially engineered emails that direct victims to the sites only increases the effectiveness of the attack.
  • Vulnerabilities. Users trust that their computers and systems not only function effectively, but that they are also secure and reliable. However, vulnerabilities inherent in computers call into question system legitimacy, as by definition a vulnerability is a flaw or weakness whose exploitation threatens to violate the confidentiality, integrity, and availability of systems. When looking at newer technologies like the cloud, exposed vulnerabilities call into question trust in these services, particularly as more organizations move toward this solution.
  • Organizations. There is no greater example of the exploitation of organizational trust than supply chain attacks. Most organizations, regardless of size, have partners or trusted vendors that they rely upon and that have some level of access into their systems. It’s little surprise that attackers have sought to exploit supply chains to their benefit, with a reported 650% increase in supply chain attacks occurring in 2021. This situation is exacerbated when the compromised victim is not only trusted but involved in security. The 2020 SolarWinds compromise revealed how savvy attackers could exploit a tech company and weaponize updates that were automatically accepted by customers due to assumed trust. In 2022, the REvil ransomware group compromised Kaseya, a company providing software for managed service providers, infecting more than 1,000 customers with ransomware.
  • Insider Threats. These attacks leverage the human element again, but this time in the form of a trusted individual inside an organization with access to internal systems. Whether witting or unwitting, there was a 72 percent increase in insider incidents, with 42 percent of these activities focusing on the theft of sensitive information, according to a 2022 report. With approximately 66% of organizations believing themselves to be moderately-to-extremely vulnerable to insider threats, and 82% acknowledging they would find it difficult to assess the full extent of damage resulting from an insider threat, it’s easy to see that trust is paramount when it comes to employees within an organization.

We are now in a world where the mantra is “trust no one,” and a prominent cybersecurity strategy being promulgated across the public and private sectors is the concept of “zero trust.” A zero trust model requires that all possible vectors into an organization be monitored, which can be an overwhelming task for security teams often mired in financial and human resource constraints. A 2022 IBM report found that only 41% of surveyed organizations had implemented a zero trust security architecture in their environments, a low number given the cybersecurity state of affairs. Further complicating matters, trust extends beyond architecture and systems, and beyond confirming user identity, device identity, and device health.

As new security technologies emerge to address zero trust issues, organizations need to consider how trust can be targeted and manipulated for nefarious purposes outside the technical space.

For example, in the greater information sphere that leverages the cyber domain to produce, process, and disseminate data, people need to trust the sources of content and stories that help inform their decisions. Exploitation of this type of trust can have negative consequences for an organization’s brand, image, and reputation, potentially impacting public perception and affecting its bottom line. Given the proliferation of disinformation, organizations also need to be cognizant of material being published about them or their industry, and be prepared to validate what’s being spread around and counter-message it if necessary.

One influential consultant said, “Trust is perhaps the most critical single building block underlying effectiveness.” This is especially true as we move into 2023. The CIA (confidentiality, integrity, availability) triad has been around since 1986 and has served as an important security model for organizations. But it is also outdated, and its focus is too narrow. It needs updating to bring it up to today’s standards. Trust, Visibility, and Resilience are natural complements to the triad, as they address the areas in which organizations need vast improvement and are not confined solely to the technological space. Security concerns have expanded past perimeters, and focusing on trust will aid organizations in directing attention where it’s most needed. In 2023, that is the road organizations should take, not only for their own security but for their own success as well.

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.