The cyber battleground

The cyber landscape is constantly changing. With a seemingly endless parade of new attack methods and other security concerns, it can be difficult to stay on top of emerging threats and opportunities. To learn about the latest global and regional developments, we spoke with Jake King, Director of Threat Intelligence at Elastic.

One of the downsides of an increasingly connected world is the speed and efficiency with which cybercriminals can take advantage of new risks and vulnerabilities — something that organisations of all sizes in both private and public sectors now face daily.

It’s no longer enough for enterprises, government agencies and vendors to practise a passive ‘wait-and-see’ approach when dealing with cyber threats. The constantly adapting and evolving environment calls for more pre-emptive strategies and action that is borne out of up-to-date analysis of the major threat tools, tactics and procedures currently employed.

According to Director of Threat Intelligence at Elastic, Jake King, and the rest of the team at Elastic — the company behind Elasticsearch^® — true change means transforming the threat landscape from reactive to proactive. That means weaponising defensive technologies and creating an environment that is inherently hostile to threats. It might seem easier said than done, but King says the path forward is clear.

GovTech Review: The last few years have really created the perfect storm, generating a rapidly expanding threat attack surface. The pandemic gave us digital transformation acceleration, hybrid working, increased mobility and more reliance on cloud services. Combined with sustained development in IoT, AI and machine learning, along with some significant geopolitical events, it’s been a boon for cybercriminals. What has this meant specifically for government?

Jake King: The pandemic changed things for the government. The scale of investment into cyber — infrastructure, programs to get people connected, healthcare responses and integrations — was more aggressive than we had seen in a long time. It transformed the public sector and allowed departments and agencies to extensively fund areas that were probably lacking prior to that. The opportunity now is to realise further dividends on that investment. Establishing these expert teams and utilising cutting-edge technology has made the public sector an attractive option for workers. Now is the time to level up those teams with training and skills development in key areas and new technologies — like generative AI — that will help the sector expertly address the challenges posed by an increasingly complex threat landscape.

GTR: How are those changes driving global threat trends, are they likely to impact our region and what should government agencies do to prepare?

JK: This is an interesting topic — on one hand, threats are borderless so there is effectively no real distinction. On the other, there are definite contrasts in defence and capability across different geographic regions when it comes to specific areas of security focus. We have observed strength in network-based security in some regions, including Australia, whereas other parts of the world, like the US, lean more heavily on endpoint detection methodologies.

Those divergent approaches mean response capability differs. Across APAC, where we have maturity at the network level, we can respond and react at the periphery, though that maturity hasn’t extended to automation upon detection in all cases just yet. It has, however, led to cross effort on the part of threat actors. Where five or ten years ago, we had hours or days to respond, threat actors are now observing and moving very quickly using automation and sophisticated tools. We’ve done deep analysis on specific attack groups, their processes and responses, and we see new threats and capabilities quickly fill the niche of those that preceded them.

The thing to remember is that there are multiple threat groups operating globally. Australia is on the radar — as recent attacks have shown us — but adversarial groups aren’t being drawn by geography, they’re looking for opportunity. They target nations and organisations they believe offer greater potential for financial gain – it’s usually that simple.

GTR: What are some specific insights gleaned from the latest Elastic Threat Labs report that you can share?

JK: One of the key things is the prevalence of business email compromise and the simplicity of many of these attacks. It is incredibly common to see a stolen password being leveraged to gain access to critical systems. We all tend to think of these large breaches as being complex or sophisticated operations when they are really just simple phishing or credential theft attacks — a tactic that is repeated globally.

What has changed, however, is that connected systems are making access available remotely. We now see more instances moving from business systems to infrastructure systems and, most recently, to the cloud. Cloud hosted applications and systems have historically been a bit of a blind spot for organisations, with many failing to recognise them as part of their own enterprise.

Things are speeding up on both sides. Our observation shows that threats of all kinds have adopted new capabilities and methods while increasing their cadence of activity. As organisations have tracked decreasing mean-time to detect (MTTD) and mean-time to remediate (MTTR) metrics, threats continue to act with even greater speed to undermine those efforts.

GTR: What does that mean for government agencies specifically — do their security and defence needs differ from private enterprise?

JK: The intricacies of many government systems — we’re talking large data sets and interaction with multi-faceted services — make security an inherently complex exercise. If it were a private industry, the organisation would hire highly skilled individuals who would be very open in the way they use technology to achieve the optimum security stance. This is not necessarily the current public sector approach in many cases, often due to skills shortages.

We know from our observation that some aspects of the threat landscape cannot be addressed using technology — the right visibility, capability, and expertise are integral to success. This makes it critical for governments at every level to understand their specific attack surface, which means examining threats outside of the public sector, as well as in. Cybercriminals don’t delineate between private enterprise and public, so efforts to understand the threat environment shouldn’t either. It makes sense to look beyond government attack trends and investigate industry sectors that share similar conditions — the Department of Health could benefit more from an analysis of threats in the private healthcare vertical than the Department of Education, for example.

It also means having the right expertise embedded internally. Without it, organisations rely on vendors and service providers to set up, manage and operate security infrastructure. We’ve seen how this has left targeted entities at a disadvantage, whether the threat was a newly announced vulnerability, a threat group determined to extort, or collateral from a geopolitical event.

GTR: Where should we be headed with security approaches and defence strategies?

JK: We know that a significant percentage of all threats achieve a degree of success against technical, procedural and human mitigations, so something has to change. We can’t keep operating in an endless cycle of vulnerability, exploitation, compromise and theft. The key to changing our collective response is to adopt a more open approach to security intelligence. Investments in data collection and our sensory apparatus indicate that visibility is the first step toward comprehension, and comprehension empowers us to act. There is no doubt our understanding of the global threat landscape is as open to change as the landscape itself, but we need to start somewhere. We know that through visibility, capability and expertise, we can create environments that are hostile to threats — allowing us to find them once, in one place, and interfere with them everywhere, all at once. That’s a powerful outcome made possible through the open security approach we are committed to fostering across sectors with our Security Lab activities and research.

Image credit: iStock.com/matejmo