This article was produced in partnership with Altus.
Mia Wallace, of Insurance Business, sat down with Aaron Cain, cyber security consultant at Altus, to discuss how corporations can try to keep pace with cyber criminals.
What springs to your mind when you are asked to imagine a ‘typical’ hacker? For many, it’s a picture that has changed substantially in recent years – with the image of a hoodie-clad youth sitting alone in their room gradually being overlaid by market reports of highly sophisticated and well-structured organisations boasting teams of threat actors.
However, as tempting as it can be to shift from one narrative to another, as with so much around cyber, the picture of the online threat actor landscape is more nuanced than any simple interpretation. This nuance comes back to the message central to the work that Aaron Cain (pictured) and his team at Altus are doing – creating accessible discussions around cyber risk without falling into the trap of assumptions and oversimplification.
Looking at the current risk landscape, Cain – a cyber security consultant with Altus – highlighted that cyber criminals, with exceptions, can generally be sorted into three categories. The first of these are state actors often assumed to be located in North Korea, Russia, several locations in the Middle East, or China. These are intelligent individuals who have been given a way out of poverty or into a better life than would otherwise be available to them.
“Nation-state groups create various pieces of malware – for instance, the WannaCry [malware] – that cyber specialists researched and saw it had North Korea’s or Russia’s or somewhere else’s fingerprints on it and thus could be identified as a state-sponsored attack,” he said. “So, states bring out something and it hurts their adversary’s marketplace and has an impact. However, once that impact is mitigated, they then take that packet of software and put it on to the dark web version of GitHub.
“The next category of hackers are those located anywhere in the world who then acquire that particular piece of malware. Where the nations have been using it at the state level, individuals can now use it at that next level – which is targeting corporations, small businesses, etc. They add their own wrappers, and if they’re smart enough, sometimes they recode it. In many cases, it comes with a complete operating manual on how to deploy it and how to get your payment out. ”
Cain noted that what makes this category of threat so daunting is that, with an internet connection and nothing else to do with their day, these hackers can be tireless in chasing one exposed prospect after the other. They’re not sophisticated, he said, but they don’t have to be because they’re using services somebody else has put together to relentlessly scan for any weakness in a business’s infrastructure.
Further compounding the issue is when the code becomes ‘Ransomware as a Service’ with hacking consortiums supporting users in these deprived areas. They invite successful hackers to join the business, he said, offering a monthly salary, skills upgrades, and English lessons among other perks. Having teams of such individuals hitting and re-hitting targets until something gives is still how a lot of cyberattacks are getting through.
“And are we going to put them in jail?” he asked. “We can find them, but even if we find them and pin down what it is they’re doing, what can we do? Absolutely nothing, because they’re in countries that don’t allow us to… So, when you’re dealing with that level of threat, you’re dealing with the major growth of the problem - like dust at the bottom of a cloud that just spreads and spreads.”
Considering the third category of risk, he said, corporations find themselves dealing with hacktivists – people who are morally outraged with an organisation and are looking for a way to do it damage. Traditionally, Cain said, the easiest way to hurt a company doing something you don’t like was to take its money away. Ransomware and denial of service attacks were the most popular way to do this, hitting a company financially while also doing reputational harm and raising the profile of the hacktivist’s cause.
“However, it’s a changing world,” he said, “and people have started to realise that even if I do get through, all that really gets affected is [my target’s] insurance. The attack is paid for, systems and services are restored, and it hasn’t really done what I wanted it to do. So, ransomware is starting to evolve into new threats like wiperware. Basically, instead of going in and encrypting systems, they’re deleting things, so you end up with machines with no data, no operating system and nothing left.
“And if they can find it, they will go after your backups as well so you can’t restore that data. This at least stops the organisation from doing whatever evil they perceive it’s doing for an indeterminate period of time until it’s brought back online. Additionally, it raises the visibility of their cause.”
This category of cyber risk represents a huge hazard in the context of nuclear power stations and worldwide supply chains. This kind of attack and attacker deals with more idealistic, siloed thinking, he said, which creates new sets of problems that cannot be met with a ransom payment.
An interesting combination of the types of threats is being exacerbated by the ongoing war in Ukraine. Up until this point, he said, the general populace in Russia has been able to almost shrug off the sanctions which have targeted the oligarchs first and foremost. However, as time goes by, there is increased financial motivation behind the government stepping up their cyber game.
“They’ve done a fair bit of damage in cyber,” he said. “In my opinion, they’ve been rather clumsy about it – their hacks haven’t had the sophistication that we see from other nation state actors, for instance… but they’re getting better, they’re sharpening up and they’re realising they can make up that lost ground. Along the way, they can trigger hacktivism with their mindset that any damage they do to the West is to their benefit.”
With so much cyber risk to balance simultaneously, it’s no wonder that companies are looking for any and every opportunity to mitigate their chance of being attacked but Cain highlighted that, unfortunately, you can’t afford just to focus on prevention. Everybody will be hit at some point in time, he said, and so the focus needs to also be on damage limitation.
The most frightening element of the shifting paradigm of cyber threats and cyber threat actors is now that wiperware concept, he said, as for every second in which that attack goes unnoticed or is not shut down, critical information and systems are being deleted or rendered unusable. With that in mind, Altus is changing the conversation around this threat by recommending segmentation and isolation of clients’ systems.
Traditionally, he noted that cyber security reviews acquire vast amounts of data about an organisation, regardless of whether it’s a small company, a big organisation or a government entity. Approaching every engagement in the same manner is the carpenter’s syndrome, he said, “where everything’s a nail because I’ve got a hammer”.
What Altus has recognised is that while cyber security needs those components, it also needs to know bespoke, mission-critical information such as where sensitive customer data is held, where financial data is kept, where third-party information is stored and where the control layer for all your IoT devices is located.
“We separate those out,” he said. “Part of what we’re looking at is that network segmentation so that when somebody gets in… a compromised account within the network only has a limited amount of information that they can see. [The hacker] can’t move from one segment to the other, because we’ve put that separation in place.”
“We’re [moving with the market] towards ‘zero trust architecture’ where if somebody’s in and trying to escalate to higher authority, they have to validate and revalidate over again to break out of the channel that they’re in. So, we’re containing and limiting the damage that’s being done because as long as they can’t get data out, then they’re restricted to the damage that can be done within that segment.”
To get to a place where this approach is the new normal for cyber security will take significant collaboration, he said, and Altus is committed to fostering that collaboration.
“We’re willing to invest our time, our help and our experience into these environments to make everybody safer and systems much more defendable,” he said. “Because we know that then when somebody is not prepared for something, we can help with programme delivery or if you’re already there with a tabletop exercise or assessments to prove what you’ve done is effective.
“The key thing is that if the market is stronger and sounder, then we’re not seeing huge amounts of money lost to individual hackers and collectives. Everybody at Altus knows that having these conversations educates the market – and an educated consumer is a better consumer.”
With over four decades of experience in multiple market verticals, Aaron Cain has worked to integrate and secure business critical information flows across technology stacks ranging from legacy systems to cloud computing.
During years of independent consulting assignments based in the UK and EU, Aaron has developed the ability to frame complex technical and security concepts in concise and clear business terminology. Leveraging his experience with banking, hedge fund and insurance clients, Aaron will be working within Altus to develop specialised cyber security solutions and programmes for the financial services marketplace.