White House says private sector must accelerate efforts to lock digital doors
Edgile insights into the recent U.S. Government cyber security threat statement
What’s new in the March 21 cyber attack fact sheet from the White House, which warned about “evolving intelligence that nation-states may be exploring options for potential cyberattacks,” is that the cyber war has shifted to existential attack threats aimed at geopolitical outcomes. The potential—and likely—new nation-state attacks seem to focus on disrupting the U.S. economy in retaliation for U.S.- and EU-backed financial sanctions. In this rapidly evolving environment, every company with a digital presence is at risk.
To cybersecurity professionals, this is not surprising for two reasons. First, the White House has indicated that this has been a likely route since the Ukraine invasion began. Second, cybersecurity professionals have long been preparing defenses against state actors threatening a wide range of attacks—from espionage to cyber theft for money to outright sabotage.
“The President has launched public-private action plans to shore up the cybersecurity of the electricity, pipeline, and water sectors and has directed departments and agencies to use all existing government authorities to mandate new cybersecurity and network defense measures,” the White House statement said, without specifying the kind of new defense measures they have in mind.
The real question is: what should enterprise CISOs do differently to defend against these imminent nation-state cybersecurity threats? The White House suggested a variety of broad initiatives. But what organizations need are concrete actions tailored to their business objectives and unique security requirements.
Consider the following points made in the White House statement:
“Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system.”
This is sound advice, but there are strong MFA deployments and weak ones. Unfortunately, one of the most widely used factors in MFA deployments is an unencrypted text message sent via SMS to a mobile device. In 2022, at the enterprise level, unencrypted SMS MFA is unacceptably weak. Additionally, nation-states have many ways of gaining access to text messages. MFA is a fundamental requirement for all organizations, but it must be architected in a resilient fashion and hardened against current and emerging threats.
“Deploy modern security tools on your computers and devices to continuously look for and mitigate threats.”
Modern defenses need to factor in robust cloud defense capabilities that are stronger and more capable than what many enterprises currently have in place. The emergent threats nation-states are using can only be detected through behavioral analysis, because they have not been seen before. Continuously monitoring for such threats requires cloud computing capability at a scale that most organizations are only just beginning to invest in. And these monitoring systems have to onboard all of the endpoints in an organization across many environments.
“Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors.”
A better approach today is to move beyond passwords entirely, which is possible but requires a heavy lift. In the meantime, organizations can at least leverage behavioral analytics (BA). If a compromise does occur, BA can detect it quickly enough to mitigate the damage. If a cyber warfare actor uses a phishing attack against employees and partners, they might be able to get credentials, but within seconds of trying to use them BA should flag their actions—if not block them entirely—because they don’t act like the authorized user.
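The detection described above, as an added illustration that is not part of the original article or any Edgile product: a minimal behavioral baseline per user (countries, devices and hours of day seen in past sign-ins) is learned from constructed sample sign-in records, and a sign-in that uses a valid but hypothetically phished password from an unfamiliar country, device and hour is flagged. All users, devices, timestamps and the "XX" country code are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in history (illustrative, not real logs): (user, UTC timestamp, country, device id)
HISTORY = [
    ("alice", "2022-03-01T13:05:00", "US", "dev-a1"),
    ("alice", "2022-03-02T14:10:00", "US", "dev-a1"),
    ("alice", "2022-03-03T12:55:00", "US", "dev-a2"),
    ("bob", "2022-03-01T08:30:00", "DE", "dev-b1"),
    ("bob", "2022-03-02T09:00:00", "DE", "dev-b1"),
]
# Constructed test traffic: alice from her usual device, then a sign-in with alice's
# (hypothetically phished) credentials from a country, device and hour never seen for her.
NEW_EVENTS = [
    ("alice", "2022-03-22T13:30:00", "US", "dev-a1"),
    ("alice", "2022-03-22T03:02:00", "XX", "dev-unknown"),  # "XX" is a placeholder country code
]

def build_profiles(history):
    """Learn, per user, the countries, devices and hours of day seen in history."""
    profiles = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device in history:
        p = profiles[user]
        p["countries"].add(country)
        p["devices"].add(device)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profiles)

def score_event(profile, ts, country, device):
    """Return the ways this sign-in departs from the user's learned baseline."""
    reasons = []
    if country not in profile["countries"]:
        reasons.append("new-country:" + country)
    if device not in profile["devices"]:
        reasons.append("new-device:" + device)
    hour = datetime.fromisoformat(ts).hour
    # Unusual hour: more than 2h (wrapping at midnight) from every hour seen for this user
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 2 for h in profile["hours"]):
        reasons.append("unusual-hour:%02d" % hour)
    return reasons

def flag_signins(profiles, events, min_reasons=2):
    """Flag sign-ins with >= min_reasons deviations; accounts with no baseline are flagged outright."""
    flagged = []
    for user, ts, country, device in events:
        reasons = score_event(profiles[user], ts, country, device) if user in profiles else ["no-baseline"]
        if len(reasons) >= min_reasons or "no-baseline" in reasons:
            flagged.append((user, ts, reasons))
    return flagged
```

A production system would score many more signals (ASN, user agent, impossible travel, resource access patterns) and feed the flag into an automated response such as session revocation, but the principle is the same: a correct password from the wrong behavior is still a compromise.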
“Encrypt your data so it cannot be used if it is stolen.”
Encryption is almost always a good first step. But the White House statement doesn’t acknowledge how complex achieving ubiquitous encryption can be. First, if the attackers gain access to the decryption keys, then encryption becomes pointless. Organizations must have a very aggressive and secure plan for protecting their keys, and must use Zero Trust principles to limit third-party access to encryption key infrastructure. Second, encryption schemes must cover data at rest, data in motion, infrastructure, and embedded encryption for data that leaves the organization as part of a business process. Each encryption layer requires different investments in technology and personnel.
Historically, state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. But now it’s expected that these bad actors may get more aggressive. The difference here is that the hackers are not attacking enterprises for economic gain as much as they are attacking for sabotage, cyberwarfare, and other geopolitical outcomes.
Edgile suggests that CISOs ask the following questions:
- Do we currently have full awareness of the data in our systems that are now a target?
- Do we have an ability to detect and respond to identity compromises in our cloud environments?
- Do we have the capacity to monitor our identities, data, devices, and services using behavioral modeling to detect these new and emergent threats?
Connect with Edgile to get started
For details on how to optimize your information security programs, please contact your Edgile representative.