Building threat intelligence to ‘mature’ your cybersecurity posture
Our very way of life, our public services, our Critical National Infrastructure (CNI) and our digital economy are not immune from constant cyber threats. Through time, history has taught us that the world we live in will ebb and flow, through periods of stability to periods of tremendous risk. Unfortunately, the present day presents no exception.
Our foes can be domestic and foreign. They range from the highly sophisticated, highly resourced and highly organised to opportunistic lone wolves. They can be politically or financially motivated, or individuals merely seeking kudos.
Nation State sponsored threat groups seek to project power and cause disruption and chaos amongst their targets. Advanced persistent threat groups may be loosely or strongly affiliated to a Nation State and are always searching for any weakness they can take advantage of. Whether an organisation is large, medium or small, public or private sector, adversaries do not discriminate.
On Christmas Eve 2020, the Scottish Environment Protection Agency (SEPA) became the victim of a ransomware attack and was unable to access a large number of systems and data. Bravely, SEPA rejected a ransom demand from the Conti ransomware group, who then published over 4,000 stolen files online. Within 24 hours of the attack it was able to continue to deliver priority services such as flood warnings. However, SEPA’s financial systems were impacted, resulting in significant costs.
SEPA independently commissioned reviews of the cyberattack, including through Police Scotland and the Scottish Business Resilience Centre. Police Scotland confirmed that “SEPA was not and is not a poorly protected organisation” and “SEPA has a strong culture of resilience, governance, incident, and emergency management. It regularly tested its emergency response capability and had undertaken a cyber-exercise.” In total, 44 learnings were highlighted and accepted by SEPA, and these were shared with the public sector.
That collaboration and openness are necessary across government to ensure that we, and others in our trusted community, learn from these experiences. So the Scottish Government is to be lauded for publishing its Public Sector Cyber Resilience Framework in response to incidents like these.
It also created the Scottish Cyber Coordination Centre (SC3). The SC3 seeks to understand how Scotland can manage threat and vulnerability at scale, how to build its cybersecurity capabilities in the public sector, how to exploit and share cyber threat intelligence and how to detect and respond to cybersecurity incidents more rapidly and collaboratively.
‘Defend as One’ is one of the critical priorities for the UK Cyber Security Strategy and the Strategic Framework relating to a Cyber Resilient Scotland. The ‘Defend as One’ principle is focused on a collaborative approach with government to respond to the increasing rate of threats. It utilises the benefit of sharing cyber threat intelligence and expertise and capabilities across organisations to build a defensive force more powerful than the sum of its parts.
One challenge we see organisations face time and time again in building their cybersecurity maturity is a focus driven by a technical, product-first mindset. Perfect technical cybersecurity does not exist, for now, and we should instead focus on understanding what ‘optimal’ cybersecurity looks like. People, process and technology is the mantra that should drive an organisation’s approach to cybersecurity.
Continuity of key leadership is also needed. While the cybersecurity market is hot from a retention perspective, frequent changes in leadership, such as having a new chief information security officer every few years, break the consistency of building a security culture and an investment roadmap across people, process and technology maturity. Many CISOs break the culture by investing in a new methodology that takes time to learn, or a new technology direction, discarding any earlier efforts.
These management habits are not going away, but one antidote is to collaborate with service providers whose business is cybersecurity, who have experience across many organisations and security platforms, and who can integrate the technical debt you have with innovative new products that work. With this in place, organisations can then move up the cybersecurity maturity curve, improving their security posture.
Using the Leidos cybersecurity maturity model, Leidos has led transformations for major organisations across the world. Leidos currently supports the Defense Information Systems Agency (DISA)’s Global Information Grid Services Management Operation programme in the United States to modernise the Department of Defense communications and networks and has successfully spearheaded the implementation of one of the world’s largest security gateways, the Joint Regional Security Stack (JRSS).
The Leidos UK cyber security operations centre (CSOC) provides a proactive and intelligence-led 24×7 threat detection and response service, identifying and managing advanced persistent threats at the earliest stage of attack. It works with partners to defend and improve the cyber posture of our clients, including many in Scotland, to help make the country more resilient in the global economy.