@ the IERP® Global Conference, August 2023
Safeguarding cyberspace today requires a significant amount of understanding. Goh Su Gim, Strategic Solutions Architect of cybersecurity consultant Mandiant, urged the audience to first understand the motivation of the ‘bad guys’ – the threat actors who hack into systems. “Understand who the bad guys are,” Goh said at the outset of his presentation. “When they come after you, they are coming for your secrets – like information and confidential data.” They could be state-sponsored cyber espionage agents or hacktivists intent on publicly shaming the company in support of their own cause. Or they could be financially motivated hackers.
Such hackers don’t care about the kind of information you have, as long as they can sell it. “Different actors have different motivations,” he said, before moving on to a presentation which covered the local threat landscape and building intelligence-risk collaboration. Historically, Malaysia has been a target of cyber espionage campaigns related to regional interests in Southeast Asia, he said. However, information operations and hacktivism could be considered low-frequency, low-intensity threats. Statistics indicate that there are hundreds of new threat groups, and almost half of them are motivated by financial gain.
Explaining that Mandiant is able to track the point of origin of the hack, he said, “In Malaysia, many threats come from outside. Hackers want to know what projects are being awarded, for instance. Commercial organisations are at risk of ransomware.” Ransomware actors break into a network, find important data, encrypt it with ransomware, then demand a ransom to restore the data and services dependent on the data. They cause additional grief by timing their attacks after hours, such as on weekends, or after office hours on a weekday, for maximum inconvenience and suffering, he said. Threat actors may even be in a system for days before they are detected or make demands.
Cybersecurity affects decision-making. Organisations need to know what to do if they are under attack; they need to take an ‘intelligence-led’ approach, i.e., leverage intelligence to create a proactive cyber defence posture while reducing cyber risk. While the government is always a target, technology companies are as well, and legal firms get hacked a lot because of confidential information they may hold. “Once exposed, this information may be quite damaging,” he said. “Today, hacking is about how to convert it into getting money. Ransomware was happening as far back as ten years ago but today it is about going after not just one machine, but a whole system.”
Hacking and computer crime nowadays tend to be run by business people, no longer the ‘lone wolf’ types who want bragging rights. “If you are running a company, they know what your risks are, and what to target,” Goh said. “They get into the system, encrypt the information, then demand a ransom.” Hackers may even time the release of confidential information for maximum embarrassment of their victims, as one of the multiple ways of monetising their activity. Today, it has become about fighting strategically from the executive perspective, not tactically, Goh added, urging risk professionals to assess everything they had to counter attacks.
“Get the terminology right. Look at the overlapping foundation, and the stakeholders involved,” he advised. “Every company should always have a threat profile. You want to know who is against you, and what they are likely to come after.” A cyber threat profile combines the externally-facing threat landscape with a more introspective review of an organisation’s internal operating environment, including its people, processes and technology. He added that in the past, nobody cared much about security but today, board members want to know what the organisation’s risks are. Risk professionals therefore must understand their threat landscape.
“It’s about understanding your crime ‘neighbourhood’ and what you are up against,” he said. “Identify what went wrong, and what could go wrong. And if it happened, how do you prevent it from happening again.” Many C-Suite officers – CISO, CFO, CRO – who have experience in strategising are trying to influence the way cybersecurity is approached in their respective organisations. Emphasising the importance of understanding risks within the context of different environments, he said this will indicate what things you have to spend more time on. “From your cyber risk profile, you will know the kinds of threats which exist, and you will be able to analyse what threat ‘belongs’ where,” he said.
Organisations should build collaborative workflows, where the Cyber Threat Intelligence (CTI) team identifies key external threats, then collaborates with the risk management function to determine which threats pose a material risk. Gaps and weaknesses must be identified so that the organisation can recover from them in time. The organisation’s ‘Crown Jewels’ – its most critical data and systems – must be identified. Threat modelling and impact analysis should then be conducted, and prevention and detection measures established. Goh used two case studies to illustrate supply chain risks associated with developer environments, and transferring ransomware risk through insurance.
Supply chain attacks may not come directly; they may come through suppliers or third-party contractors. Such incidents were increasing, he said, adding that there were always risks involved when working with suppliers. In the case study on transferring ransomware risk through insurance, he said that although businesses today ran a high risk of falling victim to ransomware, organisations should use cyber insurance to mitigate ransomware only as a last resort. “CTI contribution is where threat intelligence can really help you to make a decision,” he said.