
The country has entered permanent cyber war mode

Protecting data in today's digital world, where data moves from one digital service to another for the convenience of users, is a collective task, and it can be solved only by the joint efforts of business and the state. On October 23, the conference "Data Defense: to Save Everything" was held in Moscow, where experts shared their experience of countering attacks at the current stage of the cyber war, presented their solutions and outlined joint plans to strengthen the position of Russian cybersecurity in the near future. The central discussion themes of the event's sessions were a new approach to data protection, the practice of investigating and repelling both computer and information attacks, and state regulation of the collection, processing and storage of personal data.


Recent information security events are a good occasion to sum up the first results of life in the new cyber reality, which is characterized by:

  • the legalization of any cyber attacks on Russia's digital resources;
  • the cutting-off of foreign solutions (including security products);
  • a shortage of IT specialists;
  • the destruction of trust in cyberspace.

Nothing teaches better than your own bitter experience

After last year's powerful attacks, which led to noticeable downtime of digital systems and massive leaks of personal data, the principle "the most secure organization is the one that has already been hacked" came into effect. For the most part, the owners of digital systems have learned last year's lessons: they updated their protection systems, staffed their defense teams and debugged their security processes. Nothing teaches you better than your own bitter experience. For those who did not learn last year's lessons, the state introduced strict regulation, raising the level of liability, tightening administrative penalties and adding criminal prosecution to them. A bill on turnover-based fines has been submitted to the State Duma; it implies penalties for data leaks that are huge compared with today's.

We can say that the first stage of the cyber war is over. The country has entered a regime of permanent cyber war, tightening both practical cyber defense and legislation. IT professionals who expressed their political position through sabotage and leaks have already been dismissed. The shortage of specialists has barely affected information security specialists, who did not leave the country as actively as programmers did.

A positive result of the mass attacks is the self-organization of the industry. The shared problem of cyberattacks has forced even competing organizations to actively exchange information about indicators of attacks and methods of repelling them. Quite quickly, this spontaneous self-organization was taken under the wing of the Ministry of Digital Industry, which gave it official status.

Every step of the attack looks like a legitimate event

But the opposing side is also adapting to our new capabilities. Whereas earlier attacks were organized mainly by politically motivated enthusiasts with basic cyber attack skills, professionals are now visible behind today's attacks. Attacks have become targeted, well thought out and spread out over time, which makes them difficult to detect and repel. Each step of such an attack looks like a legitimate event in the information system, and security tools do not see it. Having penetrated a system, attackers are in no hurry to cause damage; they prefer to entrench themselves, collect data, intercept passwords and escalate their privileges. There are cases where hackers have been inside a system for years, and there have even been wars between different hacker groups over who controls the system, all of which went unnoticed. How can this happen if today every company has security tools: antivirus, intrusion detection systems, access control systems?

Modern digital systems are already quite large and complex, consisting of a multi-layered infrastructure and a large number of databases and applications that exchange this data. This structure is not only complex but also constantly changing: every day the infrastructure is updated, functions are modified, users and data are added. This makes it difficult to single out the events that may signal the beginning of a penetration, since they are easily mistaken for legitimate actions. If you respond to every anomaly in such a complex system, you will quickly exhaust the resources involved, and excessive paranoia in the response can harm legitimate business processes.

Threat hunters and fake news

Thus, the transition from mass attacks, reinforced by the insider actions of politically motivated employees, to subtle targeted attacks marks a new stage in the cyber war declared on our country. Gradual infiltration of the victim's infrastructure, reconnaissance, subtle espionage: countering such tactics requires your own or contracted investigation teams, the threat hunters. Their work needs as much data as possible, down to the telemetry of workstations and network devices; with it, it is easier to distinguish a random anomaly from a trace left by cybercriminals.

Another hallmark of the new period of the cyber war is information pressure in the style of fake news: not a day passes without some criminal group announcing the hacking of some iconic company and posting a compilation of leaked databases as evidence. Since the number of leaked records of Russians runs into the hundreds of millions, one can always assemble from them a compilation that meets any predetermined requirements and declare it a leak from a bank, a telecom operator, public services and so on. This does not mean that all such claims are deliberate lies; there may be fresh leaks among them, but it becomes quite difficult to find the real leaks among the synthetic databases.
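One way to triage such a claimed leak, as an added Python example that is not part of the article or the author's company's tooling: fingerprint each claimed record after normalizing it, count how many already appear in earlier public leaks, and check whether the remaining novel rows match the supposed victim's own customer table. The record layout, the phone normalization rule and the verdict threshold are assumptions for illustration; every row below is constructed and carries no real personal data.

```python
"""Triage of a claimed leak against prior leaks and the victim's own records.

Added illustration, not the article's code. Record layout, normalization
rules and the threshold are assumptions; all sample rows are constructed.
"""
import hashlib
import re

COMPILATION_THRESHOLD = 0.9   # share of recycled rows that points to a re-packaged dump (assumed)


def normalize(record):
    """Canonical identity so the same person matches across differently formatted dumps."""
    email = record.get("email", "").strip().lower()
    phone = re.sub(r"\D", "", record.get("phone", ""))
    if len(phone) == 11 and phone.startswith("8"):   # local 8-prefix written for +7 (assumed rule)
        phone = "7" + phone[1:]
    return email, phone


def fingerprint(record):
    """Hash the normalized identity so that fingerprint sets, not raw PII, are compared."""
    email, phone = normalize(record)
    return hashlib.sha256(f"{email}|{phone}".encode()).hexdigest()


def triage(claimed, prior_leaks, own_records, threshold=COMPILATION_THRESHOLD):
    """Split a claimed dump into recycled and novel rows, then verify the novel ones."""
    prior = {fingerprint(r) for r in prior_leaks}
    own = {fingerprint(r) for r in own_records}
    recycled = novel = novel_confirmed = 0
    for r in claimed:
        fp = fingerprint(r)
        if fp in prior:
            recycled += 1            # already public: proves nothing about a new breach
        else:
            novel += 1
            if fp in own:
                novel_confirmed += 1  # unseen in public and present in our data: evidence
    total = len(claimed)
    recycled_share = recycled / total if total else 0.0
    if novel_confirmed:
        verdict = "confirmed_fresh"       # real leak, however much old padding surrounds it
    elif recycled_share >= threshold:
        verdict = "likely_compilation"    # nearly all public already, nothing of ours among the rest
    else:
        verdict = "unverified"
    return {"total": total, "recycled_share": recycled_share, "novel": novel,
            "novel_confirmed": novel_confirmed, "verdict": verdict}


# Constructed data: example.* addresses and made-up numbers only.
PRIOR_LEAKS = [
    {"email": "ivanov@example.com", "phone": "+79031112233"},
    {"email": "petrova@example.com", "phone": "+79165554433"},
    {"email": "sidorov@example.org", "phone": "+79217778899"},
    {"email": "kuznetsova@example.net", "phone": "+79998887766"},
    {"email": "smirnov@example.com", "phone": "+79031234567"},
]
OWN_RECORDS = [
    {"email": "ivanov@example.com", "phone": "+79031112233"},     # our customer, also in an old leak
    {"email": "novikova@example.com", "phone": "+79035550011"},
    {"email": "fedorov@example.com", "phone": "+79035550022"},
]
CLAIMED_FRESH = [                                                  # three recycled rows, reformatted
    {"email": "IVANOV@example.com", "phone": "8 (903) 111-22-33"},
    {"email": "petrova@example.com", "phone": "8-916-555-44-33"},
    {"email": "sidorov@example.org", "phone": "+7 921 777 88 99"},
    {"email": "novikova@example.com", "phone": "+79035550011"},   # novel and matches our table
    {"email": "unknown@example.com", "phone": "+79990000000"},    # novel, not ours
]
CLAIMED_COMPILATION = [                                            # every row already public
    {"email": "Ivanov@Example.com", "phone": "8 903 111 22 33"},
    {"email": "petrova@example.com", "phone": "8(916)555-44-33"},
    {"email": "sidorov@example.org", "phone": "79217778899"},
    {"email": "kuznetsova@example.net", "phone": "+7 999 888-77-66"},
    {"email": "smirnov@example.com", "phone": "8-903-123-45-67"},
]

if __name__ == "__main__":
    print("claimed dump A:", triage(CLAIMED_FRESH, PRIOR_LEAKS, OWN_RECORDS))
    print("claimed dump B:", triage(CLAIMED_COMPILATION, PRIOR_LEAKS, OWN_RECORDS))
```

Only the novel rows carry evidentiary weight: a customer who was also in an older leak (ivanov above) is counted as recycled because the old leak alone explains the row. The matching against own records has to run inside the victim's own perimeter, which is why the comparison works on hashed identities rather than on the raw rows.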

The new tactics of cybercriminals, and the involvement in attacks of at least advisers from the cyber armies of Western countries, require new approaches to protection. First of all, this means understanding that protecting the perimeter alone is not enough: it is quite possible that the adversary is already present in the infrastructure and is still invisible. So tools are needed inside the perimeter that analyze internal network traffic, user actions, database access, file operations and so on. It is necessary to collect as much data as possible about events in the internal network, and to use tools and expertise that can spot hostile actions from weak signals and anomalies in traffic.
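The hunting approach described in the three passages above (each step of the intrusion looks legitimate on its own, responding to every anomaly exhausts the team, so telemetry has to be baselined and weak signals correlated), as an added Python example that is not part of the article and not the author's company's product code. The event layout, the svc_ prefix for service accounts, the signal weights, the seven-day baseline and the surfacing threshold are assumptions for illustration; the logon telemetry is constructed.

```python
"""Weak-signal threat hunting over constructed logon telemetry.

Added illustration, not the article's or any vendor's code. Field names,
the svc_ service-account convention, weights and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 7        # learning window used to model "normal" per account (assumed)
SURFACE_THRESHOLD = 5    # accumulated score before an account is shown to an analyst (assumed)
FAN_OUT_HOSTS = 3        # distinct never-before-seen hosts within one clock hour (assumed)
WEIGHTS = {              # no single weak signal reaches the threshold on its own
    "new_dst": 1, "off_hours": 1, "new_src": 2,
    "service_interactive": 3, "new_admin": 3, "fan_out": 4,
}
EMPTY_PROFILE = {"dst": set(), "src": set(), "hours": set(), "admin": False}


def _ev(t, user, src, dst, logon_type="network", admin=False):
    return {"time": datetime.fromisoformat(t), "user": user, "src": src,
            "dst": dst, "logon_type": logon_type, "admin": admin}


# Constructed telemetry: a quiet baseline week, then a slow abuse of a service account.
SAMPLE_EVENTS = [
    *[_ev(f"2024-03-{d:02d}T09:{m:02d}:00", "alice", "ws-alice", "fs-01")
      for d, m in [(1, 5), (2, 10), (3, 7), (4, 12), (5, 3)]],
    *[_ev(f"2024-03-{d:02d}T10:{m:02d}:00", "alice", "ws-alice", "mail-01")
      for d, m in [(1, 15), (3, 20), (5, 30)]],
    *[_ev(f"2024-03-{d:02d}T02:00:00", "svc_backup", "backup-01", h, "service")
      for d in range(1, 8) for h in ("fs-01", "db-01")],
    # after the baseline: alice visits one new wiki host; svc_backup is used interactively
    # from a workstation, gets admin on a DC, then reaches several new hosts within an hour.
    _ev("2024-03-11T11:00:00", "alice", "ws-alice", "wiki-01"),
    _ev("2024-03-12T02:40:00", "svc_backup", "ws-alice", "dc-01", "interactive", admin=True),
    _ev("2024-03-12T03:05:00", "svc_backup", "dc-01", "fs-02"),
    _ev("2024-03-12T03:20:00", "svc_backup", "dc-01", "hr-db"),
    _ev("2024-03-12T03:35:00", "svc_backup", "dc-01", "ws-cfo"),
]


def build_baseline(events, baseline_days=BASELINE_DAYS):
    """Per-account profile: hosts reached, source hosts, active hours, admin use."""
    start = min(e["time"] for e in events)
    cutoff = start + timedelta(days=baseline_days)
    base = defaultdict(lambda: {"dst": set(), "src": set(), "hours": set(), "admin": False})
    for e in events:
        if e["time"] < cutoff:
            b = base[e["user"]]
            b["dst"].add(e["dst"])
            b["src"].add(e["src"])
            b["hours"].add(e["time"].hour)
            b["admin"] = b["admin"] or e["admin"]
    return dict(base), cutoff


def _hit(finding, e, signal, detail):
    finding["score"] += WEIGHTS[signal]
    finding["signals"].append((e["time"].isoformat(), signal, detail))


def score_events(events, baseline, cutoff):
    """Score post-baseline events; each deviation adds to its account's running total."""
    findings = defaultdict(lambda: {"score": 0, "signals": []})
    flagged_src = defaultdict(set)          # report each unknown source host once per account
    new_hosts_by_hour = defaultdict(set)    # (user, hour bucket) -> unseen hosts reached
    for e in sorted(events, key=lambda e: e["time"]):
        if e["time"] < cutoff:
            continue
        u, f = e["user"], findings[e["user"]]
        b = baseline.get(u, EMPTY_PROFILE)  # account with no baseline: everything deviates
        if e["dst"] not in b["dst"]:
            _hit(f, e, "new_dst", e["dst"])
            bucket = (u, e["time"].replace(minute=0, second=0, microsecond=0))
            new_hosts_by_hour[bucket].add(e["dst"])
            if len(new_hosts_by_hour[bucket]) == FAN_OUT_HOSTS:   # lateral-movement pattern
                _hit(f, e, "fan_out", sorted(new_hosts_by_hour[bucket]))
        if e["src"] not in b["src"] and e["src"] not in flagged_src[u]:
            flagged_src[u].add(e["src"])
            _hit(f, e, "new_src", e["src"])
        if e["time"].hour not in b["hours"]:
            _hit(f, e, "off_hours", e["time"].hour)
        if u.startswith("svc_") and e["logon_type"] == "interactive":
            _hit(f, e, "service_interactive", e["dst"])
        if e["admin"] and not b["admin"]:
            _hit(f, e, "new_admin", e["dst"])
    return dict(findings)


def hunt(events, threshold=SURFACE_THRESHOLD):
    """Return only the accounts whose accumulated deviations cross the threshold."""
    baseline, cutoff = build_baseline(events)
    return {u: f for u, f in score_events(events, baseline, cutoff).items()
            if f["score"] >= threshold}


if __name__ == "__main__":
    for user, f in hunt(SAMPLE_EVENTS).items():
        print(f"{user}: score {f['score']}")
        for when, signal, detail in f["signals"]:
            print(f"  {when} {signal:20} {detail}")
```

On the constructed data alice's single new host outside her usual hours scores 2 and is never shown to an analyst, while svc_backup accumulates a score of 21 from six individually unremarkable events, with the interactive logon, the new admin use and the fan-out to three unseen hosts listed as the reasons. The per-account accumulation is the point: each event passes as legitimate to a per-event rule, and only the workstation and network telemetry collected inside the perimeter makes the chain visible.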

To be continued

Today it is obvious that those who create new convenient digital services are now under active state regulation and therefore listen more carefully to their colleagues from information security; such tripartite cooperation between IT, information security and the regulator should have a noticeable effect.

By Rustem Khayretdinov, Deputy General Director of the Garda Group of Companies
