The news has been full of concerns that foreign powers are using state-sponsored hacking as a means to undermine the infrastructure of other nations. While it is irresponsible to scaremonger or imply that all UK organisations are at risk from a targeted hostile cyber security campaign by state-sponsored hackers, it is worth every organisation taking a moment to imagine how it might fare if it were indeed attacked, and using the principles below to guide its defence strategy.
At the outset, however, we must consider what we are being told. In an unprecedented joint statement last week the US Department of Homeland Security, the FBI and the UK National Cyber Security Centre warned of malicious cyber activity orchestrated by state-sponsored Russian hackers who are targeting everything from network infrastructure devices to social media and even small businesses.
In November 2017, in a speech in the defence resource debate in the House of Lords, dot-com entrepreneur Martha Lane Fox, who now sits in the Lords as Baroness Lane-Fox of Soho and recently joined the Joint Committee on National Security, quoted the academic John Naughton. His theory of modern warfare discusses the use of hacking as a weapon against an enemy society, identifying Russia, China and, to a lesser degree, North Korea as the nations most threatening to our security.
Of course, for most organisations, it is not an international super power that threatens their security, but reward-orientated hackers looking for financial gain or valuable intelligence. The same principles, however, apply whether defending against a Russian state-sponsored hacking campaign, an organised criminal hacking outfit or a lone individual.
Firstly, the only way to build a robust defence is to identify an organisation's weaknesses and vulnerabilities. This is done through advanced penetration testing, which combines automated testing, to identify potential vulnerabilities, with manual testing, to exploit and explore those weaknesses so that the gaps can be plugged.
Secondly, to go a level deeper, organisations should consider Red Team engagement. This is where highly skilled and trained ethical hackers get into the mind-set of a potential adversary, using a range of tools and strategies. This not only enables organisations to identify where a potential attack might take place but also builds in a level of resilience, because the Red Team will identify where future vulnerabilities may lie.
The third level of defence is perhaps counter-intuitive: it is to plan for a successful attack. Where a Retained Forensics team has been engaged, it will, through the process of developing robust defences, have become completely familiar with a system and will therefore be able to develop a strategy for the event of those defences being breached. This will include the preparation and testing of Incident Response, Business Continuity and Disaster Recovery plans to ensure they are up to date and ready to swing into play at the first sign of an incident. In this way any damage and disruption will be swiftly minimised and remediated.
SRM has an unrivalled reputation in all aspects of Test and Exercise and Retained Forensics, as well as in delivering Red Team engagements. Our team includes individuals who are CREST ethical security testers as well as those with OSCP qualifications, having undertaken a rigorous training process to learn real-life hacking skills that helps them to think creatively and with the mind-set of a genuine hacker.