Next's CISO: Learn from attackers to boost cyber defences
Collaboration, knowledge sharing, agility – there’s a lot that cyber criminals do right
Cyberattacks are changing quickly; the defenders have to be even more agile to keep up, said Next CISO Dan Burns at Computing’s Cybersecurity Festival this week.
Cybercriminals have a lot to teach us – that was the lesson from Dan Burns, head of information security at retailer Next, in his keynote speech at today's Cybersecurity Festival.
Ransomware has come a long way from its humble beginnings circulating on floppy disks (with ransom payments sent to a PO box) in the late 1980s. Just over 30 years later, in 2022, the ransomware industry was worth $14 billion.
"What this tells us is that as threat actors realise the value of something they become increasingly determined and start to pour resources in" – which means things become increasingly problematic for the defenders.
The transition from PO boxes to electronic payments and then cryptocurrency is an example of how threat actors have co-opted technologies designed for good to do harm, a trend Dan expects to continue with, for example, AI.
"The attacker is only going to become faster and more ferocious," he said. "Criminals have always demonstrated a really impressive ability to adopt new and emerging technologies – sometimes even better than we do."
Attacker evolution gives defenders an opportunity
Attackers are constantly looking for new avenues to exploit as defenders close off existing vulnerabilities. Zero-days are no longer the sole preserve of nation-state attackers; email is shrinking as an attack surface while SMS and social media are growing; and criminal groups are organising themselves by specialism.
Law enforcement has done a "fantastic job" over the last 12 months, with takedowns hitting Qakbot, BlackCat and LockBit, but criminals are "very resilient," with an "impressive ability" to collaborate.
But, said Dan, "we have an opportunity here… There are things we can do, and learn from attackers, to get better."
As attackers get faster, so defenders need to do the same. Likewise, we need to get better at collaborating, even between rival companies, and making use of all the resources at our disposal. That includes not just tools and solutions, but teams and frameworks.
"We need to do a better job at securing budget and resources to combat that threat. We need to be better at communicating and explaining the cyber risk to board, to stakeholders and even to IT."
Finally, we need to know the enemy. If security professionals know who is targeting them, they can work out the methods those attackers are likely to use and the data they will aim for, which makes them easier to counter.
"We need to know the attackers better than we know ourselves… Sounds really easy, doesn't it?"
How?
It all starts with that last point: know your enemy. This is key to making the security function faster and avoiding wasted effort.
"If we don't understand [the threat], we risk fixing the wrong things… One of the biggest mistakes we've made as a cyber industry is trying to fix everything. If doing that was simple, everyone would be doing it."
The reality is that although thousands of new vulnerabilities are identified every year, only a tiny fraction, often less than 1%, are ever exploited.
Dan's security team works with Next's IT team in a series of two-week sprints, identifying the areas of greatest exposure and then assessing and remediating them. A benefit of working in these short sprints is that it gives "a fantastic ability" to be agile, establish credibility with IT and understand the resources available.
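As an added illustration of the "don't try to fix everything" point (example code written for this article, not Next's tooling), the script below ranks a small backlog by evidence of exploitation first and CVSS severity second, then cuts it to what one sprint can absorb. The backlog, the exploited-in-the-wild flags, the exploitation probabilities and the scoring weights are all constructed assumptions; the identifiers are placeholders, not real CVEs.

```python
"""Prioritising a vulnerability backlog by evidence of exploitation.

Added example for this article, not Next's tooling. The backlog, the
exploited-in-the-wild flags, the exploitation probabilities and the scoring
weights are all constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str                  # placeholder identifier, not a real CVE
    cvss: float                 # base severity, 0-10
    exploited_in_wild: bool     # e.g. present in a known-exploited catalogue
    exploit_probability: float  # assumed chance of exploitation soon, 0-1
    internet_facing: bool
    asset_value: int            # 1 (low) .. 3 (crown jewels)


# Constructed backlog: two "critical" scores with no exploitation evidence,
# two lower scores that are actually being used against targets.
BACKLOG = [
    Finding("v1", 9.8, False, 0.02, False, 1),
    Finding("v2", 7.5, True, 0.90, True, 3),
    Finding("v3", 5.3, False, 0.60, True, 2),
    Finding("v4", 9.1, False, 0.005, True, 3),
]


def priority(f: Finding) -> float:
    """Higher is more urgent. Exploitation evidence leads; CVSS only breaks ties.

    Weights are assumptions: known exploitation counts as certainty, an
    internet-facing asset gets a 1.5x multiplier, asset value scales linearly.
    """
    score = 100.0 if f.exploited_in_wild else 100.0 * f.exploit_probability
    score *= 1.5 if f.internet_facing else 1.0
    score *= f.asset_value
    return score + f.cvss


def by_severity(findings):
    """The 'fix everything, worst CVSS first' ordering, for comparison."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def plan_sprint(findings, capacity):
    """Split the backlog into what this sprint takes on and what can wait."""
    ranked = sorted(findings, key=priority, reverse=True)
    return ([f.ident for f in ranked[:capacity]],
            [f.ident for f in ranked[capacity:]])


if __name__ == "__main__":
    print("severity order :", by_severity(BACKLOG))
    print("this sprint    :", plan_sprint(BACKLOG, 2)[0])
```

With these constructed inputs the two highest-CVSS findings drop out of the sprint entirely, while the 7.5 that is being exploited against an internet-facing crown-jewel system goes first. Swapping in a real source for the exploitation columns (a known-exploited catalogue, an exploitation-probability feed, or your own threat intelligence on who targets you) is what turns the model into the "know your enemy" approach the talk describes.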
Change the risk lens
The last major point Dan made, for cyber professionals young and old, is to change how we talk about risk: be clear about what the risk is, what its impact on the business would be, and how the money spent on fixing it actually reduced it.
Trying to have these conversations using a traditional risk matrix, such as a 5x5 or 4x4, "doesn't actually make that conversation particularly easy," because a matrix can't easily show where the problems are and what needs to be done to fix them.
One approach that's worked "incredibly well" for Dan is the notion of a kill chain: the sequence of stages an attacker has to get through for an attack to succeed.
"It's something you can reasonably easily explain to any non-technical person. We use it extensively, whether it's with our IT teams, our executive or our non-executive board members."
The example Dan showed visualised strengths and weaknesses with a simple colour code, which made the board "appreciate that cyber is a moving target."
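To make the kill-chain lens concrete, here is an added illustration (example code written for this article, not Dan's model or Next's): it rates each stage by the controls covering it, colour-codes the result for a board slide, finds the weakest stage, and computes the chance an attacker gets through every stage, which is the product of the per-stage gaps. It also answers the "what did the money fix" question by recomputing that chance after a named control is added. The stage names, the controls assigned to each stage, the stopping probabilities and the red/amber/green thresholds are all constructed assumptions; the shape of the argument is the point, not the numbers.

```python
"""A kill-chain risk lens for non-technical audiences.

Added example for this article, not Next's model. Stage names, the controls
assigned to each stage and every probability below are constructed
assumptions; the point is the shape of the argument, not the numbers.
"""

STAGES = [
    "reconnaissance", "initial access", "execution", "persistence",
    "privilege escalation", "lateral movement", "exfiltration",
]

# Per stage: (control, assumed probability that it stops one attempt).
CONTROLS = {
    "reconnaissance": [("external attack-surface monitoring", 0.2)],
    "initial access": [("phishing-resistant MFA", 0.7), ("mail filtering", 0.5)],
    "execution": [("application allow-listing", 0.6), ("EDR", 0.7)],
    "persistence": [("EDR", 0.5)],
    "privilege escalation": [],  # nothing in place for this stage
    "lateral movement": [("network segmentation", 0.6), ("tiered admin", 0.5)],
    "exfiltration": [("egress filtering", 0.4), ("DLP", 0.3)],
}


def block_probability(controls):
    """Chance the stage holds, treating controls as independent layers:
    the attacker gets through only if every control misses."""
    slip = 1.0
    for _, stop in controls:
        slip *= 1.0 - stop
    return 1.0 - slip


def colour(block):
    """Red/amber/green thresholds are an assumption for the board slide."""
    if block >= 0.75:
        return "green"
    if block >= 0.4:
        return "amber"
    return "red"


def assess(controls_by_stage):
    """Return per-stage (stage, block probability, colour) plus the chance an
    attacker gets through every stage: the product of the per-stage gaps."""
    rows, end_to_end = [], 1.0
    for stage in STAGES:
        b = block_probability(controls_by_stage.get(stage, []))
        end_to_end *= 1.0 - b
        rows.append((stage, round(b, 2), colour(b)))
    return rows, end_to_end


def weakest_stage(rows):
    """The link the attacker is most likely to pass; fixing it pays most."""
    return min(rows, key=lambda r: r[1])[0]


def spend_effect(controls_by_stage, stage, control):
    """Attacker end-to-end success before and after funding one control
    for one stage: the number a board can relate to a budget line."""
    before = assess(controls_by_stage)[1]
    patched = dict(controls_by_stage)
    patched[stage] = list(patched.get(stage, [])) + [control]
    after = assess(patched)[1]
    return before, after


if __name__ == "__main__":
    rows, p = assess(CONTROLS)
    for stage, b, c in rows:
        print(f"{stage:22s} {b:.2f} {c}")
    print(f"attacker end-to-end success: {p:.4%}; weakest stage: {weakest_stage(rows)}")
    print(spend_effect(CONTROLS, "privilege escalation", ("local admin removal", 0.6)))
```

Because the attacker's end-to-end success is a product over stages, an uncovered stage (a gap of 1.0) contributes nothing to the defence no matter how green the rest of the chain looks, and a single stage that reliably holds drags the whole product down. That is the arithmetic behind "the attacker has to get it right every time".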
Thanks to work like this, "boards and companies are more aware of cyber risk than they have ever been.
"So, all that's needed to ensure the attacker has to get it right every time, rather than just one time, is to start working smarter and actually start leveraging the advantages we have."