The British public and press were shocked by a breach disclosure from the Electoral Commission. The security incident, which is thought to have impacted as many as 40 million UK voters, was described by the Commission as a “complex cyberattack”, in which malicious actors leveraged a “sophisticated infiltration method, intended to evade our checks”.
And evade they did. When the news broke on Tuesday, it came two years after the hackers first accessed the Commission’s systems, and only 10 months after security teams had identified the breach. This meant that hackers had access to the organisation’s electoral registers, email and control systems for well over a year before anyone noticed.
The image of the unseen threat lurking in your midst is one that keeps a majority of CISOs up at night, and over half of security leaders report that “unknown blind spots” are their biggest concern. Despite this, blind spots are all too common in complex organisations and continue to pose a risk to their most sensitive data and workflows.
Critics have been quick to highlight that, given the Electoral Commission’s central role in Britain’s democratic processes, a gap of nearly 15 months between intrusion and detection is about as bad as it gets. As public sector organisations invest more in digitalisation to meet modern challenges, it remains paramount that the public can trust public institutions to transform as securely as possible. Unfortunately, incidents like this unseen breach sow real distrust, and public sector organisations should endeavour to do more.
Protecting against a network of motivations
With ransomware attacks filling the headlines, it is easy to forget that not all bad actors are after money. From attacks designed to cause physical disruption to the theft of intellectual property (IP), there are countless reasons a bad actor would benefit from an extended stay inside your systems.
The electoral registers stolen in last week’s breach present their own threat. While each individual entry is of low value, the aggregated database could prove very useful for a nation state. Intelligence agencies have four techniques that they deploy to persuade a person to do something they wouldn’t normally consider: Money, Ideology, Coercion and Ego – MICE for short. Gaining access to the home addresses and family members of a would-be target offers bad actors powerful intelligence for persuasive campaigns.
In general, nation-critical organisations have an almost “white whale” status within the cybercriminal community: not only do hostile actors benefit directly from a breach, they also succeed in undermining the security posture of the United Kingdom as a whole.
Organisations with this greater risk potential should therefore have the processes and tools in place to identify any suspicious activity. The longer a bad actor can hide in any organisation’s networks, the more damage they can do, but maintaining visibility over complex networks – especially those with legacy technologies – is an ongoing challenge.
A future-facing observability strategy
Hybrid cloud networks are part of most IT strategies, but as organisations migrate more and more workloads to the cloud, the security stack is struggling to keep up. Many monitoring tools were designed for on-premises environments and cannot see the weaknesses and gaps that appear in hybrid landscapes; conversely, cloud-centric tools have little visibility into on-premises traffic. The result is an ongoing visibility gap, one that bad actors are keen to exploit.
In today’s climate, organisations must shift towards a more proactive security mindset and reduce blind spots before they’re exploited by embracing deep observability. This will provide real-time, network-level intelligence to track normal and suspicious activity.
Visibility into the network should be a priority for any security team expected to manage cyber risk in a complex environment, and this is where deep observability comes into play. It gives security teams insight into malicious inbound traffic, including encrypted sessions, whether by decrypting them under policy or by analysing the metadata of flows that cannot be decrypted, and it monitors East-West traffic between internal systems, which an intruder has to cross in order to move laterally. The ability to spot behavioural anomalies in an organisation’s traffic is vital to catching a breach early, so that threat actors cannot sit unnoticed inside an IT environment for months or years.
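As an added example (not code from the article or from Gigamon), the following Python script shows what "behavioural anomalies in East-West traffic" looks like when reduced to two concrete rules over flow records: a host that suddenly fans out to internal peers it has never spoken to, and a source/destination pair whose connection timing is too regular to be a human. The address ranges, flow tuples and thresholds are constructed for illustration.

```python
"""
Simple East-West anomaly scoring over flow records.

Added example, not code from the original article or from Gigamon. It learns
which internal peers each host normally talks to from a baseline window, then
scores a detection window for (a) hosts fanning out to many never-seen
internal peers, the classic lateral-movement footprint, and (b) source/
destination pairs whose connection timing is near-constant, the classic
beacon footprint. Address ranges, flows and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def build_baseline(flows):
    """Map each internal source to the set of internal peers it normally contacts."""
    peers = defaultdict(set)
    for _ts, src, dst, _dport in flows:
        if is_internal(src) and is_internal(dst):
            peers[src].add(dst)
    return peers


def lateral_movement_candidates(baseline, flows, new_peer_threshold=5):
    """Hosts contacting at least new_peer_threshold internal peers absent from their baseline."""
    new_peers = defaultdict(set)
    for _ts, src, dst, _dport in flows:
        if is_internal(src) and is_internal(dst) and dst not in baseline.get(src, set()):
            new_peers[src].add(dst)
    return {src: sorted(p) for src, p in new_peers.items() if len(p) >= new_peer_threshold}


def beacon_candidates(flows, min_connections=6, max_cv=0.1):
    """(src, dst, dport) tuples whose inter-connection gaps are nearly constant.

    Regularity is the coefficient of variation of the gaps. Real implants add
    jitter, so a production rule would widen max_cv and also weigh payload
    sizes. Returns the mean gap in seconds for each hit.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        times[(src, dst, dport)].append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = round(avg, 1)
    return hits


# Constructed baseline window: two workstations using the file server and LDAP.
BASELINE_FLOWS = (
    [(t, "10.0.1.5", "10.0.2.10", 445) for t in range(0, 3600, 600)]
    + [(t, "10.0.1.6", "10.0.2.10", 445) for t in range(0, 3600, 900)]
    + [(t, "10.0.1.5", "10.0.2.11", 389) for t in range(0, 3600, 1200)]
)

BEACON_GAPS = [60, 61, 59, 60, 61, 59, 60]    # near-constant, about one minute
BROWSE_GAPS = [5, 120, 30, 400, 15, 90, 200]  # human-shaped, irregular

# Constructed detection window: 10.0.1.5 probes six new internal SMB hosts and
# beacons to one external address; 10.0.1.6 just browses.
DETECTION_FLOWS = (
    [(10000 + i * 2, "10.0.1.5", f"10.0.3.{i}", 445) for i in range(1, 7)]
    + [(10000 + sum(BEACON_GAPS[:i]), "10.0.1.5", "203.0.113.7", 443) for i in range(8)]
    + [(10000 + sum(BROWSE_GAPS[:i]), "10.0.1.6", "198.51.100.20", 443) for i in range(8)]
    + [(10300, "10.0.1.5", "10.0.2.10", 445), (10310, "10.0.1.6", "10.0.2.10", 445)]
)


def run_demo():
    baseline = build_baseline(BASELINE_FLOWS)
    return (
        lateral_movement_candidates(baseline, DETECTION_FLOWS),
        beacon_candidates(DETECTION_FLOWS),
    )


if __name__ == "__main__":
    lateral, beacons = run_demo()
    print("lateral movement:", lateral)
    print("beacons:", beacons)
```

Running it flags 10.0.1.5 on both rules and 10.0.1.6 on neither. The point of the baseline step is that "suspicious" only has meaning relative to what a host normally does; a backup server contacting sixty hosts nightly is routine, a workstation doing it once is not.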
As cloud adoption continues to grow, security leaders need to empower themselves with the right insights and oversight of their own networks to effectively address the complexities that their hybrid state brings to conventional security methods.
Learning from a breach
Nation-critical organisations should build out their security posture with a well-resourced, capable intelligence service in mind. Such attackers, with access to some of the best exploit writers and operators in the world, need to be met with a network security model that goes beyond traditional logs or Endpoint Detection and Response (EDR). Techniques for evading both are well documented: threat researchers have repeatedly shown how EDR agents can be blinded or disabled, particularly on Windows, and a standard attacker playbook is to reduce logging and clear Windows event logs soon after landing on a system. Network-level telemetry collected off the wire is much harder for an intruder to tamper with from a compromised host, and deep observability builds on it to ensure that breaches can be detected and mitigated as early as possible.
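The following Python script is an added example (not code from the article or from Gigamon) of the two checks this passage argues for: alerting on the Windows event IDs an intruder generates when clearing logs or changing audit policy, and, because those events may never arrive, spotting "dark" endpoints that keep talking on the network after their endpoint telemetry has gone quiet. The event IDs are the standard Windows ones; the JSON line layout, host names, flow tuples and silence threshold are assumptions.

```python
"""
Cross-checking endpoint telemetry against network flows.

Added example, not code from the original article or from Gigamon. Two checks
run over constructed data: (1) Windows event IDs that indicate log tampering,
which should never appear without a change ticket behind them, and (2) hosts
that are active on the network while their endpoint event stream is silent,
which is what a blinded or disabled agent looks like from the wire. The JSON
line layout, host names and silence threshold are assumptions.
"""
import json
from collections import defaultdict

# Standard Windows event IDs that indicate log tampering.
LOG_TAMPER_EVENTS = {
    1102: "Security audit log cleared",
    104: "System event log cleared",
    4719: "System audit policy changed",
}

# Constructed endpoint events, one JSON object per line, as an agent might forward them.
ENDPOINT_EVENTS = """
{"ts": 10000, "host": "ws-05", "event_id": 4624, "msg": "An account was successfully logged on"}
{"ts": 10060, "host": "ws-05", "event_id": 4719, "msg": "System audit policy was changed"}
{"ts": 10090, "host": "ws-05", "event_id": 1102, "msg": "The audit log was cleared"}
{"ts": 10000, "host": "ws-06", "event_id": 4624, "msg": "An account was successfully logged on"}
{"ts": 10300, "host": "ws-06", "event_id": 4688, "msg": "A new process has been created"}
{"ts": 10600, "host": "ws-06", "event_id": 4688, "msg": "A new process has been created"}
""".strip().splitlines()

# Constructed flow records (ts, host, dst, dport) from a network tap. ws-05 stays
# busy on the wire long after its last endpoint event; ws-06 does not.
FLOWS = [
    (10020, "ws-05", "10.0.2.10", 445),
    (10400, "ws-05", "10.0.3.4", 445),
    (10700, "ws-05", "203.0.113.7", 443),
    (10900, "ws-05", "10.0.3.5", 445),
    (10050, "ws-06", "10.0.2.10", 445),
    (10500, "ws-06", "198.51.100.20", 443),
]


def parse_events(lines):
    return [json.loads(line) for line in lines if line.strip()]


def tamper_alerts(events):
    """Log-clearing and audit-policy events, keyed by host."""
    alerts = defaultdict(list)
    for ev in events:
        label = LOG_TAMPER_EVENTS.get(ev["event_id"])
        if label:
            alerts[ev["host"]].append((ev["ts"], label))
    return dict(alerts)


def dark_endpoints(events, flows, silence_window=600):
    """Flows from hosts whose last endpoint event is older than silence_window seconds.

    A host that is powered off is silent on both sources; a host that is
    silent on the endpoint side but active on the network is the one to
    chase. Hosts with no endpoint events at all are flagged on their first flow.
    """
    last_seen = {}
    for ev in events:
        last_seen[ev["host"]] = max(last_seen.get(ev["host"], 0), ev["ts"])
    dark = defaultdict(list)
    for ts, host, dst, dport in flows:
        if host not in last_seen or ts - last_seen[host] > silence_window:
            dark[host].append((ts, dst, dport))
    return dict(dark)


if __name__ == "__main__":
    evs = parse_events(ENDPOINT_EVENTS)
    print("log tampering:", tamper_alerts(evs))
    print("dark endpoints:", dark_endpoints(evs, FLOWS))
```

The second check is the one that survives a competent intruder: event 1102 is only useful if the agent is still forwarding when the log is cleared, whereas a tap or packet broker outside the host keeps reporting ws-05's SMB and HTTPS activity whatever happens to its agent.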
The detection of intruders is a critical component of any cybersecurity strategy. However, tracking intruder activity after detection is equally important. With deep observability, when security leaders detect an ongoing attack in their network, they can then track intruders to inform a long-term incident response and recovery strategy.
When organisations are lucrative targets to criminals, tracking intruder activity provides valuable insight into attacker tactics, techniques, and procedures (TTPs) to improve Network Detection and Response (NDR) capabilities. To use an example, if an organisation identifies a specific type of malware used in an attack, it can deploy tools to block that malware in future.
In the time between detection and public disclosure, the Electoral Commission has reportedly implemented multiple measures to improve its security posture. These include improved threat monitoring capabilities, updated firewall policies, and more robust network login requirements. These are, of course, important upgrades, and we can only hope that other critical organisations are taking note of the blind spots that these attackers were able to exploit. But we can all learn from this breach. Without the right level of visibility, bad actors can hide in complex hybrid environments undetected for a dangerously long time.
The ability to collect and analyse vast amounts of data from network traffic, endpoints, applications, and other sources across a network infrastructure is the key to building a real defensive strategy and responding to threats in real time.
Bad actors are everywhere. In embracing deep observability, both public and private companies will ensure that when their time comes, they can react accordingly to minimise damage.
Mark Jow, Field CTO EMEA at Gigamon aims to help organisations leverage deep observability to optimise hybrid cloud security and performance. As the organisation’s first field evangelist for EMEA, Mark Jow has over 30 years of experience in the industry, having held senior technical leadership positions in Oracle, EMC, Veritas, Symantec and more recently Commvault.