Successful Attacks Can Blend Both Cyber and Physical Elements Seamlessly to Compromise an Enterprise
You’ve seen it before in movies like Ocean’s Eleven: a ragtag gang of thieves use a combination of social engineering, burglary and hacking to break into a seemingly impregnable site and make off with millions in stolen loot. While Hollywood often pushes the limits of “believability,” the scenario described above has a basis in reality; a fact some unfortunate companies can attest to.
While most organizations will not face a well-funded attacker attempting to break into a physical safe, the trope speaks to something all must now consider: cybersecurity needs to build bridges between the security operations (SecOps), network operations (NetOps) and physical security teams to be successful. Each group, working in a silo, may only have a piece of the puzzle, which is exactly what adversaries are counting on.
Before we focus on coordination between SecOps, NetOps and physical security, let’s examine a use case detailing how an attacker could plan and orchestrate the theft of intellectual property (IP) from an enterprise:
• Malicious actors determine the IP they want: schematics for a nuclear power plant, which are held by a Dallas, Texas-based organization.
• Once the target is identified, the attackers profile C-level executives at the company, eventually crafting a targeted email attack against the CFO.
• The CFO is compromised with a malware payload installed on the person’s machine. In typical scenarios, attackers would pivot from this initial entry point, which is the location on the network where the schematics reside.
• In this case, the production data center has strict controls for incoming data – they must maintain regulatory compliance, and there is limited ability to move laterally from the corporate network.
• Using the CFO’s email archives, attackers find the building where the engineering team is designing the next version of their nuclear plants.
• With this knowledge, the malicious actors move into the physical realm with their attacks in two ways:
– Drop a series of infected USB sticks in the parking lot of the engineering building.
– Tailgate an employee into the premises (they “forgot” their badge that day).
• Once access is established through malware on the USB, or physically by the tailgater, the attackers can access the schematics and achieve their goal.
You can see how a successful attack blends both cyber and physical elements seamlessly. When there are millions of dollars on the line, or a state-sponsored attack, the cost of an airline ticket or USB drive is trivial. How does this apply to the enterprise though? The answer lies in a security gap I’ve noticed. In most organizations, the SecOps, NetOps and physical security teams report to different executives: SecOps is the responsibility of the CSO, NetOps of the CIO, and physical security falls under the COO or CFO. These three teams are tasked with different objectives: SecOps keeps the network secure against cyberattack, NetOps keeps the network operating as fast as possible, and physical security secures company assets and personnel on location. Combine this with separate budgets and objectives that can conflict with each other, and you can start to see how these operational silos leave gaps attackers can exploit.
In our hypothetical scenario, if the target organization’s IT and security teams are structured as described above, the likelihood of the criminal gang succeeding is high, even if one of the attempts is thwarted. Why? Because in a siloed corporate structure, one team may never even hear of another team being attacked and think perhaps they should check their own systems. However, if the teams had been in communication, they’d be more likely to verify the security of their own areas of responsibility upon hearing that another team was compromised.
The SecOps, NetOps and physical security teams need a single executive sponsor to ensure all elements of the security program are working together. If one person had been in charge of security in the scenario described above, reports of both the physical and cyber intrusion would have been shared between the physical, cybersecurity and IT teams, who would then examine their processes, policies and technology to determine where the shortcoming was and how to fix it. In our scenario, that would include re-imaging the CFO’s hard drive, blocking command-and-control activity, tailgating awareness training, enhanced physical security for high-priority assets, and more.
A more coordinated security team can also yield budget savings by allowing each team to leverage the investments of the others. For example, if IT chooses a new next-generation firewall but it doesn’t provide the log data and prevention mechanisms that SecOps needs, they will end up buying and deploying one that does. The cost is doubled (not to mention the operational impact of adding yet another security device to the network). But if there were one executive charged with overseeing the needs of all groups, that person could influence the firewall purchase decision to address the combined needs, providing better security while saving precious time and resources.