Commentary from Benjamin Harris on recent high profile breaches
- Written by Benjamin Harris
There have been three major breaches in the last few weeks targeted towards companies that no one would describe as being remotely small: Uber, Rockstar and Optus.
I think as the public receives this information, we typically jump to the conclusion that, “These companies must have been reckless in some way to have had this kind of breach. They must be doing something wrong that doesn't reflect their responsibility to protect customer data.”
While the notion is logical, it doesn't really reflect the challenge that cybersecurity faces in 2022.
Consider other kinds of threats we defend against, such as physical attacks - for example, someone breaking into a building. This is a well understood risk, and there is a well understood set of ways to break into a business; the risk is therefore static and can be managed as such. We defend the window, we check the locks on the doors, and nothing changes once the locks are in.
With cybersecurity and technology, there is constant change.
Every day we're using new systems, new technology, and we're using and leveraging more and more third parties to handle data. At the same time, the tactics and techniques that attackers are using to target businesses like Optus are changing and evolving every single day.
When you're the size of Optus and you're trying to defend yourself, you may be faced with a logical conundrum. To defend a business, defenders are obliged to defend every single aspect of the business. But those defences can be static, while the tactics an attacker might use change almost daily. Defenders are then required to figure out how to defend against those new tactics as quickly as possible, and subsequently to implement the relevant defences. So defenders face a difficult time: they must understand everything that's going on, they must understand emerging vulnerabilities, they must understand emerging threats, and they must then be able to defend against all of these things comprehensively.
Attackers in comparison have a relatively easy life.
While 99 out of 100 attacks may fail, all it takes for Optus to end up in the news is one successful attack.
It doesn't necessarily mean that Optus is being negligent or that they're not doing all the things a business of their size should do to defend themselves. It could mean that one attacker was just persistent enough over a sustained period of time to find the one tactic or system where Optus may have let the ball drop, or where Optus didn't necessarily fully understand a particular emerging tactic in a rapid enough manner to build appropriate defences.
This is the challenge with cybersecurity.
Adversaries are trying new tactics and techniques every single day, and somehow Optus is expected to keep up with these rapid evolutions and changes. Regardless of the reality of how difficult this is for businesses like Optus, or any other large organisation (like Uber), regulators and customers - the court of public opinion - are not forgiving. The headlines are simple: a company has lost data.
It’s compounded because we often don't have that much information about how the breach has occurred.
If we look at the other high profile breaches that happened this week, Uber as an example, the suggestion, or at least the claim, is that the tactics and techniques used to execute the breach were relatively simple.
This is an easy punching bag for the public: “the organisation is large, the tactics and techniques are supposedly simple - unequivocally Uber must have dropped the ball, and they should have been able to prevent this breach.”
Yet, going back to my previous analogy, it's very likely that Uber had the 99 other types of attacker tactics and techniques covered. They were fully defended against those. And someone was simply lucky enough, and persistent enough, to have found the one gap that Uber had missed.
I think the question that we as an industry should be asking is not "what did Optus do wrong?"
Instead, for businesses like Optus, Uber, Rockstar, and whoever is the next victim of a breach, whether that is next week or even tomorrow, it should be: How do we help organisations understand the latest tactics and techniques adversaries are using to break into their organisations, so they can get ahead of that exploitation and prevent the breach? How do we, as a cyber security industry, enable organisations to use data to defend themselves? How do we use technology to give companies like Optus insight into the tactics and techniques being used to breach organisations before a breach occurs, so they can defend themselves?
At watchTowr, we are addressing this by building technology that gives organisations a real-time view of how adversaries look at their organisation, and therefore of how they could breach it. We leverage data to continuously help organisations understand how the latest attacker tactics and techniques apply to them, which then informs and enables actionable defence, removing the challenge organisations face in keeping up with these ever evolving and emerging threats.