Ransomware and supply chain attacks dominated the news in 2021, and experts expect them to persist and continue to converge in 2022. Government agencies, suppliers, and other target organizations must evolve their own cybersecurity techniques to stay ahead of attackers, says Sam Curry, chief security officer at Cybereason. In the first episode of MeriTV’s new Fix Fed IT series, Curry takes stock of the ransomware-supply chain attack convergence and outlines actions that organizations can take to protect themselves.
One challenge is the rate of innovation in cyber threats. Curry observes, “[Attackers] are good at getting better at their game … at a faster rate than defenders are, which is something that we’ve got to correct collectively.”
Supply chain security is a major focus of the Biden administration’s executive order on cybersecurity; other Federal actions to beat back attackers in the last year include the Department of Homeland Security’s 60-day sprint on ransomware and task forces on ransomware and supply chain disruptions.
Government must keep building on those efforts. “You don’t leap to maturity overnight,” Curry says. “It takes time and you have to grow maturity and grow complexity, and these are the right first steps. What matters now is what happens in the following 90 days, the next 90 days and so on, until we actually get higher security levels across the government.”
However, Curry cautions, “We have to remember we’re not dealing with lone wolves [or] random hacking.” Cyberattacks are increasingly the result of advanced research and development, springing from a sophisticated ecosystem where ideas and code get shared among bad actors, he notes.
Just like founders of a Silicon Valley tech startup, criminals take the best ideas from different places and put them together to create new tools and techniques, sometimes using agile methodology. “We should not underestimate them,” Curry warns. “We should assume intelligent players in this cyber game on the other side. They’re going to innovate and they’re going to put two and two together and come up with four or worse. … We need to match and/or eventually exceed that adaptation and innovation rate if we’re ultimately going to win.”
Ransomware and supply chain threats often do not take the form of malware or isolated attacks in a “bring your own virus” environment, Curry observes. Frequently, they
- Hide in obvious traffic
- Use trusted identities
- “Live off the land,” lurking inside trusted tools, including productivity and communication suites
Federal agencies’ best defense against ransomware and supply chain attacks is not a plug-in appliance or piece of software. Rather, to fix this critical issue, leaders must realize that “cyber is not different from the mission of any agency, department, or government organization or even suppliers in the defense industrial base.”
Cybersecurity must be viewed as integral to every mission and aligned with the core functions of every agency or department. Leaders must set the tone, viewing cybersecurity as “a way that you live day to day… it’s about making it culturally part of the fabric of an organization and part of leadership’s agenda,” Curry says.
Check out the full interview.