Chapter 3: The cyber threat surface


Our Chief Information Security Officers (CISOs) reported their teams fought off an increasing volume of attacks over the last 18 months. But they also said the number of incidents they faced remained pretty much the same. This revelation might lead to the conclusion that their teams are getting better at defending, criminals are more profligate and less effective - or a combination of the two.

Our respondents are fully aware they’re up against a criminal industry, not just individuals or gangs. Using cast-offs and stolen tools from nation-state actors and other threat groups, some of the more sophisticated hackers are causing a real headache. Meanwhile, other threat groups are failing to move on from the tried-and-tested (and now more readily-defeated) tactics and are becoming background noise for many cyber security teams.

Employees remain the most popular and effective vector for attackers, and are therefore a continual area of concern for CISOs, especially as they’ve observed adversaries employing far more elaborate and sophisticated approaches of late.

Increasingly, ransom payments bring all kinds of risk, not least where organizations are having to weigh up the dilemma of making a ransom payment to restore their operations, while inadvertently breaching government sanctions by paying groups that are subject to international or national economic sanctions.

Rather than continuing their primary focus on endpoint security, CISOs gave the nod to a more holistic, architecture-wide threat surface approach that matches the criminal’s attack vectors, and expressed their willingness to assume greater responsibility in the event of breaches.

Question #1

Have you had to respond to a greater number of specific cyber incidents in the past 12-18 months? What are the top three threats?

A cyber attack is an attempt by a skilled (or unskilled) adversary to breach a system's security policy to affect its integrity or availability, and/or the unauthorized access or attempted access to a system or systems.

A cyber incident is a breach by a skilled (or unskilled) adversary of a system's security policy to affect its integrity or availability, and/or the unauthorized access or attempted access to a system or systems.

The above definitions are clearly not one and the same. Additionally, the vast majority of CISOs we interviewed were exasperated with the continuous flow of inaccurate and poorly researched news stories about attacks and incidents, which mix up the two definitions to sensationalize their headlines and are enthusiastically reused by security vendors. The advancement of attack vectors initiated by cyber criminals has sparked the need for CISOs to strive for a redefinition of cyber incidents that distinguishes a ‘major cyber incident’ from a ‘cyber incident.’

Forty-four per cent of the CISOs scored 1-5 and told us the number of cyber incidents they observed had not grown over the past 12 months. This does not mean that the number of cyber attacks and cyber incidents is at an equilibrium; the remaining 56% of CISOs in our study have seen the number of cyber incidents grow, including the diversity of attack vectors. One respondent had seen the number of attacks increase by 400%, but no discernible increase in incidents. In fact, some respondents have seen a downturn in specific cyber incident vectors.

"Attacks are increasing; phishing, phishing and phishing. Seeing it all the time. But it’s still the same methods of attack vectors being used."

- Ian Dudley, IT Director, DriveTech

Where the security teams have needed to respond to a cyber incident, it is never about the quantity of the initial attacks, except for volumetric attacks such as Distributed Denial of Service (DDoS), where quantity is very much the problem. It’s now about the quality of the attack, including the use of evasion techniques, machine learning (ML), and a multiplicity of [simultaneous] attack vectors initiated by cyber criminals.

"We enforce our tools and look for more incidents, which means that we find more attacks."

- Hitesh Patel, Head of Cybersecurity, Cloud Computing & Digital Infrastructure Audit & Risk, Fidelity Investments

The increased awareness and deployment of security tools, threat intelligence and the MITRE ATT&CK framework has meant that many security teams are proactively looking for gaps and blind spots in their architecture and operating environment to identify the outlier attacks that could create a cyber incident; hence, an expected increase in the number of intelligence-led, reported cyber attacks.

"The threats are higher, but the number of incidents has dropped."

- Marc Ashworth, SVP, CISO, First Bank

Many of the CISOs said they are challenged with an increase in possible cyber incidents, and identified the following business risks arising from a more mobile and flexible office workforce:

  1. A computer contaminated outside the business is brought inside the business network and acts like a trojan horse, infecting others on the network and creating the possibility of thousands of workers innocently running the malware
  2. Hybrid working – the continuous back and forth between business and social locations creates a major risk
  3. Contamination of computers used in the home, which can be used for social engineering purposes alongside their primary purpose of accessing communications and sensitive files, can impact the rest of the IT inventory without ever entering the office.

The top three threats consistently encountered by the respondents were:

  1. Phishing
  2. Ransomware (wiper malware)
  3. Business Email Compromise (BEC)

In addition, the following cyber attacks were cited as ongoing challenges for their security teams, showing the diversity of attack vectors employed by criminals: trojan horse (via exploitation of remote teleworkers); data leaks (predominantly external and third-party led); DDoS (diversionary and application); MSS/cloud hacking (externally driven); identity/credential/account compromise (via social engineering/phishing); APT malware (organized groups).

The CISOs consistently mentioned that they are having to run their operations with a level of security debt, where new security tools, lack of early security integration across business projects, and internal security awareness had not been previously prioritized. CISOs appreciate that they are constrained with actioning these levels of debt due to budget constraints, resource workloads and priority of other business activities. They also recognize that many of the issues they read about can be overcome by enforcing basic security processes that would remove the problems with legacy technology, patching and inefficient security tools.

"We have seen a greater number of attacks as we moved off a managed SIEM/log management provider and insourced this function. We now see all of the incidents internally. Now seeing 500+ (attacks) a quarter, having better precision and identification using our internal tools and capabilities."

- Leo Cronin, CSO, Cincinnati Bell

CISOs acknowledge that as their businesses increase their ‘network-effect’ (the value of a network is proportional to the square of the size of the network[1]), driven by greater digital platform integrations, they will need to be prepared for the introduction or increase of cyber attacks from nation states. Such attacks threaten critical national infrastructure, defense, health and financial industries, all of which present opportunities to exploit innocent or rogue insiders.

Question #2

Who’s moving fastest – you or your adversaries (criminals)?

Seventy-two per cent of the CISOs are in no doubt that the cyber adversaries they face every day clearly move the fastest, having the capability to attack from a distance, with greater agility and increasing resources, delivering an impact at speed that could have a catastrophic effect on their organizations.

Compared with legitimate businesses that have regulatory constraints, fluctuating budgets and internal controls of security over operational efficiency to balance, adversaries have the unconstrained opportunity for financial gain or political interference.

“The criminals always. I have a day job – they don’t!”

- Ian Dudley, IT Director, DriveTech

“We have to win every day and every event, whereas the hacker only has to win once.”

- Mauro Israel, Corporate CISO, ORPEA Group

“Adversaries. Constantly changing their attacks. Trying to stay up with them is overwhelming.”

- Marc Ashworth, SVP, CISO, First Bank

“Definitely adversaries. Better funded and have more time on their hands to practice offensive security – defensive is always harder.”

- Leo Cronin, CSO, Cincinnati Bell

Defensive security is always a harder challenge, as you need to get your game theory right every time. “We have to win every day, for every attack, whereas the hacker only has to win once.” Trying to create a cyber security equilibrium with an adversary is overwhelming.

CISOs acknowledge that they have a critical dependency on security vendors, as they do not have the scale to develop their own security tools, so they will continue to rely on the security vendors to deliver on their product intention, whereas their adversaries write, update and integrate their own code with ease to deliver offensive attacks every time.

When CISOs raise concerns internally and insist that senior management fund or invest in ensuring the security basics are consistently in place and policies enforced, they’re often challenged with business priorities. These procedural actions can be viewed as boring and restrictive, and not approaching the issue with thought leadership.

In general, the CISOs appreciate that the bright lights of cyber analytics, artificial intelligence (AI), ML, Secure Access Service Edge (SASE), and other emerging technologies and architectures may elicit an emotional level of cyber protection, but the CISOs all confirm that they will never be able to close the gap on the cyber adversaries unless the basics are in place.

Efficacy: challenged

Being the type to tell it straight, a major concern highlighted once again by a number of the CISOs was that something is definitely not working. They hear that the revenue opportunity for security products is in the trillions of dollars. So why, when businesses have security tools implemented, does the adversary continue to succeed in penetrating their defenses with cyber vectors that have been known about for more than a decade?

Question #3

Do you believe there has been an increase in the threat capabilities of cyber criminals? If so, what threats worry you the most?

As with every business, criminal cyber groups know they can improve performance by building partnerships with others. This opens up their market opportunities across more diverse industries, all the while maintaining a line of self-enforcement of their own ‘standards among thieves.’

Most of the CISOs we spoke to are under no illusion that cyber criminals have increased their threat capabilities. Very nearly all (96%) of the respondents scored between 6-10 and recognize that the cyber underworld has evolved into a well-organized commercial industry.

In the same way that legitimate organizations build out skill sets to compete effectively in their market, cyber criminals, their teams and alliances exhibit multiple disciplines in a structure of owner-operated, small, mid-size and large group operations. These structures extend to geographically dispersed, organized criminal groups (OCGs). They're also apparent in well-resourced, nation-state actors such as Lazarus Group and APT 29.

These days, cyber security groups are operating in a redefined arms race, or what one respondent called the “fifth wave of warfare.” US-based CISOs noted that the traditional hackers who have been around for a long time are still using low-grade attack packages. These attackers are becoming background noise.

"Threat actors are more and more creative. They are now exfiltrating data when asking to pay the ransom."

- Leo Cronin, CSO, Cincinnati Bell

The major concern for the future is around a small set of attack vectors that have ‘destroy-type capabilities.’ Thankfully, many CISOs have not yet experienced such an attack but recognize the need to prepare for a day when it could happen. One potential scenario could come from a nation-state attack, which would normally be isolated and targeted at government and critical national infrastructure. CISOs see the probability of their organizations experiencing collateral damage from such an incident. A more discernible concern arises when OCGs and political activists are able to use nation-state tools gained from allies and enemies* to mount ‘zero-day’ attacks – and other methods that no one else knows about – against commercial operations.

* These include: US National Security Agency (NSA); the UK’s General Communications Headquarters (GCHQ); France’s ASIS; China’s People’s Liberation Army (PLA); Israeli military intelligence (Mossad); and Russian military intelligence in the form of the GRU.

FOR SALE: damage

Distribution of cyber attack products and services has its own marketplace, often on the ‘dark web.’ CISOs see the easy distribution of advanced cyber attack tooling as a major headache due to the availability of code for phishing, ransomware, APTs, etc., as well as groups that provide cyber criminality ‘as-a-service’ attacks built by teams funded by nation-states or major OCGs. Examples include EternalBlue, largely acknowledged to be a cyber attack tool stolen from the NSA, and elements of code developed by the groups behind the Stuxnet virus.

The free availability of these and other cyber weapons allows organized crime groups to use advanced capabilities against their targets that can be incorporated into the traditional attack vectors. As well as new tooling, the dark web is the centralized marketplace for stolen credentials, data, and intellectual property such as the designs for limited-edition clothing and high-end shoes, creating a one-stop experience that delivers malicious capability and stolen reward.

Wherever the global market looks to gain a foothold to offer services and products to citizens, the cyber criminal sees an opportunity to increase competitive differentiation, market presence, profitability and penetration. For example, CISOs appreciate that cloud infrastructure can be helpful for scaling business and obtaining wider efficiencies, thanks to flexible operating principles and lower costs. But our respondents also noted how cyber criminals have realized the benefits of ‘dark cloud’ operations. With mirrored benefits, the cloud can accelerate criminal user base and volume of attacks to deliver DDoS, malware and phishing, all as subscription services (damage-as-a-service).

"Techniques have definitely developed and become more professional. My concerns remain on ransomware and wiper software, though; BEC for money is just money, but the other two can kill the business."

- Andrew Rose, CISO, VocaLink (A Mastercard Company)

It was clear from the feedback that CISOs believe cyber criminals are gunning for two things: financial gain and disruption, the latter via either data breach or infrastructure intrusion. The threats that align to these types of attacks and worry the CISOs most can be broken into two categories:

Ransomware, executed across Information Technology (IT) and Operational Technology (OT), is usually delivered directly via malware uploads, or by restricting access via DDoS. The objective of DDoS is to extract a ransom, or to be used as a distraction tool in combination with other downloaded malware for immediate or future exploitation (data theft, web redirects, command and control (C2) establishment).

Ransomware is a growth scourge. These attacks affect normal business operations, can damage services to existing clients/consumers and hinder the on-boarding of new consumers. The advanced ransomware that CISOs fear the most deploys ‘wiper code,’ which brings unrecoverable damage.

There are also unknown risks to the CISO, such as whether the cyber criminal will go through with their threats if the ransom is not paid, if they will indeed stop flooding the networks or even provide the promised encryption keys after a ransom is paid, or if the threat actor has exfiltrated data that they will sell to the highest bidder, use to extort individual customers, or simply release to the outside world. The capacity for organizations to continue to operate after paying any ransom may be a lower concern for larger companies more able to swallow this loss of capital and services. But for smaller and micro-businesses, this kind of hit could take them out of business – fast.

The other category of threat is ‘impersonation.’ This category accelerates a cyber criminal’s focus on the human, the most fallible component in cyber security. CISOs are starting to experience the evolution of traditional forms of social engineering attacks blended with AI and ML technologies, underpinned with softer intelligence derived from psychology, neuro-linguistic programming (NLP), and human behavioral sciences. Once access and privileges are compromised, impersonation allows a wider variety of social engineering, phishing, BEC, whaling among others to evade learned human cognitive actions and take polymorphism functionality to a new level. The latter evasion techniques combined with AI and ML may, in the 'near distant' future, render many security tools as useless.

Technology capabilities are accelerating for everyone

While our respondents’ organizations reap the benefits of technological change, so do attackers. Advances in automation and value exfiltration – for example, in the appropriation of infrastructure to mine cryptocurrency – make their crimes even more profitable. Our interviewees suspected that advanced threat actors are already observing how smart factories, homes and offices are all enabling IoT, mobile and next-generation devices. They worry that sophisticated OCGs have the capability to bias ML programs and adjust automated manufacturing operations, or to build larger botnets, such as those possible with the Mirai botnet code, from home and office networks to impact corporate targets, nullifying the intended value of digitalization.

"They are going to dig more into AI/ML, and improve their processes to make it easier for people to initiate attacks. Using a cloud model in the criminal enterprise (damage-as-a-service, etc)."

- Marc Ashworth, SVP, CISO, First Bank

Finally, quantum computing capability – the ability to dramatically reduce the time required to solve the mathematical problems that current cryptography (encryption) relies on – is seriously worrying a number of the CISOs. When this becomes available, CISOs believe it could nullify every organization, rendering cyber security – or any individual’s legitimate purpose – obsolete.

Question #4

Are there more attacks targeted directly or indirectly at your employees?

The employee is still seen as the primary attack vector for cyber actors

Almost three-quarters (71%) of the CISOs continue to recognize that the employee attack vector is still one of their most pressing concerns.

"Always being attacked; 95% of attacks come from phishing and tricking users."

- Ian Dudley, IT Director, DriveTech

Our respondents acknowledge that cyber criminals are using a far larger attack surface to get to their intended target. They reported experiencing more sophisticated employee-targeted attacks via social channels, where the employees’ personal data is in the public domain. Our interviewees remain astonished that many individuals are blind to the fact that cyber criminals have the capability to understand the link between an employee’s social/personal life on social media and their business role.

"The attackers are finding out who works where in a company [by] using social media."

- Leo Cronin, CSO, Cincinnati Bell

Social engineering and phishing attacks are used to connect directly or indirectly to the employee. Infiltration is often via a disguised but familiar-looking network link to trick a click to action the attack vector. And no one is immune to an attempt. Even CISOs in the financial industry reported a greater number of BEC attack attempts to convince employees to action false invoices or payment transactions apparently coming from the CFO or the head of procurement, for example. In interviews, CISOs continued to quash the belief that there have been more cyber incidents in the last 12 months as the majority of ‘spray’ type volumetric phishing (anything up to a 400% increase in employee-related attacks for one respondent) continue to be picked up by email and anti-phishing security products.

"600% more attacks, could be higher…we have seen a 400% increase in employee-related attacks."

- Marc Ashworth, SVP, CISO, First Bank

But it is not enough that all dubious emails are routed to the quarantine. CISOs need confidence that email security tools will immediately remove suspicious emails to a sandboxing environment where anomalous links or executables – which have hidden malware – can be detected. If sandboxing is not used, businesses require better implementation of hard quarantine rules to remove potentially harmful links from user visibility, otherwise the risk remains. Any smart email attack that makes it through can compromise the security of a company if opened by an unsuspecting or curious employee.
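The following is an added illustration, not code from the report or from any vendor's product, of the two-tier handling described above: suspicious mail goes to a sandbox when one exists, and where no sandbox is available a hard quarantine rule keeps executables from being delivered and removes untrusted links from what the user sees. The trusted-domain list, the attachment-extension list and the three sample messages are all constructed for the example; the `.test` hostname is a reserved placeholder.

```python
"""Policy-driven triage of inbound mail: sandbox when available, otherwise
hard-quarantine executables and strip untrusted links from the user's view.
Policy values and sample messages are constructed for this example."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

# Constructed policy: hosts users may follow links to without detonation.
TRUSTED_LINK_DOMAINS = {"example.com"}
# Constructed list of attachment types that must be detonated before release.
DETONATE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted_host(host):
    """Exact match or subdomain of a trusted domain (so 'example.com.evil.test' fails)."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def untrusted_links(text):
    """Return the URLs in `text` whose host is outside the trusted set."""
    found = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop trailing sentence punctuation
        if not is_trusted_host(urlparse(url).hostname):
            found.append(url)
    return found


def risky_attachments(msg):
    """Names of attachments whose extension is on the detonation list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in DETONATE_EXTENSIONS):
            names.append(name)
    return names


def strip_links(text, links):
    """Hard-quarantine rule: the link itself never reaches the user's view."""
    for url in links:
        host = urlparse(url).hostname or "unknown"
        text = text.replace(url, f"[link removed by policy: {host}]")
    return text


def triage(raw, sandbox_available=True):
    """Classify one raw RFC 5322 message.

    Returns a dict with 'verdict' in {'deliver', 'sandbox', 'hold',
    'deliver_sanitized'}, the list of 'reasons', and the 'body' the user
    would see.
    """
    msg = message_from_string(raw, policy=default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    links = untrusted_links(body)
    files = risky_attachments(msg)
    reasons = []
    if links:
        reasons.append(f"{len(links)} link(s) to untrusted hosts")
    if files:
        reasons.append(f"executable/macro attachment(s): {', '.join(files)}")
    if not reasons:
        return {"verdict": "deliver", "reasons": [], "body": body}
    if sandbox_available:
        # Anything suspicious is detonated before a user can open it.
        return {"verdict": "sandbox", "reasons": reasons, "body": body}
    if files:
        # No detonation available: hold the whole message rather than
        # deliver an undetonated executable.
        return {"verdict": "hold", "reasons": reasons, "body": body}
    # Links only: deliver the text with untrusted links removed from view.
    return {"verdict": "deliver_sanitized", "reasons": reasons,
            "body": strip_links(body, links)}


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message (not real traffic) for exercising triage()."""
    msg = EmailMessage()
    msg["From"] = "cfo@example.com"
    msg["To"] = "accounts-payable@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


CLEAN = build_sample("Board pack", "Slides are at https://intranet.example.com/board.")
PHISH = build_sample("Overdue invoice",
                     "Approve payment here: http://pay-portal.invoice-update.test/login today.")
DROPPER = build_sample("Invoice attached", "See attached.", attachment_name="invoice.exe")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("phish", PHISH), ("dropper", DROPPER)):
        for sandbox in (True, False):
            r = triage(raw, sandbox_available=sandbox)
            print(f"{name:8s} sandbox={sandbox!s:5s} -> {r['verdict']:17s} {r['reasons']}")
```

The design point is the ordering of the fallbacks: the sandbox verdict is preferred whenever detonation exists, and only when it does not does the hard rule apply, which holds any message carrying an executable outright and otherwise replaces each untrusted link with a placeholder naming the host, so an analyst can still see what was removed without the user ever being able to click it.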

Question #5

Are there more attacks aimed at disrupting your business operations?

One-third (32%) of the CISOs (scored 5-10) we spoke to have recognized an increase in the direct attacks on their business operations.

The most visible attacks are against internet-facing applications and the network itself. The growth in digital channels – to gain knowledge and buy goods – has also increased cyber criminal activity on internet-facing portals to target employees. CISOs are having to counter replicas of internet-facing portals that are being used to redirect the user and then scrape login details, personal information and financial data.

The implementation of more ‘defense-in-depth’ frameworks has increased the effectiveness of security infrastructure spanning all other areas of the business operations. This reinforces the point that, although there may be continuous attacks against their business, very few of these actually turn into incidents. This is a difference compared with attacks against individuals, which are seen as an easier route for the cyber criminal’s intent.

"The distraction of a security incident cannot be overstated, especially as geopolitical tensions increase. We expect to see more attacks against business operations."

- Matt Stamper, CISO, Evotek

All cyber attempts and those resulting in actual incidents are focused on an organization’s internet-facing websites, portals or the networks that form the critical infrastructure for company communication and data flows. All other business targeted attacks are primarily motivated by data theft or financial gain. These may disrupt the business but not its operations.

Those CISOs who have seen attacks and incidents against business operations have identified a diverse range of DDoS as the primary route attempt. Such an attack is intended to temporarily disrupt efficient engagement with internet-facing services and internal communication and data flows. CISOs reported the use of diversionary attacks, where DDoS is deployed to distract the security and network teams from mitigating other malware or ransomware infections.

"Ransomware disrupts business operations alongside the growing issue of DDoS attacks, but we need a better understanding if it’s a real attack or an IT issue (bug)."

- Mauro Israel, Corporate CISO, ORPEA Group

Many CISOs believe that if geopolitical tensions continue to increase, they will see more attacks directly focused on business operations intended to hamper their country’s economic capability. CISOs emphasized that the intent of a security incident should never be understated. Many respondents believe that the efficiency of their security architecture ensures they can mitigate criminal intent to stop business operations. However, in many cases, CISOs never get to fully understand the ‘end’ motive of the cyber actor.

"DDoS and supplementary attacks are aimed at core destruction."

- David Lello, CISO, Burning Tree

Question #6

Have you been directly impacted by attacks coming indirectly from business partners?

There is no definitive agreement from CISOs regarding attacks from business partners.

Only 28% of respondents that scored between 7-10 indicated any recognizable impact coming from external business partners, whereas 64% scored between 1-4, which suggests that while they may be experiencing sporadic attacks (where business partners have been found to be the source), very few are successful due to existing security tools.

"We have strengthened down on social engineering and spoof emails, where an attacker is pretending to be someone of trust."

- Nathan Reisdorff, CIO, New England Law

Not surprisingly, the majority of attacks use business partner or customer email as the transportation method of choice, executed via a compromised account of trust in an attempt to socially engineer with phishing or spoofing. A few CISOs have experienced business partners being exploited using BEC, where the partner has transitioned to cloud-based applications and has overlooked deploying all the necessary security controls, opening possible connections to their organization.

Increasing the number of network connections to partners places a significant burden of responsibility on the shoulders of the CISO. There needs to be more mutually agreeable due diligence in practice between the parties prior to engagement to ensure that the basics will be adhered to. That means agreeing that security audits, penetration testing, multi-factor authentication and real-time common vulnerabilities and exposures (CVE) testing are enforced. Regular two-way communications and even cross-party audit checks are essential to ensure that everyone is adequately security hardened to the satisfaction of each CISO.

"A big concern is that many business partners are not protected well enough. Mandate due diligence for anything they buy from IT companies and enforce security audits for all partners."

- Mauro Israel, Corporate CISO, ORPEA Group

Question #7

Where would you place the motivation of cyber criminals against your company?

Every CISO knows that a cyber criminal’s primary goal is financial reward

Our CISOs also recognized that the initial attack may not appear to fit the model of financial motivation. While it is accepted that all organizations rely on data to run their business, each industry’s data value is seen differently by cyber criminals. The split in opinion here is that 77% of CISOs saw the cyber criminals motivated by immediate financial reward. The remaining 23% of CISOs scored lower than the 7.4 average, suggesting that they view data as a greater motivating value for cyber criminals.

Today, cyber criminals want immediacy of payment, using more direct attack vectors such as DDoS and ransomware that result in the disruption of operations and demanding instant financial payments. This has a more immediate effect on businesses compared with the more traditional methods of financial criminality, where the data was stolen or published on the dark web, and threats and consequences were issued unless a ransom was paid or the targeted organization performed another required action (take websites down, stop working with a government or commercial business, etc.).

When systems and consumers are impacted, immediate and direct involvement of both security tools and security specialists is required to minimize damage and wider business exposure. But, as has been experienced in recent incidents, the cyber actors do not always release the networks or provide the necessary encryption keys after payment. An attack is criminal in the first place, but there is no guaranteed honor when it comes to unscrupulous commercial cyber criminal activity to deliver the antidote after they have achieved what they set out to do.

"I see two motivations: #1 to get money – $100-$30,000, and #2 set up botnets to attack other organizations."

- Nathan Reisdorff, CIO, New England Law

Payment consequences for financial damage

Continuing the theme around the immediacy of payments, BEC that initiates or redirects financial payments appears to be another growing attack vector. It is often executed under the category of socially engineered payment fraud. Additional use cases disclosed include instances where privileged knowledge is exploited as cyber actors nurture the media headlines by stealing data impacting company valuations during a known or intended merger or acquisition.

Paying a cyber criminal is causing the CISOs increased stress as they accept that their company, cyber insurance partners and intermediaries now have to tread a fine line. As more governments issue advisories regarding payment of ransomware to sanctioned persons or organizations, the company is at risk of suffering a triple-hit: revenue loss from the attack; payment to the cyber criminal; and being fined by the government for breaching sanctions. Ignorance of who is, or who is not, sanctioned is not a reasoned defense.

Question #8

Has your belief of what ‘good security’ is changed over the past two years?

Well-secured organizations are defined as companies that have alignment with risk-tolerance.

The 71% of CISOs that scored the average of 5.8 or above say that their belief of good security has changed, either in part or substantially. However, when all the CISOs contextualize their scoring, two opposing corners emerge.

"In the past, security tools, practices and initiatives were quite specific, but now it’s more about fundamental practices that integrate and scale across business."

- Simon Goldsmith, APAC Information Security Officer, Adidas

In one corner, 29% believe that good security is still fundamentally the same as it has always been: focused on a risk-based discussion rather than just relying on security technology. They believe that you should continue to approach security with old-fashioned common sense, accept that the weakest link will always be the human, always keep a healthy sense of awareness of your environment, and enforce the application of strong security basics (hyper hygiene).

"No real change, as I’ve always believed in the secure-by-design approach, which continues to be beneficial."

- Chani Simms, CISO, SHe CISO Exec

CISOs continually zoned in on the human element, appreciating that employees and consumers need to take a greater level of personal responsibility for their actions.

In the opposing corner, others believe that good security has positively transitioned internally, with more peers and employees recognizing its importance. Much of this has been achieved with appropriate levels of training and awareness of various security incident possibilities. Using a strong approach to people, process and technology, and a ‘secure-by-design’ approach will produce the benefits. These CISOs believe that they are in a good position to continually challenge the attacks and incidents, and not be distracted into following fads or hype.

"My belief has substantially changed. It’s now the endpoint that is key. In the past, it was the perimeter."

- Mauro Israel, Corporate CISO, ORPEA Group

A strong message from all CISOs was the belief that they and their teams need to take more responsibility and ownership of any cyber incidents that affect the business and accept that fault may lie with the security team. Core to this is the acceptance that good security is about how you do things and less about what you do. The wider appreciation and influence of cyber security has meant that interactions with a wider diversity of business teams, partners and external parties (such as regulators) has increased and raised the stakes when providing security. In the past, there were minimal specialist teams that had a focus on security outside of the core team. But now we have many new disciplines that must be considered, including DevSecOps, app security, cloud security, and IoT security.

"It’s about good, old-fashioned common sense. If you keep a healthy sense of awareness of your environment, you won’t need to respond to an email for banking information, etc."

- Todd Gordon, Director, Information Security, EisnerAmper LLC

Information system boundaries have evolved and disappeared (perimeterless) due to the externalization of operations to the cloud, which has increased the threat ‘inside’ the new network. Cloud-based services, mobile working practices, and the increased adoption of digital projects have changed the scale that security has to manage across the business.

"Information system boundaries have evolved due to externalization to the cloud, which have increased the threat ‘inside’ the network. We have to protect the ‘core infrastructure’ like Active Directory, hypervisors and backups."

- Florent Cottey, Operational CISO

CISOs singled out the greater emphasis on the endpoint as opposed to the more traditional focus on the perimeter. These CISOs also look past the ‘here and now’ to envisage what good security needs to address for the future. They acknowledge that, due to the emergence of more advanced threats and nation-state actors/terrorists with the capability to destroy an organization, good security needs to be elevated. Additionally, the greater accessibility of advanced security tools (threat analytics, isolation capabilities, biometrics, and many more) that claim faster response times and proactive cyber attack mitigation is raising the maturity of their security tooling.

No longer addressing cyber security solely from a technology perspective, CISOs are adopting security frameworks such as MITRE ATT&CK to bring in more structure and to provide visibility of the gaps in their organization’s security posture that cyber criminals exploit. This is encouraging security teams to approach cyber security effectiveness from both a technology and a collaborative best-practices perspective.

The F-Secure Countercept perspective

If there is such a thing as a cyber crime ecosystem, then it is thriving. There has been much talk of a service industry for cyber crime – and plenty of evidence that it’s taking place.

Affiliation models and services make threat groups new and old more operationally effective; they are now able to share mature tooling and offensive knowledge to conduct attacks. Another draw is financial reward: the high-profile success of ransomware and extortion attacks has drawn more threat actors to focus their attention on this space, and they are moving away from other types of cyber crime as a result.

Engaging in some form of often expensive arms race may keep defenders current, but we’d argue that organizations working more closely together in the face of common threats represents the best value for money in the long term.

The state of the art

We expect phishing to remain a popular and fruitful avenue of exploitation for threat actors. Social engineering techniques rely on human nature, and phishing capitalizes on this. Malicious email content will always be interacted with, to some extent.

F-Secure suggests a number of approaches to mitigating risk:

  • Technological solutions can filter out the obviously ‘malicious’ email content before it reaches users, so they never have the opportunity to interact with it. Sandboxing, reputation-analysis and attack surface reduction through blocking esoteric file formats can all help.
  • User training is an evergreen – a well-informed workforce will better understand the key role they play in security. But training shouldn’t just focus on not clicking the link; it should also stress the importance of reporting links so Security Operations teams can find other users who received the link and contain any resulting compromise.
  • SaaS/endpoint-detection capabilities reduce the impact (and therefore cost) of any intrusion that results from an interaction with malicious email content. The real cost to organizations is what happens after interacting with malicious content, not the interaction itself.
  • The supply chain answer our interviewees gave may be different following last year’s Solorigate/SolarWinds incident, since the interviews predated it. Supply chain attacks will continue to be relevant but will most likely only generate tangible risk for highly targeted organizations.
  • Cloud and other technology adoption has changed, and will continue to change, the concept of ‘good security’ in the industry. One tenet of technology and, consequently, how it is secured, is constant change and evolution. As a result it is important that CISOs and organizations keep up to date with the latest and best guidance in the industry, rather than relying on outdated viewpoints for strategy – something the interviewees stressed in their responses in Chapter 1. Those organizations that succeed in this environment are those that can be agile and respond to these changes. Their chances are better than those that struggle to communicate and act upon evolutions in the field.
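As an added example (not code from the report or from F-Secure), the first two mitigations above in Python: an attachment attack-surface-reduction check and the reported-link correlation that lets Security Operations find every other recipient of a phishing link. The mail records, domains and blocked-extension list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed mail-gateway records (not real data): message id, recipient,
# attachment names and URLs extracted from the body.
MAIL_LOG = [
    {"id": "m1", "to": "alice@example.com", "attachments": ["invoice.pdf"],
     "urls": ["https://login-portal.example.net/reset?u=1"]},
    {"id": "m2", "to": "bob@example.com", "attachments": ["Report.PDF.iso"],
     "urls": []},
    {"id": "m3", "to": "carol@example.com", "attachments": [],
     "urls": ["HTTPS://Login-Portal.example.net/reset?u=7"]},
    {"id": "m4", "to": "dave@example.com", "attachments": ["notes.txt"],
     "urls": ["https://intranet.example.com/wiki"]},
]

# Attack surface reduction: esoteric formats rarely needed in business mail.
# Assumed list for this example; tune it to your own environment.
BLOCKED_EXTENSIONS = {".iso", ".img", ".vhd", ".js", ".jse", ".vbs",
                      ".hta", ".lnk", ".scr"}


def attachment_ext(name):
    """Last extension, lower-cased, so 'Report.PDF.iso' is judged by '.iso'."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def quarantine_by_extension(log, blocked=BLOCKED_EXTENSIONS):
    """Ids of messages carrying at least one attachment with a blocked extension."""
    return sorted(m["id"] for m in log
                  if any(attachment_ext(a) in blocked for a in m["attachments"]))


def normalize_url(url):
    """Scheme + host + path, lower-casing scheme and host and dropping the
    query string: phishing kits often embed a per-recipient token there,
    so matching on the full URL would miss other recipients of the same link."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def recipients_of_reported_link(log, reported_url):
    """Given one user's report, every recipient who received the same link,
    so SecOps can contain them before or after they interact with it."""
    target = normalize_url(reported_url)
    return sorted({m["to"] for m in log
                   if any(normalize_url(u) == target for u in m["urls"])})
```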

A way forward

Collaboration among hostile actors to improve attack capabilities sets a rather dark example of how defenders should go about improving their own technology, tactics and procedures. Long gone are the days when having better safeguards in place than your neighbor worked as a defensive strategy; only the stragglers from the herd were prey when cyber security was an exercise in pace and resources. Survival of the fittest – or at least the ability to hide in the center of a herd while predators picked off those at the fringes – no longer applies when attacks are targeted and when active collaboration can make a massive, positive difference.

Defender collaboration is hardly ever a zero-sum game in this environment; it is also worth noting that attackers often share or trade information on targets, techniques and technologies. Information-sharing of this type has helped financial institutions[2] tackle organized cyber attackers, fraudsters and money launderers.


Research methodology

The author of this research is Kevin Bailey (an independent cyber security analyst from Synergy Six Degrees on behalf of Omnisperience) and it is published by F-Secure. F-Secure funded the report while all interviewees contributed on a voluntary basis.

The qualitative interviews for this research have been conducted independently from the sponsors of the work. All editorial control has remained with the author.


Twenty-eight interviews were undertaken between July and September 2020. A total of 23 interviews were conducted one-on-one and five interviewees provided their responses via the qualitative questionnaire, all on a confidential basis. At no time was the sponsor aware of the full interviewee list. All call-out and respondent listing attributions were sought by the author following completion of all interviews. This approach was adopted to encourage candid contributions. The setup and questioning approach has been designed to avoid bias, and where there has been risk of bias, this has been explicitly discussed in the interviews. Only three of the interviewees were existing F-Secure customers at the time of the research. Each interview lasted at least an hour, with most lasting around 90 minutes and many leading to follow-up conversations to discuss the conclusions of the research.


The cohort of interviewees was approached based on their depth of expertise and was selected to build a balanced set of inputs.

The author had no commercial connection with the interviewees.

The participants were assured that the report was not intended to imply or intimate, directly or otherwise, that they endorsed or validated any sponsor products or services. The roles covered in the cohort include CISOs (or equivalent title), Head of Cyber Security, Director of Information Security and Head of Threat Intelligence.

Financial services is the most strongly represented cohort.

Twenty-eight qualitative interviews, supported with targeted quantitative data points, were used to build a grounded theory of the research objective.

Research period: July - September 2020

Regional split: Europe - 14; US - 14

Sectors shown in the cohort breakdown include Commodity Trading, Digital Platforms and Cyber Security.

Roles shown in the cohort breakdown: CISO (Chief Information Security Officer), CSO (Chief Security Officer), CIO (Chief Information Officer), Director of Security & Privacy, Director IM and Security, Director Information Security, IT Director, IT Security Manager.
