Breaches happen – here’s how CNI organisations can build resilience to cyber attacks
Published by Jessica Weisman-Pitts
Posted on October 14, 2022

By Raghu Nandakumara, Head of Industry Solutions, Illumio
From energy and water supply to transport and healthcare, many industries fall under the banner of Critical National Infrastructure (CNI): they operate as private organisations, yet they are also essential to the fabric of our society and economy. Less visible than physical infrastructure, the flow of capital and commerce through the financial sector underpins our daily lives just as much.
Disruption to CNI providers can have a huge impact on a national or even international scale – and organised cyber criminal groups are preying on this weakness.
In a conversation with Raghu Nandakumara, Head of Industry Solutions at Illumio, we discuss exactly why cyber criminals are targeting CNI organisations with a vengeance, and how this increasingly vulnerable sector can bolster cyber resilience to remain safe and keep operations up and running.
Why are Critical National Infrastructure organisations an appealing target for cyber criminals, and how vulnerable are financial organisations specifically?
Most cyber attacks are motivated by profit. As a result, attackers have traditionally focused on sectors like hospitality and retail that hold a lot of personal and financial data for criminals to easily exploit and sell onto others.
However, more recently, organised groups are adopting ransomware as their primary money maker. The aim is to cause as much disruption as possible in the hopes of pressuring the victim into paying a ransom demand to restore their systems quicker.
CNI organisations are particularly appealing targets for this tactic because of the critical role they play in society. If a CNI organisation suffers an outage due to ransomware, they’re more likely to pay a ransom in order to restore operations quickly – because so many individuals and organisations rely on their services.
Savvier groups have also started using a “double extortion” approach, where they not only deploy disruptive ransomware, but also exfiltrate valuable data to use as blackmail or to sell on the dark web.
Many firms in the financial sector are unfortunately a perfect target for both goals – they hold large amounts of valuable personal and financial data, and underpin the economy by facilitating payments and providing access to capital. Repeated disruption to these services will cause issues that ripple far beyond the business itself.
So, securing finance and other CNI is not just about withstanding a single attack. Providers need to be resilient enough to survive multiple attacks while keeping essential services online and protecting critical assets. With the right cyber security architecture and technology, not every cyber attack needs to be a disaster.
How do ransomware attacks within the financial sector unfold?
Attacks usually follow the same common tactics, regardless of sector.
Historically, attackers have used a ‘spray and pray’ method where the threat actor sends out malicious links and files to a large, unrefined list of targets via email (this is also known as a “phishing” attack). The hope is that enough recipients will unknowingly enable the malware (i.e., by clicking on a link or opening a file in the email) and lack the right protection to stop the attack from moving throughout their organisation.
Today, attacks are far more targeted as more advanced tools and techniques have spread through the cyber criminal community. Attacks start with the attacker gaining initial access and can originate from a variety of vectors. Then, once in, attackers will execute their malware, steal credentials and move throughout an organisation by elevating their privileges.
When they have everything in place, the intruder will finally strike, deploying a devastating ransomware attack that can lock the firm down from the inside out.
The primary objective will be shutting down access to essential data files or disabling critical services. In financial organisations, the most important files will be the customer, transaction, and deal data that’s essential for normal business activity. With these files encrypted, the operation grinds to a halt. Compromising this data goes beyond operational delays and puts the reputation of the financial institution on the line. The financial services industry is based on trust – if you lose trust, you lose everything. Once a ransomware attack spreads to reach critical data, organisations often have no choice but to pay.
How can financial organisations protect themselves – and the wider economy – from ransomware?
Ransomware attacks are built around causing the maximum amount of damage in the shortest time frame with minimal effort. With this in mind, defences need to be geared around making it as difficult as possible for intruders, whether human threat actors or automated malware, to move across an organisation’s hybrid IT estate and infrastructure.
Zero Trust Segmentation is one of the most effective ways of achieving this. With Zero Trust Segmentation, the IT infrastructure is divided into separate sealed-off sections, preventing unauthorised movement from one area to the next without proper verification. It’s predicated on the Zero Trust principles of “assume breach” and “never trust, always verify.”
This makes it incredibly difficult and cumbersome for attackers to move, preventing them from reaching their intended goal. In one scenario, organisations leveraging Zero Trust Segmentation were able to stop attacks in 10 minutes, nearly four times faster than detection and response capabilities alone, and the attacker was not able to progress beyond the first infected system.
In order to glean the most value from Zero Trust Segmentation, organisations need to prioritise securing their most critical and vulnerable assets first.
Effectively applying Zero Trust policies relies on having visibility into access rights and user behaviour across the environment from the start. With that information, organisations can determine what is most important to protect immediately, and begin deploying segmentation policies around those points. Customer data and transaction systems will be the top priority for most financial firms. It’s also essential that organisations understand their attack surface and pinpoint the most likely points of entry. From there, security teams can block the attack paths intruders are most likely to follow.
This approach shifts away from more traditional schools of thought. Where once the focus was only on building a strong defensive perimeter to “keep bad actors out,” today’s hyperconnected world has shown us that breaches are bound to happen. In fact, for most organisations, threats are already lurking in data centres, cloud environments, or on endpoints. In order to build resilience and minimise impact, organisations (especially those in CNI sectors) must proactively prepare to be breached.
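The segmentation mechanism described in the answer above, reduced to a runnable model as an added example (the editor's illustration, not Illumio's product, the interviewee's material, or any real environment): a default-deny allowlist keyed on workload labels, plus a reachability check that shows how far an intruder on a phished workstation can pivot over typical lateral-movement ports under a flat network, a first-cut policy, and a policy that ring-fences the database tier. Every hostname, label, rule and port number is a constructed assumption.

```python
"""Label-based, default-deny segmentation modelled as a reachability problem.
Hosts, labels, rules and ports are constructed for illustration only; they do
not describe a real environment or any vendor's product.
"""
from collections import deque
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Label = Tuple[str, str]                      # (role, environment)
Rule = Tuple[Label, Label, FrozenSet[int]]   # allow src label -> dst label on ports
Policy = Callable[[str, str, int], bool]     # allowed(src_host, dst_host, port)

# Constructed inventory of a small financial-services estate (hypothetical names).
WORKLOADS: Dict[str, Label] = {
    "wks-01":     ("workstation", "corp"),   # where a phishing e-mail usually lands
    "wks-02":     ("workstation", "corp"),
    "adm-01":     ("admin",       "corp"),   # hardened administration host
    "jump-01":    ("jumphost",    "corp"),
    "web-01":     ("web",         "prod"),
    "app-01":     ("app",         "prod"),
    "txn-db-01":  ("database",    "prod"),   # transaction data: crown jewel
    "cust-db-01": ("database",    "prod"),   # customer data: crown jewel
}

# Ports an intruder typically rides to move laterally: SSH, SMB, RDP, WinRM.
LATERAL_PORTS: FrozenSet[int] = frozenset({22, 445, 3389, 5985})


def flat_network(src: str, dst: str, port: int) -> bool:
    """Perimeter-only model: once inside, any host can talk to any other."""
    return src != dst


def make_policy(rules: Iterable[Rule]) -> Policy:
    """Build a default-deny allowlist: a flow passes only if some rule matches it."""
    rule_list = list(rules)

    def allowed(src: str, dst: str, port: int) -> bool:
        if src == dst:
            return False
        s_label, d_label = WORKLOADS[src], WORKLOADS[dst]
        return any(s_label == r_src and d_label == r_dst and port in ports
                   for r_src, r_dst, ports in rule_list)

    return allowed


def _lateral_edges(host: str, policy: Policy, ports: FrozenSet[int]) -> List[str]:
    """Hosts reachable from `host` in one hop over any lateral-movement port."""
    return [h for h in WORKLOADS if any(policy(host, h, p) for p in ports)]


def attack_path(start: str, target: str, policy: Policy,
                ports: FrozenSet[int] = LATERAL_PORTS) -> Optional[List[str]]:
    """Shortest pivot chain from `start` to `target` (BFS), or None if contained."""
    parent: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path: List[str] = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in _lateral_edges(node, policy, ports):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def blast_radius(start: str, policy: Policy,
                 ports: FrozenSet[int] = LATERAL_PORTS) -> Set[str]:
    """Every host an intruder on `start` can eventually pivot to."""
    return {h for h in WORKLOADS if h != start and attack_path(start, h, policy, ports)}


# First cut: the application path, plus SSH administration via the jump host.
COARSE_RULES: List[Rule] = [
    (("workstation", "corp"), ("web", "prod"),      frozenset({443})),
    (("web", "prod"),         ("app", "prod"),      frozenset({8443})),
    (("app", "prod"),         ("database", "prod"), frozenset({5432})),
    (("workstation", "corp"), ("jumphost", "corp"), frozenset({22})),
    (("jumphost", "corp"),    ("database", "prod"), frozenset({22})),
]

# Ring-fenced: the admin path to the crown jewels is open only from the admin label.
RINGFENCED_RULES: List[Rule] = [
    r for r in COARSE_RULES
    if r[0] != ("workstation", "corp") or r[1] != ("jumphost", "corp")
] + [(("admin", "corp"), ("jumphost", "corp"), frozenset({22}))]


def compare(start: str = "wks-01") -> Dict[str, int]:
    """Number of hosts a compromise of `start` can spread to under each model."""
    return {
        "flat": len(blast_radius(start, flat_network)),
        "coarse": len(blast_radius(start, make_policy(COARSE_RULES))),
        "ringfenced": len(blast_radius(start, make_policy(RINGFENCED_RULES))),
    }
```

Two points the numbers make that the prose only states. First, the coarse policy already cuts the blast radius from a phished workstation sharply, but `attack_path("wks-01", "txn-db-01", make_policy(COARSE_RULES))` still returns a three-hop route through the jump host over SSH: this is the "most likely attack path" that the answer says to find and block, and a visibility pass over observed flows is how you would spot that the jump host is reachable from every desktop. Second, after ring-fencing, the workstation cannot move at all, but `attack_path("adm-01", "cust-db-01", ...)` shows the admin host is now the sole route to the crown jewels, so it needs the strongest controls of any host in the estate. Real enforcement would live in host firewalls or agents; this model is for reasoning about the policy before rolling it out.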
What is the ‘assume breach’ mindset, and how can financial firms put it into practice?
Our world of hyperconnectivity and hybrid work has brought with it an abundance of new threat vectors for bad actors to take advantage of. In fact, in the last two years alone, 76 percent of organisations were hit with ransomware. “Assume breach” is built on the idea of accepting that, inevitably, a threat actor will breach external defences, no matter how robust they are. This then naturally leads to building out defences that contain that breach to the smallest possible footprint.
Around five years ago, security teams began to accept that breaches occur even with the best preventive measures in place. Then, they started to focus on detecting and responding to a threat, rather than just trying to prevent it. The challenge is that breaches still move, often undetected, to reach valuable assets. While it’s still important to find and respond to breaches, many organisations are moving to a more proactive approach that puts “assume breach” into practice by stopping attacks from spreading automatically.
This is the era of “breach containment,” where security teams focus on stopping attacks from moving throughout the network by default to minimise their impact and reduce risk. Strategies like Zero Trust Segmentation stop attackers in their tracks by default, so critical data remains safe and business operations can continue unfettered, even after a breach occurs.
This approach makes financial firms resilient to cyberattacks. And by extension, when CNI organisations implement tools like Zero Trust Segmentation, they also bolster the resilience of the wider economy and community relying on their services.