Swimming Among Black Swans: Are Cybersecurity Outliers Becoming the Norm?

Cybersecurity is Swimming Among a Sea of Black Swans

For centuries, it was believed that all swans were white. However, on January 10th, 1697, Dutch explorers travelled up a river, now called the Swan River in Western Australia, and discovered black swans. A single, highly unexpected and rare observation overturned 1500 years of Western understanding.

The “black swan” has since become a metaphor, originally coined by author Nassim Nicholas Taleb in 2007 to describe an event that is both unexpected and significant in impact. Using this metaphor, Taleb argued that the predictability of events tends to be overestimated and the potential impact of rare and unlikely events underestimated. Taleb succinctly summarised the central idea of the Black Swan event, writing that “rare events cannot be estimated from empirical observation since they are rare”.

Although traditionally employed by financial and economic commentators, the notion of a Black Swan event is becoming an increasingly appropriate analogy for modern cybersecurity challenges. Black Swan events have a disproportionate impact on our understanding of the world and the way we make decisions. Cybersecurity has become so besieged with such events in recent years, that it has practically been swimming among a sea of Black Swans.

Cybersecurity Black Swans: A Taxonomy of Recent Events

The inundation of cybersecurity Black Swan events in recent years is not an artifact of the news cycle, which frequently reports the rare and rarely reports the frequent; on the contrary, many of these events have shaped the industry. To make this point, let us revisit some cybersecurity Black Swan events from the last ten years and highlight what made them so unexpected and significant.

  • 2014 – A cyber-attack against a German industrial steel mill caused massive damage to the mill and resulted in physical damage to equipment. This incident was notable as one of the first cases of a cyber-attack causing significant physical damage in the industrial sector.
  • 2015 and 2016 – In an attack on the Ukrainian power grid, hackers were able to gain access to the control systems of multiple power distribution companies and cause widespread blackouts. This incident was significant as one of the first successful cyber-attacks on a power grid.
  • 2017 – The Triton/Trisis malware attack on a petrochemical facility in Saudi Arabia specifically targeted the facility’s safety systems and had the potential to cause a catastrophic release of toxic chemicals. This was one of the first instances of a cyber-attack being used to specifically target the Safety Instrumented System (SIS) of an industrial control environment.
  • 2017 – The infamous WannaCry ransomware attack affected an unprecedented 200,000 computers in 150 countries, causing widespread disruption to businesses and government organisations worldwide.
  • 2020 – The SolarWinds supply chain attack was a cyber-espionage campaign that involved the compromise of software updates for the SolarWinds Orion IT management software. The attack was notable for its level of sophistication and coordination in targeting and accessing a significant number of government and private sector organisations.
  • 2021 – The cyber-attack on the Colonial Pipeline resulted in a shutdown of a major oil pipeline supplying fuel to the east coast of the United States. The attack was significant due to the extent of the disruption and the reaction of the populace to the fuel shortage.

Although this brief taxonomy of Black Swan cyber events is by no means exhaustive, it serves to illustrate the point that the increasing digitisation of the world has led us into an uncharted territory of risks. However, technological progress is not the only driver of cyber-risk in the modern context.

The Father of Invention

The Black Swan event that was the COVID-19 pandemic had a significant impact on cybersecurity. The increased use of remote access technologies and cloud-based services has expanded the attack surface for cyber criminals, and many organisations have had to quickly adapt their cybersecurity measures to protect against new threats.

Furthermore, a combination of three occurrences in 2022 might be considered the latest Black Swan event impacting cybersecurity: a spike in interest rates, a widespread disruption in supply chains, and a war breaking out in Ukraine. This combination has led to a severe global economic downturn and geopolitical instability, fuelling fears of catastrophic cyberattacks in the near future.

In the modern interconnected world, it appears there is little in the way of unprecedented events that does not impact cybersecurity in some way. Even the term “unprecedented” seems to have lost its utility as a descriptor of the challenges we continue to face. But as Kenneth Kaye, a researcher of conflict resolution stated, “if necessity is the mother of invention, conflict is its father”. Just as the pandemic challenges led to new opportunities for organisations to improve their security, the latest Black Swan events will surely spur innovation to combat what are now called the Gen V cyber threats.

Cyber-Threats: The Next Generation

Generation V (Gen V) is a term used to describe the next generation of cyber threats, which are characterised by their increased complexity and sophistication. The Gen V attack surface refers to the various entry points or vulnerabilities that attackers can exploit to gain access to a network or system. These entry points may include traditional attack vectors such as web applications, email, and endpoint devices, as well as newer technologies such as cloud computing, the Internet of Things (IoT), and artificial intelligence (AI).

The Gen V attack surface is constantly evolving, as attackers develop new techniques and technologies to bypass security controls. For example, attackers may use advanced persistent threats (APTs) to infiltrate a network and remain undetected for long periods of time, or they may use machine learning algorithms to evade detection. Additionally, as more and more devices and systems become connected to the internet, the Gen V attack surface continues to expand.

To protect against Gen V threats, organisations need to adopt a comprehensive security strategy that includes multiple layers of defence, such as network segmentation, intrusion detection and prevention, and endpoint security. They also need to be proactive in identifying and mitigating vulnerabilities in their systems and applications. Furthermore, security teams must be adaptable and stay up to date with the latest threats, trends and best practices in cybersecurity.

Adapting to the Unpredictable

It is anticipated that in the near future, organisations will need to adopt a more proactive and holistic approach to tackling Gen V threats. As was reflected in the Global Economic Forum’s recent Global Cybersecurity Outlook 2023 report, this will likely involve a combination of advanced technologies, best practices, and well-trained cybersecurity professionals.

Artificial Intelligence and Machine Learning are poised to play a crucial role in detecting and responding to Gen V threats. They can be used to detect anomalies in network traffic and to identify threats that traditional security solutions may miss, and they will greatly enhance the behavioural analytics used to identify and respond to threats by analysing the behaviour of users, devices, and systems on a network. Cloud security solutions are also likely to play a key role as more organisations move their operations to the cloud.

Cloud security will need to focus on threats such as data breaches, account hijacking, and malicious insiders. In addition to cloud security, automation of security processes will be crucial to tackle Gen V threats. Automating certain tasks such as incident response, vulnerability management, and threat intelligence management will help security teams to respond to potential threats more quickly, freeing up resources for professionals to keep abreast of the latest threats.

Crucially, cybersecurity skills development will need to be more widespread and accessible and encourage a more diverse cohort to become involved. As threats become more sophisticated, it will be essential to have sufficient well-trained cybersecurity professionals to identify, respond to, and mitigate these threats. It is important, however, to recognise that resisting the evolving cyber-threat landscape is not entirely dependent on emerging technologies. There is much that can be done today to safeguard assets from the Gen V threats.

Do Not Leave Until Tomorrow What Can be Done Today

Contrary to popular belief, it is possible for organisations to prevent or lessen the impact of new exploits such as Log4Shell or highly advanced attacks like SolarWinds. This can be done by organisations making the most of their current security infrastructure, implementing specific hardening measures, and utilising built-in security features that can be activated easily without the need for additional expenses.

One simple yet effective method to improve cybersecurity is to prevent servers from initiating outbound Internet connections. Although this may seem like a basic security measure, many organisations still fail to implement it. Blocking servers from reaching the Internet prevents or slows down attackers who rely on a compromised server to establish a connection back to their command and control infrastructure.

Implementing specific security improvement plans can also make the environment more resistant to the techniques attackers use to move laterally and gain higher levels of access. This prevents attackers from using their initial access point to reach important assets, and it gives defenders more time to detect and evict an intrusion in its early stages.

This highlights the importance of basic security controls and how they can stop sophisticated attacks like the SolarWinds supply chain attack and mitigate vulnerabilities like Log4Shell. By studying the tactics, techniques, and procedures (TTPs) used in recent breaches and exploits, organisations can gain valuable insights on how to improve and prioritise their defences to prevent future exploits. In addition, study of TTPs can help to prioritise vulnerability patching.

When a new vulnerability is discovered, the most common solution suggested is to patch the affected systems, as if it were the only course of action organisations can take to address the risk. While patching is important, it can take some time for large organisations to fully assess their exposure and apply patches in production environments. This is particularly pertinent for Industrial Control System environments. Additionally, new vulnerabilities are sometimes found shortly after patching cycles are complete. As a result, patching alone is not always able to close every vulnerability in time.

It is therefore prudent for organisations to understand how the exploit works, and what dependencies it relies on to execute in order to respond to such events. What may seem like a temporary solution to mitigate the vulnerability can sometimes be the key to protecting the organisation.
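Log4Shell, which the article names, is a concrete case of understanding what an exploit depends on: the attack needed the JNDI lookup class inside log4j-core to be reachable, and Apache's published guidance for deployments that could not patch immediately was to remove that single class from the jar. The following is an added example and not code from the original article: it audits a directory tree for jars still carrying the class and produces a copy with the class removed, so the environment can be checked before and after the interim mitigation. The sample jar is constructed in a temporary directory; no real log4j artifact is used.

```python
"""Audit and mitigate a dependency an exploit relies on (added example).

Log4Shell needed org.apache.logging.log4j.core.lookup.JndiLookup to be
present in log4j-core. Apache's mitigation for installations that could not
patch was to delete that class from the jar. This code, not part of the
original article, finds jars that still contain the class and writes a copy
without it. The sample jar is constructed; its contents are placeholders.
"""
import os
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_has_jndi_lookup(jar_path: str) -> bool:
    """Return True if the jar still contains the JNDI lookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def remove_jndi_lookup(src_path: str, dst_path: str) -> int:
    """Copy src_path to dst_path omitting the JNDI lookup class; return entries kept."""
    kept = 0
    with zipfile.ZipFile(src_path) as src, \
            zipfile.ZipFile(dst_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                continue                      # the one entry the exploit depends on
            dst.writestr(info, src.read(info.filename))
            kept += 1
    return kept


def scan_directory(root: str) -> list[str]:
    """Return sorted paths of every .jar under root that still contains the class."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                if jar_has_jndi_lookup(path):
                    hits.append(path)
    return sorted(hits)


def build_sample_jar(path: str, include_lookup: bool) -> None:
    """Constructed stand-in for log4j-core: dummy entries, optionally the lookup class."""
    entries = [
        "META-INF/MANIFEST.MF",
        "org/apache/logging/log4j/core/Logger.class",
        "org/apache/logging/log4j/core/lookup/StrLookup.class",
    ]
    if include_lookup:
        entries.append(JNDI_LOOKUP_CLASS)
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"constructed placeholder bytes")


def demo() -> dict:
    """Build a vulnerable-looking jar, audit it, apply the mitigation, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        vulnerable = os.path.join(lib, "log4j-core-constructed.jar")
        unrelated = os.path.join(lib, "other-library-constructed.jar")
        build_sample_jar(vulnerable, include_lookup=True)
        build_sample_jar(unrelated, include_lookup=False)

        before = [os.path.basename(p) for p in scan_directory(tmp)]

        mitigated = os.path.join(tmp, "log4j-core-mitigated.jar")
        kept = remove_jndi_lookup(vulnerable, mitigated)
        os.replace(mitigated, vulnerable)     # swap the stripped jar into place

        after = [os.path.basename(p) for p in scan_directory(tmp)]
        return {"before": before, "after": after, "kept": kept}


if __name__ == "__main__":
    print(demo())
```

The point is not that class removal replaces patching; it is that knowing which component the exploit needs gives a defender a measurable control (the scan) and a mitigation that can be applied and verified in hours, while the patch works its way through change control.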

There have been so many significant societal, geopolitical, and technological Black Swan events impacting the character of cybersecurity in the last ten years that the unexpected must now be expected. The ever-increasing digitisation of the world has led us into an uncharted territory of risks. Generation V cyber threats are increasing in complexity and sophistication, and this trend is likely to continue with the pace of technological innovation. To paraphrase a childhood rhyme, “if you build a better mousetrap and put it in your house, before long your adversaries will build a better mouse.” It is therefore essential that organisations ensure they are doing all that they can today, while awaiting the next iteration of the cyber-arms race, and the next Black Swan.