Slow Moving Platforms and Fast Moving Attacks
From a cyber-security perspective, the latest global ransomware attack demonstrated several crucial truths.
First and foremost: organizations that keep their systems current with the latest software patches are significantly less likely to be penetrated. The exploit used in this attack targeted a flaw for which a patch already existed; hosts that had applied it were not affected.
However, this shines an unfortunate spotlight on those platforms that are out of date and no longer receive ongoing software updates and patches. Such systems are completely exposed, as proved to be the case with Windows XP in the current attack.
But Windows XP is not the only operating system no longer fully supported by its original vendor. Indeed, a multitude of outdated legacy systems and embedded software continue to run some of our most critical infrastructure, including utilities, power plants and medical devices, in hundreds of millions of locations around the world. Those installations and devices were typically designed with minimal hardware requirements, usually to reduce costs and increase longevity, under the assumption that proprietary hardware and a minimalistic operating system were good enough to support the very specific application each device or system provides.
The problem is that in recent years these legacy systems have been connected online over standard Internet protocols. That connectivity, of course, exposes them to the latest and most sophisticated cyber-attacks. Because their out-of-date operating systems cannot be upgraded with modern software defenses, which assume a current, patchable platform, they are not shielded from the increasingly ferocious brand of hacks we continue to witness. This is further complicated by the fact that it is simply not financially feasible to create new patches for most of these legacy systems: the vendor may no longer exist, the code may no longer be maintained, and the device may have no update channel at all.
So how do we protect our critical and incredibly vulnerable systems? Clearly, a very different approach is necessary. The good news is that while we don’t have a single silver bullet to protect such systems, there are several innovative approaches that can provide us with an increased level of protection.
One method is to constantly monitor network traffic to and from those devices and installations in order to identify anomalies which might indicate that an attack is underway. Legacy devices are well suited to this because they have a small, fixed set of legitimate peers and protocols, so any deviation from that baseline is meaningful, and the monitoring happens outside the device, which itself need not change. This is the approach taken by several successful cyber companies including Claroty, CyberX and SCADAfence (a JVP portfolio company).
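To make the network-monitoring approach concrete, here is an added example of a baseline-and-deviation monitor over flow records. It is illustrative code written for this page, not code from the original post or from any of the companies named above. The device inventory, addresses, flow records and the SMB fan-out threshold are all constructed assumptions; a real deployment would learn the baseline from span-port or NetFlow data over a long known-good window and tune the threshold per site.

```python
"""Baseline-and-deviation flow monitor for legacy devices (added example).

Two checks run over each window of flow records:
  1. Any flow touching a legacy device that was not seen during the
     known-good learning window is reported as unexpected.
  2. One source opening SMB (445/tcp) to many distinct hosts in a window
     is reported as fan-out, a heuristic for worm-style lateral movement.
All hosts, addresses and flows below are constructed for the example.
"""
from collections import defaultdict
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


# Constructed inventory of the legacy hosts this monitor is responsible for.
LEGACY_DEVICES = {
    "10.0.5.10": "hmi-xp",   # hypothetical Windows XP HMI
    "10.0.5.20": "plc-1",    # hypothetical PLC, Modbus/TCP only
}

# Assumption: distinct 445/tcp destinations from one source per window
# before we call it a scan. Tune per site.
SMB_FANOUT_THRESHOLD = 3


def touches_legacy(flow: Flow) -> bool:
    return flow.src in LEGACY_DEVICES or flow.dst in LEGACY_DEVICES


def learn_baseline(flows: Iterable[Flow]) -> set:
    """Record every legacy-device conversation seen in a known-good window.

    An exact allowlist of (src, dst, dport, proto) is workable here precisely
    because legacy devices talk to a handful of fixed peers; the same rule on
    a general office network would be far too noisy.
    """
    return {f for f in flows if touches_legacy(f)}


def detect(baseline: set, flows: Iterable[Flow]) -> list:
    """Return (rule, detail) alerts for a window of flows, in order found."""
    alerts = []
    smb_targets = defaultdict(set)
    for f in flows:
        if touches_legacy(f) and f not in baseline:
            alerts.append(("unexpected_flow",
                           f"{f.src}->{f.dst}:{f.dport}/{f.proto}"))
        if f.proto == "tcp" and f.dport == 445:
            smb_targets[f.src].add(f.dst)
    for src, dsts in smb_targets.items():
        if len(dsts) >= SMB_FANOUT_THRESHOLD:
            alerts.append(("smb_fanout",
                           f"{src} -> {len(dsts)} hosts on 445/tcp"))
    return alerts


# Constructed known-good window: the HMI polls the PLC over Modbus/TCP and a
# historian pulls files from the HMI over SMB. Nothing else should appear.
KNOWN_GOOD = [
    Flow("10.0.5.10", "10.0.5.20", 502, "tcp"),
    Flow("10.0.4.50", "10.0.5.10", 445, "tcp"),
    Flow("10.0.5.10", "10.0.5.20", 502, "tcp"),
]

# Constructed live window: the same traffic plus a workstation that reaches
# the HMI over SMB and then walks the subnet on 445/tcp.
LIVE = [
    Flow("10.0.5.10", "10.0.5.20", 502, "tcp"),
    Flow("10.0.4.50", "10.0.5.10", 445, "tcp"),
    Flow("10.0.4.77", "10.0.5.10", 445, "tcp"),   # new peer for the HMI
    Flow("10.0.4.77", "10.0.5.11", 445, "tcp"),
    Flow("10.0.4.77", "10.0.5.12", 445, "tcp"),
    Flow("10.0.4.77", "10.0.5.20", 445, "tcp"),   # the PLC never speaks SMB
]


def run_demo() -> list:
    return detect(learn_baseline(KNOWN_GOOD), LIVE)


if __name__ == "__main__":
    for rule, detail in run_demo():
        print(rule, detail)
```

Note that the two flows to 10.0.5.11 and 10.0.5.12 raise no unexpected-flow alert on their own, because those hosts are not in the legacy inventory; it is the fan-out rule that ties them together with the probes of the HMI and PLC into a single scan alert.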
A second approach is to set up traps (e.g. honeypots) within communication networks that serve as decoys: no legitimate user has any reason to touch them, so any connection to a decoy both reveals an attacker at work and draws activity away from the intended target, which stays intact. This method is used by such companies as CounterTack, TrapX, and Illusive Networks.
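A minimal decoy of the kind described above, as an added example written for this page and not code from the original post or from any vendor it names: a TCP listener on a port that nothing legitimate should use, which records who connected and what they sent first. The loopback address, ephemeral port and the probe bytes in the usage at the bottom are constructed for the demonstration; a real decoy would sit on an unused address in the legacy segment and forward its events to the monitoring system.

```python
"""Minimal TCP decoy listener (added example).

Anything that connects is logged with its source address and the first
bytes it sends. The listener deliberately answers nothing, so it gives an
attacker no service to exploit while still recording the contact.
"""
import socket
import threading
import time


class DecoyListener:
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        # port=0 asks the OS for a free port; a deployed decoy would pin a
        # port that looks interesting to an attacker (445, 3389, 502, ...).
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []                    # one dict per connection attempt
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "DecoyListener":
        self._thread.start()
        return self

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    first = conn.recv(64)   # capture the opening bytes only
                except (socket.timeout, OSError):
                    first = b""
                self.events.append({"peer": peer[0], "port": self.port,
                                    "probe": first, "ts": time.time()})

    def wait_for_events(self, n: int, timeout: float = 2.0) -> bool:
        """Block until at least n contacts are logged or the timeout passes."""
        deadline = time.monotonic() + timeout
        while len(self.events) < n and time.monotonic() < deadline:
            time.sleep(0.02)
        return len(self.events) >= n

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()


def probe(port: int, payload: bytes = b"") -> None:
    """Stand-in for an attacker's scanner touching the decoy."""
    with socket.create_connection(("127.0.0.1", port), timeout=1) as c:
        if payload:
            c.sendall(payload)


if __name__ == "__main__":
    decoy = DecoyListener().start()
    # Constructed probe: bytes that merely resemble an SMB request header.
    probe(decoy.port, b"\x00\x00\x00\x54\xffSMB")
    decoy.wait_for_events(1)
    decoy.stop()
    for ev in decoy.events:
        print(ev["peer"], "touched decoy port", ev["port"], "sent", ev["probe"])
```

The value of a decoy is not the listener itself but the fact that its alerts need no tuning: unlike the flow baseline, there is no legitimate traffic to distinguish from, so every event is worth a look.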
Another extremely effective approach is to create what is known as “moving target” defenses that obfuscate the processes running on legacy devices to effectively hide them from incoming attacks. This approach is used to great effect by JVP portfolio company Morphisec.
As we have seen in this latest global hack, attackers have clearly set their sights on these non-upgradable legacy platforms, often at the heart of our mission-critical systems. They will no doubt continue to probe them, either for financial gain, as in this latest ransomware attack, or, in the case of nation-states, to advance whatever geopolitical strategies they deem worthwhile.
In many ways, the scope of the latest attack can be seen as a failure of the cybersecurity community, accompanied by the typical finger pointing. Vendors say that targets were not quick enough to adopt the latest patches, while corporate victims claim that the technical solutions are too cumbersome and difficult to implement. The good news is that we have been seeing several startups emerge that strike a good balance between security level and ease of implementation, with the aim of helping the good guys stay one step ahead of the curve in the event of future attacks.