The 2022 Adversary Infrastructure Report recently published by Insikt Group, Recorded Future’s research team, was full of useful technical trend data. The crunchy data and charts illustrated increases in open source tool sets being used by adversaries, the hosting distribution of malicious code command and control, and plenty more.
The primary takeaways:
China and the United States were the big hosting winners (or losers, depending on the perspective), meaning those are the countries where the servers hosting malicious code reside.
Cobalt Strike was, by orders of magnitude, the most popular “offensive security tool.”
PlugX remains successful at operating in victim networks and thus remains popular with various adversaries.
While the intelligence is useful for operational defenders, where’s the executive relevance to risk?
There are two somewhat related, evolving forces defining the “So what? Now what?”
The SEC could accelerate the need for cyber experience in the boardroom.
Cyber insurance policies are experiencing a renaissance.
First, the SEC’s proposal on Cybersecurity Risk Management includes the following:
The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.
Financial services have historically led the private sector on cybersecurity and risk management. The SEC’s proposal (once it is codified as a rule) may be the catalyst for a longer, industry-agnostic trend toward increased cyber experience and sophistication in executive positions and board officer ranks.
My own unofficial CISO survey reveals that the governance oversight questions are already improving and reveal a sustained interest in cyber risk management. Naturally, insurance is a historically popular tool for transferring all types of risk.
This brings me to the second force. Cyber policies (which evolved from a mix of property/casualty, general liability, terrorism, and other coverage) are experiencing a renaissance fueled by partnerships and well-capitalized start-ups, after years of obscene price increases driven largely by ransomware successes. Companies like Cowbell Cyber, Coalition, and Onda are redefining profitability with a focus on new policy underwriting that involves coverage nuance, data, and innovation. The days of IT surveys and attestations may be ending in favor of ongoing analytic rigor.
Insurers want, or will soon want, data-driven evidence that the most popular and prolific adversary tools are detected in near real time when they appear in a prospective insured’s environment. The “install EDR and forget it” mantra is unlikely to fulfill an insurer’s long-term requirements for coverage. Boards are becoming valuable forcing functions for improved security, and in this case for control validation, because cyber insurance is a valuable risk mitigator.
Regardless of whether insurance coverage is necessary, executives still need confidence that the cyber corollary to the 80/20 rule is covered: that the few tools behind most adversary activity are accounted for. So, with the 2022 adversary trends in hand, evidence is essential to validate that Cobalt Strike and PlugX, in their various forms and functions, are unlikely to subvert the layers of detection and ultimately cause one or more risk impacts.