The POST CyberForce big interview
What lessons can POST CyberForce experts learn from 2021?
“The most striking event of 2021 was undoubtedly the reporting and malicious exploitation of the log4j vulnerability,” says Jean-Marie Bourbon, Head of CyberForce Offensive Security at POST Luxembourg. In many ways this vulnerability resembles the SolarWinds attack, a large-scale threat that hit the world a year earlier.
Log4j is an open source logging library written in Java. As log4j is extremely common and present in a wide range of software, the vulnerability posed a considerable threat to many users. “Threats of this kind often follow a similar pattern. Hostile actors exploit the work of an IT security researcher who has reported a vulnerability”, explains Olivier Antoine, Head of Information Security Management at POST Luxembourg. “It’s usually a Friday, just before the weekend when minds are starting to drift, when these vulnerabilities are reported and exploited.”
Zero Day vulnerability: getting ready
For teams at POST, an operator with a sizeable market presence, the emergence of such new vulnerabilities calls for a rapid response. This is what is known as a Zero Day vulnerability: the exploitation of a flaw that had been off the radar and that must be patched before any compromise can occur. “The challenge is being able to respond to this type of attack as quickly as possible”, says Alain Hirtzig, Head of Telecom Security at POST Luxembourg. “We need to minimise the time between the vulnerability being reported and a patch being applied. But we also need to know whether or not a business is exposed, and whether its systems use the features that have this vulnerability. Companies often don’t have lists of the various components on which their solutions are built. And even if they have an inventory, it’s impossible to foresee every eventuality.”
Indeed, flaws come in many forms. Technology is constantly evolving, leading to new vulnerabilities. “We should all work on the assumption that, sooner or later, our systems could show a vulnerability and be affected. In terms of our cybersecurity approach, what we need to work on is our ability to detect, react and respond to an incident”, explains Olivier.
Adopting a new approach
We must be able to rely on a team that is capable of identifying flaws and risks, such as a Security Operations Centre, and prepare for an attack of any kind. “Perimeter protection, which aims to build defences around systems, as has often been used in the past, doesn’t work,” says Jean-Marie. “We must now consider other approaches, and start by asking ourselves whether we are actually ready for any eventuality. Are the right procedures in place for containing an attack, limiting the damage and, if necessary, restoring systems and data?”
Businesses must therefore be prepared to face increasingly sophisticated threats. Sooner or later they will have to tackle a crisis. POST CyberForce experts are clear: anyone who really wants to compromise infrastructure will manage to do so one way or another. Meanwhile, businesses are under constant fire from more opportunistic but nonetheless well-planned attacks. Phishing attempts, for example, are becoming more elaborate to deceive users and harvest information.
People: the other attack vector
“The main attack vectors nowadays are Zero Day vulnerabilities, and people, through phishing attempts”, explains Régis Jeandin, Head of CyberDefense at POST Luxembourg. “Between 2020 and 2021, more and more attacks exploiting new vulnerabilities were carried out. We’re talking about an increase of more than 200%. Given the key role played by human error, it is essential that we educate and raise awareness among all teams. Human error can never be eliminated entirely, though, so the risk of compromise through this vector remains high.” Regular exercises carried out at companies, to test staff and raise awareness, confirm this. On any team, there’s always at least one user who will click on a link sent in a scam e-mail.
Drill and test
Facing the possibility of an attack, every organisation should drill and test its systems using realistic scenarios. A red team, for example, can be tasked with challenging a company on the basis of its real attack surface (rather than the well-defined perimeter of a penetration test). The idea is to regularly expose the company to real-life situations, simulating realistic attacks that could exploit the physical security of buildings, the IT system and human error through phishing or social engineering. “Generally speaking, attacks may be coordinated, and may exploit various points of entry and different channels to reach a target,” Jean-Marie explains. “Such exercises are used to test the responsiveness and effectiveness of the procedures in place, with a view to improving them. It’s like a fire drill. We need to consider every eventuality to be able to provide an effective, coordinated response in a crisis situation.”
Raise awareness among employees working remotely
2021 was another year of COVID-19. Many staff carried on working remotely. “Teleworking is ripe for phishing attacks”, says Régis. “At home, where the boundary between work space and the private realm is blurred, people tend to lower their guard. We don’t take as much care. For cybersecurity teams, it is hard to manage security inside every home.” As a result, phishing attacks have surged. It is therefore important to keep up communications and increase awareness, reiterating good practice and basic security rules.
Rising numbers of mobile attacks
“We have also seen a rise in attempts to hack into mobile phones”, says Jean-Marie. “Links will often be sent in private messages on LinkedIn or Twitter, to gather confidential information stored on the phone. Mobiles, which now contain large amounts of valuable data, are increasingly being targeted by hackers.”
Telecom networks are also targeted
Telecom networks may also be attacked. As the incumbent operator, whose business is often regarded as critical, POST is responding accordingly. “This means introducing early warning tools to identify unusual usage of the SIM cards that we provide, such as the launch of a phishing attack on other users,” Alain explains. “Fraud techniques are evolving. We need to stay on guard to counter any attempt at exploiting our infrastructure or services for malicious purposes.” POST CyberForce teams have done a lot of work on the introduction of 5G, which presents new security challenges. “The challenge for us was to create a secure environment for users of the next generation network”, Alain continues. “To do this, we must be able to build in detection and security capabilities right from the start, during the network design phase. Technological developments require us to go further. For example, the challenges surrounding 5G and security have led to research projects – LIST in particular – financed by the Ministry of the Economy.”
Always go further
Another project is under way with ESA, aimed at guaranteeing trust in communications by confirming the authenticity of contacts and shared content (see our article on Proofile, page 26). “Our team is constantly seeking to offer advanced security and service solutions that will help prepare our customers for any attacks, and support them in their response”, Olivier explains. “This involves advanced anomaly detection technologies, especially for the Defensive Security team, and major attack simulations, which can combine several problems to assess resilience to each one. These approaches result from what might be called a ‘Fukushima precedent’. There are also research projects to create long-term value, to take us further and widen our range of solutions.” As a key player in Luxembourg, the POST CyberForce team is cooperating at national and European levels to strengthen the response to any coordinated attack against our company, and to improve international cybersecurity regulation.
12 July 2022