
How the war in Ukraine has been a catalyst in private-public collaboration
As the war shows no signs of ending and cyber activity by states and criminal groups remains high, the conversation around the cyber resilience of critical infrastructure is critical.
Security practitioners, policy makers, law enforcement professionals and other experts from various countries will gather in Warsaw, Poland, tomorrow to discuss how the public and private sectors are dealing with increased cybersecurity risks following Russia’s invasion of Ukraine last year.
On the eve of the event, called ESET European Cybersecurity Day (EECD), we caught up with ESET Principal Threat Intelligence Researcher Robert Lipovsky to talk about the security challenges facing critical infrastructure systems in particular and what ESET is doing to help protect critical systems and services around the world.
Q: In recent years, but especially since the start of the war in Ukraine, we’ve seen different countries create new laws to enhance their cyber defense capabilities. What is really at stake here?
A: Indeed, I believe both public and private organizations are taking cyber risks more seriously and they feel the need to address this. But while most organizations need to secure perimeters, endpoints, networks, all of these typical “things,” governments and private companies that manage critical infrastructure have different responsibilities. Attacks on critical infrastructure can damage power grids, jeopardize the normal work of hospitals, or impact the financial sector, or the security of our transportation systems.
With critical infrastructure, the stakes are higher – both from an institutional and ESET perspective. That’s why the responsibility to protect them is higher, not only for certain government organizations, but also for ESET.
In this context, how do you view the government’s readiness to collaborate with the private sector and companies such as ESET to deal with this threat?
From what I can see, the situation has improved in recent years, and those in charge of cybersecurity in the organization are taking this issue more seriously. The situation in Ukraine has also been a catalyst for private-public collaboration; they can see the possible consequences of cyber attacks, and, at the same time, Ukraine has also shown how cyber security and defense can be done right. So, many of those attacks have since been stopped – and many of them could have been much worse were it not for the concerted efforts of cybersecurity vendors such as ESET, defenders of the state, SOC personnel and CERTs.
This trend is also visible on a global scale. On the one hand, there has been an increase in cyber threats, and on the other hand, ESET has also done important work to increase risk awareness through our research and threat intelligence. But cybersecurity is always an ongoing journey, not just a one-time activity of ticking all the boxes and thinking “okay, I’m done, I’ve secured my organization”. This is an ongoing effort: it is software, threat intelligence, employee education… There is always room for improvement, as is the case with private organizations.
ESET is responsible for the cybersecurity of organizations around the world. How does ESET manage the sensitive information it collects to provide threat intelligence?
We collect a lot of threat intelligence that we don’t make public; instead, we disclose relevant information privately in our Threat Intelligence Reports. While they do not contain confidential information that would harm the victim, they do provide additional technical information and details on top of what is publicly available.
But some information may be publicly known, and certain details can only be communicated to the local CERT. It is common, for example, that CERT Ukraine discloses some of this information, which then allows us to publish our research. But if there is an outage, the public understands that some sort of incident has occurred and information about the attack is entering the public domain, so the option of not disclosing cannot be considered.
There are also some legal requirements that our clients need to be accountable to, so it is up to them to decide what information to disclose and how.
You mentioned private organizations. One of the challenges is that all types of critical infrastructure depend on networks of SMEs and other small organizations to meet their needs. Does ESET detect this kind of attack?
A lot of resilience work does depend on the capacity and skills of dedicated staff and budgets for cybersecurity defense, so large organizations are more likely to have a security operations center (SOC) and be able to absorb threat intelligence provided by multiple providers, such as us. Smaller organizations have fewer resources and so rely more on managed service providers (MSPs).
But APT groups don’t just attack power plants or pipelines. What we’re seeing is that state-sponsored APT groups are also targeting smaller companies in the supply chain if they know that this will extend to their primary targets at the end of the chain. So protecting critical infrastructure is a complex issue. It’s not just about protecting the organization itself; you also have to keep in mind that some suppliers can be compromised too. ESET has detected an increasing number of supply chain attacks, mostly in Asia. This is a trend we warned about in 2017 when the fake NotPetya ransomware spread via the same attack scheme and led to the most destructive cyber incident in recorded history.
ESET recently published its first public APT report. How different is this report from a personal one?
We published our first public APT Activity Report in November 2022 and the reason why we did it is because there were so many attacks going on that we believed we needed to increase public awareness of such threats. But it only offers a fraction of the cybersecurity intelligence provided in our personal APT reports, providing more of a snapshot of what we’re seeing happening in the wild.
Personalized reports contain in-depth information about attacks and are structured to provide actionable threat intelligence. They serve a dual function: informing our clients of current threats, detailing the activity of a particular APT group, and also providing indicators of compromise, mapping the attacker’s TTPs to MITRE ATT&CK tables, or other bits of data. This information can then be used by organizations to search for known and identified threats in their systems, so they can detect and respond to them.
How does ESET link attacks to specific groups?
We group APTs by different nation-states, and we do this in two steps. Based on technical findings from our research, we try to attribute attacks to specific APT groups, such as the well-known “Sandworm” APT. This is followed by geopolitical attribution, based on information from intelligence agencies from various countries – the United States, Britain, Ukraine or the Netherlands. Once we match technical and geopolitical attributions, we can conclude with some degree of confidence that an attack was carried out, for example, by Sandworm – a unit of the Russian military intelligence agency GRU.
This synergy between the public and private sectors comes as a much needed reaction to the growing number of cyber threats you see every day. How does this flow of information between ESET and government agencies work?
I’ll highlight the relationships we’ve maintained with several CERTs which, in effect, serve as hubs to ensure that information gets to where it needs to be and in an efficient manner. This is a relationship that has been built over many years. I would even say that the entire cybersecurity industry is built on trust, and trust is the driving force in sustaining this collaboration.
And while our primary responsibility is to protect our clients, when we collaborate with CERT, we also extend that responsibility by helping other organizations that are not our users. And cases like that have happened many times. For example, a CERT charged with investigating cyber intrusions can contact us for support. From the opposite perspective, we might initiate contact if we see an ongoing attack, even if we have never had prior contact with the targeted company.
Apart from CERTs, we have long established other partnerships around the world and, most recently, we have become a Trusted Partner of the Cybersecurity and Infrastructure Security Agency (CISA) via the Joint Cyber Defense Collaborative, which plays a critical role in maintaining US critical infrastructure. We are always open to collaborations and similar initiatives that make cyberspace safer and more secure for everyone.
Research has been at the core of ESET’s work since its founding; how does this help improve our technology?
We are very research oriented; it’s in our DNA to go deep. It’s the information we use to train our models that makes the difference. Our position as a dominant industrial player in many European countries gives us an excellent advantage in detecting cyber threats. The observed information is then fed back to our systems to enhance our capabilities or used as the basis for the development of new detection layers, helping us identify future attacks and train our detection models.
It’s not about mass attack processing but about knowing what the attack is about and understanding how the attacker evolves. We can then leverage that knowledge and offer our customers high-quality threat intelligence services that enhance their cybersecurity protection.
And along with that, we also publish our research on WeLiveSecurity and @ESETresearch on Twitter. The content there tends to focus on specific campaigns or a single piece of malware. In addition to the ESET APT Activity Reports, we also publish regular ESET Threat Reports, which are a great way to compile the different types of threats we see in each period.
One of the difficulties with cyber threats is that they are often invisible, even more so if cyber defenses work to mitigate all the visible consequences. How do we raise awareness of this need for sustainable work of which you speak?
A good example is the entire industry recently commenting on developments in cyber warfare in Ukraine. It’s true that attackers haven’t proven to be as resourceful as one would hope, and they’ve made mistakes on numerous occasions, but the real damage has been done. There are some cyberattacks that cannot be ignored or underestimated. At the same time, the reason why there has not been a more severe impact is the resilience of Ukrainian cyber defenders and because ESET and other partners in the industry have provided them with threat intelligence and other forms of assistance. Also, we have to remember that Ukraine has been the target of heavy cyberattacks since at least 2013, so they have built up their capabilities and resilience over the years, which brings me back to my starting point: cybersecurity is an ongoing endeavor and Ukraine is today leading in that field, inspiring other countries.
Thank you, Robert, for taking the time to answer my questions.