The threat landscape is evolving rapidly, but that doesn’t have to be a problem. Companies that follow NIS2 and the cyber fundamentals framework remain protected. After all, new threats still follow the old kill chain.
The threat landscape is evolving quickly. New zero-day bugs are popping up like mushrooms, phishing and social engineering are aided by AI, and malware is becoming more sophisticated by the day.
“The time of amateurism is long gone,” says Ron Nath Mukherjee, Cybersecurity Consultant at Eset. “Cybercrime today follows industrial processes. There’s a whole developed chain behind it.”
Mukherjee is supported by other cybersecurity experts present at the roundtable discussion on NIS2, organized by ITdaily. “It is now the biggest business worldwide,” adds Patrick Banken, Business Development Manager at Kappa Data. “The annual cost of cybercrime is already estimated at $10.5 trillion by 2025: half of the US GDP.”
Mukherjee and Banken are joined at the table by Sabine van Hoijweghen, Head of Sales and Partner at Secutec, Bart Loeckx, Director Networking & Security at Telenet Business, and Johan Klykens, Cybersecurity Certification Authority (NCCA) at the CCB.
New Attacks, Same Kill Chain
The question then arises of how companies can protect themselves and to what extent regulations like NIS2 can be relevant in such a rapidly changing landscape. “We hope to release an update this year with adjustments to our guidelines around NIS2,” says Klykens. “And it turns out: we haven’t had to change anything about the kill chain. It remains exactly the same.”
To refresh: a successful cyberattack consists of seven steps:
- Reconnaissance: research and identification of potential targets
- Weaponization: building a payload with malware
- Delivery: transmission of the payload to the target
- Exploitation: activation of the payload
- Installation: integration of a persistent backdoor, through which criminals can maintain access
- Command & control: communication through the backdoor with the criminals
- Actions and objectives: here the criminals achieve their goals (stealing data, activating ransomware…)
Even with advanced tools and other techniques, criminals follow that kill chain. Organizations trying to protect themselves must break the chain before the seventh step, where the hackers succeed. “That’s why we focus on the places where we can do that,” says Klykens.
MFA and Zero Trust Break the Chain
That means very concretely that the best practices do not change either. Klykens: “People don’t like hearing me talk about MFA anymore because it’s becoming cliché, but we do see the effect. Without MFA, credential theft led to a major incident; today, with MFA, it’s a smaller problem for which standard response plans are in place.”
“The concept of zero trust is also being better and better understood,” notes Banken. “You can no longer just trust anything that goes over the network. You have to verify everything again.”
Klykens confirms. “Credentials may be stolen, but if they are unusable, then we’re doing well. We need to see what is possible for a hacker after such an incident and limit that secondary damage.”
In this way, the kill chain is broken. An incident may occur, but it does not lead to major problems. “We will never be able to completely stop cyberattacks, but we can make ourselves more resilient and at least ensure that the cost-benefit ratio for criminals is not as positive as it is now.”
In the Name of Business Continuity
“We now have the NIS2 regulation, and we must not forget what it is for and why it was created,” adds Loeckx. “It’s not about rules, but about business continuity. Cyber resilience is the foundation and prevents economic disasters.”
The Cyber Fundamentals framework, which Klykens helped develop, was written with that purpose in mind. He emphasizes: “We developed it even before NIS2 existed.”
Caught Speeding
The fundamental approach to threats does not change, which is why the NIS2 regulation remains highly relevant, even in an evolving threat landscape. However, there are some significant changes to be observed in attack techniques. Although the kill chain does not change, attackers are sprinting through it more frequently.
“We find that the time attackers spend inside a company is becoming shorter again,” says van Hoijweghen. “A year or two ago, we saw attackers present in a network for weeks or months.” The time between steps six and seven in the kill chain was thus long: hackers familiarized themselves with the network and tried to gather as much information as possible before taking real action.
“That is no longer the case,” says van Hoijweghen. “Usually, it’s about hit-and-run attacks, not targeted campaigns. Automated bots get in where they can, and hackers no longer bother with deep network analyses. This is only different in severe and targeted attacks.”
Bots Looking for Opportunity
Loeckx emphasizes this automation. “We really need to make people aware that they are not individually targeted. You are simply attacked by an automated machine.”
“There is a clear parallel with classic burglaries,” he believes. “Do you have the house in the neighborhood where a ladder is in the garden and the window is open? That’s what it’s about in the digital world too.” Opportunities are exploited by automated bots. Those who do not present themselves as an easy target for the first step of the kill chain will save themselves a lot of trouble.
“It is also very important to look from the outside at what can be found about your organization,” adds van Hoijweghen. “That’s what bots and cybercriminals find. Yet many companies focus exclusively on internal asset management and have no clear view of it.”
Break the Chain, Save the Furniture
The NIS2 regulation provides a tool for companies large and small to focus protection on breaking the kill chain and ensuring business continuity. That is relevant for everyone.
Loeckx: “Companies really should no longer think ‘what would they come looking for with us’. Initially, it is not a physical person looking for a leak, but bots that come along. And everyone has important data. I remember the story of a catering company that fell victim to an attack around Christmas and no longer knew what to deliver to whom. Business continuity is essential for everyone.”
“It is specifically SMEs that are at high risk,” concludes Klykens. “For them, it’s really about survival. What if a ransomware attack stops your cash flow for a certain period? There are companies that do not survive that.”
That attacks are evolving and AI is in play today is not a big problem according to all the experts at the table. The fundamentals for good protection remain the same.
This is the third article in a series of three following our roundtable on NIS2. The theme page brings together the other articles, the video, and our partners.