The Canadian Centre for Cyber Security (also known as Cyber Centre) is Canada’s technical authority on cyber security. Part of the Communications Security Establishment (CSE), they are a single unified source of expert advice, guidance, services and support on cyber security for Canadians and Canadian organizations.
The Cyber Centre works in close collaboration with Government of Canada departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate and recover from cyber events.
They have just released the National Cyber Threat Assessment for 2023-2024 and here are their 5 key judgements:
1. Ransomware is a persistent threat to Canadian organizations.
“Cybercrime continues to be the cyber threat activity most likely to affect Canadians and Canadian organizations. Due to its impact on an organization’s ability to function, ransomware is almost certainly the most disruptive form of cybercrime facing
Canadians. Cybercriminals deploying ransomware have evolved in a growing and sophisticated cybercrime ecosystem and will continue to adapt to maximize profits.”
2. Critical infrastructure is increasingly at risk from cyber threat activity.
“Cybercriminals exploit critical infrastructure because downtime can be harmful to their industrial processes and the customers they serve. State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position in case of future hostilities, and as a form of power projection and intimidation. However, we assess that state-sponsored cyber threat actors will very likely refrain from intentionally
disrupting or destroying Canadian critical infrastructure in the absence of direct hostilities.”
3. State-sponsored cyber threat activity is impacting Canadians
“We assess that the state-sponsored cyber programs of China, Russia, Iran, and North Korea pose the greatest strategic cyber threats to Canada. State-sponsored cyber threat activity against Canada is a constant, ongoing threat that is often a subset of larger,
global campaigns undertaken by these states. State actors can target diaspora populations and activists in Canada, Canadian organizations and their intellectual
property for espionage, and even Canadian individuals and organizations for financial gain.”
4. Cyber threat actors are attempting to influence Canadians, degrading trust in online spaces.
“We have observed cyber threat actors’ use of misinformation, disinformation, and malinformation (MDM) evolve over the past two years. Machine-learning enabled technologies are making fake content easier to manufacture and harder to detect. Further, nation states are increasingly willing and able to use MDM to advance their geopolitical interests. We assess that Canadians’ exposure to MDM will almost certainly increase over the next two years.”
5. Disruptive technologies bring new opportunities and new threats.
“Digital assets, such as cryptocurrencies and decentralized finance, are both targets and tools for cyber threat actors to enable malicious cyber threat activity. Machine learning has become commonplace in consumer services and data analysis, but cyber threat actors can deceive and exploit this technology. Quantum computing has the potential to threaten our current systems of maintaining trust and confidentiality online. Encrypted information stolen by threat actors today can be held and decrypted when quantum computers become available.”
Perspective:
From these 5 judgements I will focus on ransomware because it is a very simple thing to monetize and very difficult to police. Its like if some robbers went into a neighborhood and found that every house had their doors unlocked and nobody was home watching. The problem that they have is that there is simply too much stuff to steal and not enough people to steal it. So what they do is build a network of people that simply go around looking into houses for all the best stuff, and they get a cut of the profits for getting a foot in the door. After the good stuff is stolen, then the robbers will change the locks and leave a note saying “Sorry for robbing you, but we kept your stuff safe. If you want it back, please pay the required fee of 1 Bitcoin (BTC) per item.” This is essentially what ransomware is.
How to respond:
Protecting against ransomware is like protecting against a car accident.
First, make sure your technology works. What’s failed, what’s going to fail if nothing changes, and what’s good. This vehicle inspection checklist is a good example of that.
The analogy: Risk Management
This is akin to knowing your risk exposure across all elements of your operating environment. Do an inventory of all hardware, software, services, supply-chain integrations. Then audit software and firmware versions, configurations, and logical designs for flaws. This would become part your risk register which would help inform you on what you need to fix, the potential impact and mitigation strategy until it gets fixed. The more you live in this, the better your security posture and the less likely you will experience an issue.
Second, is the operator qualified to drive the vehicle? Are they trained in proper operation? What about in emergency situations, off-road, or in high pressure situations, or non-standard maneuvers? Are they tired, distracted, or otherwise engaged with reduced focus?
The analogy: Operational Readiness
I will not mince words about this. Security is a full time job and cannot be effectively split with regular operations teams. There was a time in the past where it was possible, but the threat landscape has dramatically changed in recent years, and requires dedicated expertise to protect against. This is not to say that there must be departmental silos of IT management. Because in many cases this is impossible due to budget, or resourcing constraints. If organizations want to be effective in managing their own Security Operations, it is said that they will need a minimum of 12 dedicated security staff for 24/7 operations. If you are not 24/7, then you are exposed. The alternative is to provide security fundamentals training to operational staff, and allow the SOC to be managed by an MSSP (Managed Security Services Provider).
Third, do you know the terrain you will be driving in? Do you have winter tyres? A snorkel for water crossings? A winch to get you out of tough situations?
The analogy: Threat Intelligence
What you need to prepare for can be a combination of industry standards, which are your basics, vertical or sector threats, and emerging threats. There are a large number of different types of threat actors out there, but they can be lumped into two big buckets.
A) Internal threat actors. These could be because of grievances, ignorance, incompetence, or motivated by financial gain. It could also be a combination.
B) External threat actors. These could be opportunistic based on risk exposure, targeted because of potential value of information, or targeted based on potential financial payout. The larger attacks are known as big-game hunting.
The big-game hunters have financial backing and protections of crime syndicates, and nation-states. They are much higher on radar of government agencies, police and military, so the reward has to outweigh the risk of getting caught and extradited, or shutdown.
The threat actors have identifiable Tactics, Techniques, and Procedures (TTPs). These are the behaviors, methods, tools and strategies that they use to plan and execute cyber attacks. By understanding these TTPs, you can perform attribution of the attack and possibly have insight into the scope and sophistication. An example is if you see a specific set of Indicators of Compromise (IoC), then that may align with a TTP of a particular threat actor campaign. This may allow you to escalate your level of response from what could have originally been seen as a minor threat, to an all-hands-on-deck situation.
Fourth, do you have good insurance to cover you when you destroy your vehicle or damage it considerably? Or do you have money set aside for contingencies that may not be covered?
The analogy: Cyber Insurance / Risk Contingency Budget
I could write several articles on cyber insurance (and I probably will), but I will just summarize why its important. When a cyber attack happens, one of the first things that will generally happen is a business impact triage. ie: what has happened? what is the initial damage and bleeding? and what happens next? Next the insurance company will be called and they will bring in an Incident Response team to clean up the mess. The IR team will recover what can be recovered, negotiate with the threat actors, quarantine and cleanse the environment, and provide a root cause analysis. Cyber insurance covers a lot more than just incident response, but I’m not going to talk about that in this article.
Some things are often no longer covered by insurance companies because the payouts were becoming too common and thus not a good financial model for them. Two of these are ransomware and attacks attributed to nation-state actors. So companies have a plan B for these, which is the Risk Contingency Budget. The amount of money put aside is generally determined by the Expected Monetary Value (EMV) metric.
EMV relies on two basic numbers.
P – the probability that the risk will occur
I – the impact to project if the risk occurs. This can be broken down further into “Ic” for the cost impact and “Is” for the schedule impact.
The risk contingency is calculated by multiplying the probability by the impact.
If you use this technique for all of your risks, you can ask for a risk contingency budget to cover the impact to your project if one or more of the risks occur. For example, let’s say that you have identified six risks to your environment, as follows.
| Risk | P (Risk Probability) | I (Cost Impact) | Risk Contingency P * Ic |
| A | .8 | $100,000 | $80,000 |
| B | .3 | $300,000 | $90,000 |
| C | .5 | $80,000 | $40,000 |
| D | .10 | $400,000 | $40,000 |
| E | .3 | $200,000 | $60,000 |
| F | .25 | $100,000 | $20,500 |
| Total | $1,180,000 | $330,500 |
The above overview of using EMV for a Risk Contingency Budget was “borrowed” from this site. Check it out for a more in depth review.
Engaging with a trustworthy MSSP can help protect organizations against all kinds of threats by:
- Helping secure your environment without additional internal staffing requirements
- Showing you where you are at risk, and how to fix it
- Showing how to identify and protect against active attacks in real time
- Providing Incident Response to get back to a good state after a breach (quickly)
- Reducing your Cyber insurance premiums
- Providing you with a threat intelligence platform supported by AI analytics with a massive training set that grows daily.
Designing Risk in IT Infrastructure 