Today’s threat environment continues to evolve, breaking down risk silos and exposing organizations and their people to new vulnerabilities. Companies increasingly pursue digital transformation to lower costs and increase efficiency across locations and sectors. Onboarding new technology brings business opportunities to drive new revenue, but also business risk as the cyber attack surface expands. Threat actors increasingly take multi-domain approaches to attacking or exploiting their targets, such as phishing that bypasses multi-factor authentication (MFA) and cloning of encrypted access badges. These tactics are on the rise: physical penetration techniques can be used to overcome advanced cyber security controls, and cyber penetration techniques can be used to degrade or defeat physical security controls. Bringing together defenders from the physical and cyber domains in your organization is a crucial first step toward deterring and mitigating these techniques and protecting the business more holistically.
Convergent Threats
The following three case studies clearly illustrate the convergence of physical and cyber threats facing organizations.
- In October 2022, the cybersecurity team of a U.S.-based financial firm identified anomalous activity in one of its network environments. Investigation traced the activity to a user account that appeared to be in two places at once: the employee was logged in from home, miles from the firm’s offices, but the same account was also logging in from the office itself. The search led the team to the roof of the building, where they found a modified drone carrying an adversary-in-the-middle (AiTM) device that gave the attackers access to the corporate network through the office Wi-Fi.
- Throughout the 1990s, the U.S.-based cybercriminal Kevin Mitnick made a name for himself by gaining illicit access to organizational networks through a combination of hacking and social engineering. Mitnick would spoof his caller ID to appear to be calling from within a target company and use that apparent legitimacy to talk staff into granting him additional network access or physical access to secure locations. In 2017, after moving to the white-hat side of hacking, he demonstrated cloning of corporate access cards during a presentation at the annual Data Center World conference in Los Angeles.
- In 2021, ESET analyzed malicious frameworks built to attack air-gapped networks, that is, networks with no direct connection to the internet or to any internet-connected computer. The study found that every successful attack relied on physically introducing external storage devices into the target system: each framework used USB drives as the “physical transmission medium to transfer data in and out of the targeted air-gapped networks.” Whether the device is designed to deploy a malware payload or to extract sensitive information, successfully targeting these critical systems almost always requires physical access to the air-gapped network to overcome its lack of connectivity to the rest of the organization or the internet.
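The first case study above is, at its core, a correlation problem: a single account authenticating on-premises while it also holds a remote session, and an on-premises network authentication for someone the badge system never admitted to the building. The script below is an added example, not code from the original page or from any of the organizations it describes. It runs two such cross-domain rules over constructed sample logs (the user names, IPs and timestamps are made up) and assumes that on-premises authentication logs, such as 802.1X or NAC logs, carry a username, that remote access is tagged with source `vpn`, and that badge readers log `in` and `out` events per user.

```python
"""Correlate physical badge events with network authentication events.

Added example with constructed data. Assumptions: timestamps are ISO-8601,
auth events carry a `source` of 'vpn' (remote) or 'wifi'/'wired' (on-prem),
and badge events are 'in' or 'out' per user.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BadgeEvent:
    user: str
    ts: datetime
    action: str        # "in" or "out"


@dataclass
class AuthEvent:
    user: str
    ts: datetime
    source: str        # "vpn" (remote) or "wifi"/"wired" (on-premises)
    ip: str


REMOTE_SOURCES = {"vpn"}
ONPREM_SOURCES = {"wifi", "wired"}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample logs (not real data). Names, IPs and times are made up.
BADGE_LOG = [
    BadgeEvent("alice", _t("2022-10-03T08:55:00"), "in"),
    BadgeEvent("carol", _t("2022-10-03T09:05:00"), "in"),
    BadgeEvent("dave",  _t("2022-10-03T08:30:00"), "in"),
    BadgeEvent("dave",  _t("2022-10-03T12:00:00"), "out"),
]
AUTH_LOG = [
    AuthEvent("alice", _t("2022-10-03T09:02:00"), "wired", "10.0.10.4"),
    AuthEvent("bob",   _t("2022-10-03T09:00:00"), "vpn",   "203.0.113.5"),
    AuthEvent("bob",   _t("2022-10-03T09:10:00"), "wifi",  "10.0.20.7"),
    AuthEvent("carol", _t("2022-10-03T09:15:00"), "wifi",  "10.0.20.8"),
    AuthEvent("dave",  _t("2022-10-03T12:30:00"), "wifi",  "10.0.20.9"),
]


def badged_in_at(badges, user, ts) -> bool:
    """True if the user's most recent badge event at or before ts is an 'in'."""
    prior = [b for b in badges if b.user == user and b.ts <= ts]
    if not prior:
        return False
    return max(prior, key=lambda b: b.ts).action == "in"


def find_convergent_anomalies(badges, auths, window_minutes: int = 30):
    """Return findings for on-prem authentications that contradict physical context.

    Rule 1 (two_places_at_once): an on-prem auth within `window_minutes` of a
    remote (VPN) auth for the same user.
    Rule 2 (onprem_auth_without_badge): an on-prem auth while the badge system
    does not show the user inside the building.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    by_user = {}
    for a in auths:
        by_user.setdefault(a.user, []).append(a)
    for user, events in by_user.items():
        for a in events:
            if a.source not in ONPREM_SOURCES:
                continue
            remote = [r for r in events
                      if r.source in REMOTE_SOURCES and abs(r.ts - a.ts) <= window]
            if remote:
                findings.append({"rule": "two_places_at_once", "user": user,
                                 "ts": a.ts.isoformat(), "onprem_ip": a.ip,
                                 "remote_ip": remote[0].ip})
            if not badged_in_at(badges, user, a.ts):
                findings.append({"rule": "onprem_auth_without_badge", "user": user,
                                 "ts": a.ts.isoformat(), "onprem_ip": a.ip})
    return findings


def run_sample():
    return find_convergent_anomalies(BADGE_LOG, AUTH_LOG)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample data the script flags bob twice (a Wi-Fi logon ten minutes after his VPN logon, and no badge record at all) and dave once (a Wi-Fi logon after he badged out); alice and carol, who badged in before authenticating on the wired and Wi-Fi networks, produce nothing. Two caveats a practitioner will hit immediately: rule 2 generates false positives wherever badge coverage is incomplete (tailgating, propped doors, reader outages, shared lobbies), so it is better treated as an enrichment signal than a standalone alert, and both rules depend on the network side attributing an authentication to a username, which is only reliable where 802.1X or an equivalent NAC is enforced.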
Merging physical and cyber security
What can companies do internally to bolster themselves against these tactics? One answer is convergence: merging the physical security and cyber security teams to create an integrated approach to protecting and defending business assets and resources. A foundational step is to develop a common baseline threat picture for the business that spans both security domains. This requires a shared lexicon for security concepts across the physical and cyber domains so that the teams can communicate, and a common understanding of how threats and risks in one domain can undermine controls and mitigations in the other.
There are three steps your organization can take to develop this baseline understanding of the interconnected nature of your physical and cyber security postures:
- Conduct a combined programmatic assessment covering both sides of your security program, producing a holistic maturity score and a roadmap for deliberate progress across domains.
- Implement joint red team tests that combine offensive network activity with physical penetration attempts against a specific location or specific information within the organization. These exercises validate the controls meant to defend against cyber-enabled physical attacks and physically enabled cyber attacks.
- Conduct a crisis management exercise that tests the combined physical and cyber crisis response and recovery processes against a realistic scenario. These engagements build muscle memory and help both domains develop a joint approach to risk management within the organization.
Approaching these protection strategies through the lens of convergence can help ensure holistic protection in both the physical and cyber domains.