As organisations attempt to protect against cyber threats, understanding cybersecurity frameworks is a critical initial step. Stefano Maccaglia, EMEA Practice Manager Incident Response at NetWitness, tells Intelligent CISO Africa about the expanding categories of threat actors, and how their practical approach towards cyber incidents differs from other vendors.
One of the key changes in the NIS2 Directive is the inclusion of new cybersecurity incidents that operators of essential services (OES) and digital service providers (DSP) must report to the relevant authorities. Could you briefly clarify which category has been added?
Firstly, they have expanded the number of categories in terms of market verticals to include categories like food production services and companies. The [NIS2 Directive] goal was moving from the digital environment to everything that is critical for the existence of the industry’s income and digital civilisation, and this covers sectors like energy, transport, food and even aerospace.
These already integrated categories were improved and new ones like water purification systems were added. Today, every utility is included within the NIS2 compared to the previous directive.
Do you think these categories are relevant and the overall set of categories is enough to address the most frequent attacks and more importantly the critical ones?
Potential victims agree that NIS2 is tackling their challenges and there is a reasonable amount of new market verticals. But from the attacker’s perspective, there is still a lot to do as actual categories focus on basic cyber-criminal activities that are predominant today.
NIS2 does not precisely target the cyber espionage war that is operating with sophisticated actors, and we need to extend definitions, categories, and methods to tackle these artists effectively.
We need more precision with these types of trends as some actors are state-sponsored attackers. This ongoing conflict raises the number of potential exposures to critical services and can be used as leverage to create trouble in other countries.
In the actual global cybersecurity field, do you notice a change in the approach?
An ecosystem has been built from the cybercrime world in the last few years. There is an evolution of actor categories and the cybercriminal world is polarizing towards ransomware.
However, as more actors are becoming ready to sell their services compared to the past, this creates a change in the overall underground communities and heavily impacts the cybersecurity world. We must consider that attack vectors can simultaneously come from multiple actors who are attacking the victim with different goals in mind.
There is a general change in attitude towards the cybercrime environment regarding threats to more technique-based attacks. There have been some exploitations in recent years but no major changes, so we must not be led by fear, doubt, and uncertainty. The bigger concern lies in a constant stream of new techniques and noticing the cybercriminal world is evolving towards a more focused set of attack types which will bring greater risks.
Looking at the main scope of the issue, what are we really lacking to achieve real protection against cyber threats?
We still need to find a common ground on how to protect systems. From the leadership perspective, we are far from achieving the proper mindset behind the decisions on investing in certain technologies or visibility to be on the reactive side.
Another missing aspect is an overall agreement about sharing information between operators. On a country level, sharing does exist and at a European level, we are still far from having common knowledge of sharing about attacks, attackers and proper techniques to face and expel them.
We need to create checkpoints and build authorities responsible for effectively sharing information with operators across Europe. The same can be applied to other continents like America and Asia. We are witnessing some cooperation at the police level, but this alone is not enough effort against the type of actors we face.
Do you think the sharing of information at a global level is a possible solution at least to effectively limit cybercriminal activities?
Sharing information can reduce exposure and buy the time needed to investigate an attack. For example, sharing threat intel feeds between operators can streamline the identification of potential attackers during the first stages of the attack when they are still vulnerable and can allow them to activate an immediate blocking of their activity.
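The feed-sharing workflow described in that last answer, carried through in code as an added example (this is not code from the interview, from NetWitness, or from any NIS2 guidance): one operator's indicators are parsed, malformed rows are dropped, values are normalised so that a mixed-case domain in the feed still matches a lowercase DNS query in the logs, and each local log line is checked against the index. Hits above a confidence threshold become block decisions, lower-confidence hits only alert. The feed format, the `Indicator` fields, the threshold and all indicators and log lines are assumptions constructed for the example; the addresses are RFC 5737 documentation ranges and the hash is made up.

```python
"""Correlate a shared threat-intel feed against local logs (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "domain" or "sha256"
    value: str       # canonical form, see normalise()
    source: str      # which operator shared the indicator
    confidence: int  # 0-100, as asserted by the sharing operator


# Made-up hash, 64 hex characters; not a real file.
FAKE_HASH = "9f2c1a7d0e4b5c6a8b1d3e5f7a9c2b4d6e8f0a1c3b5d7e9f1a2b3c4d5e6f7a8b"

# Constructed feed in a minimal CSV form: kind,value,source,confidence.
# The last row is deliberately malformed to show that parsing skips it.
SAMPLE_FEED = f"""\
ip,203.0.113.45,operator-a,90
domain,Update-Check.example,operator-b,70
sha256,{FAKE_HASH},operator-a,95
ip,198.51.100.7,operator-b,40
ip,not-an-address,operator-b,80
"""

# Constructed log lines from a proxy, a resolver and an AV scanner.
SAMPLE_LOGS = [
    "2024-05-02T10:01:13Z proxy src=10.0.0.12 dst=203.0.113.45 host=cdn.example bytes=512",
    "2024-05-02T10:01:20Z dns client=10.0.0.12 query=update-check.example rcode=NOERROR",
    f"2024-05-02T10:02:05Z av file=/tmp/installer.bin sha256={FAKE_HASH} verdict=clean",
    "2024-05-02T10:03:00Z proxy src=10.0.0.13 dst=198.51.100.7 host=news.example bytes=2048",
    "2024-05-02T10:04:00Z proxy src=10.0.0.14 dst=192.0.2.9 host=intranet.example bytes=100",
]


def normalise(kind, value):
    """Canonicalise an observable so feed and log values compare equal."""
    if kind == "ip":
        return str(ipaddress.ip_address(value))  # ValueError if malformed
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "sha256":
        v = value.lower()
        if not re.fullmatch(r"[0-9a-f]{64}", v):
            raise ValueError("bad sha256")
        return v
    raise ValueError(f"unknown indicator kind {kind!r}")


def parse_feed(text):
    """Parse the feed, dropping malformed rows instead of failing the whole import."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        kind, value, source, conf = parts
        try:
            out.append(Indicator(kind, normalise(kind, value), source, int(conf)))
        except ValueError:
            continue
    return out


def build_index(indicators):
    """Key indicators by (kind, value); keep the highest confidence on duplicates."""
    index = {}
    for ind in indicators:
        key = (ind.kind, ind.value)
        if key not in index or ind.confidence > index[key].confidence:
            index[key] = ind
    return index


IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
NAME_RE = re.compile(r"\b(?:host|query)=(\S+)")


def extract_observables(line):
    """Pull candidate IPs, domains and hashes out of one log line."""
    found = set()
    for m in IP_RE.findall(line):
        try:
            found.add(("ip", normalise("ip", m)))
        except ValueError:
            pass  # e.g. 999.1.1.1 looks dotted-quad but is not an address
    for m in HASH_RE.findall(line):
        found.add(("sha256", normalise("sha256", m)))
    for m in NAME_RE.findall(line):
        found.add(("domain", normalise("domain", m)))
    return found


def match_logs(logs, index, block_threshold=60):
    """Return (line_no, indicator, action) for every hit; action is block or alert."""
    hits = []
    for n, line in enumerate(logs, 1):
        for key in sorted(extract_observables(line)):
            ind = index.get(key)
            if ind is None:
                continue
            action = "block" if ind.confidence >= block_threshold else "alert"
            hits.append((n, ind, action))
    return hits


if __name__ == "__main__":
    for n, ind, action in match_logs(SAMPLE_LOGS, build_index(parse_feed(SAMPLE_FEED))):
        print(f"line {n}: {action.upper():5} {ind.kind}={ind.value} "
              f"(from {ind.source}, confidence {ind.confidence})")
```

The confidence threshold is where the "immediate blocking" in the answer meets operational reality: an indicator shared by another operator with low confidence should raise an alert for an analyst rather than drop traffic outright, and keeping the sharing operator's name on each hit lets the receiving team feed back whether the indicator was useful.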