
DIGITAL TRENCHES: ON THE FRONT LINES OF THE CYBER WAR

TIM HADAR | EDITOR IN CHIEF | OIL & GAS IQ | 2016


FOREWORD
On June 15th 2016, researchers at Fox-IT presented the results of an extensive study into the internet spy ring Mofang. The results are collated in the white paper Mofang: A politically-motivated information stealing adversary.

Mofang is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang's targets are selected based on involvement with investments or technological advances that could be perceived as a threat to the Chinese sphere of influence and projection of power.

This approach is clearly outlined in the report in the guise of a campaign focused on the government and critical infrastructure of Myanmar. Chances are that Mofang is a relevant threat actor to any organisation that invests in Myanmar, or is otherwise politically involved in this Southeast Asian nation.

In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors - government, military, critical infrastructure and the automotive and weapon industries - in multiple countries.

The Mofang case study underlines Fox-IT's view that cyber attacks are being used by governments to gain control and valuable insights into a country's infrastructure, a region, or regime. Governments that actively make use of cyber attacks are willing to spend millions of dollars, employing hundreds of technically savvy specialists to develop and build cyber tools that stay undiscovered for as long as possible and to have maximum effect.

With that in mind, I find it shocking that, even today, I meet groups of people at conferences the world over that are still in denial when it comes to the dangers of cyber attacks. More often than not, it seems that organisations need to be confronted with a major cyber incident before they are convinced that any company can become a target and needs to be prepared as such.

But how can you prepare? Can you really defend against the might of a nation state with virtually unlimited budgets and resources? The answer is yes, but only through a holistic approach carried out on a continuous basis, grounded in intelligence and government regulations.

A 360° approach based on protection, detection and response solutions and/or services is key in the fight against cyber attacks. Aside from embracing the technological aspect, government regulation will help to gain more insight into the volume and make-up of attacks and assist in building a global defense net to guard against cyber attack actors. This needs to be a net that not only defends against cyber-attacks but also offers legal frameworks to start prosecuting organisations or nation states.

Fox-IT aims to make the digital world a safer place. We are recognised by major analysts across the globe as a cyber security leader: recent publications like our Mofang report and our Ponmocup report attest to this.

For the third year in a row, we are delighted to be working with Oil & Gas IQ to monitor the state of cyber security in the critical infrastructure realm. As always, this presents a great opportunity for us to react to your ideas and engineer solutions within a proven and holistic security approach.

Be prepared!

Ronald Prins
CTO & Co-founder Fox-IT



PROLOGUE
"And you will hear of wars and rumours of wars,
but see to it that you are not alarmed..."

On the 28th June 1914, the assassination of Archduke Franz Ferdinand of the Austro-Hungarian Empire set in motion a chain of events that would result in the outbreak of The Great War.

Originating in the heart of the European continent, the web of alliances cultivated during the 19th century to maintain the balance of power between neighbouring states would end up drawing the whole Western world into an abyss of slaughter.

By the end of the conflict in 1918, the total number of military and civilian casualties would surpass 38 million, more than two per cent of the population of Planet Earth at the time. The world would never be the same again.

In 2016, the weapons of mass destruction that stock the arsenals of the world powers make the machinery that killed so many millions during World War I look tame. Yet weapons of physical destruction are not the only ones that menace peace in our times.

The 21st century has witnessed the exponential development of cyber warfare as an existential threat to modern civilisation. And the parallels between the actions of the First World War a century ago and the Cyber War in 2016 are glaring.



A BRIEF AND CRUDE HISTORY OF WARFARE
IN 16 PARAGRAPHS (10,000 BC TO 1916 AD)
Up until the latter half of the 19th century, warfare was conducted between two or more opposing forces using a variety of close-combat and ranged weapons supplemented by battle-trained animals from horses to elephants. A major engagement would usually be fought to a conclusion within a matter of hours. Seldom did a confrontation run into a second day of pitched combat. Sieges, however, could last for years.

By the time of the Napoleonic Wars (1803-15), gunpowder arms, which had started to supplant the different forms of bow as the main ranged weapon of choice from the 16th century onwards, had gradually reached an accuracy and range that would make them the primary armament for troops. With a bayonet affixed to the muzzle, the musket, and then rifle, would serve as both a ballistic and stabbing implement for the world's modern armies for centuries.

Then, in the 1860s, the pace of change began to accelerate.

THE AMERICAN CIVIL WAR (1861-65)


When 11 states seceded from the Union and formed the Confederate States of America in 1861, the formerly United States found themselves on the cusp of civil war, a mere 85 years after the Declaration of Independence.

In the course of the 1,458 days that the conflict raged, the technology of warfare would advance at an unprecedented rate. The American Civil War would see the first military uses of:

Iron-hulled warships
Dirigibles
Submarines
Torpedoes (land and naval mines)
Repeating rifles
Gatling guns, the precursors to the modern machine gun

As well as advances in weaponry, the War Between the States also saw the employment of several relatively new societal advancements in a battlefield context, such as photography, telegraphy and the railroad.

Despite all of these leaps forward, it was the increase in the range, rapidity and accuracy of ballistics that would fundamentally change the character of warfare.

In 1861, a trained soldier armed with a muzzle-loaded rifled musket with a 500 metre range was expected to fire three rounds a minute. Armies arrayed themselves opposite each other in rank and file to pound each other with shot until one side gave way under the strain of lead.



The cavalry charge, so often the ultimate shock tactic that would force a wavering army into rout, would become useless in the face of superior fire power. Injuries and deaths caused by bayonet wounds accounted for less than one per cent of the total casualties of the war. By 1865, there was only one thing a soldier could do to avoid the killing power of the ever-advancing machines of war: hide.

Trench warfare was born on the battlefields of the Old Dominion and digging in would become an integral part of the makeup of modern combat the world over. Battles went from lasting hours to lasting days. An ineluctable shift had taken place.

SUMMER 1916, FRANCE


If the American Civil War was the dress rehearsal for modern warfare, World War I was the oeuvre itself. A conflict that both sides thought would be over in a few months now dragged on into its second bloody year.

In Northern France, the forces of three empires were dug in around the town of Verdun and on both sides of the upper reaches of the River Somme. These two battlegrounds would become the focal points of the conflict's Western Front, with 6.1 million troops engaged.

Conservative estimates of the casualties from both battles number 1,681,000 or 28 per cent of all troops engaged, with a liberal estimate inflating that to 2,196,000 or 36 per cent. The world was horrified at the unprecedented rate and degree of the slaughter in a type of warfare that had become all murder.

The machine gun, which had been extant in one form or another for the past half a century, claimed as many as one quarter of all of the casualties on the battlefields of World War I. On the first day of the Somme Offensive, British troops walked with bayonets fixed headlong into withering machine gun fire that would claim more than 50,000 of the 60,000 casualties in one of the costliest single actions in the history of warfare.

Primary source accounts tell of German gunners that stopped firing because they were sickened by the effortlessness of the butchery.

In a conflict that saw the emergence of the tank and the aeroplane, cavalry units were still making frontal assaults on enemy positions. The technology of warfare was outstripping the tactics of warfare at an alarming rate.

A century on from the darkest days of World War I, we find a disturbing parallel for where we stand in a world where the threat of cyber warfare poses a similar menace to that of standing armies: in the digital trenches.



THE STATE OF PLAY
OUR ANALYSIS
After the success of our wide-ranging survey and analysis Cyber 9/11: Is The Oil & Gas Industry
Sleepwalking Into A Nightmare? we conducted a follow-up sounding into the state of the industry,
with an even broader remit. What follows is our dissection of the results.

ELEMENT 1

A recently-published cyber security report shows that there are four categories of assault: hacktivism, cyberwarfare, cyber espionage and cybercrime. How confident are you that your current defence mechanisms can handle/detect these threats?

Confident - 9%
Somewhat confident - 48%
Not confident - 39%
Do not know - 4%

2015 results vs. 2014, percentage change: -2%, 3%, -1%, -2%

It is a simple fact that in most areas of endeavour, people tend to overestimate their own capability until they have hit a snag. This overrating will often lead to complacency with regards to the elements of the game that they think they are playing in a satisfactory or more than satisfactory manner.

The space of one year has not provided for a drastic change in the perception of companies towards the way they feel about being able to deal with these Four Horsemen threats, which is actually something to be lauded.

In the space of twelve months, absent some vast technological breakthrough, these numbers should not be showing any marked movement in the positive sense.

Given the intrinsic tendency towards an optimistic estimation of one's abilities, those who are "somewhat confident" and "confident", whilst still making up more than half of the respondents in this survey, are probably less justified in their assuredness than the 39 per cent that are "not confident" about their defensive capabilities.


ELEMENT 2

How confident are you that your defense mechanisms can handle/detect state actors/APTs? (APT = Advanced Persistent Threat)

Confident - 5% (-3)
Somewhat confident - 30% (25%)
Not confident - 65% (38%)
Do not know - 0% (0)

Figures in brackets: 2015 results vs. 2014, percentage change.

We tend to associate the capability of state actors and APTs with the most highly advanced hacking techniques and cyber weapons around. However, there is a blurriness in the definition of what constitutes an APT. Attacker groups may well act as APTs, using very common infiltration techniques, but could they also fall into the state actor category if they are all centrally regionally-based? Or could APTs act as an umbrella term to refer to lone-wolf or more generic hacking groups?

State actors and APTs distinguish themselves because they are highly-motivated to attain their goals, and can sometimes draw on a central source of funding and pool of talent to achieve their mission. The two thirds of respondents who are not confident with their abilities to handle these attackers are justified in their disquiet and the lucidity of their weakness is a positive trait.

In APT, the "P" is the most telling part of the acronym: these threat actors may not be using the most sophisticated tools, but hit a wall with a hammer enough times and it will come down. The problem with APTs is precisely the fact that consistent failure will not cause them to desist. In fact, their assiduousness may cause them to up the ante, to use a bigger hammer or to try and locate a specific part of the wall that has structural faults and concentrate blows in that region - whatever it takes to accomplish what they have at hand.

For that reason, the 65 per cent that are not confident should probably be higher, because behind that wall there could be entire dedicated teams of people working on a cyber warfare initiative planned in ongoing structured campaigns.


ELEMENT 3

What controls do you have in place to prevent malicious commands or data being sent to the OT from your IT infrastructure?

Strong authentication of employees permitted to do this.
Only permitted from dedicated selected workstations not used for other purposes.
Only permitted from selected physically secured zones of the office environment.
The Four-Eyes principle.

Chart values: 48%, 26%, 56%, 22%

While it is good that you see that there are precautions in place to try and avert any kind of contamination flowing from OT to a company's IT network, the percentages are worryingly low. Only one of the four options came in at more than 50 per cent and two barely touched one quarter of respondents.

Flipping the stats to appreciate the disregard of organisations for some of these control mechanisms, in the cases of "only permitted from selected physically secured zones" and "the Four Eyes Principle", 74 and 78 per cent respectively of companies do not employ these techniques.

More worryingly, the two methods of control favoured by our respondents are probably the two which are most easily circumvented by keen and able attackers. In the case of strong authentication, an attacker may have already obtained the adequate credentials to infiltrate a network by foul play, or might have found another route to acquire the information or do the damage they want.

Whilst assigning dedicated workstations is a sensible move, in the aftermath of recognising a breach has happened, many companies have discovered connections flowing to and from both networks. Although the security teams may have initially set up computers in isolation, in order to facilitate easier working conditions, these systems may have been linked together.

Combined with the fact that these systems often have older, unpatched versions of operating systems and applications that render them more susceptible to exploitation, authentication is not the best way to shore up your defences.

Physical security is definitely the preferable option, and the stats pointing to companies not engaging in multiple, simultaneous control methods puts into perspective their lack of confidence in dealing with APTs.



ELEMENT 4

Is your organisation using digital forensics to interpret digital traces?

Yes, we have in-house digital forensic capabilities
Yes, we outsource digital forensics research
No, we do not
Not sure of benefits

Chart values: 9%, 17%, 61%, 13%

Digital forensics is the branch of forensic science which covers the retrospective recovery and investigation of material found in digital devices in relation to cyber incidents.

Whilst we see that 61 per cent of organisations do not run in-house or external digital forensics investigations, the 13 per cent that are unsure of the benefits of such methodologies are equally unlikely to be using them. Therefore, we can, with some certainty, deduce that almost three quarters of respondents do not run digital forensic enquiries.

The question is: why? If a crime has been committed, you would certainly want the authorities to try and piece together what exactly happened, who did it and how. To think that organisations do not conduct the appropriate exercises to be able to answer crucial questions that stakeholders and regulators would want to know the answer to is mind-boggling.

A cyber security strategy should comprise the quadral of prevention, detection, monitoring and response. A possible factor underlying an opt-out of digital forensics might be the fact that companies are concentrating their attention and funds on the first two facets of the security trinity, rather than doing the legwork into what exactly happened. Rather than seeing a value in the details of the crime, they see the value in making sure that it is either stopped or at least noticed.



ELEMENT 5

Are you monitoring your network?

Yes, we have network IDS (IDS = Intrusion Detection System)
Don't know
No
Yes, we have host IDS
Yes, we use honeypots (a honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorised use of information systems)
Yes, we use a SIEM (SIEM = Security Information and Event Management)

Chart values: 52%, 22%, 23%, 17%, 42%, 15%
2015 results vs. 2014, percentage change: -6%, 2%, 0%, -6%, 2%, 4%

The first thing that comes to attention here is the sobering fact that almost one in five oil and gas companies still do not have a network IDS, even after all of the serious incidents, from Stuxnet to Shamoon, that have attacked industrial infrastructure. It is no surprise that the energy sector has been continually singled out as one of the most vulnerable in world business. Add to that the fact almost a quarter of those surveyed were unaware of whether they were monitoring their network or not, and this is a serious cause for concern.

More than half of companies are employing an IDS, which is a large increase on the figures recorded a year ago, and is somewhat encouraging. Within that, there is the concern that technologies are only being used for the collection and aggregation of information and not specifically to actively detect any signs of incidents or intrusion.

The key is to be able to deal with the amount of information that these systems generate. The false positive rate or the number of events that are generated is so high that it requires the daily operation of skilled staff to do the system justice. It is debatable whether that 52 per cent can leverage the technology to the extent where it can help to mitigate or at least contain incidents from growing after initial detection.

The statistics we see here would lend weight to the trend emerging in companies concentrating and spending more on prevention and less on the detection and response aspect of the security quadral.



ELEMENT 6

How visible is what is going on in your network to your organisation?

I'm unsure
I barely have visibility
Our system engineers have this as an additional task
We are using monitoring tools
We have a fully operational SOC (SOC = Security Operations Center)

Chart values: 16%, 8%, 18%, 44%, 14%

Straight off the bat, it is evident that almost one quarter of respondents do not have any real visibility into what is happening in their networks, a quite frightening number. The positive spin on the results of this question would be that at least three out of every four respondents surveyed do have a vision of the activity that is flowing through their business.

Of the 44 per cent that are using monitoring tools, the question is: what are they being used for? In many cases these tools are used to maintain the visibility of systems to ensure business continuity is upheld, and not to specifically monitor for activities that are directly attributable to cyber threats. Those who have visibility of the threat matrices that could be developing in their IT infrastructure will represent a much lower percentage.

An encouraging statistic is the 14 per cent of respondents that have an operational SOC in place. The implementation of a SOC is not only a nod to having monitoring tools in place, but also that those monitoring tools are being interpreted by a group of trained professionals guided by a web of processes to put the information gathered into context.

Even if monitoring is carried out 24/7, without the team and analytical framework around that to crunch the numbers, any output is nigh on useless. In the example of the 18 per cent of organisations that add network monitoring to the job specification of their systems engineers, the extra workload and number of false positives will become so overwhelming that any meaningful analysis could be lost in the mire.

Simply plugging in tools without the correct capacity to derive cogent data from those tools will result in negligible benefits for most companies.



ELEMENT 7

In the last three years, how often have you been confronted with a serious ICT cyber incident? (ICT = information and communication technology)

Never - 26% (45%)
Once - 29% (-10%)
Twice - 6% (-4%)
More than Twice - 39% (39%)

Figures in brackets: 2015 results vs. 2014, percentage change.

In cross-industry figures, the number of companies that have experienced a serious ICT cyber incident is around one in three. From the statistics here, that number is more than doubled, at almost three in four.

Of course, the categorisation of a serious ICT incident is going to be largely subjective, based on the size, duration and relative impact of the attack on an individual business. The fact that more than one third of companies have suffered an incident of this type more than twice in the past 36 months is a testament to the intensification of malicious worldwide cyber operations.

Of the 26 per cent of respondents that say they have not been attacked at all in the past three years, we have to draw an unfortunate but indisputable conclusion: many simply will not have realised it yet.

In reality, most companies still discover that they have been compromised between two and six months after the initial breach has taken place. A majority of those that do find out will stumble upon the hack by accident or through external notification of abnormalities. By that stage, any malicious activity could have been embedded and under way for as much as half a year.



ELEMENT 8

Does your organization have a CERT team or CERT provider? (CERT = Computer Emergency Response Team)

No - 23%
Yes, we have an in-house CERT team - 41%
Yes, we have an external CERT provider whom we involve on an ad hoc basis - 15%
Yes, we have an external CERT provider that we have on retainer agreement - 4%
Don't know - 17%

At a time when most of a company's assets will be either digitised or in the process of being digitised, the fact that a combined 40 per cent of respondents do not have, or have no idea if they have a CERT or CERT provider, should be a cause for consternation.

The 23 per cent of respondents that have no CERT in place corresponds almost exactly to the 26 per cent in our previous segment that believe they have not suffered a cyber attack in the past three years.

Without being frightened into action, it seems that around one quarter of companies do not see the need for emergency methods. As discussed previously, many of the 26 per cent that believe they have evaded a cyber breach, simply may not know it yet.

It should become a necessity for the continuity of business to have a CERT team, be it in-house or external. A good CERT or CERT provider will help with prevention as well as response. They will practise for forensic rigour and make sure that there are regular drills and scenarios to replicate a real-world attack and promote readiness.

Being unprepared for disaster because you have not succumbed to disaster is a sure-fire way to fail in the face of disaster. Every organisation should at least have a CERT capability on retainer and close at hand should an emergency arise.



ELEMENT 9

Does your organisation have an incident response plan (IRP) in place?

No - 26% (-14)
Yes - 33% (-27%)
Yes and we do dry runs on a regular basis - 12% (12%)
I am unsure - 29% (29%)

Figures in brackets: 2015 results vs. 2014, percentage change.

The statistics here reveal a quite startling disconnect between experience and common sense.

According to the numbers in previous segments, 75 per cent of organisations have suffered at least one cyber attack in the past three years, yet even with the figures combined, less than half of companies have an IRP in place and do dry-runs to simulate attack scenarios. Taken in isolation, whilst 75 per cent of companies have been attacked, only one in eight of those organisations do any kind of preparatory war-gaming.

It must be remarked that it is inconceivable that a company that has offshore rigs, for example, would not drill for a worst-case scenario, such as a loss of containment or on-board explosion. It is equally dumbfounding that only 12 per cent of data-reliant organisations do not practice for situations where their data may be compromised. Practice does not make perfect, but it does make better.

Those who are unsure about whether they have an IRP in place may simply be unaware because this capability is outsourced to an external provider and it is not in their interest to know one way or the other.

A positive aspect of the results here is that at least those that do not have an IRP in place are down by 14 per cent from last year. Given that the figures showed that two out of every five companies last year were IRP-less, a trend towards more awareness is favourable but the statistics could still be improved.



ELEMENT 10 & 11

Is your organisation using a managed security service provider (MSSP) to monitor your network?

Yes
Do not know
No

Chart values: 39%, 28%, 33%

Are you confident that your employees and/or MSSP (if applicable) are up-to-date on the latest cyber threats and methods?

Confident - 10%
Somewhat confident - 42%
Not confident - 48%

Taken in conjunction, less than 40 per cent of oil and gas companies are using an MSSP to safeguard their organisation, and of that number, almost half are not confident that they are doing a good job of it.

Obviously, this is a particularly worrying statistic and drives at the heart of a very serious problem: if you are employing a team to keep your network safe yet do not have any belief in their ability to do their job with any kind of beneficial effect, why employ them at all? In playground terms, it is like picking the fat kid to be the goalkeeper because he is the last person and simply has to be picked, no matter his prowess.

The ten per cent who are confident in their MSSP is probably a fair reflection of the truth: being on top of the evolving threat landscape is an increasingly taxing task, which only a handful of companies will be able to manage with any degree of acuity and consistency.

Whilst the 48 per cent who are not confident with the competency of their MSSP is dismaying, the positive aspect of that group of professionals is that at least they have the lucidity to see the gravity of the situation at hand. Hopefully, the members of this tranche will be making the noise and creating the urgency within their respective organisations to push top management for the buy-in and funding to take them to that top ten per cent.

It is almost more concerning to be part of the 42 per cent that are "somewhat confident" in the ability of their MSSP. Whether those in this segment are quietly confident, quietly disconsolate or plain ambivalent, they are unlikely to push for major change inside their organisations to move up to the next rung of certainty.



ELEMENT 12

If you had to make an estimate of the costs involved to recover from a cyber-attack, what estimate would you give?

Less than 100,000 - 25%
Between 100,000 and 500,000 - 10%
Between 500,000 and 1,000,000 - 31%
Between 1,000,000 and 10,000,000 - 23%
More than 10,000,000 - 11%

2015 results vs. 2014, percentage change: 3%, -16%, 5%, -8%, 9%

The statistics gathered in this section point to a year-on-year increase in cyber attacks that have affected companies on both the lowest and highest ends of the cost spectrum. This would indicate two particular attack patterns: one which uses many small, stabbing attacks and one which relies on large, one-off and well orchestrated bludgeoning manoeuvres.

The cost of an attack grows with the size of the organisation: if you have an infrastructure of ten localised systems that needs to be investigated and recovered, it will be a cheaper recuperation than if you are a target with thousands of systems dotted across several continents.

One of the up-shots of this trend is the move of small to mid-sized enterprises (SMEs) towards greater cover from their insurance companies, as they are unable to bear the type of financial punishment that an encounter with a few small, or one large cyber attack could visit upon their organisations. This will, most probably, result in insurance companies increasingly providing something approaching tactical cyber attack cover as part of their main business offering in the coming months and years.

We are now living at a time when a cyber attack could actually be a company-killing event for many global organisations. The fact that this reality has not been echoed in previous segments with a more stringent and widespread adoption of detection and response controls is, perhaps, one of the most depressing outcomes of this entire cyber security investigation.



EPILOGUE
In the final analysis, we can group the findings of this inquest into the state of cyber security under several rather unflattering nouns that circle in a self-perpetuating feedback loop:

HUBRIS
We can see that in some areas, our respondents have displayed an overestimation of their ability to counter the threat posed by the current generation of cyber attackers. It is this kind of misplaced confidence that can have drastic consequences. We are probably all familiar with the case of Icarus and the Sun.

UNPREPAREDNESS
In some of the most fundamental areas of business protection, our respondents' companies are woefully under-prepared for the kinds of munitions that cyber assailants are firing at them on a regular basis. This extends to the realm of war-gaming, drill and scenario planning which are not given the credence that they deserve. Tacked on to this, we can also add that most companies do not have the correct staff in place to be able to react to, let alone prevent, injurious cyber events.

COMPLACENCY
Linked to hubris but less about overarching confidence and more about nonchalance, companies are opting for the easiest fixes in terms of security, rather than choosing to go the full nine yards and instate a more extensive, but expensive, holistic protective framework. Even after having seen some of the most damaging cyber attacks in the history of modern commerce befall industry in the past half-decade, a large percentage of organisations display little or no drive to shore up their defences.

UNAWARENESS
In our survey, the average percentage of those that answered "I don't know/am not sure" to the questions in which that was an option was 16 per cent. Is it acceptable that four out of every 25 people working in the cyber security field are that unaware of some of the most elemental parts of their cyber security infrastructure?

These four symptoms, united and entwined, are the underlying causes which continuously impede companies across the global sphere of business from having the basic cyber security framework to safeguard their livelihoods. These are the bacilli from which the infection of inadequacy is allowed to spread.

In the Great War, for the first time in the history of pitched combat, battlefield injuries were the greatest causes of death to the belligerents involved. In the only pan-European comparator to this conflagration, The Napoleonic Wars of a century earlier, more than 70 per cent of fatalities were inflicted away from the battlefield.

Yet from the Somme to Verdun, Passchendaele, Ypres and countless other major and minor battlegrounds across Europe from 1914-18, one third of all deaths that occurred were not caused by bullets, bayonets or land mines, but by infectious disease.

It is evident that we are losing the cyber war to an ever more sophisticated and persistent foe. In the digital trenches, perhaps the first measures taken should be to prevent, detect, monitor and respond to the disease lurking latent in the shadows before the bullets even begin to fly.

...Such things must happen, but the end is still to come."
