Blog

Speed and Scale: How Threat Volume and Velocity Shape Cyber Risk Narratives for Governance Bodies

Posted: 23rd July 2024
By: Levi Gundert

Editor's note: The following blog post originally appeared on Levi Gundert's Substack page.

73d9048e-aeff-4bdd-aa9c-0c1df640918e_1024x1024.webp

Developing stories that instill confidence in governance bodies (GBs) is prominent in many CISO discussions - but not all stories carry the same value. I was recently in Singapore, engaging in a fireside chat with the esteemed John Yong. John, a seasoned expert in security practice, policy, and administration, currently serves in multiple oversight/governance roles. During our conversation, John emphasized that any threat report or narrative that fails to adequately capture “volume” and “velocity” is, in his view, a “C-“ at best. As he put it, “it’s a $10 story.” The security industry, he believes, needs better resources to consistently develop $1M stories.

939e3fca-764d-48a5-8f68-acb2ce2076c9_1600x1331.webp

Volume & Velocity

John’s grading assessment underscores the importance of volume and velocity in convincing readers of the necessity for action. Simply put, volume represents the magnitude of change, while velocity highlights how quickly the change has occurred. As cybersecurity professionals, our data-driven discussions are powerful influencers toward a desired outcome, often leading to buy-in on new security control investments.

Volume and velocity are the two variables that underpin a compelling threat implication. Great cyber intelligence will provide this context, similar to the business intelligence financial traders require to execute trades while monitoring financial markets. Professional traders who ignore volume and velocity do so at their peril. The same applies to cyber security and intelligence leaders, whether they know it or not.

Let’s review a few examples where volume and velocity create different enterprise recommendations.

Arm Exploit Volume

In a recent Bloomberg interview, Microsoft CEO Satya Nadella revealed that Microsoft is all in on manufacturing hardware (personal computers) optimized for GenAI to enable local/edge-accessible capabilities. Others, like Dell, echo their intent to move quickly to the same destination. While this is good news for Wall Street favorites like Nvidia, CIOs should look for the second-order business, technology, and security implications of the proliferation of GenAI-enabled hardware.

One apparent second-order effect is the increased adoption of Arm semiconductors, which is potentially less considered in this local AI hardware movement. What are the potential security considerations as workstations move from using Intel’s traditional x86 architected semiconductors to Arm? Are CISOs developing recommendations? How do volume and velocity factor in? Let’s find out.

97a1458d-6ba1-4483-91e6-ee56f4fc6323_1024x1024.webp

When performing Recorded Future platform searches, specific memory registers and exploit framework library syntax enable differentiated selectors between Arm and x86 semiconductor architectures. The search results represent a sample of instructions or conversations (in multiple languages) related to the technical complexities of hacking ARM-based software (or hardware). In this case, we can remove references to “CTF” (Capture the Flag) events, commercial frameworks, or shared code (i.e., Metasploit or BishopFox) that perform the heavy lifting of exploit development. The remaining results capture less well-known exploit code.

04457ba8-d17e-40d5-9bff-4e8c7e0c4603_1600x734.webp

Image: Comparisons of Arm and x86 exploit code references, respectively, courtesy of Recorded Future.

The prior two years reveal consistent Arm-based and x86-based exploit code appearances, with recent spikes in May 2024. The sample size is relatively small, but visually, the increased volume of exploit references is apparent. Now, more discovery/analysis is needed to understand context and velocity.

c253f5eb-5764-44f2-abc0-912d9986bfe2_1600x364.webp

Image: Recorded Future LLM summarization of Arm exploit results.

The results primarily derive from GitHub and Hackyx, as well as a smattering of different foreign language forums and chat channels.

8c44249f-102e-4f78-a9f7-086605030c0e_1280x1148.webp

Image: A “1000 yard stare” meme overlaid on a buffer overflow example, possibly derived from code found at deephacking.tech.

As referenced in the Intelligence to Risk (I2R) framework, broad consumption of different event types creates more confidence in volume and velocity, which influences a threat implication and potential future associated risk recommendation. Open and closed-sourced code references provide an initial volume signal in this example. Additional data sourcing might also include honeynets and malware sample analysis.

A ninety-day search through Triage for files that match “Linux” and “Arm” tags returns roughly 6000 results. That’s a relatively small number in the pantheon of daily malware processed, but file verdicts provide a different event source to track over time for significant changes in volume and velocity.

Arm taking a greater market share of global computing won’t happen overnight. However, we can already see threat actors taking an interest in exploits, and the volume will likely increase as Arm chips proliferate in mainstream computing platforms. The gradual shift could create security implications that organizations want to proactively address, starting with endpoint defense and a review of commercial solutions.

Network Exploit Velocity

Quantifying velocity is as much about pattern recognition as the time change state between data points. As previously mentioned, China is actively exploiting network appliances for multiple reasons, and more defender effort is required as traditional host-based security solutions (i.e., AV/EDR/XDR) are rendered impotent.

The velocity component is relevant to address as it drives the movement level in attack proximity for any of the five risk impacts. A more significant east/west move in the proximity & resilience graph may drive more operational urgency, depending on the corresponding level of resilience.

25fc129b-23cc-48ee-9386-3aac42b7b03d_1600x1009.webp

Image: An example of a Proximity & Resilience Graph

Cisco network appliances are a recent example of China’s zero-day exploit targeting. The velocity of these exploits is challenging to determine (until it’s too late) without telemetry that extends beyond OSINT.

856ce8f3-02db-434e-924d-cff852027fe9_1189x898.webp

Image: A vulnerability intelligence summary courtesy of Recorded Future.

In the timeline below, the distance between data points roughly represents velocity. In the subsequent graph, a volume change is represented across two different categories of vulnerabilities. A comprehensive search and verified results for applicable vulnerabilities with associated exploitation are a starting point, and ongoing signals from telemetry like darknets/honeypots can also provide more current and timely data toward an accurate velocity representation. Audiences should quickly identify the potential urgency attached to the threat, which dictates the speed of I2R pyramid traversal to ultimately implement recommendations.

184d77f3-1aac-459d-bc5d-537c51cd3695_1600x796.webp

Image: A 2023 - 2024 timeline containing samples of network equipment exploitation courtesy of Recorded Future.

acf6eebb-4735-4b9c-9f1b-9c899bbec413_1200x742.webp

Image: Cumulative cyber attack and exploit references to vulnerabilities divided between network appliances and enterprise software, courtesy of Dylan Davis and Recorded Future.

Similarly, Recorded Future’s Insikt Group recently released a report on Threat Actor Group 100 (TAG-100, which is likely a state-sponsored group from a country that begins with “中” and ends with “国”), which has compromised organizations in over ten countries. The image below helps illustrate attack volume and TTP velocity, specifically with the continuous use of open-source tools like Pantegana.

0c21ad1b-58ce-4f02-ac7a-654a3646791c_1600x630.webp

Image: A timeline of spring 2024 TAG-100 targeting courtesy of Recorded Future.

When open-source attack tools increase in observed velocity, the operational urgency around existing control validation is apparent (even without a full I2R Pyramid assessment). Based on anecdotal feedback, EDR/XDR software sometimes lacks robust detections for offensive open-source resources.

Conclusion

As a security professional, how can you persuade executives to smartly invest? Your role is crucial in this process. Envision a typical enterprise environment: the breaches making the latest rounds of headlines are in different industries. Where’s the fire? The metaphorical moat seems to be holding. Audits passed. The GRC/ERM organization is documenting the risks. The organization has previously invested in “substantial” security controls. Your insights can help shape the narrative and drive action where needed the most (and sometimes, inaction is an equally valid risk management decision).

Intelligence should be sourced from data that creates proactive opportunities to evaluate and communicate threat volume and velocity. These two factors move emerging threats from theoretical to practical—what separates a $1M story from just another presentation slide. As an industry, we need more $1M stories to help build confidence in aligning cyber risk management strategies with business needs and objectives.

Related