As cyberwarfare has emerged as an ongoing threat to critical infrastructure, cybersecurity professionals might want to revisit Stranger Things to learn a thing or two (or eleven). In an ongoing battle between good and evil, there are a startling number of parallels between the show and the modern threat landscape.
A Cold War backdrop is used to raise the stakes of the show, but in reality, the risk of cyberwarfare has never been higher. Russian-linked cyberattacks on EU utilities and Chinese-linked cyberattacks on U.S. critical infrastructure reveal a geopolitical theater with far greater stakes than any Netflix series.
According to Armis’ research, 87% of IT leaders are concerned about the impact of cyberwarfare on their organizations.
While 81% of IT leaders say moving to a proactive cybersecurity posture is a top goal for their organization, many security teams are not acting in the face of these threats until after they have been compromised.
That’s because visibility and segmentation challenges still hamper so many organizations. More often than not, attackers infiltrate an organization’s IT infrastructure, cover their tracks and then stealthily pivot into OT environments to jeopardize critical infrastructure.
Therefore, organizations must shift “left of boom,” focusing on zero-trust architecture, preemptive prevention and more. This cybersecurity paradigm is particularly imperative in critical infrastructure sectors, where nation-state threats show no signs of slowing down.
How Threats Keep Shape-Shifting
In 2010, Google disclosed evidence of Operation Aurora, one of the first high-profile advanced persistent threats (APTs) launched by Chinese threat actors. These attacks targeted the source code of several technology companies, a preview of supply chain attacks to come.
Ten years later, one of the most notorious examples of supply chain attacks was the SolarWinds breach. Just like the Soviets built a secret base under the Starcourt Mall in Stranger Things, the SolarWinds compromise enabled Russian threat actors to have secret access to the U.S. government.
These two incidents illustrate how threats evolve, but there are even more examples of APTs beyond them.
Even though every APT is unique, they tend to have a few things in common: they seek to establish initial access, evade detection and establish persistence (just as the Mind Flayer possesses its victims’ minds). The difference lies in the tactics, techniques and procedures (TTPs) they employ to achieve these goals.
For example, a threat actor might gain initial access through phishing or dumping cached credentials, but they may also be able to gain access through exploiting vulnerable devices.
It is important to understand that there are a multitude of attack vectors, and basic cybersecurity fundamentals focus on creating a more defensible architecture to reduce risk.
No Psychic Abilities? Then Visibility Matters
Spoiler alert: In the fourth season of Stranger Things, it is revealed that Eleven accidentally opened the gates to the Upside Down by using her psychic abilities.
When it comes to critical infrastructure, many organizations don’t understand what is happening in their network.
How can we protect what we don’t know?
Threat actors will always seek to exploit unknown vulnerabilities, and these visibility gaps are the root cause of initial access and lateral movement.
Many organizations currently react to threats rather than proactively managing risks. They must shift their focus to understanding their environments, identifying potential risks, addressing early warning signs and prioritizing the closure of security gaps.
Heroes at Work in Cybersecurity
If heroes persevere in the face of adversity, then there are many heroes in cybersecurity.
For instance, after Google was targeted by Operation Aurora in 2010, it began developing its BeyondCorp initiative, a major influence on the creation of zero-trust architectures.
Today, organizations can turn to frameworks like NIST SP 800-207 for guidance on how to implement zero-trust.
Some core zero-trust principles include developing an asset inventory, strong authentication and authorization controls, and implementing network segmentation.
While zero-trust frameworks were initially designed for IT environments, there has been significant progress in adapting these principles for Operational Technology (OT), cloud and IoT systems, particularly when taking a holistic, organization-wide perspective.
Many organizations struggle to create and maintain an up-to-date asset inventory because they rely on spreadsheets and manual processes, which are often incomplete and outdated.
However, as organizations adopt AI-enabled solutions to monitor for behavioral anomalies, they can extend this visibility to continuously discover all of the devices on their network.
Comprehensive visibility and control of all network traffic and devices is particularly important for critical infrastructure sectors, as OT networks tend to contain vulnerable legacy systems that can have real-time kinetic effects if exploited.
Full situational awareness of the attack surface is a superpower that enables organizations to shift cybersecurity “left of boom” so that they can close the gaps and focus on preemptive protection.
By focusing on early warning signs instead of responding to threats, these organizations might seem to have psychic powers of their own. Sometimes the truth is stranger than fiction.