Physical and cyber security threat convergence still evolving


Today’s threat environment continues to evolve, breaking down risk silos and introducing new vulnerabilities to organisations and their members. Companies increasingly turn to digital transformation strategies to lower costs and increase efficiencies across locations and sectors.

On-boarding new technologies presents organisations with both business opportunities to drive new revenue and business risk as their cyber-attack surface expands. Nefarious actors increasingly rely on multi-domain approaches when attacking or exploiting their targets, such as multi-factor authentication (MFA)-bypassing phishing and encrypted badge cloning. These tactics are on the rise: threat actors can leverage physical penetration techniques to overcome advanced cyber security controls, while cyber penetration techniques can be leveraged to degrade or defeat physical security controls. Bringing together defenders from both the physical and cyber domains in your organisation can be the first crucial step in deterring and mitigating these emerging techniques and protecting your business more holistically.

The following three case studies clearly illustrate the convergence of physical and cyber threats facing organisations.
• In October of 2022, the cybersecurity team of a U.S.-based financial firm identified anomalous activities within one of its network environments. Upon further investigation, the team discovered that the origin of the mysterious activities linked back to a user who appeared to be in two places at once. The employee showed as being logged in from home, miles away from the firm’s offices, but was also logging in from the office itself. The search led the team to the roof of the building where they found a modified drone carrying an adversary-in-the-middle (AiTM) device that allowed it to gain access to the corporate network through the wireless internet (WiFi) network.
• Throughout the 1990s, a U.S.-based cybercriminal, Kevin Mitnick, made a name for himself by gaining illicit access to organisational networks through a combination of hacking and social engineering. Kevin would spoof his phone numbers to appear as if he were calling from within a target company and use these credentials to gain either additional cyber access or physical access to secure locations. In 2017, after switching to the white-hat side of hacking, Kevin showcased his ability to clone and duplicate corporate access cards during a presentation at the annual Data Center World Conference in Los Angeles.
• In 2021, ESET analysed malicious frameworks used to attack networks without any direct connection to the internet or to any other computer connected to the internet, known as air-gapped networks. The study found that every successful attack was perpetrated by physically introducing external storage devices to the target computer system. Each framework leveraged USB drives as the “physical transmission medium to transfer data in and out of the targeted air-gapped networks” during the attack. Whether the external device is designed to deploy a malware payload or extract sensitive information, successfully targeting these critical systems almost always requires physical access to the air-gapped network to overcome their lack of direct connectivity to the rest of the organisation or the internet.
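
The "two places at once" signal from the first case study can be turned into a detection by correlating remote-access, office WiFi and badge records. The following is an added example, not code from the original article or the firm involved; the event format, source names, sample events and time windows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the incident). Assumed fields:
# time, user, source ("vpn" = remote session start, "office_wifi" = on-prem
# wireless authentication, "badge_in" = physical access-control entry).
EVENTS = [
    ("2022-10-03T08:55", "asmith", "badge_in"),
    ("2022-10-03T09:02", "asmith", "office_wifi"),
    ("2022-10-03T09:10", "jdoe", "vpn"),
    ("2022-10-03T09:40", "jdoe", "office_wifi"),
    ("2022-10-03T18:30", "mlee", "vpn"),
    ("2022-10-04T09:15", "mlee", "badge_in"),
    ("2022-10-04T09:20", "mlee", "office_wifi"),
]

VPN_SESSION = timedelta(hours=8)    # assumed maximum remote session length
BADGE_WINDOW = timedelta(hours=12)  # assumed validity of a badge-in

def find_presence_conflicts(events):
    """Flag office WiFi logins that physical or remote evidence contradicts."""
    last_vpn, last_badge, alerts = {}, {}, []
    # ISO 8601 timestamps sort chronologically as plain strings.
    for stamp, user, source in sorted(events):
        when = datetime.fromisoformat(stamp)
        if source == "vpn":
            last_vpn[user] = when
        elif source == "badge_in":
            last_badge[user] = when
        elif source == "office_wifi":
            reasons = []
            vpn = last_vpn.get(user)
            if vpn and when - vpn <= VPN_SESSION:
                reasons.append("concurrent remote session")
            badge = last_badge.get(user)
            if badge is None or when - badge > BADGE_WINDOW:
                reasons.append("no recent badge-in")
            if reasons:
                alerts.append((stamp, user, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_presence_conflicts(EVENTS):
        print(alert)
```

The badge check needs physical access-control data that the cyber team usually does not hold, which is the practical case for sharing telemetry between the two teams.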

These case studies highlight the disproportionate effect that combining cyber and physical attack techniques can have on success rates of malicious penetration attempts on target organisations. The convergence can also apply to the realm of executive protection, where the advent of connected technological devices and the internet of things has expanded the attack surface by which leaders can be targeted by malicious actors. Assessing and understanding the threats posed to executives in the cyber and technical domains is critical to the development of a comprehensive protection plan for those individuals and their inner circle. Today’s environment makes it much easier for threat actors to forgo physical surveillance of a target in favour of technical surveillance – tracking their mobile devices or vehicles.

What can companies do internally to help bolster themselves against these emerging threat tactics? One answer is convergence – merging physical security and cyber security teams – to create an integrated approach to protecting and defending your business assets and resources. A foundational step in a convergence approach is to develop a common baseline understanding of the threats to the business that spans security domains. This requires a mutually understood lexicon around security concepts spanning the physical and cyber domains to enable cross-communication between teams. Additionally, it is critical to develop a common understanding of how threats and risks within one domain have the potential to impact controls and mitigations in the other.

There are three steps your organisation can take to develop this baseline understanding of the interconnected nature of your physical and cyber security postures:
1. Conduct a combined programmatic assessment that assesses both sides of your security program, generating a holistic maturity score and a roadmap for deliberate progress across domains.
2. Implement joint red teaming tests that include cyber network offensive activities and physical penetration attempts against a specific location or targeting deliberately chosen information within the organisation. These activities validate security controls meant to defend against cyber-enabled physical attacks and physically-enabled cyber-attacks.
3. Conduct a crisis management exercise to scenario test the combined physical and cyber crisis response and recovery processes. These engagements can help to build muscle memory enabling both domains to develop a joint approach to risk management within the organisation.
Approaching these protection strategies through the lens of convergence can help ensure holistic protection in both the physical and cyber domains.