
How Unit 42 is thinking about the Olympics

Large-scale events can force organizations to adjust their cybersecurity posture, says Unit 42 researcher.


Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.

When it comes to cybersecurity during the Olympics, silver or bronze won’t do—you have to go for gold.

Unit 42, a cybersecurity consultancy that’s part of Palo Alto Networks, has aimed to assist organizations in managing cybersecurity risks and executing their threat intelligence along with other missions since 2014. The group recently released a report outlining the different threats to the upcoming Olympic Winter Games in Italy. “There is a lot at stake,” it noted, pointing to the three billion people expected to watch.

Kristopher Russo, principal threat researcher at Unit 42, told IT Brew in multiple interviews that the Olympics spin up the dark web and cyber threat actors because of the publicity and size of the games. He offers some insight into how cyberattackers behave at these large-scale events.

This interview has been edited for clarity and length.

Give us the lowdown on what’s going on in terms of making sure that we understand the cyber threats to the Winter Olympics, especially as it pertains to IT professionals helping defend infrastructure.

We have a pretty substantial experience in this space, including the Paris games where we were onsite, we had a war room, and we were watching and really tracking exactly what we saw happening. What [we] primarily saw fell into two different boats.

So, you have a whole lot of disruption as a focus, and this is your [distributed denial-of-service] attacks. These are some of the kinetic attacks we saw [against] critical infrastructure. The idea is really to both embarrass the hosts and host countries of the games, show unpreparedness, get everybody on edge, and then also to push these individual ideologies.

The other one we saw not as much as we expected, but we still did see a bit on the cybercrime side. We saw some ransomware actors active [and] we saw some scam websites stood up for selling tickets and whatnot. Of course, these actors are always actors of opportunity. For the Olympics—for the same reason that it’s desirable for the first group of attackers—it’s also desirable for cybercriminals just because of the exposure, how big it is, and how there’s so many moving pieces.

Is there an argument here about the need for enterprises to increase their cybersecurity budgets, especially in light of events like the Olympics taking place?


What we’re looking at for cybersecurity budgets and what should be driving these is [a] good, solid risk-management program. When we have a risk management program in our organization, we know the amount of risk that all of the different threats that face our organization create in terms of dollars. How likely is this bad thing to happen? How much will it cost if this bad thing were to happen to us?

We can go back and say, “Okay, these are the different ways that we can treat that risk and this is what each of those ways to treat that risk would cost.” Then we bring all of that back to the business, so the business can make informed decisions on how they want to invest in that risk mitigation.

If you were putting a ton of money into sponsoring the Olympics and really getting your brand name out there, and this is really important [to] the organization because we expect it to generate x amount of dollars, then we have to be comfortable spending a certain percentage of that making sure that this goes off without a hitch, that it’s protected, that we have the right cybersecurity controls in place.

How does Unit 42 approach these larger-scale events versus smaller incident or threat analysis projects? What sets the group apart from other responders?

We have multiple sources of information coming in. First and foremost, we have our massive telemetry. So, we have a huge installation across the globe where we’re seeing network traffic, and we’re seeing activity all over the place and all of that is fed back into our intelligence engine. So, that’s half of it. The other half of it is we are monitoring both open and closed intelligence sources. We’re monitoring the clear web and the dark web, and we’re working with our partner organization to pull the information that they see and what they have and then we’re all bringing that together.

We have a huge hardware install base with our traditional firewall systems. Additionally, we have our software side with our Cortex and XDR products that are watching the processes on the endpoints in real time. So, we’re stitching that data together to get us that whole view.
