Saudi Arabia is impacted by the same kinds of cyber attack as the rest of the world. But the geopolitical situation in the region means there is a different set of perpetrators – and they are highly motivated.
Politically motivated cyber criminals targeting Saudi Arabia often focus on fundamental industries. “We see attacks that target sectors such as oil and gas, as well as energy, more than others,” said Safwan Akram, managed security services director at cyber security consultancy Help AG in Saudi Arabia. “These sectors comprise a vital part of the kingdom’s economy, and adversaries utilise these attacks to gain access to confidential information and disrupt operations at a national level.”
According to the World Economic Forum’s Global cybersecurity outlook 2022, the three biggest concerns for cyber security professionals anywhere in the world are ransomware, social engineering, and malicious insider attacks. Of the three, ransomware is the fastest-growing threat.
Malicious entrepreneurs now offer ransomware as a service (RaaS), enabling hackers to easily launch a ransomware attack. RaaS now comes with a triple cyber extortion attack – including file encryption to hold information hostage, data theft to potentially reveal private information, and distributed denial of service (DDoS) attacks to hinder network availability and render infrastructure useless.
Many of the attacks targeting Saudi Arabia are DDoS-related, and they are very much about creating a nuisance for organisations or for the country. Some of the other attacks are more focused around penetrating the defences of an organisation for the purpose of spying. While much of the espionage is very targeted, it often impacts others that are not direct targets.
On top of the global trends rendering most countries more vulnerable to cyber attack, Saudi Arabia has another reason to feel the threat – its accelerating dependence on digital technology. Digital transformation is also a key pillar in the country’s Vision 2030 plan to diversify its economy through increased focus on innovation. While creating new opportunities for the kingdom, this strategy has also introduced increased cyber and operational risks by creating an expanding attack surface.
Role of the National Cyber Security Authority
Fortunately, Saudi Arabia has not been standing idly by as the cyber threat has increased. In 2017, its government established an authority to regulate cyber security – the National Cyber Security Authority (NCA), which mandates certain controls and standards around essential services, security, critical infrastructure, cloud and social media. These measures are being mandated for government agencies and for critical enterprise sectors to help shape the cyber security posture of those organisations. The NCA conducts a yearly review of each entity.
On 8 August 2022, the NCA announced the launch of the CyberIC programme for developing the cyber security sector, which is considered one of the main enablers of the country’s National Cybersecurity Strategy. The aim of the new programme is to improve national capabilities by developing local skills and, ultimately, local cyber security technology.
During the first phase of CyberIC, the NCA will support more than 40 startups through a cyber security accelerator and establish more than 20 startups through a second version of the national cyber security challenge. Also, about 10,000 Saudis in the cyber security sector will receive training through CyberIC.
The Saudi government has also run many bootcamps for fresh graduates to prepare them for the market, to be well versed in different fields of cyber security. They are offered opportunities to specialise in the defensive side of cyber, but also in the offensive side – such as red teaming and penetration testing. There is also specialist training in governance, risk and compliance.
All of these initiatives and programmes are being adopted by the government in order to raise national awareness of cyber security and also to upskill people, enabling them to kick-start a career in an increasingly growing field and contribute to elevating the country’s security posture.
As part of its efforts to improve cyber security on a national level, the NCA has issued regulations and policies in accordance with best international practices. “The NCA has been successful in creating practical approaches to cybers ecurity and developing best practices that enable enterprise organisations and governmental entities to build a culture of security and safeguard their digital roadmap,” said Nicolai Solling, chief technology officer at Help AG.
“One of the unique challenges for Saudi Arabia is that a great number of national organisations are very large in size compared to other countries in the region, with a workforce of hundreds of thousands of people. This sometimes makes it hard to be agile. Solutions have to be bought and installed and the visibility of the organisational network and infrastructure needs to be continuously maintained – and that can be challenging.”
But Saudi Arabia does not stand alone in its efforts to counter cyber security threats – the NCA is working with other countries. In July 2022, just before US president Joe Biden’s visit to Saudi Arabia, the NCA signed a new memorandum of understanding (MoU) with the US to further their existing cooperation through a formal process for sharing more cyber threat information and best practices.
Increasing need for cyber security
Solling reckons cyber security challenges will become more sophisticated and harder to tackle in the short to mid-term. Ransomware is a good example – the region has experienced an increase in ransomware attacks, with 56% of Saudi organisations being targeted in 2021, up from 17% in 2020, according to a Sophos study. Cyber criminals make easy and substantial money on RaaS delivery, which means they will be highly motivated and highly funded to make sure the revenue stream continues, he said.
“If you look at just the economics, it’s a scary picture,” Solling told Computer Weekly. “Organisations have started to understand that if you are in an environment where the threat is always present, and the motivation of cyber criminals continues to grow, you need to start thinking about your cyber security in a different way in the sense that you can no longer focus only on prevention.
“Of course, you need to get all the basics right. You need to implement a solid cyber security strategy and a strong business continuity plan that incorporates security controls at every step, while partnering with trusted security providers that work as an extension of your internal security team. However, you also need to consider the fact that no one is 100% immune, and therefore start to think about how your planning should change to follow a comprehensive and structured approach that incorporates preventive, detective and responsive methods, thereby significantly reducing the impact of any possible threats.”
Solling added: “What we see now is that customers are starting to change their mindset from focusing on preventing everything to preventing as much as possible. But we also need to plan for the impact to be as minimal as possible. It is time to shift from cyber security towards cyber resilience.”
As well as protecting their users and assets, companies and government agencies have to comply with a growing body of regulations around cyber security. This is proving difficult because many organisations tend to focus on their core business and treat cyber security as an afterthought, rather than an essential element embedded by design.
This, coupled with the transition from a product-based to a service-centric model, is making it increasingly lucrative for organisations to outsource security operations to a managed security service provider (MSSP), which will allow them to contract on a service-level agreement (SLA)-based offering. This not only saves them time, but also gives them access to the right and requisite expertise, as MSSPs have been continuously investing in technologies, knowledge and talent.
According to Help AG’s Akram, the main reason why companies seek managed security services (MSS) is cost. The cost of building an internal security operations centre (SOC) entails vast investment in different areas, ranging from hiring security professionals and onboarding technologies to preparing physical facilities and performing continuous security operations.
This leaves companies faced with unpredictable costs related to operational expenditures, upgrades and increases in capacity, which is where MSSPs play a critical role, offering service and budget predictability.
According to Akram, the second reason why companies seek an MSSP concerns finding the right talents within the market. Unfilled cyber security positions currently stand at 2.72 million globally, which makes it more difficult for businesses to run their own SOCs. Partnering with the right MSSP saves security leaders this headache. “We hire security professionals in each and every function,” said Akram. “We have that diversity in our team, so we can deliver our services with the highest quality and while meeting customer needs and compliance requirements. ”
Solling added: “As cyber criminals are becoming more and more professional, the defenders also need up their game. MSS has been around for a long time as a concept, but a growing number of customers are now starting to understand the need for it.
“What we are handling is more sensitive and that is why a large amount of the work we do is building the trust relationship with the client. MSS might be deployed as on-premise, cloud, or a combination of the two.
“We started in the UAE and then we moved to Saudi Arabia. To meet the different compliance requirements, we had to make an investment so that all our services, including analysts, were locally available. Some of the data regulations require us to deliver services within the country to address certain segments that deal with sensitive information – one being BFSI [banking, financial services and insurance].”
Phased-in approach to managed security services
Akram said: “The most basic service starts as 24/7 monitoring, where you monitor the customer environment for threats and malicious alerts. Then you start to have more add-ons to increase your coverage in terms of detection or response – covering endpoints and networks, then moving on to brand protection, or digital risk protection as a bigger umbrella that will monitor your identity as an organisation on social media, the dark web and search engines.
“You monitor the usage of the domains and check for any possible impersonation. You monitor the data leakage of, for example, credentials of the users on the dark web or the internet in general. Then you start talking about advanced services around detecting anomalies in user behaviour, also trying to automate processes.
“We also have an angle where the client outsources the management of the cyber security controls of the project. We do the administration, configuration, maintenance of different cyber security controls of the products that the customer will already have in their environment. Sometimes customers get to the point where they want the MSSP to take care of everything.”
Solling added: “One of the first things customers look for in a service provider is whether the MSSP is approachable. They don’t just want a call centre. They want to be able to communicate with the service provider and talk to them about concerns.
“Customers need to be aware that just because they sign up with an MSSP doesn’t mean they can let their guard down. They are still a target. The only difference is that with an MSSP, the response to an attack is much better than what they could normally do.”
One of the most important services an MSSP can provide is a set of tests to look for holes in an organisation’s cyber security defences. One of the techniques to do this is a red teaming exercise, in which a service provider hires hackers who try to breach the defences. While the red team attacks, a blue team protects and responds. Then the two teams work together to discuss the results. The mixed team is referred to as the purple team – a mixture of the red and blue teams.
“Performing these kinds of tests is an ongoing part of a mature response operation,” said Solling.