CRIMSON

Background info

Yep, cybersecurity's moving at warp speed! It's kind of weird seeing some companies stick to their old value proposition around the classic pillars while clients' needs have changed. I might be on the other edge; I'm all about embracing new challenges and shake-ups. So, forget about the latest craze (nope, this article is not about AI) – let's chat about the OG hype: Crypto!

If you think crypto's gone stale, think again! Fortunately, those days when business people assumed the blockchain could solve every problem are long gone. Sure, it's still kicking with the whole Web 3.0 vibe, especially in gaming, but amongst the most successful use cases the winner is "finance". Crypto finance and DeFi are still raking in billions and are seriously considered as an alternative investment, especially in these geopolitically dicey times. Crypto's not just a phase, folks. As the banking industry adapts and embraces crypto finance, and regulators step in to secure the business, crypto is here to stay.

Need a more reliable take than mine? Check out AIMA (The Alternative Investment Management Association). I stumbled upon their Digital Asset Custody Industry Guide, penned by one of my colleagues – pretty cool, right? I read (data from 2021):

“40% of nearly 300 clients interviewed by Goldman Sachs declared that they currently have exposure in some form to cryptocurrencies, with 61% expecting their holdings to increase over the next 12 months. 21% of hedge funds are currently investing in digital assets with 26% of hedge fund managers, who are not yet investing, confirming that they are in late-stage planning to invest or looking to invest.”

Decentralised finance and crypto finance are seriously complex stuff! Wrap your head around the ecosystem and the players in this space, and you might need some time. Bottom line, it all boils down to one thing: digital assets.

Now, here's the deal: If I can get my hands on the private key of a wallet, the connected assets are practically mine; I can sign transactions and do whatever I want. In general, this is valid for all crypto-based applications: keys are the 'holy grail'.

While keeping the 'holy grail' safe from hackers is a technical problem, the entire Custody business, which can sit with your provider or banking entity, be externalised somewhere else, or even be run by yourself, entails a business and process complexity that is not negligible.

But let’s stay technical.

I've been fortunate enough to dive into this industry through cyber security assessments, and based on my experience, I'll attempt to offer a Threat and Exposure Management-inspired approach to tackling security for Custody solutions in this write-up.

At the end of the day, it's all about business as usual: to be on top of your game in today's cyber realm, you've got to know what threats you're up against and fully grasp the problem at hand.

The problem

So, AIMA lays out a set of considerations and requirements for what a Custodian should bring to the table. Amongst others: asset safekeeping, cyber security, insurance, accessibility – they're all on the list. But here's the kicker: it's basically a high-segregation use case. You can't just stash those assets in a vault (or HSM) attached to corporate networks that hackers can waltz into.

That's where AIMA talks about "cold storage" or "air-gapped storage". Sure, a custodian could tuck those keys away in an underground bunker with armed guards at the door, but what about accessibility? I see a snag when it comes to getting hold of those keys quickly enough to process a transaction.

The solution

Custodians are rolling out some seriously impressive tech – warm-gapped, or walled, systems to be exact. Now, when I say "warm," I mean there's no network connection (that's the air-gap part), but there must still be some kind of secure communication method in play.

Warm-gaps aren't totally isolated, so keeping that communication channel secure is crucial. Let's break down the potential threats if a hacker manages to breach the connected edge of the air-gap:

  • Exploiting the communication system to nab keys or sign transactions, essentially abusing system functions and crafting bogus messages.
  • Tampering with traffic to the air-gap.
  • Sneaking backdoors into the edge systems to mount additional attacks.
  • Leaking data from the gapped systems.
  • Messing with communication protocols or injecting payloads to try and exploit those gapped systems remotely.

That's why any warm air-gap solution needs to stick to super high security standards and tackle those threats head-on (not just brush them off with mitigation). And ultimately, it all comes down to risk-oriented considerations.
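To make the "bogus messages / tampered traffic / injected payloads" threats concrete, here is an added example (not from the article or any custodian's product) of the receive-side checks a warm-gap channel could apply to every inbound signing request: a size cap, a strict schema, an HMAC over a canonical encoding, and a monotonic counter against replay. The JSON envelope, the `sign_transfer` operation and the pre-shared key are constructed assumptions for the demo.

```python
import hmac
import hashlib
import json

MAX_ENVELOPE_BYTES = 4096          # reject oversized blobs before parsing them
ALLOWED_FIELDS = {"counter", "op", "to", "amount", "mac"}
ALLOWED_OPS = {"sign_transfer"}    # assumed: the only function exposed across the gap

def canonical(msg: dict) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def build_request(key: bytes, counter: int, op: str, to: str, amount: int) -> bytes:
    """Connected-edge side: wrap a request and authenticate it with the shared key."""
    body = {"counter": counter, "op": op, "to": to, "amount": amount}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return canonical({**body, "mac": mac})

def verify_request(key: bytes, raw: bytes, last_counter: int):
    """Gapped side: accept only well-formed, authenticated, fresh requests.
    Returns (accepted, reason, new_last_counter); the reason is meant for logging."""
    if len(raw) > MAX_ENVELOPE_BYTES:
        return False, "oversized", last_counter
    try:
        env = json.loads(raw)
    except ValueError:
        return False, "malformed json", last_counter
    # Exact field set: extra or missing keys are treated as an injected payload.
    if not isinstance(env, dict) or set(env) != ALLOWED_FIELDS:
        return False, "unexpected schema", last_counter
    # type(...) is int deliberately excludes bool, which isinstance would accept.
    if not (type(env["counter"]) is int and type(env["amount"]) is int
            and isinstance(env["op"], str) and isinstance(env["to"], str)
            and isinstance(env["mac"], str)):
        return False, "bad field types", last_counter
    if env["op"] not in ALLOWED_OPS:
        return False, "operation not allowed", last_counter
    # Authenticate before anything else is acted upon (constant-time compare).
    body = {k: v for k, v in env.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["mac"]):
        return False, "bad mac", last_counter
    # Strictly increasing counter: a captured envelope cannot be played back.
    if env["counter"] <= last_counter:
        return False, "replay", last_counter
    return True, "ok", env["counter"]
```

In a real deployment the MAC key would live in the gapped device's HSM and the rejected reasons would feed the threat-detection pipeline discussed later in the post.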

Assessing the risk of an air-gap solution requires a comprehensive approach: a solid methodology, specialised skills, reviews of design and crypto, checks on software and development processes, and of course, thorough testing through static and dynamic assessments (that's where a team of pentesters swoops in).

Attack Surface and Risk Management considerations

A Custodian runs its business just like any other, with IT support. But here's the twist – we shouldn’t tackle the typical corporate attack surface here. The air-gap solution is designed to keep its distance from classic corporate assets and be resilient to any shenanigans happening in the corporate environment, hopefully including a compromise of the IT side of the network.

Now, let's dive into the nitty-gritty. For the Custodians, we're expanding on the classic 3-pillars Attack Surface model with some air-gap-specific aspects:

  • External - This covers the exposure of Custody's services that are accessible from the big bad internet.
  • Internal - This focuses on the attack surface exposed by internal systems.
  • Identity - Now, this is a big one. It's all about the attack surface of identity and authentication systems, with a keen eye on the holy grail of business identity providers: Microsoft Active Directory.
  • Air-gap: Here's the new kid on the block. We're talking about the attack surface of all the components in the air-gap solution (pre-gap) – think software, hardware, the air-gap media itself, and the security of the messaging system.

Now, why does this matter? Well, by using the attack surface as a way to aggregate risks and throwing in specific threat use cases tailored to the Custody business, we can tease out risk indicators to guide further assessment. And hey, it's not just for technical hardening – it's a handy tool to help clients navigate the risks and even get the lowdown on the insurance risk model.

How to deal with the security bigger picture

Gartner's Continuous Threat and Exposure Management (CTEM) offers a solid foundation for tackling the issue, starting with scoping and uncovering the attack surface. The deal? Don't just stop at mere discovery, even though it's crucial for classifying and prioritising the Tools, Techniques and Procedures (TTPs) relevant to the custody business.

We're all about taking it up a notch – let's "enrich" that data and step up our security game. We want to supercharge Threat Detection to sniff out potential attacks specific to our setup, and ensure our Incident Response plan is fully equipped to handle air-gap and custody attack investigations and response; perhaps this is where to bother with Security as Code and Response as Code, in the AI world of fancy automated processes?

Taking a threat-informed approach adds another layer of validation to the process. We're talking about putting those countermeasures through their paces with thorough "specialised" pentesting (please no generalist Nessus scans). And once we've gathered all that intel, alongside design reviews, it's time to roll up our sleeves and get to work on treatment and optimization. That means mobilizing to fix up any weaknesses we've uncovered along the way.

[Figure: Gartner's CTEM cycle]

Basically, we're diving deep into the world of threat-informed security, custom-tailored for crypto custodians - hey MITRE Engenuity, you could extend this :) with a meaningful new domain.

Here's the game plan using a CTEM approach:

  • Discovery: Let's map out all the threats and attack paths across those 4 pillars we talked about earlier.
  • Prioritization: Time to sort through those attack techniques (TTPs) and beef up our security game, from security operations to incident response.
  • Validation: We're not just guessing here – let's put those specific scenarios through the wringer with validation exercises, pentesting, and some good purple teaming.
  • Mobilization: Armed with threat-inspired insights, it's time to roll out a plan to patch up any weak spots and treat those risks.

Oh, and one more thing: This isn't a one-and-done deal. It's all about cycling through this process continuously, keeping our security game tight as we go.
