At a time when organizations face a long list of cybersecurity problems, which ones should they prioritize? The answer is not simply to assess specific threats (tactics, techniques, and procedures) but to understand the deeper problems that make attacks more dangerous. Here, recent history is the most instructive guide.
Ransomware vs the world
Fewer people these days dismiss ransomware attack stories as media hyperbole or vendor FUD, and rightly so: nothing could be further from the truth. In the last five years, ransomware has turned from what seemed a straightforward IT challenge, solvable with more investment, into an economic crisis with the potential to undermine whole companies and sectors.
And yet almost every ransomware attack exploits the same small clutch of basic weaknesses: deficient email filtering, naïve employee behavior, unpatched or unmonitored endpoints, weak credential management, missing or weak authentication, poor network segmentation, and VPN and RDP services exposed to the internet. Countering ransomware therefore requires organizations to monitor their infrastructure in a layered way, starting with endpoint detection and response (EDR) or managed detection and response (MDR).
But simply detecting threats is no longer enough. Organizations and the security firms that support them must also be able to respond immediately, which today demands integrated EDR/MDR platforms. The struggle is doing all this without overloading defenders with false alerts, hence the growing use of automation and remote security operations centers (SOCs).
The fragile supply chain
The 2020 SolarWinds incident marked the moment supply chain security stopped being a theoretical worry. Supply chain attacks had happened before, but SolarWinds underscored how the compromise of a single, widely used software supplier could affect thousands of downstream victims. Since then, further examples have emerged, including the Codecov code coverage tool, Accellion's File Transfer Appliance (FTA) (see below), and Kaseya's VSA remote management system.
There is no simple technological fix for supply chain insecurity, but organizations are not powerless. One option is to commission an independent assessment of each supplier's security risk. Another is to demand assurance by asking partners to share the results of their own penetration tests.
Digital risk protection (DRP)
The digital attack surface is the risk many organizations don't realize they have. Some of these risks are old school: typosquatting, phishing attacks against customers, and counterfeit products. Others are more recent inventions: organized disinformation campaigns, mass account hijacking, deepfakes, and threats to leak stolen IP and data.
Digital threats are hard to detect until damage has been done, and even once detected they can be complex and expensive to manage, with a takedown workflow (contacting hosting providers, domain registrars, the police) that is slow and labor-intensive. The answer is to invest in a comprehensive DRP platform, usually offered as a service, which brings the different DRP tasks into a single system and adds intelligence feeds so that threats such as look-alike domains can be spotted early.
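Typosquatting is the most mechanical of the digital risks above, and the one a DRP feed catches first. As an added illustration (not code from the original article or from any DRP vendor), the Python below generates the classic typosquat permutations of a brand domain and matches them against a feed of newly registered domains. The feed, the swap TLD list and the homoglyph table are constructed assumptions for the example; a real service would pull registrations from zone files or registrar feeds.

```python
# Added example: typosquat candidate generation and matching against a
# (constructed) feed of newly registered domains. Not vendor code.


def typosquat_candidates(domain: str) -> dict[str, str]:
    """Map each plausible typosquat of `domain` to the technique that produces it.

    Covers the manipulations DRP services look for: character omission,
    adjacent transposition, character repetition, look-alike (homoglyph)
    substitution and TLD swaps.
    """
    label, _, tld = domain.lower().partition(".")
    # Assumed lists: a few swap TLDs and common look-alike substitutions.
    alt_tlds = ("com", "net", "org", "co", "io")
    homoglyphs = {"o": "0", "l": "1", "i": "l", "e": "3",
                  "a": "4", "s": "5", "m": "rn", "rn": "m"}

    variants: dict[str, str] = {}

    def add(label_variant: str, technique: str) -> None:
        # First technique to produce a variant wins; skip the real label.
        if label_variant and label_variant != label:
            variants.setdefault(f"{label_variant}.{tld}", technique)

    for i in range(len(label)):                      # drop one character
        add(label[:i] + label[i + 1:], "omission")
    for i in range(len(label) - 1):                  # swap adjacent characters
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(len(label)):                      # double one character
        add(label[:i] + label[i] + label[i:], "repetition")
    for src, dst in homoglyphs.items():              # look-alike substitution
        if src in label:
            add(label.replace(src, dst, 1), "homoglyph")
    for t in alt_tlds:                               # same label, other TLD
        if t != tld:
            variants.setdefault(f"{label}.{t}", "tld-swap")
    return variants


def find_typosquats(domain: str, feed: list[str]) -> dict[str, str]:
    """Return the feed entries that are typosquats of `domain`, with the technique."""
    candidates = typosquat_candidates(domain)
    hits = {}
    for registered in sorted(d.strip().lower() for d in feed):
        if registered in candidates:
            hits[registered] = candidates[registered]
    return hits


# Constructed sample feed standing in for a day's new registrations.
NEW_REGISTRATIONS = [
    "examp1e.com",        # l -> 1
    "exmaple.com",        # transposed "am"
    "exampel.com",        # transposed "le"
    "example.co",         # TLD swap
    "exampl.com",         # dropped final e
    "unrelated-shop.net", # noise
    "exampleshop.com",    # not a mutation this generator produces
]

if __name__ == "__main__":
    for hit, technique in find_typosquats("example.com", NEW_REGISTRATIONS).items():
        print(f"{hit:20} {technique}")
```

Each hit carries the technique that produced it, which is what the takedown request to a registrar needs to cite. Variants such as "exampleshop.com" are deliberately outside this generator: combosquats need a separate keyword list, and that is the part a DRP feed adds over a home-grown script.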
Nation state espionage
Incidents attributed to nation states have risen year after year for a decade or more, yet the issue is still seen as something that affects only larger organizations. As regular reports of nation state attacks on supply chains make clear, this is no longer true. As security has improved at traditional targets, nation state actors have turned their fire on supply chain partners as a way of getting behind defenses by the back door.
Over time, nation state attacks have shifted from targeting mainly large organizations to any company of economic significance. There is no single defense against this class of attack, but two approaches help: penetration testing and threat intelligence. The first helps organizations find the less obvious vulnerabilities attackers look for, while threat intelligence is now essential for keeping abreast of the targeting and modus operandi of specific threat groups.
Rising costs $$
Cybersecurity has never been cheap, but the evidence shows costs rising in several ways. Some are direct, such as ransomware extortion demands, which now start in the tens of thousands of dollars, with a knock-on effect on cyber insurance premiums. Mitigation, cleanup, reputation repair, and prevention push the bill up another notch, as does the cost of the specialist skills needed for the cleanup.
One way to contain costs is to buy these capabilities as a service through managed detection and response (MDR). This model has the added benefit of moving spending from capex to opex, which makes it easier to plan and justify financially.
Legacy technology
In a perfect world, organizations would retire older equipment and software when it reaches a pre-defined age. Unfortunately, this rarely happens and in some cases can't happen. The fundamental driver is the pace of hardware and software development, which now exceeds organizations' ability to migrate to new products. If a system is doing its job, it is likely to be left alone for as long as possible.
A common problem is that organizations don't always know how much legacy equipment they have in the first place. A recent example is the zero-day vulnerabilities exploited by threat groups targeting Accellion's FTA, a file transfer product roughly 20 years old. Should companies still have been using a product that old? Arguably not. Belatedly, Accellion declared FTA 'end of life'.
Penetration testing is a useful way of identifying which equipment falls into the legacy category, allowing organizations to put in place mitigations or incremental upgrades that reduce the associated risk. It is hard to believe that a competent penetration test would not have flagged products dating back two decades as a major risk. What matters is that organizations understand where their weaknesses lie, even if that brings forward a difficult migration decision.