All eyes are on cybersecurity, with news headlines dominated by the recent compromise of widely used technology products and by several high-profile ransomware attacks on health infrastructure and services.
However, five new attack techniques have emerged as the most dangerous in the current IT climate, and your organization must act now to protect itself from these threats, according to a group of cybersecurity experts at the RSA 2021 conference last week.
Software supply chain compromises
One of the most sophisticated cyberattacks in history was carried out last year by Russian actors who compromised SolarWinds’ widely used IT management software, endangering tens of thousands of organizations.
According to Ed Skoudis, a cybersecurity expert, founder of Counter Hack and a director and member of the cybersecurity training organization SANS Institute, software development is generally driven by speed and by shipping features as quickly as possible.
“They are not focused on trust and cybersecurity,” he said during the virtual conference. “This is a pretty deep problem, because it makes me think of Zero Trust architectures.”
While the Zero Trust concept helps ensure that every user, every system and every device must be authenticated, validated and authorized before accessing an organization’s network, it is still implemented through software. If that software is updated through mechanisms that do not verify its integrity, that could be a big problem, says Skoudis.
Essentially, Zero Trust only works if it also applies to the software you use to manage and protect your environments.
“We have now seen several attacks, based on this last year, and I think we will see a lot of attacks in the coming years,” Skoudis says.
It has also been shown that it is possible to exploit vulnerabilities in, or inject malware into, open source projects. One security researcher was even able to get code into Apple’s and Microsoft’s software development environments.
To help defend against such attacks, Skoudis recommends:
- Keep a good inventory of your software so you know where a potential compromise could come from.
- Request a Software Bill of Materials (SBOM) to find out exactly what the software you are purchasing and using contains.
- Implement file integrity monitoring and threat hunting, or contract an external provider to do so.
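The file integrity monitoring Skoudis recommends is essentially a hash baseline that is re-checked after every update. The example below is added here to show that check in working form; it is not code from the article or from SANS, and the directory layout, file names and helper names are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Hypothetical file integrity monitor (not from the article): a baseline maps each
# relative path under a directory to its SHA-256 digest, and later snapshots are
# diffed against it to surface files that changed, appeared or vanished.

def hash_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Hash every regular file below root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def diff_baseline(old, new):
    """Compare two snapshots; an empty report means nothing changed on disk."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

def demo():
    """Constructed scenario: baseline a fake install directory, then alter it the way
    a tampered update would, and return the integrity report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "agent.dll"), "wb") as fh:
            fh.write(b"original build")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("mode=prod\n")
        baseline = snapshot(root)  # taken while the install is known-good
        with open(os.path.join(root, "bin", "agent.dll"), "wb") as fh:
            fh.write(b"altered build")       # binary replaced in place
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as fh:
            fh.write(b"unexpected file")     # file dropped in
        os.remove(os.path.join(root, "config.ini"))  # file deleted
        return diff_baseline(baseline, snapshot(root))
```

In practice the baseline is stored off-host (or signed) so that whoever alters the files cannot also rewrite the record they are checked against.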
Improper session management
With the massive shift toward remote work (and now hybrid work), access to resources from anywhere on a myriad of devices offers many opportunities for cybercriminals, says Heather Mahalik, DFIR curriculum manager at SANS Institute and director of digital intelligence at Cellebrite.
Now, IT security professionals need to consider how to protect these mobile apps, how much we trust them, and whether they are even secure.
“When we think of permissions: fewer permissions required by your work environment, it’s dangerous,” says Mahalik.
Meanwhile, single sign-on is only safe in the hands of a responsible user who practices good cybersecurity and cyber hygiene. Even when paired with multifactor authentication, attackers can be persistent enough to compromise these devices or trick users into handing over the code.
“Honestly, it’s at the mercy of this unique control,” Mahalik says. “It’s okay, as long as you’re a responsible employee and control and manage these sessions properly. … What if an attacker has my device?”
As with software compromises, these applications are released with speed prioritized over security, and some may contain known vulnerabilities.
“All these token generators: they want to be the one-stop shop,” says Mahalik. “They want you to use them and you should. The problem is that you just have to verify and make sure that the cryptography is not broken. This is our responsibility, and it is the responsibility of our employers to ensure that adequate quality assurance is guaranteed and measured in what we truly rely on daily to access the most confidential and valuable information about our work.”
To mitigate such attacks, Mahalik suggests:
- Keep your session secure by always logging out
- Use sessions that expire or kick users off the network
- Be responsible with single sign-on
- Confirm that applications are secure
- Check the permissions of what you are installing
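Two of those points, sessions that expire and logging out, come down to how the server tracks a session. The store below is an added example, not code from the article or from any vendor Mahalik mentions; it assumes a hypothetical in-memory store with an idle timeout that slides on use, an absolute lifetime that does not, and a logout that invalidates the token server-side, and it is driven by a fake clock so the expiry rules can be seen without waiting.

```python
import secrets
import time
# Hypothetical in-memory session store (not from the article): an idle timeout that
# slides on use, an absolute lifetime that never slides, and server-side logout.
IDLE_TIMEOUT = 15 * 60        # seconds since last activity
ABSOLUTE_LIFETIME = 8 * 3600  # seconds since login, regardless of activity

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry can be tested offline
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session, else None; stale sessions are purged."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if (now - session["created"] > ABSOLUTE_LIFETIME
                or now - session["last_seen"] > IDLE_TIMEOUT):
            del self._sessions[token]
            return None
        session["last_seen"] = now  # slide the idle window, never the absolute one
        return session["user"]

    def logout(self, token):
        """Explicit logout: the token is dead even if the client still holds it."""
        return self._sessions.pop(token, None) is not None

def demo():
    """Constructed timeline on a fake clock; returns each validate() outcome in order."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    tok = store.login("alice")
    outcomes = [store.validate(tok)]      # fresh login: "alice"
    now[0] += 10 * 60
    outcomes.append(store.validate(tok))  # 10 min idle: still "alice"
    now[0] += 20 * 60
    outcomes.append(store.validate(tok))  # 20 min idle: None, session purged
    tok = store.login("alice")
    for _ in range(49):                   # kept active every 10 min for 490 min
        now[0] += 10 * 60
        last = store.validate(tok)
    outcomes.append(last)                 # absolute lifetime (480 min) exceeded: None
    return outcomes
```

Without the absolute lifetime, a device that keeps polling in the background keeps the session alive indefinitely, which is exactly the "what if an attacker has my device" case.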
Ransomware is becoming more sophisticated
While ransomware is not a new concept by any stretch of the imagination, attacks no longer simply hold data hostage in exchange for a hefty ransom.
Now they use the threat of leaking that data to extort their victims, says Katie Nickels, a certified SANS instructor and director of intelligence. This trend started in late 2019 with the Maze ransomware group and has gained momentum since.
“So many different groups have realized, ‘Hey, this extortion works,’” Nickels says, adding that more than 70% of ransomware cases in the fourth quarter of 2020 involved some form of exfiltration and extortion.
In the typical ransomware attack chain, initial access, reconnaissance and lateral movement may be easy to spot, but cybercriminals then use legitimate file-sharing tools. That too can be easy to spot, but by then it may be too late.
This exfiltration usually occurs before the last encryption phase, and once it happens, the files and systems are encrypted and users can do nothing about it.
In addition, ransomware operators have been found to leak data even after an organization pays a ransom to decrypt it.
“So it’s so important for people to realize that this is a trend among adversaries, because you can take advantage of the decision knowing how to expect the unexpected,” Nickels says. “And, of course, that there is no honor among thieves.”
To increase protection against ransomware, Nickels suggests:
- Prevention means not only offline backups but also other preventive measures, such as blocking file-sharing tools that aren’t needed on your network.
- Invest in proper detection. You cannot rely on the encryption and the ransom note to realize that you have been hit by ransomware.
- Assume exfiltration is possible and that you will never get your data back.
Machine learning and AI
Current cybersecurity software leverages machine learning and artificial intelligence to detect threats; it is constantly updated with new malware strains and tested against those samples so that it can detect a threat automatically.
However, these same concepts could be used to defeat cybersecurity software, says Johannes Ullrich, dean of research at the SANS Technology Institute.
While there is no evidence that cybercriminals are using machine learning to commit cybercrime, it is possible to poison the samples these programs use to train their models.
Ullrich gave the example of an attacker developing malware delivered through Office macros; the organization’s malware detection solution would then be trained to detect that type of malware. But at the same time, the attacker is developing malware to attack perimeter devices, which goes undetected.