December 22, 2020 | 11 minute read
2020 kicked off with a bang, literally, as General Soleimani was killed less than a week into the year. This had immediate repercussions with simple website defacements by minor actors ideologically aligned with Iran and concerns of cyber escalations.
That was eclipsed rapidly by forest fires, COVID-19, global Black Lives Matter protests and more. As the world went from working in offices with some remote employees, to complete work-from-home, the attackers surged with the same tools as ever: DDoS, Phishing, Ransomware and the usual suspects.
At Cybereason, we showed our hundreds of customers what “elastic security” meant by quickly extending our services to secure the remote workforce. We also introduced new mobile device security and XDR functionality.
For defenders, it was 2000 all over again as basic connectivity issues loomed large, helpdesk tickets with password and VPN issues roared back to the top of the issues lists, and productivity plummeted and then roared back with hopes of a “new normal.”
In the security world, we had a seat as existential issues were discussed for many companies: confidentiality, integrity and availability were heard in more (virtual) boardrooms more often than they had been in years.
For some, this was a chance for closing the gaps between security and business and a new relationship emerged. For others, it was just a brief spate of attention as defenders learned how to work again arm-in-arm with IT to ensure service and to baseline the new normal.
The attackers have not been idle. Right away, mobile threats resurfaced as COVID-19 formed a new watering hole for everyone. It became the irresistible clickbait, and everything from smishing to a fake WHO app and the insidious EventBot entered the scene. For years we have seen the progression toward more and more fileless malware, and the almost retrograde motion of ransomware. Where advanced attackers have been the stealthy infiltrators, ransomware was a mugging and a punch in the mouth.
Now we see the emergence of RansomOps, the convergence of slow, patient, malicious operations with the power of well-crafted and mature ransomware in the payload. The crosshairs fell squarely on those most needing to pay: healthcare, critical infrastructure, cities struggling to maintain services, and even alcohol distribution companies.
2020 became a four-letter word in itself and the subject of many memes. However, we did mobilize the largest remote workforce...ever. We have catalyzed how we do business and even managed to burn fewer fossil fuels. With a change in administrations in the United States, the question now is what will 2021 hold for us all in a globalized, connected and perhaps new-normal world?
Here are a few likely moves from the cyber adversaries in 2021 and where the risk lies.
A major change in the world due to COVID-19 has been a swift and encompassing move to working from home.
This change brought many challenges to IT departments, and with those challenges many opportunities that hackers like to exploit.
We can expect more of the same in 2021 as remote working continues and enterprises permanently downsize their physical space and give employees the flexibility to continue working from home.
The home environment has always been cause for concern for many in the security industry. Home equipment is often unpatched, unmanaged and exploited with no one ever becoming aware.
Home routers are notoriously vulnerable and many routers remain unpatched and in some cases - unpatchable as vulnerabilities aren’t always fixed for older equipment.
Coupled with a challenging home environment, where devices are often shared with family members, the speed of the change meant there was little time to prepare. That gap has been exploited widely by hackers leveraging phishing attacks and known exploits to penetrate the remote environment and maintain their hold on it.
Organizations that were slow to adapt to the shift away from the office, relying on a perimeter-protection approach, remain particularly vulnerable to the move to a remote workforce. Many organizations still have not had the time to prepare and upgrade their environments to deal with the new reality.
The positive of all of this is that we’re seeing progress in the adoption of zero trust and a fundamental change in the way IT is viewing cloud workloads, and remote monitoring of devices. There’s an understanding that working from home is here to stay - and this understanding encouraged and accelerated a paradigm shift in IT management and security operations.
Many devices that live on the home network, like printers, routers and newer IoT devices with poor security, present perfect opportunities for hackers to gain a permanent foothold in the local home environment. When threats make their way through emerging vulnerabilities such as Zerologon to take over unpatched corporate networks, they can spread back into the home environment and gain a hold there as well.
The risk of cross-infection between environments pushes us to accelerate the adoption of endpoint-based protections that increase what you know and see in every environment. Hackers have had to adapt quickly as well: those targeting enterprises now look more at home environments as a lucrative entry point. They too needed time to adapt, and they are adapting fast.
2021 can be a transformational year for global cyber-security. Defenders and attackers now live on the same battleground, whereas before many considered the internal organizational network fundamentally secure; that illusion no longer holds. This shift is a positive development because it promotes a healthier, safer understanding of the true battleground, as well as a healthier and more secure home environment.
Virtual private networks, or VPNs, are the lifeline for many businesses, extending encrypted networks to our homes. To minimize risk, it’s critical to have endpoint integrity checking and strong authentication in place once the VPN is active.
Once the VPN is secured, turn your attention to mobile, which is the most pervasive and ubiquitous platform in our personal lives. Employees who have to learn new devices and applications will turn to their phones even more than usual because they feel familiar. Most companies have established policies defining what can and can’t be done with mobile phones; set these policies if you don't already have them. Get ahead of mobile threats before dealing with other devices.
Next, educate your employees on how information can be weaponized. With COVID-19 vaccines becoming available soon, hackers will continue to take advantage of human weaknesses. For example, in March and April, when much of North America went into lockdown, hackers developed a malicious mobile application posing as a legitimate one developed by the World Health Organization. A vulnerable person could easily mistake this malicious app for a real WHO app. Expect hackers to create new scams and new fraudulent apps to trick people into opening them.
Lastly, physical location of employees will continue to matter in 2021. Between routers, printers, foreign machines, devices, gaming consoles and home automation, the average home has a more complex and diverse communication and processing system than some small companies.
Employees might be taking conference calls within earshot of family members or even employees of other companies. Nothing should be taken for granted when it comes to the privacy of employee homes.
Should employees have cameras on or off for meetings? Should they wear earphones? Should they take notes on paper or digital applications? What communications applications are acceptable? What happens when others intrude, see notes or overhear discussions? These questions might seem trivial, but you need to continue to address them up front. Above all, listen and adapt when things aren't working.
Small and medium-sized enterprises (SMBs) are very often ‘victims of opportunity’: untargeted attack campaigns that happen to include enterprise assets like email addresses or IP addresses.
A vulnerable enterprise security perimeter often leads to a breach that can escalate into business impact, such as ransomware or denial of service.
SMBs are often targeted by cyber criminals for the value of the data or services that they provide (e.g. credit card information), when attackers assume that the value of the compromised data will justify the effort in breaching what appears to be an inadequately protected target (“low value for a low effort”).
SMBs that offer managed or professional services for larger organizations are often ‘staging targets’ - they are targeted to serve as a jump off point to provide the attacker with access to their customers’ data or into their customers’ systems.
For SMBs, the biggest security risks in 2021 will involve:
- Mobile Devices
- Accelerated Cloud Services Adoptions
- Increases in attacks on Managed/Professional Service Providers
Mobile technologies, bring your own device, and remote work challenge businesses by amplifying risk and require a re-thinking of security architecture and technology. Business executives and network operations personnel will represent higher risk, since their access to business-critical systems is not commonly restricted by the same higher degree of protections and limits that is imposed on other employees.
Mitigation: Adoption of endpoint and mobile endpoint management and protection and response (EPP) solutions will expand in medium and small enterprises, with many enterprises consuming this capability through managed security service providers. Enterprises that are at higher risk due to the type of data they process or services they deliver will likely increase their adoption of managed detection and response (MDR) services to further reduce risk from advanced threats.
Accelerated adoption of cloud services to host systems and data will amplify the risk of data breaches and service disruptions in poorly managed enterprise cloud environments. The COVID-19 crisis has accelerated digital transformation initiatives and cloud adoption, and we’ll see continued acceleration in 2021, but most small and medium enterprises still lack the security controls, processes and skill set to ensure visibility into their cloud assets and adequately secure their cloud footprint.
Mitigation: SMBs will seek to increase the maturity of their security program around cloud asset protection, which will include a higher focus on authentication and access controls, cloud native configuration management and vulnerability management. Also, the growing number of security controls and tools in the medium to small enterprise environment and the challenge to manually orchestrate protection, detection and response processes will require medium and small enterprises to better leverage XDR analytics technologies to more easily and efficiently orchestrate and manage security events and incidents across the security stack.
Managed and professional services providers are going to be increasingly targeted because of the type of data they process, services they deliver or systems that they have access to.
Mitigation: Mitigating this risk will involve faster adoption of endpoint and mobile endpoint management and protection and response (EPP) solutions in SMB managed service providers’ networks, with many enterprises consuming this capability through specialized security service providers. Managed service providers or professional service providers that are at higher risk due to the type of data they process, services they deliver or systems that they have access to will likely increase their adoption of managed detection and response (MDR) services to further reduce the risk of advanced threats propagating from their networks into their customers’ environments or impacting their customers’ data.
In 2020, Cybereason continued to see fewer strains of ransomware in total across networks, yet the existing strains raked in more gains. Hackers do this by better targeting and making more money from each target. In 2021, we can expect to see an increase in multistage ransomware embedded into hacking operations.
Hospitals, banks and critical infrastructure providers were at higher risk but many industries faced this threat. Only after hackers place ransomware on every computer in the network and then complete other stages of the attack, including data theft, user password stealing and propagation across the network, will they detonate the ransomware across all compromised endpoints.
The good news, however, is that defenders with a rapid detection and response process that catches the attack at its early stages can respond effectively before the ransomware is able to impact the environment.
To do this, first and foremost, enterprises need to minimize the amount of time it takes to respond to threats. This is best achieved by deploying threat hunting services around the clock.
In addition, resilience and security can no longer be an afterthought. It is very important for next-generation networks to be built with resiliency and security in mind. The design and ongoing operation of the system must take into consideration what security threats will become commonplace in the months and years ahead.
In addition, enterprises should partner with the experts that have vast knowledge of cyber threats with the public and private sectors working closely together to protect the networks of our banks, hospitals, oil & gas companies, aviation industry and other critical infrastructure.
And finally, test, test, test. Tabletop exercises that let a red and blue team role-play different scenarios and the real-time response to those scenarios are critical preparation for when enterprises actually have to deal with a threat in real time. Never underestimate the value of tabletop exercises in shoring up weakened defenses and helping executives understand the importance of security.
We are in a new world where recent surveys estimate that in 2021 nearly half of employers intend to allow employees to remotely work from home on a permanent basis. This means employees need anywhere, anytime access while at the same time the quantity and complexity of the cyber attacks we face have ramped up.
Does your enterprise deploy the technologies to stop correlated attacks across all users, devices and endpoints in your network? If you answered no, 2021 could be a rough-and-tumble year. XDR should allow organizations to readily detect, correlate, and end sophisticated attacks wherever they start on the network. By fusing endpoint telemetry with behavioral analytics for XDR, security teams can protect users and assets wherever they are in the world.
Finding the right XDR solution doesn’t have to be a painful process if you understand what the solution should look like. First, security begins with knowing what to protect. An XDR solution should empower analysts of all skill levels to quickly dig into the details of an attack without the need to craft complicated queries. XDR is intended to extend traditional detection and response capabilities from the endpoint out to critical SaaS services, email, and cloud infrastructure.
XDR solutions should also deliver superior visibility and enhanced correlations across both Indicators of Compromise (IOCs) and key Indicators of Behavior (IOBs), the more subtle signs of network compromise. XDR detections also need to identify suspicious user access and insider threats.
And last but not least, XDR solutions should make it simple for analysts to understand the full attack story immediately, and remediation actions such as kill process, quarantine asset and remote shell should be automated or accomplished remotely with a simple click. A solution should also offer automation options for immediate remediation of threats and continuous threat hunting.
XDR is a promising approach that can reverse the attacker advantage and return the high ground to the defenders by extending detection and response capabilities across the broader IT ecosystem that makes up modern enterprise environments. This unified detection and response capability can automatically surface Malops across the entire IT stack including endpoint, network and cloud deployments.
Another year and another lament for the security gap. It seems to keep growing in spite of producing more cyber graduates than ever before. It doesn’t have to be this way.
We can do more to bring in new talent from new sources. This starts with continuing trends in diversity that have only really just started: we need more women, more transgender, more neurodiverse, more everything.
We want the most talented people, and we need to make sure that wherever they are, whatever their backgrounds, that they have a chance to join us.
We can also do more to advance the state of the art, to improve curricula and to consciously encourage others to try. We can and should do this morally, but it’s also a competitive advantage. The adversary is diverse, so why aren’t we? In diversity lies flexibility, options, perspectives.
The key to winning will be for everyone to get a shot at cyber if that’s what they want to do or might want to do. In a sense, we have to get more Agile at doing the right thing. For years, we’ve advocated getting more Agile in how we do security. Now we have to get more Agile in how we adapt and move forward.
Why not retrospectives on how it’s going? Why not sprints on diversity? If we burn down tech debt and now security debt, why don’t we burn down that talent gap in the same manner? Let’s do that in 2021!
We banned IoT from the Enterprise. Who knew that the Enterprise would come to IoT! The new Enterprise address space is consumer ISPs, and the bad guys know it. 2021 will contain a resurfacing of old exploits that target out-of-date printers and routers, and a repurposing of DLP techniques for the dark purpose of exploring the world around compromised endpoints and bots. Worst of all, the ubiquity of IoT, starting with poorly protected home automation, will begin to be exploited.
The dark side has not been idle and can use commodity voice-to-text capacity to compromise IP stacks in homes to mine for intelligence and spy with the very best cameras, microphones, storage and access. The time is now for someone to create a new business to bring IT-level support, maintenance, security and maybe even privacy services to the home.
If enterprises will pay tens of thousands for employees to sit in an office, will they perhaps subsidize and protect employee homes one day through outsourced contracts at a fraction of the cost to keep us all safe and productive?
2021 will be about ‘work from anywhere’ and it is very much a moving target for security and privacy professionals. We must understand the adversary is moving into a new normal as well. They may not yet have found ways to exploit all weaknesses or even any given weakness. They too are pursuing the lowest hanging fruit while investing in some longer term R&D as they continue to develop new attacks specifically for the home environment.
Threat actors may be purchasing tools from cybercriminals, mining existing botnets to see what IP is on those already-compromised machines or targeting home automation, printers and routers after triangulating IP addresses and digital locations for targets. In the year ahead, targeting new dimensions of technical diversity and innovating to develop new attack vectors will be the name of the game for the bad guys.
Once upon a time, hackers fell into neat behavioral buckets that made their motivations and goals discernible. Or at least they appeared to, and for the most part conformed cleanly. Over time, however, the lines have become less clear: nation states like North Korea hack for profit to deal with economic sanctions, cybercriminals rent out their services to any and all takers, and ransomware has become a tool of the state too.
To further complicate matters, nation states like Iran publish tools to seed back doors in the criminal world and to provide healthy background noise, and government employees for offensive agencies from China to Russia moonlight or go private, without even taking into account the possibility of false flag operations.
While clear modus operandi can still help guide investigations and make them more efficient, the net result is that neat categorization schemes generally, and attribution specifically, are of less and less use. This trend will continue, so it’s important to prepare for all potential attackers and, to some extent, to avoid the blind spots produced by a false sense of certainty about who the enemy is.
Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.