The threat landscape presents an ever-changing and more complex set of challenges to IT security teams. A new report from SANS Institute found that malware continues to be the leading cause of reported breaches, but more than one-third of known attacks are advanced persistent threats (APTs) or multistage attacks, indicating increasingly sophisticated approaches to cybercrime.
We asked our network of security experts what concerns them the most about external cyber threats in the enterprise. Here’s an edited collection of their responses.
1. Threats are outpacing enterprise defenses
One of the biggest challenges for security professionals is simply keeping up with the constantly shifting threat landscape.
“What concerns me most about external cyber threats is that our current response model doesn’t fit the existing world,” said Alan Webber (@AlanWebber), an IDC research director who leads the firm’s National Security and Intelligence research program. “We are responding to an asymmetric threat with a symmetric response, and we are behind.”
There’s often a gap between “how focused the external threat actor(s) are compared to companies’ resources to defend against an attack,” said Kyle F. Kennedy (@Kyle_F_Kennedy), chief information security officer (CISO) at Cyber Security Network (CyberSN).
“I am concerned that an organization’s ability to protect itself from cyber miscreants lags behind constantly evolving attacks,” echoed Steven Fox (@securelexicon), senior cybersecurity officer at the U.S. Department of the Treasury. “We must invest more in understanding our adversary and anticipating their strategies and tactics.”
Borrowing from the sports world, Andrew Hay (@andrewsmhay), CISO at Data Gravity, Inc., says organizations need to shift from a man-to-man defense to a zone to address a broader attack surface.
“[Security teams] need to secure their organizations from a multitude of external threats that may see individuals working in concert with one another or may have conflicting agendas and motivations,” said Hay. “This can result in an organization becoming quickly overwhelmed by the varying tactics, techniques and procedures (TTPs) employed by external threat actors.
“Employing a ‘zone defense’ – a system of defensive play in which each player guards an allotted area of the field of play and guards an opponent only when the opponent is in his area – is likely a better strategy for dealing with external threats and ever-changing TTPs,” Hay added.
The threats take many forms, from phishing and mobile malware to ransomware and the relatively unknown risks introduced by Internet of Things deployments.
“Two-factor authentication/verification is coming under attack via more ‘man in the middle’ attacks, and worse mobile SIM compromises,” said Robert Siciliano (@RobertSiciliano), CEO of IDTheftSecurity. “Compromising a SIM is a relatively easy process when all a criminal has to do is pose as the phone’s owner and clone a SIM card. During the time when the SIM is activated, the criminal can do untold damage.”
Phishing attacks employing malware, especially ransomware, are a top cybersecurity concern of Chuck Brooks (@ChuckDBrooks), vice president of government relations and marketing at Sutherland Global Services. “Anyone and everyone is vulnerable,” he said. “The expanding interconnectivity of our devices and the Internet of Things also makes malware a network threat. And with these kinds of phishing attacks, it is often quite difficult to find and prosecute the perpetrators.”
Eric Vanderburg (@evanderburg), director of information systems and security at JurInnov, also sees a growing threat in ransomware. “Ransomware attacks … have greatly increased in precision and speed over the last few years,” he said. “Many individuals and organizations have paid the ransoms, making this a profitable area for attackers to invest more money.
“What hasn’t happened yet, but is likely, is the use of ransomware to demand not money, but actions on behalf of the victim,” Vanderburg added. “Hacktivist groups would be the primary actors in this form of attack. I see the hacktivists shifting away from DDoS and more towards this type of ransom hacktivism.”
For Greg Martin (@gregcmartin), CEO and founder of JASK, password compromise is another enterprise threat. “Today thousands of user passwords will leak online or onto the dark web, many who work at large American companies and utilize the same password for their personal email accounts,” he said. “It’s trivial for attackers to take that information, deduct where the victim works, and log into a corporate email or VPN server by re-using those stolen credentials. Companies are very vulnerable because detecting this attack with signatures is completely ineffective. In my opinion, passwords are the new exploit.”
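Martin’s point is that a replayed, valid credential looks like an ordinary login, so signature matching has nothing to catch. The following added example (not from the article or from JASK) shows the two controls a defender reaches for instead: a proactive check of chosen passwords against a breach corpus, and a behavioural rule over VPN authentication logs that flags one source address successfully authenticating as several distinct accounts in a short window. The breach corpus, the log lines, the user names and the IP addresses are all constructed for the example.

```python
"""Added example: defender-side checks for the credential-reuse scenario.
The breach corpus and the log lines below are constructed, not real data."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a leaked-password corpus. Storing SHA-1 digests
# rather than plaintext lets the check run without keeping passwords around.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("12345", "password", "Summer2016!", "letmein")
}


def is_breached(password: str) -> bool:
    """True if the candidate password's SHA-1 appears in the breach corpus.
    Run this at password-set time to reject credentials already in the wild."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


# Constructed VPN authentication log: timestamp, user, source IP, result.
# One source (203.0.113.7) logs in as three different users within minutes,
# which is the shape a replayed list of stolen credentials produces.
VPN_LOG = """\
2016-07-06T08:01:10 alice 203.0.113.7 SUCCESS
2016-07-06T08:01:31 bob 203.0.113.7 SUCCESS
2016-07-06T08:02:05 carol 203.0.113.7 FAIL
2016-07-06T08:02:40 dave 203.0.113.7 SUCCESS
2016-07-06T09:15:00 alice 198.51.100.20 SUCCESS
2016-07-06T09:16:00 erin 198.51.100.21 SUCCESS
"""


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, user, ip, result)."""
    records = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        records.append((datetime.fromisoformat(ts), user, ip, result))
    return records


def suspicious_sources(records, window=timedelta(minutes=10), min_users=3):
    """Return {ip: [users]} for source IPs that successfully authenticate as at
    least `min_users` distinct accounts inside `window`. A legitimate user
    rarely does this; a stolen-credential replay almost always does."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in records:
        if result == "SUCCESS":
            by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window over each success and count distinct users inside it.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    print("12345 breached:", is_breached("12345"))
    print("flagged sources:", suspicious_sources(parse_log(VPN_LOG)))
```

The window and threshold are tuning knobs: shared egress addresses (a corporate NAT, a VPN concentrator) will legitimately show many users behind one IP, so in production the rule is scoped to addresses outside known corporate ranges or combined with a first-seen-location signal for each account.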
2. Attacks are becoming more targeted
As cyber attacks become more sophisticated and targeted, businesses and consumers are at greater risk of breaches and extortion, said Brooks. Vulnerabilities stem from both personnel and technology.
“More and more external threats now exploit victims by leveraging internal resources, be that exposed servers, open networks, or unwitting accomplices,” said Jeff Reich (@JeffReichCSO), chief security officer at Barricade.io. “All three of these vulnerabilities should be in better shape than they [currently] are.”
“Increasingly external threat actors are targeting the human, with an array of new tactics aimed at all employees, from the receptionist to the CEO,” said Darren Argyle (@D_Argyle), CISO at Markit. “No one is immune, and if one company has the means to defend itself, the criminals will simply move on until they find a softer target.”
Small businesses are becoming an attractive “soft” target of cyber criminals looking for poorly defended perimeters – and, often, access to much bigger fish.
“Without a dedicated CISO, a security team, and a 24×7 SOC, [small businesses] stand little chance of defending against the latest waves of attacks,” said Argyle. And if you’re a big business partnering with smaller businesses, “you need to know your supply chain risk and be able to manage that ecosystem dynamically,” he said. “You’re only as strong as the weakest link.”
It’s important to understand the motivations of different types of cyber criminals in order to defend properly against the various threats. “Phishing and spear phishing, ransomware, malware, malicious code, software vulnerabilities, etc., aren’t just created out of thin air,” said Kennedy. “There is a person or group of people behind the external cyber threats that happened to be motivated by different desires to do what they do.”
Threat actors, Kennedy explained, include criminal syndicates, who operate as a business, choose their targets with precision, and seek a good return on investment for their activities; hacktivists, who seek targets that they perceive as doing something they consider morally or politically wrong; state-sponsored hackers with geopolitical motivations; and lone-wolf hackers, who are the most unpredictable type of cyber criminal.
“It is very dangerous to combine these threat actors together under a broad category of ‘external cyber threats’ when discussing organizational cybersecurity strategy and action plans,” said Kennedy. “Cybersecurity is a very complex problem and overreacting can result in negative value to the organizations we are championed to protect.”
Despite their differences, these threat actors share at least one trait.
“My biggest concern about external cyber threats is the single-minded goal of the hackers,” said Ed Featherston (@efeatherston), senior enterprise architect at Collaborative Consulting. “All of their time, money, resource, and energy is focused on one thing, and one thing only: finding a way in.”
And once they’re in, their activities can go undetected for long periods.
“Once settled in the network, [hackers] can compromise confidential data, IP, login credentials, etc.,” said Scott Schober (@ScottBVS), president and CEO of Berkeley Varitronics Systems. “They will continue to exploit zero-day attacks until IT staff and CSOs discover and remove all traces of their malware and existence.”
3. Too many enterprises still lack a sense of urgency about threats
Ongoing skills shortages and resource constraints can make it difficult for security teams to keep up with the need to detect ever-evolving threats.
“We are living in a reality that large-scale understanding of threat modeling and risk handling is still in its infancy, therefore we are dependent on digital cowboys to protect our front lines,” said Erin Jacobs (@SecBarbie), a partner at Urbane Security.
Advanced techniques such as threat modeling are well beyond the grasp of organizations that still struggle with basic protections to mitigate a steady stream of cyber threats.
“The biggest risk is not the sophistication of external threats, but organizations not focusing on or practicing fundamentals,” said Jon Oberheide (@jonoberheide), co-founder and CTO at Duo Security. Those fundamentals, he said, include deploying strong user authentication, keeping devices up to date, embracing the cloud, and eliminating legacy infrastructure.
“The number of external threats that convert to internal threats continues to rise,” said Mike Loginov (@AscotBarclay), CEO of Ascot Barclay Cyber Security Group. “Once adversaries are on the inside, the game changes.”
For some organizations, the challenge runs deeper than skills or budgets.
“Despite evidence to the contrary, there are still organizations of all sizes who have the stance of ‘it won’t happen to me,’” said Guy Bunker (@guybunker), senior VP of products at Clearswift. “Accept that a cyber event is a matter of ‘when’ not ‘if’ and have a plan that gets you back to running your business as quickly as possible – not having to use all your resources in dealing with the aftermath.”
The SANS study found that 76% of respondents have dedicated internal incident response (IR) teams, but 65% acknowledged those teams have a shortage of skilled personnel. And just 58% said they devote time to periodically reviewing IR processes.
“Businesses have to balance cost and risk assessment in their efforts to protect against a breach while still focusing on running their business,” said Featherston. “They have to protect themselves from breaches, but more importantly, be able to identify and react in a planned fashion when a breach occurs.”
Organizations also must continue to emphasize security awareness training for all employees. “The non-technical threat posed by social engineering, when successful, can allow nearly unfettered access to internal resources with no alarms sounding,” said Barricade’s Reich. “Without question, good technical housekeeping needs to be maintained. Education of all users helps support those controls.”
Lax security practices make the internal cyber threat more worrisome than any external threat, said S. Vaughan-Nichols (@sjvn), contributing editor at CBS Interactive/ZDNet.
“An outside attacker must make use of an internal problem to be effective most of the time,” he said. “That security hole may be an office assistant using ‘12345’ as a password or a CTO who’s not been keeping OpenSSL updated, but at the end of the day real security starts in the office, not outside.”
Posted by Rob O'Regan. Posted on 06 Jul.