The software supply chain and our increasing reliance on cloud infrastructure are making IT environments harder to protect and driving cybersecurity burnout among IT professionals, according to a panel of cybersecurity experts held last week in advance of Black Hat USA this week.
Attackers are increasingly leveraging the software supply chain and open-source software to gain access to victim networks, and as more organizations migrate to the cloud, attackers are seizing on misconfigured cloud infrastructure and vulnerabilities, according to panelists from leading cybersecurity and IT companies, including VMware, Immersive Labs and more.
Cloud and supply chain threats wreaking havoc
According to Kevin Breen, director of cyber threat research at Immersive Labs, cybercriminals of all types are leveraging vulnerabilities in the software supply chain to carry out attacks.
“This isn’t limited to advanced persistent threat (APT) attacks,” Breen says. “We’re seeing ransomware operators make use of this.”
Breen says Immersive Lab researchers have also seen open-source developers sabotaging their own code with political statements.
Úlfar Erlingsson, chief architect at Lacework, says the constant shifting to the cloud and within the cloud provides an open door for attackers to leverage that constant change and “sneak in at almost any level,” with the supply chain remaining a prime target.
“That’s very concerning, and the supply chain is definitely a big part of that,” Erlingsson says.
That constant change is also making it easier for attackers to leverage zero-day vulnerabilities quicker than ever, with the notorious Log4Shell bug being exploited in attacks just hours after it was publicly disclosed late last year.
“We were alerting our customers at 5 a.m., the day it was announced,” Erlingsson says. “That was only an hour or two after it was (disclosed).”
The speed with which attackers are jumping on new vulnerabilities, combined with a constantly changing cloud and software industry, is making it incredibly difficult for organizations to respond in a timely manner. Organizations now need to prioritize risk, says Jeffrey Martin, vice president of product at Mend, a developer tool that helps secure code.
While a software bill of materials (SBOM) can provide a useful snapshot of the components that make up a piece of software, it doesn’t do much more than that, Martin says.
“That creates the biggest problem, which is everything is chaos—I don’t know what I have and what I have keeps changing,” Martin says. “I need to be able to prioritize the risks in there, because I can’t eliminate them and I can’t prevent them, so I need to be able to prioritize them.”
Log4Shell was a good example of a critical vulnerability that everyone knew about immediately, but finding and remediating the bug was no small task. In fact, 30% of Log4j instances remained vulnerable to exploitation two months after it was disclosed, according to cybersecurity firm Qualys.
Identifying what software is running vulnerable versions of Log4j can be very challenging for some organizations, especially when it is in third-party software or dynamically loaded after a piece of software starts running, Erlingsson says.
“Any static scan of the passenger manifest before things took flight would have missed this,” Erlingsson states.
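The "passenger manifest" problem above is concrete: log4j-core is often buried inside a fat JAR, WAR or EAR shipped by a third party, so a scanner has to descend into nested archives. The following is an added example (not code from the panel or any of the companies named) that walks an archive tree, reads the Maven pom.properties that log4j-core carries, and flags versions older than 2.15.0 (the first release that fixed Log4Shell); the sample application archive is constructed in memory and is not a real artifact.

```python
import io
import zipfile
from typing import List, Tuple

LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIRST_FIXED = (2, 15, 0)  # Log4Shell itself was fixed in log4j-core 2.15.0


def parse_version(text: str) -> Tuple[int, ...]:
    """Read 'version=2.14.1' out of a Maven pom.properties file; '2.0-beta9' -> (2, 0)."""
    for line in text.splitlines():
        if line.startswith("version="):
            raw = line.split("=", 1)[1].strip()
            return tuple(int(p) for p in raw.split("-")[0].split("."))
    return ()


def scan_jar(data: bytes, path: str = "<root>") -> List[dict]:
    """Walk an archive and every nested .jar/.war/.ear inside it, collecting log4j-core hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if LOG4J_CORE_POM in names:
            version = parse_version(zf.read(LOG4J_CORE_POM).decode(errors="replace"))
            findings.append({
                "path": path,
                "version": ".".join(map(str, version)),
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "log4shell_vulnerable": bool(version) and version < FIRST_FIXED,
            })
        for name in names:  # recurse into shaded/bundled archives
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_jar(zf.read(name), f"{path}!/{name}"))
    return findings


def build_sample_app() -> bytes:
    """Constructed sample: a WAR that bundles a log4j-core 2.14.1 jar (placeholder bytes, not a real build)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(LOG4J_CORE_POM, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # stand-in for the real class file
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_jar(build_sample_app(), "app.war"):
        print(finding)
```

This is still the static, pre-flight check Erlingsson describes; it finds what is packaged, not what a running JVM loaded later, so it complements rather than replaces a runtime inventory of loaded classes.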
Applying psychology to cybersecurity
For IT and cybersecurity professionals tasked with protecting their organization and fixing things on the fly, the job can be incredibly stressful.
When critical vulnerabilities are released and defenders are under pressure to mitigate and patch, adrenaline kicks in and “rational thinking goes the opposite direction,” says Bec McKeown, director of human science at Immersive Labs.
Essentially, a highly trained expert could succumb to fear and anxiety during a ransomware attack and freeze up when the organization needs them the most, McKeown says.
“It’s nothing to do with experience and capabilities—it’s to do with the fact of the situation that you’re in,” McKeown says.
To help IT and security professionals operate better under pressure, McKeown suggests adapting concepts used in the military that are designed to help people remain self-aware and adapt to challenging situations.
McKeown also suggests IT and security professionals maintain good relationships with their technology vendors so those difficult conversations during a crisis will be easier. As well as rehearsing incident response, tech professionals should also rehearse those vendor conversations.
“When those bad things happen, you don’t get any friction going on because that’s not when you want to be testing relationships,” she says.
Rick McElroy, principal cybersecurity strategist at VMware, says these issues are leading to rampant cybersecurity burnout. With the growing reliance on the cloud, the problem is being multiplied, and skilled cybersecurity professionals are increasingly hard to find.
McElroy touched on VMware’s latest Global Incident Response Threat report, which addressed the burnout issue and the increasing use of deepfakes in cyberattacks.
“This idea that attackers understand who we are as humans and can manipulate us at scale using bots and deepfakes—those are things I think we have to account for in our training and awareness programs, and I’m not seeing us make enough innovation in that particular space.”