All eyes are on cybersecurity, with news headlines dominated by the recent compromise of technology products and several high-profile ransomware attacks against infrastructure and health services.
However, five new attack techniques have surfaced as the most dangerous in today’s IT climate, and your organization needs to act now to protect against these threats, according to a panel of cybersecurity experts at RSA Conference 2021 last week.
Software supply chain compromises
One of the most sophisticated cyberattacks in history was accomplished last year by Russian threat actors by compromising widely used IT management software from SolarWinds, which put tens of thousands of organizations at risk.
According to Ed Skoudis, a cybersecurity expert, founder of Counter Hack and a director and fellow at the cybersecurity training organization SANS Institute, software development is typically based on speed and pushing features out as quickly as possible.
“They’re not focused on trust and cybersecurity,” he said during the virtual conference. “This is a pretty profound problem, because it makes me think about Zero Trust architectures.”
While the Zero Trust concept helps ensure that every user, every system and every device has to be authenticated, validated and authorized before it can access an organization’s network, Zero Trust is still implemented in software. If that software is updated through mechanisms that don’t verify its integrity, that could pose a big problem, Skoudis says.
Essentially, Zero Trust only works if it is also applied to the software you use to manage and secure your environments.
“Now we’ve seen several attacks over the last year based on this, and I think we’re going to see many attacks in years to come,” Skoudis says.
It has also been proven possible to exploit vulnerabilities in, or inject malware into, open source projects. One security researcher was even able to get code into the software development environments of Apple and Microsoft.
To help defend against these kinds of attacks, Skoudis recommends:
- Take a good inventory of your software so you know where a potential compromise could come from.
- Ask for a software bill of materials (SBOM) so you know exactly what goes into the software you’re purchasing and using.
- Implement file integrity management and threat hunting solutions, or contract with a third-party provider.
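The file integrity piece of that advice comes down to a simple loop: record a trusted baseline of what the files of a product (binaries, configuration, update scripts) look like, then re-check after every update and investigate anything that changed outside the vendor's announced change set. The script below is an added illustration, not code from SANS or the panel; it builds a SHA-256 baseline over a directory tree and reports modified, added and removed files. The sample tree and the tampered update it checks are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def verify(root, baseline):
    """Compare the tree under root against a stored baseline.

    Returns the three categories an analyst cares about after an update:
    files whose content changed, files that appeared, and files that vanished.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a small install tree, then apply a bad update."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"original agent binary")
        (root / "etc").mkdir()
        (root / "etc" / "agent.conf").write_text("update_server=https://updates.example.invalid\n")

        baseline = build_baseline(root)  # in practice, store this signed and off-host

        # Simulated tampered update: binary replaced, an unexpected file dropped,
        # and the configuration removed. None of this was in the vendor's change set.
        (root / "bin" / "agent").write_bytes(b"trojanized agent binary")
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new file")
        (root / "etc" / "agent.conf").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The baseline is only as trustworthy as where it is kept: if an attacker who can replace the binary can also rewrite the baseline on the same host, the check proves nothing, so store it signed and on a system the monitored host cannot write to.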
Improper session handling
With the massive movement to remote work – and now hybrid work – accessing assets from anywhere on a myriad of different devices presents a lot of opportunity for cybercriminals, says Heather Mahalik, DFIR curriculum lead and director of digital intelligence at SANS Institute and Cellebrite.
Now, IT security professionals have to consider how to secure those mobile applications, how much their organizations rely on them and whether they are actually safe at all.
“When we think of authorizations: the fewer authorizations that are required by your work environment – that is dangerous,” Mahalik says.
Single sign-on, meanwhile, is only secure in the hands of a responsible user who practices good cyber hygiene and credential security. Even when it is coupled with multi-factor authentication, attackers could be persistent enough to either compromise those devices or trick users into giving them the code.
“It’s honestly at the mercy of that single sign-on control,” Mahalik says. “This is fine as long as I am a responsible employee, I control it, and I manage those sessions properly. … What if an attacker has my device?”
As with software compromises, these apps are pushed out to prioritize speed over security, and some can contain known vulnerabilities.
“All of these token generators — they want to be the one stop shop,” Mahalik says. “They want you to use them, and you should. The issue is you just have to verify and ensure crypto is not broken. That is the responsibility of us, that is the responsibility of our employers to ensure that proper quality assurance is taken and measured on the things that we truly rely on everyday to access our most confidential and precious information in our casework.”
To mitigate these kinds of attacks, Mahalik suggests:
- Keep your session safe by always logging out.
- Use tokens that expire or kick users off the network.
- Be responsible with single sign-on.
- Validate that applications are secure.
- Look at the permissions for what you’re installing.
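Two of those points, expiring tokens and logging out, are server-side properties of how a session token is issued and checked, not habits the user can be left to get right. The example below is added here and is not code from the panel or from any SSO product; it issues an HMAC-signed session token with a short lifetime and a unique id, rejects tokens that have expired or been altered, and lets logout revoke a token so it cannot be replayed from a lost device. The signing key, the user name and the timeline are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Signing key for this example only; a real deployment loads it from a secrets store.
SIGNING_KEY = os.urandom(32)

# Server-side record of token ids invalidated by logout (in memory here; a shared
# store in production so every front end sees the revocation).
REVOKED_TOKEN_IDS = set()


def _b64encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, ttl_seconds, now=None):
    """Issue a signed session token that expires ttl_seconds from now."""
    now = time.time() if now is None else now
    payload = {
        "sub": user,
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "jti": _b64encode(os.urandom(12)),  # unique id so logout can revoke this token
    }
    body = _b64encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token, now=None):
    """Return (True, payload) for a live, untampered token, else (False, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # check signature before trusting any field
        return False, "bad signature"
    payload = json.loads(_b64decode(body))
    if payload["jti"] in REVOKED_TOKEN_IDS:
        return False, "revoked"
    if now >= payload["exp"]:
        return False, "expired"
    return True, payload


def logout(token, now=None):
    """Revoke a token server-side; a copy on a stolen device is then useless."""
    ok, payload = validate_token(token, now=now)
    if ok:
        REVOKED_TOKEN_IDS.add(payload["jti"])


def demo():
    """Constructed timeline: fresh use, expiry, tampering, and logout."""
    t0 = 1_700_000_000
    token = issue_token("analyst@example.invalid", ttl_seconds=900, now=t0)
    results = {}
    results["fresh"] = validate_token(token, now=t0 + 60)[0]
    results["expired"] = validate_token(token, now=t0 + 901)[1]

    # Client-side attempt to extend the lifetime by editing the payload.
    body, sig = token.split(".")
    edited = json.loads(_b64decode(body))
    edited["exp"] += 86400
    forged = _b64encode(json.dumps(edited, separators=(",", ":")).encode()) + "." + sig
    results["tampered"] = validate_token(forged, now=t0 + 60)[1]

    logout(token, now=t0 + 90)
    results["after_logout"] = validate_token(token, now=t0 + 120)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

Note the order of checks in validate_token: the signature is verified before any field of the payload is read, so a forged expiry never influences the decision, and the revocation list is consulted before the expiry check so a logged-out token is refused even while it would otherwise still be valid.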
Ransomware gets more sophisticated
While the concept of ransomware isn’t new by any stretch of the imagination, attacks are no longer simply holding data hostage in exchange for a hefty ransom.
Now, they are threatening to release that data in order to extort their victims, says Katie Nickels, certified instructor and director of intelligence at SANS. That trend started in late 2019 with the ransomware group Maze, and it has caught on.
“So many different groups have realized, ‘Hey, this extortion thing works,’” Nickels says, adding that more than 70% of the ransomware cases in the fourth quarter of 2020 involved some kind of exfiltration and extortion.
In the typical ransomware attack chain, initial access, reconnaissance and lateral movement can be easy to catch. Cybercriminals then exfiltrate data using legitimate file sharing tools, which can also be easy to detect, but by then it may be too late.
That exfiltration typically happens before the final phase, encryption; once files and systems are encrypted, there is nothing users can do about it.
Further, ransomware operators have been found to release data even after an organization pays a ransom to decrypt their data.
“So it’s so important that people realize this is a trend amongst adversaries, because you can gain the decision advantage by knowing to expect the unexpected,” Nickels says. “And, of course, that there’s no honor among thieves.”
To boost your ransomware protection, Nickels suggests:
- Prevent attacks not only by using offline backups, but also by taking other preventative measures, such as disallowing file sharing tools that are not needed on your network.
- Invest in adequate detection. You can’t rely on the encryption and ransom note to realize you’ve been hit with ransomware.
- Assume there’s a possibility of exfiltration and that you’ll never get your data back.
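Catching the exfiltration stage rather than the ransom note means looking for bulk uploads to file sharing services that are not sanctioned on your network, which ties the first two suggestions together. The detector below is an added example, not code from SANS or the panel: it runs over a few constructed proxy log lines, ignores the one file sharing service this (hypothetical) environment allows, sums outbound bytes per source host and destination, and raises an alert once a host has pushed more than a threshold volume to an unsanctioned service. The log format, hostnames and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed environment: one sanctioned file sharing service, plus the
# unsanctioned services this organization has chosen to watch for.
ALLOWED_SHARING_HOSTS = {"files.corp.example.invalid"}
FILE_SHARING_HOSTS = {
    "files.corp.example.invalid",
    "upload.share-example.invalid",
    "transfer.drop-example.invalid",
}

# Assumed proxy log line layout (key=value fields, one request per line).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"bytes_out=(?P<bytes_out>\d+) method=(?P<method>\S+)$"
)

UPLOAD_METHODS = {"PUT", "POST"}
MiB = 1024 * 1024


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def find_bulk_uploads(lines, threshold_bytes=500 * MiB):
    """Alert on (src, dst, total_bytes) where a host sent >= threshold_bytes
    to a file sharing service that is not on the allow list."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue  # skip malformed lines and plain downloads/browsing
        if rec["dst"] not in FILE_SHARING_HOSTS or rec["dst"] in ALLOWED_SHARING_HOSTS:
            continue  # not a file sharing service, or one the organization sanctions
        totals[(rec["src"], rec["dst"])] += rec["bytes_out"]
    return sorted(
        (src, dst, total) for (src, dst), total in totals.items() if total >= threshold_bytes
    )


# Constructed sample log: one host staging ~600 MiB to an unsanctioned service,
# one host using the sanctioned service, one host with small or irrelevant traffic.
SAMPLE_LOG = [
    "2021-05-21T03:12:44Z src=10.0.5.12 dst=upload.share-example.invalid bytes_out=314572800 method=PUT",
    "2021-05-21T03:19:02Z src=10.0.5.12 dst=upload.share-example.invalid bytes_out=314572800 method=PUT",
    "2021-05-21T09:01:10Z src=10.0.7.3 dst=files.corp.example.invalid bytes_out=943718400 method=PUT",
    "2021-05-21T10:15:30Z src=10.0.9.8 dst=upload.share-example.invalid bytes_out=52428800 method=PUT",
    "2021-05-21T10:16:01Z src=10.0.9.8 dst=www.example.invalid bytes_out=1000 method=GET",
    "this line is not in the expected format",
]


def demo():
    return find_bulk_uploads(SAMPLE_LOG)


if __name__ == "__main__":
    for src, dst, total in demo():
        print(f"ALERT: {src} sent {total / MiB:.0f} MiB to unsanctioned service {dst}")
```

The threshold and the window are the tuning knobs: an attacker staging data over days stays under any single-day threshold, so in practice the same aggregation is run over rolling windows and compared against each host's own historical upload volume rather than a fixed number.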
Machine learning and AI
Current cybersecurity software leverages machine learning and artificial intelligence to detect threats, and it is constantly updated with new samples and tested against them so that it keeps detecting new strains automatically.
However, those same concepts could be used to defeat cybersecurity software, says Johannes Ullrich, dean of research at SANS Technology Institute.
While there is no proof of cybercriminals leveraging machine learning to commit cybercrime, compromising the samples that these programs use to train their models is possible.
Ullrich gave the example of an attacker who develops malware delivered through Office macros; the organization’s malware detection solution is then trained to detect that kind of malware. At the same time, the attacker is developing malware for attacking perimeter devices, which goes undetected.