In the first part of this series, I discussed sophisticated cyberattacks, analyzed an example, and offered advice on how to remediate against such an attack. But the cybersecurity storm doesn’t stop there.
While sophisticated attacks may be the hardest to defend against, they’re also the rarest, requiring a level of skill and knowledge usually limited to state-backed adversaries or well-established cybercrime groups. Because the bar for entry is lower, the majority of attacks we see fall into two categories: human-operated industrialized attacks and opportunistic attacks, which are often automated. That doesn’t make them any less dangerous, and they often leave long, destructive tails. However, research shows that 98% of attacks could be prevented with basic cyber hygiene, and in this second installment I’ll show how this applies to both industrialized and opportunistic attacks.
Industrial attack inundation
Industrial attacks are operated by humans and require some level of technical skill. But either the initial exploit or the lasting impact is exacerbated by poor cyber hygiene. There are multiple examples of such attacks from the last few months, but the biggest was the MOVEit attack in June 2023. At the latest count, the attack has impacted close to 2,800 organizations and almost 95 million individuals. Sadly, education and healthcare institutions were most affected.
The main perpetrator was the infamous Cl0p cybercrime gang, which industrialized an SQL injection vulnerability within MOVEit to distribute ransomware widely. The attack was so damaging that the SEC is currently investigating Progress Software – the maker of MOVEit. But whilst the initial breach of MOVEit was down to a tenacious human effort from the attackers, organizations are still falling victim to it almost a year later. This could be avoided by patching MOVEit.
Another recent industrialized attack is the Okta support system breach in October 2023. This was caused by stolen credentials rather than a highly skilled exploit. While the initial attack on a support system may seem innocuous, it prevented Okta from releasing updates to customers for 90 days. The lesson here is that every system – no matter how insignificant – must be considered as an entry point, and that the right controls have to be in place to prevent infiltration.
Opportunistic overflow
The last attack type is opportunistic. These attacks target low-hanging fruit and are the easiest to execute, often relying on automated tooling to exploit vulnerabilities that have been public for years. Log4j is a prime example of an opportunistic attack. Disclosed in late 2021, the vulnerability was so damaging because Log4j, an open-source logging library, was widely used in organizations of all kinds. It’s estimated that 93% of enterprise cloud environments were impacted.
Checking for known vulnerabilities, knowing where they sit in your code base (including the transitive dependencies that pull them in), and addressing them would confine the Log4j vulnerability to the annals of history. However, as recently as December 2023, two years after the vulnerability was disclosed, a third of applications were still using an unpatched and thus vulnerable version of Log4j.
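One way to do the “knowing where they are” step for a Java code base, as an added example (not code from the article or from Panaseer): parse `mvn dependency:tree` style output, flag every log4j-core below an assumed patched version, and report the dependency path that pulled it in. The sample tree and the 2.17.1 threshold are assumptions constructed for this example.

```python
import re

# Minimum log4j-core version this example treats as patched. 2.17.1 is an
# assumed threshold for the demonstration, not a value taken from the article.
MIN_SAFE_VERSION = (2, 17, 1)

# Constructed sample in the style of `mvn dependency:tree` output (not a real project).
SAMPLE_TREE = r"""[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:reporting:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

# Maven coordinate as printed in the tree: groupId:artifactId:jar:version[:scope]
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)")
PREFIX = "[INFO] "

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in text.split("."))

def find_unpatched_log4j(tree_text, min_safe=MIN_SAFE_VERSION):
    """Return [(version, dependency path)] for each log4j-core older than min_safe.

    The path names the direct dependency that pulled log4j in transitively,
    which is what a team needs to know where in the code base the fix belongs.
    """
    findings = []
    path = []  # artifacts on the current branch, indexed by tree depth
    for line in tree_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        m = COORD_RE.search(line)
        if not m:
            continue
        depth = (m.start() - len(PREFIX)) // 3  # each tree level is 3 chars wide
        group, artifact, version = m.groups()
        path = path[:depth] + [f"{group}:{artifact}"]
        if (group, artifact) == ("org.apache.logging.log4j", "log4j-core"):
            if parse_version(version) < min_safe:
                findings.append((version, " -> ".join(path)))
    return findings

if __name__ == "__main__":
    for version, via in find_unpatched_log4j(SAMPLE_TREE):
        print(f"log4j-core {version} pulled in via {via}")
```

The same walk works for any artifact on a watch list; only the group/artifact pair and the threshold change.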
Similarly, Microsoft Exchange continues to be a rich source for automated attacks, as the UK’s Electoral Commission found to its cost in August 2023. Data from the ShadowServer dashboard shows there are more than 88,000 publicly accessible Exchange servers that possibly have critical vulnerabilities. Some may have been mitigated, but when you consider that keeping up to date with patches could remediate these vulnerabilities, it’s a frightening figure.
Turning a downpour into a drop
With attackers tending to pick off the easiest targets, focusing on security fundamentals, better cyber hygiene, and ensuring the right controls and policies are in place will help head off almost all industrialized and opportunistic attacks.
Yet, having policies and controls is only half the battle. The shifting, evolving IT landscape makes security a moving target. Organizations need total and continuous visibility over where and how controls have been implemented, to identify whether they are working as they should be, and close potential coverage gaps.
Too often, organizations rely on incomplete, siloed, and even contradictory information. Security tools can be unreliable witnesses: each reports only on what it alone can see, not the whole picture. This leads to conflicting reports and lets undiscovered vulnerabilities and threats hide in the fog. Overworked and stressed security teams are drowning in data but lack the insights that could drive change.
Overcoming these problems is a big data challenge. CISOs need a validated system of record they can trust, one that gives total visibility over coverage gaps and the true status of their controls. Trusted data allows businesses to assess risk in the context of their business. This enables security teams to identify and act on high-risk issues instead of focusing on the wrong things, such as reporting, fixing yesterday’s problems, or just dealing with indicators of compromise instead of solving the root causes.
As it’s the root cause of so many attacks, let’s take patching as an example. Ensuring every single asset on your network is updated is a daunting task. But with the right contextual data to show which machines represent the greatest risk, security teams can focus on the highest priority assets first. This targeted approach will drastically reduce risk exposure and improve the efficiency of overstretched security practitioners.
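An added example of the reconciliation the last three paragraphs describe (not code from the article or from Panaseer): merge constructed exports from a CMDB, a patch tool, and an EDR console into one record per asset, list the coverage gaps that no single tool would report, and rank assets with missing patches by exposure and business criticality. Host names, fields, and scoring weights are assumptions made for this example.

```python
# Constructed exports from three siloed tools (not real data). The CMDB is the
# asset system of record, the patch tool knows missing critical patches, and the
# EDR console knows which hosts run its agent; each sees only part of the picture.
CMDB = {
    "web-01": {"internet_facing": True, "criticality": 3},
    "db-01": {"internet_facing": False, "criticality": 3},
    "hr-app": {"internet_facing": True, "criticality": 2},
}
PATCH_TOOL = {"web-01": 2, "db-01": 1}  # host -> missing critical patches
EDR_AGENTS = {"web-01", "db-01", "lab-99"}  # hosts reporting an EDR agent

def reconcile(cmdb, patch_tool, edr_agents):
    """Build one record per asset seen by any tool, keeping each tool's view."""
    records = {}
    for host in set(cmdb) | set(patch_tool) | set(edr_agents):
        meta = cmdb.get(host)
        records[host] = {
            "in_cmdb": meta is not None,
            "internet_facing": meta["internet_facing"] if meta else None,
            "criticality": meta["criticality"] if meta else None,
            "patch_managed": host in patch_tool,
            "missing_critical": patch_tool.get(host),
            "edr": host in edr_agents,
        }
    return records

def coverage_gaps(records):
    """Gaps no single tool reports: unknown to the CMDB, or known but missing a control."""
    gaps = []
    for host, r in sorted(records.items()):
        if not r["in_cmdb"]:
            gaps.append((host, "not in CMDB"))
        if not r["patch_managed"]:
            gaps.append((host, "no patch management"))
        if not r["edr"]:
            gaps.append((host, "no EDR agent"))
    return gaps

def patch_priority(records):
    """Hosts with missing patches, most exposed first; the assumed weights are illustrative."""
    scored = []
    for host, r in records.items():
        missing = r["missing_critical"] or 0
        if missing == 0:
            continue
        score = missing * (r["criticality"] or 1) * (3 if r["internet_facing"] else 1)
        if not r["edr"]:
            score *= 2  # exploitation of an unmonitored host is less likely to be seen
        scored.append((score, host))
    return [host for _, host in sorted(scored, reverse=True)]
```

Note that hr-app never appears in the priority list because its patch status is unknown; it surfaces as a coverage gap instead, which is exactly the blind spot a single tool’s report would hide.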
Brighter skies ahead
Sophisticated, industrialized, and opportunistic attacks all differ, and remediation tactics vary from ensuring zero trust to patching. But there is one key thread woven throughout the approach to defense against each: data. Without it, security leaders and their teams are left in the dark, unsure which assets are critical and require immediate attention, and which can wait.
Those organizations that can harness the power of the data at their fingertips will be well equipped to ride out the cyberattack storm, whilst those that continue to ignore this invaluable resource will remain caught up in the never-ending downpour of attacks.
About the Author
Nick Lines, Security Product Expert, champions Panaseer’s unique value and ensures they’re helping solve the biggest challenges in cybersecurity. He’s worked for multinational systems integrators and consultancies in roles including developer, technical sales, and offering management, and previously spent a decade at Microsoft. Nick can be reached online at LinkedIn and at our company website https://panaseer.com/.
