As we move towards the summer and the promise of sunnier weather, it’s worth noting that the cybersecurity industry has seen more rain than sunshine recently. A slew of high-profile breaches have had a stark impact on the business landscape and on people’s daily lives, from mailboxes exposed in the wake of the Microsoft email breach, to personal data stolen in the MOVEit hack. Regulators have grown frustrated and stricter in both their requirements and their enforcement, with the SEC now laying the blame for security incidents at CISOs’ feet. This raises the stakes of an already high-stakes game, and if the cybersecurity industry continues on this path, the storm will continue.
Analysis of the most potent recent attacks shows that breaches largely fall into three distinct buckets. There are the genuinely sophisticated attacks, conducted by well-resourced adversaries such as long-established criminal groups or state-backed attackers. Then there are the industrialized attacks, which require technical skill but don’t operate at the same level of complexity and tend to be less targeted. Finally, there are the opportunistic attacks, which are often automated and have a low bar for entry.
All three have their own intricacies, and while the methods for defending against them vary, there is one common theme: ensuring the right controls are in place and have been deployed effectively. In the first of this two-part series, I’ll focus on the sophisticated attacks, before turning to industrialized and opportunistic attacks in the next piece.
The sophisticated attack cyclone
Sophisticated attacks are the hardest to remediate, and often have a broader and longer-lasting impact. The Microsoft email hack disclosed in July 2023 is a prime example. It was one of the most consequential attacks of the last few months: the adversary obtained a Microsoft signing key and used it to forge authentication tokens, giving them access to Exchange Online mailboxes. The victims included government and defense departments globally as well as private businesses, both large and small.
In this case, state-sponsored threat actors were responsible, combining some exceptional techniques with traditional Tactics, Techniques and Procedures (TTPs). To Microsoft’s credit, it was initially open about the attack, detailing how it occurred and shedding light on multiple points of failure going back as far as 2021. It has since updated that blog, scaling back its original hypothesis about how the key was obtained, but still pointing to operational issues as the cause.
The original blog pointed to multiple points of failure, both in the technology and in operations, that left the front door wide open to the attackers. This was confirmed by the US Department of Homeland Security’s Cyber Safety Review Board (CSRB), which reviewed the incident because of its global significance. What remains clear is that there were multiple stages at which this devastating attack could have been interrupted to limit its impact, or even stopped in its tracks.
But the attack shows that nobody is immune, and that a determined, well-resourced attacker can compromise even the biggest organizations that pride themselves on their security.
Sheltering from the storm
However, even against sophisticated attacks, organizations can take steps to protect themselves by pursuing a zero-trust strategy. But achieving zero trust is hard, and can be overwhelming when applied to every individual and every single device, application and scrap of data the organization owns. So organizations should prioritize the systems that would benefit most from zero-trust initiatives first.
Understanding which resources and which users are critical to the business allows security teams to set realistic goals and outcomes when deploying zero-trust initiatives. For instance, zero trust might not be a priority for the machine displaying menu options in the staff canteen. But it will be for ensuring that privileged users with access to business-critical data can still do their jobs, and nothing more.
Organizations’ first goal should be to ensure they have the data to fully understand their landscape, how users interact with it, and where the greatest risks are. Armed with this, they can set measurable objectives for rolling out a zero-trust strategy: start where it’s needed most, demonstrate success, and then expand the initiative.
Inclement weather inbound
While these sophisticated attacks are the rarest, because of the skills and resources required to launch them, they are often the most devastating and the hardest to defend against. But organizations, particularly enterprises, must be prepared for all three types of attack, as they’re likely to encounter every one of them. In the next piece, I’ll cover the industrialized and opportunistic attacks that occur more regularly but are just as potent, and how to defend against them.
About the Author
Nick Lines, Security Product Expert, champions Panaseer’s unique value and ensures the company is helping solve the biggest challenges in cybersecurity. He has worked for multinational systems integrators and consultancies in roles including developer, technical sales, and offering management, and previously spent a decade at Microsoft. Nick can be reached online on LinkedIn and at our company website https://panaseer.com/.