Cybersecurity Awareness Month is in its 19th year, but cybercriminals have flourished alongside the internet itself, simply because there are more potential victims than ever. The month-long observance, initiated as a public-private partnership back in 2004, is an annual reminder that vigilance is the price of sound cyber hygiene. This year, Spiceworks looks at the top cybercrime and cyber defense insights from domain experts.
According to the FBI’s Internet Crime Report 2021, the federal agency’s Internet Crime Complaint Center (IC3) received 847,376 complaints (up 7%) last year that caused losses of nearly $6.9 billion. While a 7% rise may seem insignificant, data from the previous five years tells a different story.
Cybercriminal Complaints and Losses Between 2017-2021 | Source: FBI IC3
So there you have it. The surge in cybercriminal activity directly correlates to the increase in the attack surface. “To take a step back, the evolution from an onsite work model to the new paradigm of WFH or WFA, as well as hybrid, wasn’t without its challenges. Perhaps one of the biggest bumps along the way was figuring out how people could WFH not only productively but securely,” Don Boxley, CEO and Co-Founder of DH2i, told Spiceworks.
However, 2022 has proven to be a game-changing year for cybersecurity wherein law enforcement has taken an offensive stance against cybercrime perpetrators. “There does seem to be a successful pushback by law enforcement agencies in that we are seeing some signs of an activity and profit peak from types of cybercriminals, like ransomware,” Roger Grimes, defense evangelist at KnowBe4, told Spiceworks.
“This year, most ransomware gangs readily admit that it’s harder to earn money. Fewer organizations are paying, and most that do pay are paying less. Law enforcement has been better at following the money (i.e., cryptocurrencies), identifying criminals, and identifying and removing otherwise legitimate organizations that partially profited from cybercrime. It’s been a rare, if only moderate, win for cyber law enforcement agencies.”
Grimes goes on to appreciate the coordinated and multi-pronged attack strategy adopted by the Cybersecurity and Infrastructure Security Agency (CISA) and the European Union Agency for Cybersecurity (ENISA).
“We haven’t won. We will never defeat all hacking. But we did see some cracks in the dike. We stopped some of the continued forward progress in rampant, never-ending, ever increasing, cybercrime. It gives me some hope for the future,” Grimes added.
Most common cyberattacks to expect
“What will be the most successful cyber attacks of the future? Same methods of attacks as the last four decades: social engineering and unpatched software. Nothing on the horizon is going to change that anytime soon,” Grimes continued.
“Those two attack methods have been the top two attack methods since the beginning of computers, and it is the world’s inability to correctly focus on them as the top attacks they are that allow cybercriminals to continue to be so successful.”
The Internet Crime Report 2021 named ransomware and business email compromise (BEC), both of which require some level of social engineering, as two of the most commonly reported cyberattacks. Phishing, data theft and identity theft also rank among the most pervasive cybercriminal acts.
On the other hand, lapses in appropriate vulnerability management are a significant concern. The fact that 66% of organizations that Rezilion surveyed had a vulnerability patch backlog of 100,000 bugs is almost akin to laying out a red carpet for threat actors.
Meet the present-day cybercriminal and understand their motivations
The current threat landscape includes nation-state groups and cybercriminal syndicates whose operational elements increasingly resemble that of for-profit companies. Courtesy of professional hackers, gangs, companies, and nation-states, the current threat landscape is “likely to continue into the near-term future, if not forevermore,” Grimes added.
Chris Clements, VP of solutions architecture at Cerberus Sentinel, told Spiceworks, “The current threat landscape is incredibly diverse with nation state actors, organized cybercrime gangs, and a resurgence of bored teenagers hacking for the lulz. One commonality, however, is the access each has to buy both initial access into their victim networks as well as powerful offensive tools.”
“The LAPSUS$ group showed just how much damage a relatively unsophisticated attacker can achieve just by buying stolen credentials and spamming MFA prompts with little regard for their own consequences. Even well-funded nation-state level actors regularly employ the use of readily available commercial and open-source tooling as part of their operations. After all, why reinvent the wheel when an existing tool works? Plus, there’s the additional benefit of throwing off attribution by utilizing the same tools and techniques of run-of-the-mill cybercrime gangs.”
Using commonplace techniques, LAPSUS$ could inflict significant damage on Samsung, Microsoft, NVIDIA, Globant, Okta, T-Mobile, Ubisoft, the government of Brazil (Ministry of Health), Impresa, and possibly Electronic Arts.
“One major development in the past several years is the sheer amount of money that cybercrime gangs regularly extort from their victims. This creates a situation where there is a ‘gold rush’ effect for new groups and individuals with hacking skill to join in attacking any organization that’s easy to break into. The incentives are simply too strong, especially in areas of the world where criminal consequences are unlikely to be enforced.
The incredible sums of money also give cybercrime gangs vastly increased resources to ‘reinvest’ into their operations by recruiting talented hackers and developers to increase their effectiveness, but also the means to buy zero-day exploits that can cost hundreds of thousands. After all, if they expect they can leverage a new exploit to extort millions, that’s a great ROI.” – Chris Clements, VP of solutions architecture at Cerberus Sentinel
Spiceworks’ Top Cybersecurity Awareness Month Insights From Experts
Securing network access
DH2i CEO Don Boxley emphasized the importance of securing network access, especially now that remote and hybrid work have become the norm and have widened the attack surface.
Boxley said that employees have come to cherish remote work for its flexibility: it gives them a better work/life balance, makes them more productive and cuts their work-related expenses. Organizations, in turn, gain a larger talent pool to recruit from, higher employee engagement and lower overhead.
“It’s really all about the people. However, it’s also all about the technology that we invest in to support our people’s success,” Boxley added.
“At the beginning of the transition, many organizations were forced to depend upon their virtual private networks (VPNs) for network access and security and then learned the hard way that VPNs were not up to the task. It became clear that VPNs were not designed nor intended for the way we work today. Both external and internal bad actors were and are still exploiting inherent vulnerabilities in VPNs.
Instead, forward-looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT: without having to reconfigure networks or set up complicated and problematic VPNs.
With SDP, organizations can ensure safe, fast and easy network and data access; while slamming the door on potential cybercriminals.” – Don Boxley, CEO and Co-Founder, DH2i.
Solidifying storage and backups
Steve Santamaria, CEO at Folio Photonics, told Spiceworks, “Data now represents a strategic asset to almost every organization. Yet, while from IT to the C-suite, it is agreed that the possibility of a cyberattack poses a highly dangerous threat, many would admit that they are probably ill-prepared to fully understand and address all of the threats, in all of their forms today and in the years ahead.”
Santamaria goes on to say that hard disks and tapes have traditionally been the building blocks of storage cyber-resiliency, each with its own set of advantages and drawbacks. Santamaria and Surya Varanasi, CTO at StorCentric, both called for storage technology that has immutability at its core.
“What’s required is the development of a storage media that combines the cybersecurity advantages of disk and tape. A solution that can ensure an enterprise-scale, an immutable active archive that also delivers write-once-read-many (WORM) and air-gapping capabilities, as well as breakthrough cost, margin and sustainability benefits. Affordable optical storage is the answer, as it is uniquely capable of leveraging today’s game-changing advancements in materials science to create a multi-layer storage media that has already demonstrated the major milestone of dynamic write/read capabilities.
In doing so, it can overcome historical optical constraints to reshape the trajectory of archive storage. Ideal for data center and hyperscale customers, such a next-generation storage media offers the promise of radically reducing upfront cost and TCO while making data archives active, cybersecure, and sustainable, not to mention impervious to harsh environmental conditions, radiation, and electromagnetic pulses, which are now being commonly used in cyber-warfare.” – Steve Santamaria, CEO, Folio Photonics.
“Today, the process of backing up has become highly automated. But now, as ransomware and other malware attacks continue to increase in severity and sophistication, we understand that proper cyber hygiene must include protecting backed-up data by making it immutable and by eliminating any way that data can be deleted or corrupted. An Unbreakable Backup does exactly that by creating an immutable, object-locked format and then takes it a step further by storing the admin keys in another location entirely for added protection. Other key capabilities users should look for include policy-driven data integrity checks that can scrub the data for faults and auto-heal without any user intervention. In addition, the solution should deliver high availability with dual controllers and RAID-based protection that can provide data access in the event of component failure. Recovery of data will also be faster because RAID-protected disk arrays are able to read faster than they can write.
“With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about their ability to recover — and redirect their time and attention to activities that more directly impact the organization’s bottom-line objectives.” – Surya Varanasi, CTO at StorCentric, told Spiceworks.
Plugging internal threats
Verizon’s 2022 Data Breach Investigations Report (DBIR) revealed that 82% of data breaches involve the human element. The breach at Toyota that exposed the data of 296,019 customers is a recent example: an internal resource left server access keys in source code that was then publicly uploaded to GitHub.
Carelessness is one side of the human element; deliberate insider malice is the other, and it is worryingly on the rise. DTEX Systems detected a 72% increase in actionable insider threat incidents in 2021 compared with 2020.
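The Toyota incident above is a leaked-credential problem that a secret scan run before code is committed or pushed can catch. What follows is an added example written for this page, not code from the Spiceworks article, Toyota or any vendor mentioned: a small scanner that reports hard-coded credential shapes and uses a Shannon-entropy filter so that obvious placeholders are not flagged. The sample source, the generic key patterns and the 3.5-bit entropy cutoff are constructed assumptions; the `AKIA` access-key-id shape is AWS's documented public format and the key values in the sample are AWS's own documented example credentials.

```python
import math
import re

# Detection patterns. The AWS access-key-id shape (AKIA + 16 uppercase
# alphanumerics) is the documented public format; the remaining patterns are
# generic shapes assumed for this example, not a vendor's rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|access[_-]?token)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Assumed cutoff (bits per character): real keys are high-entropy, placeholders
# such as "xxxxxxxx" or "changeme" are not.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Return (line_number, finding_kind, masked_prefix) for each suspected secret.

    Only the first four characters of a match are returned so that a report
    never re-leaks the credential it found.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            candidate = m.group(1) if m.groups() else m.group(0)
            # Generic shapes are noisy, so require the value to look random.
            if kind == "generic_api_key" and shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                continue
            findings.append((lineno, kind, candidate[:4] + "..."))
    return findings


# Constructed sample file: the kind of content that should never be committed.
SAMPLE_SOURCE = """\
import boto3

# constructed sample with hard-coded credentials (AWS documentation example values)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
API_KEY = "sk_live_0123456789abcdefghijklmnop"
client = boto3.client("s3")
"""

if __name__ == "__main__":
    for lineno, kind, prefix in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} ({prefix})")
```

Wired into a pre-commit hook, `scan_source` would run over each staged file and block the commit on any finding; the masked prefix is enough for a developer to locate the line without the report itself becoming another copy of the secret.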
Brian Dunagan, VP of Engineering at Retrospect, told Spiceworks, “While external bad actors, ransomware and other malware, are the most common threats, malicious or even careless employee actions can also present cybersecurity risks. In other words, it is virtually a given that at some point most will suffer a failure, disaster or cyberattack.”
Dunagan added, “Given the world’s economic and political climate, the customers I speak with are most concerned about their ability to detect and recover from a malicious ransomware attack.”
Ransomware attacks increased by 13% in 2022, according to Verizon’s 2022 DBIR, which is higher than the last five years combined. Ransomware is also present in 70% of malware breaches in 2022.
Additionally, ransomware gangs are constantly evolving, adding new tools to their tactics, techniques and procedures (TTPs): double extortion, ransomware-as-a-service, searchable online databases of stolen data, victim help desks and even bug bounty programs.
“My advice to these customers is that beyond protection, organizations must be able to detect ransomware as early as possible to stop the threat and ensure their ability to remediate and recover.
A backup solution that includes anomaly detection to identify changes in an environment that warrants the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.
“Of course, the next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack. This is best accomplished with an immutable backup copy of data (a.k.a., object locking) which makes certain that the data backup cannot be altered or changed in any way.” – Brian Dunagan, VP of Engineering at Retrospect
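Dunagan's advice above, anomaly detection with filtering and thresholds tailored per backup policy, can be illustrated with a small baseline comparison. This is an added example written for this page, not Retrospect's product logic: each completed backup run is compared against the median of that policy's earlier runs, and a run is reported when changed files or bytes jump by more than a per-policy factor, or when the data suddenly stops compressing (encrypted files compress poorly, so a compression ratio collapsing toward 1.0 is a classic ransomware signal). The policy names, run statistics, threshold values and the "build-artifacts" override are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class BackupRun:
    policy: str
    changed_files: int
    changed_bytes: int
    compression_ratio: float  # source bytes / stored bytes; freshly encrypted data sits near 1.0


@dataclass(frozen=True)
class Thresholds:
    files_factor: float = 3.0        # flag when changed_files > factor * baseline median
    bytes_factor: float = 3.0        # flag when changed_bytes > factor * baseline median
    min_compression_ratio: float = 1.3
    min_history: int = 3             # prior runs needed before a baseline is trusted


DEFAULT_THRESHOLDS = Thresholds()

# Per-policy overrides (constructed): build artifacts are already compressed
# and churn heavily, so the default thresholds would page IT every night.
POLICY_THRESHOLDS = {
    "build-artifacts": Thresholds(files_factor=10.0, bytes_factor=10.0,
                                  min_compression_ratio=0.9),
}


def detect_anomalies(history, run):
    """Return the list of reasons a run looks anomalous for its policy ([] if normal)."""
    thresholds = POLICY_THRESHOLDS.get(run.policy, DEFAULT_THRESHOLDS)
    prior = [h for h in history if h.policy == run.policy]
    if len(prior) < thresholds.min_history:
        return []  # not enough history to judge; treat as normal rather than guess
    baseline_files = median(h.changed_files for h in prior)
    baseline_bytes = median(h.changed_bytes for h in prior)
    reasons = []
    if run.changed_files > thresholds.files_factor * baseline_files:
        reasons.append("changed_files spike")
    if run.changed_bytes > thresholds.bytes_factor * baseline_bytes:
        reasons.append("changed_bytes spike")
    if run.compression_ratio < thresholds.min_compression_ratio:
        reasons.append("low compression ratio")
    return reasons


# Constructed run history for two policies.
HISTORY = [
    BackupRun("fileserver-nightly", 120, 2_000_000_000, 2.1),
    BackupRun("fileserver-nightly", 140, 2_300_000_000, 2.0),
    BackupRun("fileserver-nightly", 130, 2_100_000_000, 2.2),
    BackupRun("fileserver-nightly", 125, 1_900_000_000, 2.1),
    BackupRun("build-artifacts", 5_000, 40_000_000_000, 1.05),
    BackupRun("build-artifacts", 7_000, 55_000_000_000, 1.02),
    BackupRun("build-artifacts", 6_000, 48_000_000_000, 1.04),
]

# Constructed: the file server's next run rewrote nearly everything and the
# result no longer compresses, which is what mass encryption looks like.
SUSPECT_RUN = BackupRun("fileserver-nightly", 9_800, 60_000_000_000, 1.01)
# Constructed: a big but ordinary night for the build system.
NOISY_BUT_NORMAL_RUN = BackupRun("build-artifacts", 20_000, 150_000_000_000, 1.03)

if __name__ == "__main__":
    for run in (SUSPECT_RUN, NOISY_BUT_NORMAL_RUN):
        print(run.policy, detect_anomalies(HISTORY, run) or "normal")
```

The reasons list is what would be sent to the on-call alert and also appended to the run record, so that later analysis has both the raw statistics and the verdict to learn from.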
Appropriate vulnerability management
So far in 2022, Microsoft has patched approximately 1,100 vulnerabilities in its products. At the same time, new vulnerabilities in several IT products and services are being discovered by the day.
Software vulnerabilities were the second-most commonly used attack vector by threat actors, according to Palo Alto Networks Unit 42’s 2022 Incident Response report. Menachem Shafran, VP of Product at XM Cyber, told Spiceworks, “This Cybersecurity Awareness Month, enterprises need to be more aware of the fact that vulnerability management, though critical, is broken.”
“Every company has thousands of vulnerabilities and exposures, many of which have high scores on the Common Vulnerability Scoring System (CVSS), so it’s impossible to fix them all. Risk-based vulnerability management (RBVM) tools theoretically make prioritization easier by clarifying what is exploitable in the wild. However, current security prioritization approaches that combine CVSS scores with RBVM threat intel don’t provide anywhere near optimal results – even after filtering, and looking just at what is exploitable in the wild, you still have too much to handle.”
“My advice is to go even further than RBVM and start understanding what’s actually important and what isn’t in the context of your environment, even if in theory, an issue is high-risk. All you really need to know is whether or not it’s possible for a hacker to access your critical assets. In other words, do your vulnerabilities really matter? If they only affect unimportant machines, i.e., machines that are either non-critical systems or do not generate attack paths toward critical assets, I’d argue that they don’t.
The key to successful vulnerability management is to identify all the ways an attacker can move throughout your network and reach your business-critical assets. Once you have identified these attack paths, you can focus on locking down chokepoints and stopping hackers before they even get started.” – Menachem Shafran, VP of Product at XM Cyber
Mika Aalto, CEO and co-founder of Hoxhunt, reminded us that the threat landscape is still shaped by the basics of cybersecurity hygiene, or the lack of them. “Every breach begins with a malicious email,” Aalto told Spiceworks.
“Email attacks have evolved with the application of advanced technologies and new cybercrime-as-a-service platforms. We’ve analyzed millions of such phishing attack campaigns globally, and not only are they getting frighteningly slick, but attacks are also being executed both by profit-motivated cybercriminals as well as state-sponsored threat actors. Most organizations take a compliance-based approach to email security and will therefore be unwillingly contributing to the trillion-dollar cybercrime industry. But what if I told you that there is a cyber-risk master switch you could throw that would reduce your greatest areas of risk in unison? Train all your people because all risk comes back to email. As attack emails become more targeted and sophisticated, security training must keep pace. It’s less expanding awareness with behavioral science and integration into your broad security strategy. Ingraining cybersecurity habits in people makes it a reflex for them to outsmart the sophisticated phishing attacks designed to outmaneuver technical filters. Ransomware, business email compromise (or BEC, which remains the kingpin of cybercrime), credential harvesting; every breach begins with a malicious email.
As the attack emails become more targeted and sophisticated, security training must evolve beyond compliance and awareness and into behavioral science and security stack integration. Ingraining cybersecurity habits in people, and linking awareness to the security stack, makes it an organizational reflex to outsmart the sophisticated phishing attacks designed to outmaneuver technical filters.” – Mika Aalto, CEO and Co-Founder of Hoxhunt
Clements highlighted that no “silver bullet” will take care of all security needs of organizations. “With limited resources, organizations will too often look for ‘easy buttons’ for cybersecurity, and the unfortunate reality is that many cybersecurity vendors push their solutions as silver bullets that solve all cybersecurity needs,” Clements said.
“That’s not to say that there aren’t products and services that are crucial for successful cybersecurity programs, but without a focus on the fundamentals of cybersecurity, relying on them alone is like bringing a wiffle bat to the major leagues.”
Clements recommends a mix-and-match approach that includes the following:
- Build a cybersecurity culture and awareness
- System and application hardening: to “drastically restrict an attacker’s ability to operate in an environment,” although this “can break compatibility with older technologies or disrupt user workflows.”
- Network segmentation: to “limit damage from a single compromised user or system.” Clements asserts that segmentation “requires careful planning to ensure the needed network pathways exist.”
- Vulnerability scanning: to “identify low-hanging fruit and other mistakes.”
- Penetration testing: to “identify non-obvious attack pathways.” However, this can be expensive, given it requires highly skilled professionals.
- Continuous monitoring: to “detect and eradicate attacker access before widespread damage can be done.” Again, this can be expensive.