Threat Landscape
Cyber threat has become a growing concern with the ever-evolving new-age tech that emphasises storage, management and operation of data in the cyberworld and also on automation. An interaction with Michael Joseph, Regional Director, System Engineering, SAARC, Fortinet.
How is the threat scenario changing, especially in the SAARC region? Where do you see it going in the next 4-5 years?
Looking back at our threat landscape report of the first quarter of 2019 shows that cybercriminals are not just becoming increasingly sophisticated in terms of their attack methods and tools, they are also becoming very diverse. Attackers are increasingly using a broad range of attack strategies, from targeted ransomware to custom coding, to living-off-the-land (LoTL) or sharing infrastructure to maximise their opportunities, and using pre-installed tools to move laterally and stealthily across a network before instigating an attack.
Ransomware far from gone: In general, previous high rates of ransomware have been replaced with more targeted attacks, but ransomware is far from gone. Instead, multiple attacks demonstrate it is being customized for high-value targets and to give the attacker privileged access to the network. The new ransomware variants demonstrate that security leaders need to remain focused on patching and backups against commodity ransomware, but targeted threats require more tailored defences to protect against their unique attack methods.
Pre- and post-compromise traffic: Research to see if threat actors carry out phases of their attacks on different days of the week demonstrates that cybercriminals are always looking to maximize opportunity to their benefit. When comparing Web filtering volume for two cyber kill chain phases during weekdays and weekends, pre-compromise activity is roughly three times more likely to occur during the work week, while post-compromise traffic shows less differentiation in that regard. This is primarily because exploitation activity often requires someone to take an action such as clicking on a phishing email. In contrast, command-and-control (C2) activity does not have this requirement and can occur anytime.
Majority of threats share infrastructure: The degree to which different threats share infrastructure shows some valuable trends. Some threats leverage community-use infrastructure to a greater degree than unique or dedicated infrastructure. Nearly 60% of threats shared at least one domain, indicating the majority of botnets leverage established infrastructure. Understanding what threats share infrastructure and at what points of the attack chain enables organisations to predict potential evolutionary points for malware or botnets in the future.
Content management needs constant management: Adversaries tend to move from one opportunity to the next in clusters, targeting successfully exploited vulnerabilities and technologies that are on the upswing, to quickly maximise opportunity. An example of new technologies getting a lot of attention from cybercriminals recently are Web platforms that make it easier for consumers and businesses to build Web presences. They continue to be targeted, even associated third party plug-ins.
Tools and tricks for living off the land: Threat actors operate using the same business models as their victims: to maximize their efforts, attack methods often continue to develop even after gaining an initial entry. To accomplish this, threat actors increasingly leverage dual-use tools or tools that are already pre-installed on targeted systems to carry out cyber attacks. This “living off the land” (LoTL) tactic allows hackers to hide their activities in legitimate processes and makes it harder for defenders to detect them.
Organisations need to rethink their strategy to better future proof and manage cyber risks. An important first step involves treating cybersecurity more like a science – doing the fundamentals really well – which requires leveraging the cyberspace fundamentals of speed and connectivity for defence. Embracing a fabric approach to security, micro and macro segmentation, and leveraging machine learning and automation as the building blocks of AI, can provide tremendous opportunity to force our adversaries back to square one.
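The two measurements mentioned in this answer, weekday-versus-weekend volume per kill chain phase and the share of threats that reuse a domain with another threat, can be reproduced by a defender over their own web-filter logs. The script below is an added illustration and is not code from the interview or from Fortinet; the log format (timestamp, threat family, phase, domain), the family names and the domains are all constructed for the example.

```python
"""Added example (not from the interview or Fortinet): two small analyses over a
constructed web-filter log, mirroring the report findings quoted in the answer.

1. Weekday vs. weekend event volume for pre-compromise vs. post-compromise (C2).
2. Which threat families share at least one domain, and in which phase.

Field layout, family names and domains are constructed, not real IoCs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <family> <phase> <domain>" per line.
# 2019-03-04 is a Monday; 2019-03-09/10 are Saturday/Sunday.
SAMPLE_LOG = """\
2019-03-04T09:12:00 familyA pre-compromise phish-lure.example
2019-03-04T10:30:00 familyA post-compromise c2-one.example
2019-03-05T11:02:00 familyB pre-compromise phish-lure.example
2019-03-06T14:45:00 familyC pre-compromise kit-host.example
2019-03-06T15:00:00 familyC post-compromise c2-two.example
2019-03-09T03:15:00 familyA post-compromise c2-one.example
2019-03-09T04:40:00 familyD post-compromise c2-three.example
2019-03-10T22:05:00 familyB post-compromise c2-one.example
2019-03-10T23:30:00 familyD pre-compromise phish-lure.example
"""


def parse_log(text):
    """Parse one 'timestamp family phase domain' record per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, family, phase, domain = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "family": family,
            "phase": phase,
            "domain": domain,
        })
    return events


def weekday_weekend_split(events):
    """Per phase: event counts on weekdays vs. weekends and their ratio."""
    counts = defaultdict(lambda: [0, 0])  # phase -> [weekday, weekend]
    for ev in events:
        idx = 1 if ev["time"].weekday() >= 5 else 0  # Mon=0 ... Sat=5, Sun=6
        counts[ev["phase"]][idx] += 1
    result = {}
    for phase, (wd, we) in counts.items():
        ratio = wd / we if we else float("inf")
        result[phase] = {"weekday": wd, "weekend": we, "weekday_to_weekend": ratio}
    return result


def shared_infrastructure(events):
    """Domains used by more than one family, the phase each is seen in, and the
    fraction of families that share at least one domain with another family."""
    domain_to_families = defaultdict(set)
    domain_to_phases = defaultdict(set)
    for ev in events:
        domain_to_families[ev["domain"]].add(ev["family"])
        domain_to_phases[ev["domain"]].add(ev["phase"])
    shared = {d: sorted(f) for d, f in domain_to_families.items() if len(f) > 1}
    all_families = {ev["family"] for ev in events}
    sharing = set().union(*shared.values()) if shared else set()
    return {
        "shared_domains": shared,
        "shared_domain_phases": {d: sorted(domain_to_phases[d]) for d in shared},
        "fraction_sharing": len(sharing) / len(all_families),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for phase, stats in weekday_weekend_split(evs).items():
        print(phase, stats)
    print(shared_infrastructure(evs))
```

On the constructed sample, pre-compromise events are three times more frequent on weekdays than at the weekend while post-compromise events are not, and three of the four families reuse a domain (all of them in the pre-compromise phase for the lure host, two of them for a C2 host). On real data the interesting output is the per-phase breakdown of shared domains, which is what lets a defender prioritise blocking infrastructure that several campaigns depend on.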
What are the possible solutions and are they capable of combating threats?
Security has to not only be effective, but actually has to get ahead of the fast-moving threat landscape. A new generation of tools, such as advanced behavioural analysis, intent-based segmentation, automation, machine learning and artificial intelligence, will need to be incorporated into everyone’s security strategy. This starts by automating not just detection and protection, but also predictive systems that empower prevention.
We also need machines to identify threats and respond in an appropriate manner. This starts with a predefined set of protocols and a pre-programmed decision tree, which is what most vendors mean when they claim to have embedded AI into their systems. But what we really need is the ability to correlate threat intelligence across a variety of tools such as analytics to identify a complex attack scenario, especially those made up of smaller attack events. This will also require the application of AI solutions to accelerate the process of discovering and responding to events, especially those never seen before.
Securing today’s networks requires automating the identification, detection and remediation of malicious tactics, particularly those techniques designed to evade discovery. Even more challenging is the creation of new techniques for searching beyond patterns in code and malware behaviour.
We have been early adopters of AI, which has enabled us to significantly improve the immediate detection and remediation of global threats with amazing accuracy. And now, that advanced intelligence is being integrated into a growing suite of security devices alongside analytics and intent-based security solutions, for both physical and cloud deployments. This enables organisations to reallocate valuable human resources to other, higher-order tasks, while autonomous tools can detect, prevent, and even predict threats in order to short-circuit attacks before they can cause damage.
What is the level of awareness and acceptance of the large organisations in using solutions?
Security sprawl is a real challenge for most organizations, especially now as networks are expanding and evolving rapidly, and security resources are increasingly limited. Most companies have loaded a hodgepodge of perimeter defences over the years. Most of these tools operate in isolation, watching a particular gateway looking for specific types of threats. You try and keep your antivirus and antimalware systems updated, patch and update your systems with some regularity, and try to stay posted about active threats. Of course, NGFWs, antivirus, spam filters, multi-factor authentication, and a comprehensive breach response plan all have an important job to do. Turn off your traditional Layer 2-3 firewall and see how long it takes for your network to catch on fire. The issue rests with what’s missing.
When addressing threats that are already on the blacklist, those that have been encountered previously and that act in a predictable way, reactive security strategies can be enough. But for expanding threat vectors, emerging attack strategies, sophisticated cybercriminal communities, previously unseen malware, and zero day vulnerabilities and exploits, along with insiders capable of bypassing your edge-based protective measures, reliance on reactive security alone can leave you exposed.
We’re long past the age when being hit with a cyber attack was a once-in-a-blue-moon event or a case of bad luck. The reality is much different. Nearly half of all organisations experienced a cyber attack last year. Smaller businesses, which typically have smaller budgets and staff, had it even worse, with 67% of SMBs experiencing a cyber attack in 2018. These breaches forced 60% of small businesses to close within six months of an attack.
According to our labs researchers, unique malware variants grew 43% in Q3 of 2018 alone, while the number of unique daily malware detections per firm rose 62%. Even worse, the average time to identify a breach is 197 days, and the average time required to contain a breach after detection is still a whopping 69 days. Most concerning is that according to one report, 73% of organizations have self-reported that they are unprepared for a cyber attack. Clearly, a reaction-based security strategy simply doesn’t work.
Getting out of the trap of reaction-based security requires organizations to rethink both their networking and security strategies. Organisations need to begin by anticipating attacks by implementing zero-trust strategies, leveraging real-time threat intelligence, deploying behavioural analytics tools, and implementing a cohesive security fabric that can gather and share threat intelligence, perform logistical and behavioural analysis and tie information back into a unified system that can pre-empt criminal intent and disrupt criminal behaviour before it can gain a foothold.
Is there a variation across sectors in vulnerability to threats and their acceptance of solutions? Any charts, figures, statistics?
Many Operational Technology (OT) systems are being connected to the outside world for the first time. This trend promises great benefits for organisations, but also exposes OT systems to advanced persistent threats. The “air gap” that protected OT systems from hackers and malware no longer exists at many organizations, and adversaries are increasingly targeting OT systems as a result.
Convergence has exposed OT systems to the same security risks that impact IT systems, and makes OT-specific exploits easier to propagate. Compounding the problem, ICS and SCADA systems have historically operated on a much longer update and replacement cycle than IT systems, meaning that many very old technology systems are now being exposed to today’s advanced persistent threats for the first time. Another challenge is a lack of visibility: 82% of respondents to one survey acknowledged that they are unable to identify all the devices connected to their OT and IT networks.
At many organisations, these challenges have resulted in an unacceptably high rate of security incidents. In a recent survey of OT leaders, 77% of respondents said they had experienced a malware intrusion in the past year, and half experienced between three and ten. The nature of these intrusions is concerning: respondents report events that impacted productivity (43%), revenue (36%), brand awareness (30%), data loss (28%) and even physical safety (23%).
Indeed, adversaries have many incentives to attack ICS and SCADA systems. Criminals can demand a ransom after halting operations at a factory, disabling a badge access system, or taking control of a piece of critical infrastructure. Competitors, often nation-state actors on behalf of state-owned enterprises, can infiltrate systems for the purpose of industrial espionage. And attackers with political aims can target organisations perceived to stand in the way of their objectives by sowing chaos and disruption.
As OT systems become more connected, the trend of increased attacks seems likely to continue. This new exposure requires organisations to adhere to more rigorous security operations and life-cycle management best practices to protect their organisations from major threats to the core of their business.