The job of the CISO and the security staff never stops. The security lifecycle requires constant attention through monitoring and analysis, responding to threats, and improving policies and protocols. The trick is to always stay one step ahead of cyber-criminals who are relentlessly targeting your infrastructure and resources. Sometimes, however, we are our own worst enemies.
74 percent of respondents to a recent survey of global executives and IT leaders say that careless employees are the most likely source of a cyber-attack. While 56 percent of respondents named criminal syndicates as the main source of cyber-attacks, 52 percent also identified malicious employees as a significant risk. Clearly, with IT professionals rating insider threats nearly as high a risk as professional cyber-crime syndicates, perimeter security measures are not enough.
Inadvertent insider threats are often the result of a general lack of security knowledge and neglect, such as employees falling victim to phishing and social engineering attacks. However, they can also come from employees storing or sending sensitive data on insecure applications that IT is not aware of, something that is referred to as Shadow IT. For example, if an employee sends a data set to a personal email address or cloud storage site like Dropbox in order to work on it from home, that data is at higher risk because it is no longer protected within the confines of the secured network.
Fortinet just released its Global Threat Landscape Report for 2Q. Much of the data it provides is just what you’d expect.
Hot and cold exploits
Rather than spending resources on building new zero day attacks, cyber-criminals are increasingly focused on simply exploiting known vulnerabilities. WannaCry targeted a Microsoft vulnerability for which a patch had been available for nearly two months. Targeting recently announced vulnerabilities is something we refer to as ‘hot exploits’. As with zero-day attacks, the idea is to take advantage of the window of opportunity between the announcement of a vulnerability and when an organization applies the patch.
Ideally, that window should be as narrow as possible. But it’s not. NotPetya not only followed on the heels of WannaCry a month later, but also successfully targeted the exact same vulnerability. Even with the global impact of the first attack ringing in their ears, far too many organizations failed to take action.
Unfortunately, that’s just a symptom of a much larger problem. During 2Q, a full 90 percent of organizations recorded that they had been the victims of exploits targeted at vulnerabilities that were three or more years old. And worse, 60 percent of firms experienced successful attacks targeting vulnerabilities for which a patch had been available for ten or more years.
As with most problems of this kind, the reasons are complicated. Networks are growing rapidly and span a variety of highly distributed and extremely elastic ecosystems, including physical, virtual, and cloud environments. In such an extreme landscape, it is easy to lose track of devices or to fail to maintain a systematized patch-and-replace protocol.
But whatever the reasons, because so many organizations fail to patch or replace devices and systems with known vulnerabilities, cyber-criminals simply assume that they are going to be able to get in. So they are shifting resources away from developing new ways to break into networks and are focusing on developing automated and intent-based tools designed to deliver more sophisticated payloads.
The challenge of hyper-connectivity
In today’s digital economy, speed and efficiency are essential, and access to data is king. Which is why, more and more, everything is connected to everything else.
This explains why we are seeing so many organizations supporting peer-to-peer (P2P) and proxy applications. However, we also see that organizations that allow P2P applications are reporting seven times as many botnets and malware as those that don’t. Similarly, organizations allowing proxy applications report almost nine times as many botnets and malware as those that don’t allow them.
2Q saw nearly three billion botnet detections from about 250 unique botnets. 45 percent of firms detected at least one active botnet in their environment during the quarter, and about three percent reported being simultaneously infested with 10 or more unique active botnets.
Exploits are smarter than ever
With so many organizations figuratively setting out the welcome mat to cyber-criminals, attackers now have the luxury to build increasingly complex and sophisticated exploits.
Once malware has gained entrance, sophisticated, multi-vector intelligence enables malware tools to automatically identify a device or operating system, determine what vulnerabilities exist for that system, and then select the appropriate exploit from its advanced toolkit of options. Then artificial intelligence-like capabilities enable the malware to avoid detection through a variety of sophisticated techniques, such as learning and mimicking traffic patterns and speeds in order to effectively blend into the background.
For 2Q, FortiGuard Labs recorded 62 million malware detections. Among these were nearly 17,000 malware variants from over 2,500 different malware families. The most common functionality among top malware families is the downloading and uploading of files, followed by dropping other malware onto an infected system.
What you can do
Let's get back to the basics. Organizations need to start by identifying all critical assets and services on their network, combined with actionable threat intelligence services. Next, restart or double down on efforts to identify and patch vulnerable systems and replace older systems that are no longer supported. In today's environment, that may mean implementing some sort of asset tracking and management tool. Then one can build proper mitigation solutions and incident response plans around that.
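As an added illustration of the patch-window triage the article argues for in the "hot exploits" section and the basics above (example code, not Fortinet's tooling or data), the following Python buckets each system in a constructed inventory by how long its fix has been available, using the article's own thresholds; host names, CVE ids and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds taken from the article: WannaCry hit a vulnerability patched ~2 months
# earlier ("hot"), 90% of firms saw exploits for 3+ year-old flaws, 60% for 10+ years.
HOT_WINDOW_DAYS = 60
STALE_YEARS = 3
ANCIENT_YEARS = 10

@dataclass
class Asset:
    name: str
    cve_id: str                              # placeholder, not a real advisory
    patch_released: date                     # date the vendor fix became available
    patched: bool
    end_of_support: Optional[date] = None    # None means the platform is still supported

def classify(asset: Asset, today: date) -> str:
    """Bucket one asset by the age of its open patch window."""
    if asset.patched:
        return "patched"
    if asset.end_of_support and asset.end_of_support <= today:
        return "replace"        # no fix will ever ship: the article's "replace" case
    age_days = (today - asset.patch_released).days
    if age_days >= ANCIENT_YEARS * 365:
        return "ancient"
    if age_days >= STALE_YEARS * 365:
        return "stale"
    if age_days <= HOT_WINDOW_DAYS:
        return "hot"            # inside the window attackers race to exploit
    return "open"

def triage(assets, today: date) -> dict:
    """Group asset names by bucket so a patch/replace worklist can be built."""
    buckets = {k: [] for k in ("replace", "hot", "ancient", "stale", "open", "patched")}
    for asset in assets:
        buckets[classify(asset, today)].append(asset.name)
    return buckets

# Constructed inventory; TODAY is fixed so the results are reproducible.
TODAY = date(2017, 5, 12)
INVENTORY = [
    Asset("file-server-01", "CVE-PLACEHOLDER-1", date(2017, 3, 14), False),
    Asset("hr-db", "CVE-PLACEHOLDER-2", date(2013, 1, 10), False),
    Asset("legacy-kiosk", "CVE-PLACEHOLDER-3", date(2005, 6, 1), False, date(2014, 4, 8)),
    Asset("plc-gateway", "CVE-PLACEHOLDER-4", date(2006, 8, 8), False),
    Asset("web-proxy", "CVE-PLACEHOLDER-5", date(2017, 4, 1), True),
]

if __name__ == "__main__":
    for bucket, names in triage(INVENTORY, TODAY).items():
        print(f"{bucket:8s} {names}")
```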
IT teams will also need to take a hard look at the impact that analyzing high volumes of encrypted traffic will have on the performance of current security devices and platforms. Not only is the volume and percentage of encrypted traffic expected to continue to rise, but advanced malware is also expected to purposefully target the limitations of security devices by exploiting CPU-intensive areas like unstructured data.
Network segmentation must also become a critical part of one’s digital business strategy. As one considers adopting things like risky apps, IoT devices, and encrypted data, one needs to ensure that they are separated as much as possible from the rest of the network. Proper segmentation will drive security deep into the network so infected devices and malware can be detected and isolated anywhere they occur, and before they can spread. Segmentation combined with regular data backup is also an effective way to combat ransomware.
Mitigating the risks posed by employees
Organizations need to adopt the principle of least privilege or zero trust policies, which give employees access to the minimum number of resources needed to do their jobs, while promoting in-depth monitoring of data movement across the network. And since privileged users have access to the most valuable data, security best practices dictate that these accounts are monitored more closely.
Finally, attacks are not only coming faster, they are also designed to reduce the time between breach and impact. The smarter ones can even learn how to avoid detection. One can no longer afford to hand correlate threat data between devices to detect threats, or respond to attacks at anything less than machine speeds.
In the ongoing cyber-war, one must be able to fight automation with automation, which means one can no longer afford to deploy isolated devices or platforms. Instead, one has to develop integrated expert security systems that can automatically collect, correlate, share, and respond to threats in a coordinated fashion, anywhere across the distributed network ecosystem.
(Fortinet India and SAARC Regional Vice President Rajesh Maurya)