Vigilance required in an evolving enterprise threat landscape
Change is the only constant in the cybersecurity environment, where threats continue to appear and evolve. This is a result of the ever-changing threat landscape driven by the evolving intent, tools and approaches of the adversaries and attackers. It is in these circumstances that today’s successful organizations learn and adapt themselves to ensure greater resilience against the threats. Organizations must match current cybersecurity threats by deploying countermeasures that reduce their risk and exposure.
ISACA recently published part two of its State of Cybersecurity 2018 research, focusing on the threat landscape. The results reflect the learning that organizations have experienced in confronting evolving cybersecurity risk and threats. The research provides valuable inputs distilled from the collective experience of multiple organizations in better understanding cybersecurity risks.
Attack Volumes Increase, But Rate Falls
A majority of organizations that participated in the survey report an increase in the volume of attacks. While the volume has increased, the rate of increase was seen to be lower than the previous year, although of course, the rate of increase varies substantially for different organizations. A look at the attack categories indicates that the top three spots are occupied by the same threats as in the past – phishing, malware and social engineering continue to loom as familiar threats. Organizations thus need to maintain efficient solutions and approaches to counter these existing cybersecurity threats.
Some of the attacks are easy to deploy for the attackers while others are more complex and difficult for cybercriminals to launch. Naturally, many attackers will prefer harvesting the low-hanging fruit. Phishing is one such attack where the efforts are lower for the attacker but where the probability of a successful attack is high. Some other attack vectors are more sophisticated but continue to be dominant attack techniques. Malware development is one such sophisticated attack. Different malware may be used as attack vectors for launching various attacks. Thus, even as new attacks and threats are developed, malware continues to be deployed as a vector across different attacks and hence represents one of the top threats.
Cybercriminals, hackers, malicious as well as non-malicious insiders, nation-states and hacktivists have been identified by the survey respondents as the top threat actors, in descending order. The top motive cited by the respondents was financial. The correlation between the top threat actors – cybercriminals and the top motive – financial – seems to signify a logical connection.
During the previous year, ransomware emerged on the cybercrime scene and attracted significant attention due to its increased prevalence. Considering that the financial motive was identified as the primary reason behind the attacks, one may have expected ransomware attacks to have increased. Surprisingly, organizations have reported a lower level of ransomware attacks compared to the previous year. This phenomenon may be baffling; however, this may be explained by a better level of preparedness against ransomware. Organizations have reported that they are now better prepared for these attacks.
Organizations Are Better Prepared as Threats Shift
Implementing strategies and countermeasures, along with increased user education, have prepared organizations to better protect themselves against ransomware. Respondents report that organizations are unwilling to pay ransom in case of ransomware attacks. A better level of preparedness and reluctance to pay the ransom in case of attack may have made ransomware less attractive to attackers. By protecting themselves better, organizations seem to have collectively reduced the potency of ransomware. As attractiveness of an attack decreases for the attackers, the attackers turn their attention to alternate attack techniques. Despite the lower incidences, it is essential that organizations should continue to be vigilant against ransomware, as reinforced by the high-profile ransomware attack that hit the city of Atlanta in the US this year.
Cryptocurrency mining malware has emerged as one of the newer attack techniques. The cryptocurrency mining malware infects the computing systems of the victim. The malware seeks to utilize computing power of the infected systems for Bitcoin mining activity for the attacker. As compared to ransomware, Bitcoin mining malware is likely to stay hidden for a longer time. This type of malware does not generally access or impact the file system. This enables it to remain hidden or stealthy for a longer period. The malware attempts to utilize the computing power of victims’ computers and use it to their advantage.
Computers are increasingly deployed with powerful processors and bigger RAM. In this scenario, where resources like computing power and RAM is available in abundance, surreptitiously diverting part of it for Bitcoin mining may not be easily detected. The attractiveness of Bitcoin mining malware to an attacker may, however, vary over time. As Bitcoin valuation fluctuates and if the difficulty levels of Bitcoin mining increase, the perceived rewards could also change for the attackers.
Knowing Your Threat
Many organizations recognize the importance of threat intelligence in gaining a better understanding of the threat landscape. Awareness of the threat landscape equips organizations to shore up defenses and be ready to face the ever-evolving threat landscape. Such an approach can help to prioritize security activities, including identification of critical countermeasures and software patches. Threat intelligence helps in implementing preventive controls against the threats. Preparing the organization’s security and IT staff to protect against the threats in a timely manner may be considered a passive approach to confronting possible attacks.
A passive approach relies on strengthening the technology controls so that the controls are capable of resisting attacks. Updating malware signatures or updating OS patches represent this approach. An active approach, on the other hand, seeks to divert and defeat attackers by engaging the attack in real time. Some of these methods include deploying honeypots to direct the attack to decoy systems where they can be studied and responded to. Another example is the deployment of sinkholes to divert traffic and collect the malicious traffic in a well-fortified system instead of the targeted devices or computers.
Active defense strategies have been less prevalent. Organizations have attributed this largely to the unavailability of skills within the organization as well as budget constraints. Some organizations also perceive technical challenges in implementing active strategies while others are unclear on the legal implications. Of the organizations that have implemented an active defense approach, an overwhelming majority of them have reported active defense as being successful. The high success rate reported by some of the organizations likely will be encouraging to organizations that are considering deploying an active defense approach.
ISACA Report Provides Insight
The ISACA State of Cybersecurity research has provided nuanced insights to help organizations be better prepared against the latest cybersecurity threats. While the survey indicates an increase in the volume of cyber attacks this year, it also identifies key trends on the threat landscape that can help organizations refine their security strategy and investment. The threat landscape is dynamic, with some traditional threats continuing to show an increase (phishing), other attack types showing a decrease (ransomware), along with some threats that have newly emerged (Bitcoin mining malware). These insights help validate the experiences of many security professionals around the world. Learning from these insights and aligning their security programs accordingly can help organizations enhance their cybersecurity posture.
About the author: Sandeep Godbole has been in the Information assurance/audit/security domain for over 10 years. He holds certifications CISM, CISA, CISSP, and CEH. Godbole has worked across a spectrum of industries including automobile, professional services, airlines and IT, and presently works as Information Security Manager at Syntel. His previous employers include Tata, Deloitte, and Emirates Airlines. He is the past President, ISACA Pune Chapter.