Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

The democratisation of threats

Issue 7 2022 Information Security

Source: Bugcrowd

Cybersecurity breaches captured numerous headlines in 2021, with several high-visibility incidents (for example, the Log4Shell exploit) focusing the public’s imagination on emerging threats such as ransomware, and government policy quickly spinning up in response. Notably, we’ve seen a ‘democratisation’ of such threats due to the appearance of a ransomware economy and a continued blurring of the lines between state actors and eCrime organisations – which, combined with growing and more lucrative attack surfaces, have made for a highly combustible environment. In 2022, we expect more of the same.

Ransomware hits Main Street

Ransomware overtook personal data breaches as the threat that dominated cybersecurity news around the world in 2021. The US Treasury’s Financial Crimes Enforcement Network (FinCEN) reported in June 2021 that the total value reflected in ransomware-related suspicious activity reports (SAR) during just the first six months of that year had reached $590 million, exceeding the $416 million reported for all of 2020.

We are now seeing ransomware gangs applying lean start-up principles to their operations. They begin with skeleton teams making scattergun, speculative attacks and crudely requesting their rewards in cryptocurrency. Following one or two successful attacks, these teams treat the ransoms paid as seed capital, using it to grow their operations and invest in better software, talent and exploits.

At the elite end, ransomware teams run processes that include detailed research to identify targets, advanced communications, media relations to stoke fear and increase the likelihood of a payout occurring, and even IT desks and ticketing systems to allow their clients/victims to get their data back and operations running again. Many attackers now track CVEs to find gaps for exploitation that have remained undetected by organisations that fail to take a proactive approach to their security.

One of the terrifying consequences of the increase in the scale and impact of attacks is that it brings critical national infrastructure and healthcare facilities more into play as targets. In 2021, the Colonial Pipeline attack shut down gasoline supply to half the east coast of the US for several days, pushing prices above $4 per gallon and costing tens of millions of dollars on top of the ransom paid. Research shows that death rates increase when hospitals suffer ransomware attacks, and the tragic case of an infant death in 2019 may have been the first life lost that can be directly traced to ransomware.

Given the economics of ransomware, this problem will not disappear soon: director of the NSA and head of US Cyber Command, General Paul Nakasone, predicts persistent ransomware threats ‘every single day’ for the next five years.

In advance, the Dutch government signalled that it would be countering ransomware with offensive operations, and the head of the UK’s National Cybersecurity Centre said that responding to ransomware would include integrating and deploying a range of tools, including economic measures and military capabilities.

This gradual legitimisation of offensive deterrence follows the ‘release the hounds’ doctrine first proposed by Bugcrowd in 2014 and popularised by Patrick Grey on the Risky Business podcast.

Attack surfaces and supply chains exposed

While security teams have spent countless hours addressing the ‘new normal’ of hybrid work environments (such as the use of home Wi-Fi with cheap hardware configured to default settings), few have budgeted for it in advance. This means that many remote workers have a lightly defended entry point into the corporate network. Advanced attackers are now using these entry points to gain a foothold.

The overall effect is a massive expansion of IT footprints and associated attack surface. Research by the Enterprise Strategy Group found in 2019 that the average organisation’s attack surface was 40% “unknown”. And that was before short-term workarounds to enable working from home that became permanent, and the decision by many organisations to adopt remote working policies.

2021 was also a record year for mergers and acquisitions (M&As). Given that M&A activity is a principal driver of shadow IT and forgotten assets, this will accelerate the trend of vulnerable attack surfaces being exploited by malicious actors.

Acquisition activity and entropy, over time, leads to a reliance on legacy software that is often poorly maintained and more likely to contain vulnerabilities. These can be especially dangerous when there are unmaintained OS components in the mix, as these can enable lateral movement to access high-value assets. Trends associated with the pandemic have accelerated risks associated with unknown and vulnerable assets, a trend that was already observed prior to the start of the pandemic

Supply chains have increased in size and complexity, and with them the attack surfaces that each organisation needs to secure. For example, data from BlueVoyant [1] shows that companies with over 1000 employees share data with more than 1000 third parties on average, and this number is sure to grow. The risk is even higher for vulnerabilities that touch numerous interdependencies, such as the Log4J vulnerability.

This demand has created a thriving industry for scanners and automated tools. However, automation is hardly a silver bullet. Attackers have access to those same tools and can supplement them with domain knowledge, creativity and intuition, and they are also skilled in working through OODA loops (observe–orient–decide–act) quickly during the lag times associated with scanners.

Only an approach that turns that weakness into a strength – by adopting the same tools, techniques and mindset as attackers to uncover vulnerabilities before they do – leads to success.

Use of n-days by APTs

Whereas, in the past, advanced persistent threats (APTs) were defined by state-of-the-art tactics and clandestine operations, this approach is shifting. Diplomatic norms around hacking have weakened to the point where nation-state attackers are less concerned with stealth than they were in the past.

Because APT behaviour is determined by the incentives of free markets, they are figuratively willing to put down their sniper rifles and pick up shotguns on occasion. Lower-level targets are now on APTs’ radars, and they are willing to use ‘n-days’ (simple exploits of known vulnerabilities) and less sophisticated attacks to crack them. The convergence of tactics between APTs and cybercriminals coincides with an increased willingness from state actors to engage in malicious activity for economic gain or camouflage. For example, Crowdstrike has found that Iranian cyber operations were engaging in eCrime to complicate attempts at attribution, while Teiss [2] reported that the main source of revenue for the North Korean state is cybercrime.

Researchers on the Bugcrowd platform have responded by focusing their efforts on commercially available off-the-shelf products, which are being targeted more frequently when n-days drive attacker behaviour.

From penetration testing, to crowdsourced, to multi-sourced

Penetration testing is the oldest outsourced service in security, with traditional penetration testing dating back to the 1990s in its current form. Arguably, penetration testing extends even further back to the UK government’s ‘tiger teams’ of the 60s and 70s, formed to identify and exploit vulnerabilities in computer programs. This evolved into ‘adversarial simulation,’ which became incorporated into the PCI-DSS standard in 2006.

Penetration testing has evolved more over the past three years than over the previous 20, as ownership on the client side has moved from the governance, risk and compliance teams to the security team.

The change in ownership shifted the focus from meeting strictly regulatory goals to also finding vulnerabilities that go beyond the checklist. All this turmoil has caused industry leaders to consider penetration testing from first principles, and to reassess the definition of a penetration test in a world where vulnerabilities can constantly be uncovered by remote hackers.

The traditional model of paying a small team of penetration testers for set-piece projects has evolved, with Bugcrowd now offering a modern ‘Pen Testing as a Service’ solution that integrates the crowd into pen test workflows to replace or complement traditional, compliance-focused testing.

This new approach has broadened the range of models available, enabled rapid launch times, and provided much more flexibility for customers with pen testing needs. Buyers can now consider their needs around compliance, budget, deadlines and physical security, and implement the right pen testing models accordingly.

This article was extracted from The Priority One Report 2022 from Bugcrowd. The full report is available at https://www.bugcrowd.com/resources/report/priority-one-report/ (or via the short link: www.securitysa.com/*bug2)

[1] https://www.bluevoyant.com/resources/managing-cyber-risk-across-the-extended-vendor-ecosystem (or via the short link: www.securitysa.com/*blue1)

[2] https://www.teiss.co.uk/news/cyber-crime-is-now-the-north-korean-regimes-biggest-source-of-income-9016 (or via the short link: www.securitysa.com/*teiss1)





Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

What are MFA fatigue attacks, and how can they be prevented?
Information Security
Multifactor authentication is a security measure that requires users to provide a second form of verification before they can log into a corporate network. It has long been considered essential for keeping fraudsters out. However, cybercriminals have been discovering clever ways to bypass it.

Read more...
SA's cybersecurity risks to watch
Information Security
The persistent myth is that cybercrime only targets the biggest companies and economies, but cybercriminals are not bound by geography, and rapidly digitising economies lure them in large numbers.

Read more...
Cyber insurance a key component in cyber defence strategies
Information Security
[Sponsored] Cyber insurance has become a key part of South African organisations’ risk reduction strategies, driven by the need for additional financial protection and contingency plans in the event of a cyber incident.

Read more...
Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...











SMART Security Business Directory



Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.