Cyberattacks are getting more sophisticated and better supported, and attackers are becoming more business-oriented. Those are just some of the conclusions from a VMware Carbon Black blog that has just been released. The blog looks at the ongoing battle between attackers and defenders, what happened in 2020 and what 2021 will bring.
The blog uses the SolarWinds attack to highlight how cybercriminals are using multiple techniques in a single attack. For example, the software supply chain attack against SolarWinds turned it into a distribution channel for malware. That malware was then used for island-hopping into other companies across multiple supply chains.
“This is not an isolated event,” notes Tom Kellermann, Head of Cybersecurity Strategy, VMware Security Business Unit. “With COVID-19 catalyzing digital transformation and a shift to cloud services, these sorts of attacks will only increase in frequency. Organizations have to realize that it’s no longer simply about whether breaches along their supply chains can be leveraged to attack them, but whether they themselves can be used to attack their customers.”
From isolated groups to malicious enterprises
There is no question that cybercrime has evolved. It is no longer small groups of people looking for targets of opportunity. Today’s cybercrime group has taken a leaf out of the Mafia’s playbook and turned itself into a professional industry. Some groups focus on developing and then selling zero-day attacks. Others write malware that they then rent out to anyone who wants access. Ransomware-as-a-Service (RaaS) is one example of this joint enterprise that has expanded rapidly in the last year.
Greg Foss, Senior Cybersecurity Strategist, VMware Security Business Unit, comments: “Since 2019, we’ve seen e-crime shift from covert shadow groups into these pseudo-legitimate businesses, replete with customer service channels, clear business sites, and increasingly sophisticated attack methods.”
What did VMware Carbon Black see in 2020?
In the blog, the company calls out four areas where it has seen attackers evolve:
- Ransomware attacks are getting increasingly sophisticated: nearly 40% of respondents said double-extortion ransomware was the most observed new ransomware attack technique in 2020. Interestingly, some attackers are simply focusing on extortion, as seen in the recent attack on Qualys.
- A growing number of attackers are fighting back: 63% of respondents witnessed counter incident response (IR) since the start of the pandemic. Security tooling disablement was the most observed technique. Disabling security tools is not a new approach. However, 2020 has seen a significant increase in malware dropping specific packages targeting security software.
- Attackers are leveraging a number of counter IR techniques. The top techniques observed were: security tool disablement (33%); DDoS (distributed denial-of-service) attacks (26%); security tool bypass (15%); destruction of logs (11%). Again, most of this is not new, but it is the scale that is of concern. DDoS attacks are getting larger and more commonplace, while the destruction of logs aims to prevent both detection and forensic analysis of an attack.
- Island hopping is increasingly prevalent, as attackers “hop” from one network to another along the supply chain: nearly half (44%) of respondents said they witnessed island hopping in more than 25% of all IR engagements; 13% witnessed it in over 50% of engagements. As organisations increasingly interconnect their IT systems with both suppliers and customers, they provide a transmission route for cyberattacks. Think of it as a lesson from the pandemic. As people mix without taking precautions, they spread disease. As organisations mix without securing their systems, they allow cyberattacks to spread.
What is the outlook for defenders?
It’s always easy to say that the attackers have the upper hand. After all, they are not constrained by corporate rules and regulators. But that shouldn’t inhibit a response to the situation. According to the blog:
- This year, the top security priorities for organizations include:
  - security for trusted third parties/supply chain (24%);
  - remote access security (24%);
  - network and endpoint security (22%);
  - identity and access controls (21%);
  - hardware/physical device security (9%).
Add secure by design, and you begin to see a zero-trust approach emerging. The challenge for IT security teams is both time and cost. Will the board provide the funds to address all these areas, and where will they get the staff?
- Security teams now know it’s not a matter of if they’ll get attacked, but when – and have adopted a proactive mindset: 81% of organizations reported having a threat hunting program. Before you can defend, you need to have some idea of what attacks you are facing. Threat hunting is part of that approach, and for large enterprises, running their own threat hunting team makes sense. Businesses of other sizes will rely on Managed Security Services Providers (MSSPs) to help them make sense of the attacks they are facing. Importantly, those MSSPs are changing how they talk about threats. They are now moving toward playbooks that provide actionable intelligence rather than listing the technical details of an attack.
Enterprise Times: What does this mean?
2020 provided attackers with a multitude of targets. As companies struggled to adapt to remote working, they found their security posture wanting. Yet, as the blog’s authors note: “On the bright side, the pandemic has served as a wake-up call for security leaders as an opportunity to rethink their full security stack. In 2021, organizations will need the right mindset, investment and platforms to stay one step ahead of attackers.”
The question for security teams is whether they can be as adaptable as their adversaries. It’s a tough ask, especially as most of the work is unseen and, therefore, hard for the main board to quantify. However, there are options. Finding and retaining skilled staff is tough when vendors, cloud operators and MSSPs can offer better salaries and packages. What companies need to do is decide what they can handle in-house and what they are willing to outsource.
The attackers might have won 2020, but there is still plenty of time for a comeback in 2021, as this blog suggests.