The security outlook for 2023: Five trends

Image by Gerd Altmann from Pixabay

Standfirst: The industry has faced many challenges in 2022. They include coming out of pandemic lockdowns, unprecedented supply chain challenges and economic issues. These will continue to shape businesses over the next 12 months. Jonathan Lee, Senior Product Manager, Menlo Security, discusses five key security trends for 2023.

The problem is getting worse, but how much worse?

Attackers are honing their techniques. They know what technologies are out there and what is being deployed by businesses as part of their security stack. Attacks will become more evasive, ingenious, and focused on bypassing existing security defences. Those defences are often inadequate or outdated as adversaries develop new and novel ways of getting around them.

Menlo Security has been tracking the increase in HEAT attacks, or Highly Evasive Adaptive Threats, a class of cyber threats that target web browsers as the primary delivery mechanism. They employ techniques to evade multiple layers of protection, such as firewalls, secure web gateways, malware analysis including sandboxing, URL reputation and phishing detection.

Our Threat Labs team tracked a 224% increase in HEAT attacks in 2021. We expect to see a similar increase this year. Attackers will continue to evolve their attack methods. However, organisations continue to rely on traditional ‘detect and respond’ techniques that are no longer fit for purpose.

Attackers are still getting through the gaps

Basic security failures at even some of the biggest and most well-known organisations continue to provide open doors to attackers.

The attack on Uber in September is one example. However good or sophisticated the technology is, attackers will still find ways around it. In the case of Uber, an attacker gained administrative control over its IT systems and security tools thanks to an exposed PowerShell script that contained admin credentials to a privileged access management platform.

There’s no silver bullet to stopping attacks. However, this shows that attackers don’t have to do clever science-fiction stuff to gain entry. They used social engineering techniques on a contractor, communicating directly with the victim via WhatsApp. Off the back of the Uber breach, MFA push notifications have been shown to be exploitable, and the industry is now saying to get rid of passwords and use FIDO2 passkeys and hardware tokens. Our view is that this is going to be a heavy lift to implement – and attackers will still find the weakest link in the chain.

Industry is waking up to browser security

The web browser is the biggest attack surface, and the industry is waking up to the fact that it is where we spend most of our time. Vendors are now looking at ways to add security controls directly inside the browser. Traditionally, this was done either as a separate endpoint agent or at the network edge, using a firewall or secure web gateway.

Big players like Google and Microsoft are making headway. They are developing and implementing built-in controls inside their respective Chrome and Edge browsers to secure them at the browser level rather than at the network edge. But threat actors remain one step ahead. Browser attacks are increasing, with attackers exploiting new and old vulnerabilities and developing new techniques such as HTML Smuggling.

Remote browser isolation is fast becoming one of the core principles of zero-trust security where no device or user – not even the browser – can be trusted.

Remember, one size does not fit all

One size doesn’t fit all when it comes to security, and bespoke technology combinations and strategies are still important.

Recent reports from Gartner suggest that many companies pursue consolidation strategies. Organisations are focusing on fewer vendors for their security needs, especially in areas like secure access service edge (SASE) and extended detection and response (XDR). The idea is to reduce complexity and improve risk posture. While any effort to reduce risk and shore up security defences should be encouraged, doing it by removing best-of-breed solutions from the security stack will not always achieve the best outcomes, especially for larger organisations.

The rise in weaponised attacks

The threat landscape is becoming increasingly complex. It’s harder than ever for organisations to determine what is a threat and what isn’t. Weaponised files – files that have been altered with the intent of infecting a device – are one of the most interesting techniques being deployed.

Menlo Labs has seen an uptick in template injection attacks that use weaponised decoy documents. These emerged after Microsoft introduced new file formats for Word, Excel and PowerPoint based on the Office Open XML File Format specification in 2007, making it possible to reference and embed resources directly within a document. Attackers have found ways to inject a URL hosting a malicious template into one of the document's XML parts, and then use this to execute a type of attack that uses legitimate software to perform malicious actions. When opened, the weaponised document attempts to download and execute the remote template.

What makes these attacks particularly dangerous is that weaponised documents can appear completely benign to security tools with no trace of malicious URLs or exploit markers. These are prime examples of another HEAT technique, Legacy URL Reputation Evasion (LURE), which uses websites with a good reputation to deliver malware.
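A document that relies on a remote template still has to record that template as an external relationship inside the package, which gives defenders something to check before the file reaches a user. The following Python is an added example, not Menlo Security's code or tooling: it opens a .docx as the zip package it is, walks every relationships part and reports attachedTemplate relationships whose target is a network URL. The two sample packages are constructed in memory for the demonstration, and the template host in the second one is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OPC relationships namespace and the attachedTemplate relationship type from the OOXML spec.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes):
    """Return (part_name, target) for attachedTemplate relationships that point at a
    network location. Word records even local templates as TargetMode="External"
    with a file:// target, so only http/https targets are reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in ("http", "https"):
                    hits.append((name, target))
    return hits


def _build_docx(rels_xml):
    """Constructed minimal package: only the parts the check needs, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: a template attached from the local profile, and one fetched remotely.
BENIGN_DOCX = _build_docx(
    f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="file:///C:/Users/user/Templates/Normal.dotm" TargetMode="External"/></Relationships>')
SUSPICIOUS_DOCX = _build_docx(
    f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="https://template-host.example/t.dotm" TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("remote template", SUSPICIOUS_DOCX)):
        print(label, find_remote_templates(doc))
```

Relationship parts can live under any folder in the package, which is why the scan walks every `.rels` entry rather than only `word/_rels/settings.xml.rels`.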


Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents, and email. Menlo Security’s isolation-powered cloud security platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end-user experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies and eight of the ten largest global financial services institutions, and is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JP Morgan Chase. Menlo Security is headquartered in Mountain View, California. For more information, please visit www.menlosecurity.com.