Written by Stuart Peck
2019 has been an eventful year, with a never-ending barrage of high-profile breaches, large-scale malware campaigns and a change in ransomware tactics, all leading to a ramp-up in criminal and fraudulent activity.
The third-party attack vector has been leveraged more this year than in 2018, with a massive increase in the abuse of third-party code, most visibly the Magecart campaigns that inject card-skimming JavaScript into scripts loaded by e-commerce sites. However, as stated last year, the attack vectors remain largely the same as they have always been: human error, configuration issues, weaknesses in the supply chain and, unsurprisingly, patching problems!
Although many organisations have improved their detection and response capabilities, mistakes are still punished: attackers use automation and bots to exploit known weaknesses quickly and at scale, gaining a foothold on their targets' assets.
So, as I attempt my best Nostradamus impression and predict what 2020 has in store for us, it is important to note that while attackers constantly change their tactics and procedures to keep us all on our toes, at the core they stick to what works, because if it's not broken, why fix it? Here are my top 3:
Cloud Security Misconfiguration (Here Again for 2020)
Although great strides have been made to improve the security of
critical assets in the cloud, organisations still haven’t fully embraced the
protection available, or worse, have misconfigured environments allowing
attackers to capitalise on this.
Many incidents in 2019 highlighted this, with Capital One in the US being one of the biggest victims. We are still seeing open storage buckets and repositories holding vast amounts of unencrypted customer data available to anyone, administrator accounts with weak credentials and no MFA, private keys committed to GitHub repositories... the list goes on.
Human error is a factor that the cloud sadly won't fix, only expedite, with significant consequences for organisations that don't embrace the Sec in 'DevSecOps'! With increased governance around protecting the privacy and security of PII (Personally Identifiable Information), those fully adopting the benefits of the cloud also need to fully enforce the security controls.
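As an added example (not code from the article, nor from any of the organisations named in it), here is a small checker for the most common form of the misconfiguration above: an S3 bucket policy that grants access to anyone. It reads a policy document and reports every Allow statement whose Principal is "*", distinguishing a genuinely public grant from one narrowed by a Condition, and separately checks whether plaintext transport is denied. The three policies, the bucket name, the account ID, the role and the VPC ID are all constructed for illustration.

```python
"""Lint an S3 bucket policy for access granted to anyone.

Added example, not code from the article. The policies below are constructed;
the bucket, account ID, role and VPC ID are invented.
"""
import json

# Constructed: every object world-readable, no transport restriction.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
    }],
})

# Constructed: Principal '*' but narrowed to one VPC by a Condition.
VPC_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "InternalVpcOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},
    }],
})

# Constructed: access limited to one IAM role, plaintext transport denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportsRoleOnly", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportsReader"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
        },
        {
            "Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::customer-exports",
                         "arn:aws:s3:::customer-exports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element matches any caller: '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_anonymous_access(policy_json):
    """Return (Sid, level) for each Allow statement whose Principal is anyone.

    level is 'public' when nothing narrows the audience and 'conditional' when
    a Condition (source VPC, IP range, ...) restricts it; the latter still
    deserves a look, but it is not an open bucket. Deny statements to '*'
    are the normal way to force TLS and are not reported here.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        level = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", f"statement[{idx}]"), level))
    return findings


def enforces_tls(policy_json):
    """True if a Deny statement rejects requests made with aws:SecureTransport false."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and "false" in [str(v).lower() for v in _as_list(flag)]:
            return True
    return False


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("vpc-scoped", VPC_SCOPED_POLICY),
                      ("hardened", HARDENED_POLICY)):
        print(f"{name}: anonymous={audit_anonymous_access(doc)} tls={enforces_tls(doc)}")
```

The same shape of check applies to any resource policy (SQS, SNS, KMS) because the Effect/Principal/Condition grammar is shared; the point is to fail a deployment on the "public" result rather than discover it from a breach notification.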
Ransomware Punishing Victims More
2019 saw fewer ransomware variants than in previous years, but a change in tactics by attackers: hands-on intrusion techniques to gain unauthorised access, followed by destruction of the backups to increase the chance of payment. This playbook has been adopted widely since the success of SamSam and now seems to be the approach of choice. With C2 servers increasingly being detected, attackers favour ransomware that encrypts files, databases and virtual servers without needing to call home, which lets them stay undetected for longer. The technique is clearly paying off, given how frequently governments and companies are falling foul of it.
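The backup-destruction step is the one part of this playbook that is noisy on the endpoint before any file is encrypted, which makes it a good detection point. Here is an added example (not the article's code) of that detection logic run over constructed process-creation events in a (hostname, user, command line) form. The hosts, users and event layout are assumptions; the command patterns are the standard Windows tools used to remove shadow copies and disable recovery.

```python
"""Detect backup-destruction commands in process-creation telemetry.

Added example, not from the article. SAMPLE_EVENTS are constructed
(hostname, user, command line) records; hosts and users are invented.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host user technique command")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("fs01", "backupsvc", "vssadmin.exe list shadows"),
    ("fs01", "jdoe", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("fs01", "jdoe", "wmic shadowcopy delete"),
    ("dc02", "admin", "bcdedit /set {default} recoveryenabled no"),
    ("dc02", "admin", "wbadmin delete catalog -quiet"),
    ("ws07", "alice", 'powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'),
    ("ws07", "alice", 'powershell -c "Get-WmiObject Win32_ShadowCopy | Select-Object ID"'),
]

# Command patterns that remove recovery points or disable recovery; each maps a
# technique name to a regex over the command line.
BACKUP_DESTRUCTION = {
    "vssadmin_delete_shadows": r"vssadmin(?:\.exe)?\s+delete\s+shadows",
    "vssadmin_resize_shadowstorage": r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage",
    "wmic_shadowcopy_delete": r"wmic(?:\.exe)?\s+shadowcopy\s+delete",
    "wbadmin_delete_catalog": r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)",
    "bcdedit_recovery_disabled":
        r"bcdedit(?:\.exe)?\s.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    "powershell_shadowcopy_removal":
        r"Win32_ShadowCopy.*(?:Remove-WmiObject|Remove-CimInstance|\.Delete\(\))",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in BACKUP_DESTRUCTION.items()}


def detect_backup_destruction(events):
    """Return a Finding for every event whose command line matches a technique."""
    findings = []
    for host, user, cmd in events:
        for technique, pattern in _COMPILED.items():
            if pattern.search(cmd):
                findings.append(Finding(host, user, technique, cmd))
                break  # one technique per event is enough for triage
    return findings


def hosts_with_multiple_techniques(findings, threshold=2):
    """Hosts on which at least `threshold` distinct techniques ran.

    A single vssadmin call can be legitimate housekeeping; several different
    recovery-disabling commands on one host is the pre-encryption staging
    described above and should page someone.
    """
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in per_host.items() if len(techs) >= threshold)


if __name__ == "__main__":
    found = detect_backup_destruction(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}\t{f.user}\t{f.technique}\t{f.command}")
    print("escalate:", hosts_with_multiple_techniques(found))
```

The listing step ("vssadmin list shadows") and the read-only PowerShell query are deliberately not matched: the signal is destruction, not enumeration. In production the time window matters as much as the count, and the same patterns should be applied to Sysmon event ID 1 or Windows event ID 4688 command lines rather than a constructed list.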
But for 2020 there is a worrying threat emerging: the theft of sensitive data as part of the ransom demand, designed to coerce the victim into paying. Although only a few campaigns have been found to adopt this technique, such as ShadowKiller in South Africa in October, it won't be long before others follow suit.
Targeting of Third-Party Collaboration Apps
With so many people using collaboration apps such as Slack and Jira, they make for an interesting attack surface. Many of these services are used in operational IT and/or development sprints and usually hold a lot of information that is useful to an attacker. Collaboration tools are usually seen as trusted third parties, so sensitive information is routinely exchanged through them. In some cases, I have even seen private API keys exchanged in a Slack channel.
It's important to ensure that collaboration tools are locked down, accounts are protected and policies enforced, to reduce the likelihood of attackers gaining unauthorised access to this information.
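Both the private keys committed to GitHub repositories mentioned in the cloud section and the API keys exchanged in Slack channels described here are the same failure: a secret pasted into a place that is not a secret store. As an added example (not the article's code and not a feature of Slack, Jira or GitHub), here is a scanner that flags PEM private keys, AWS access key IDs and high-entropy values assigned to names such as api_key, run over constructed chat messages. Channel names, users and message text are invented; the AWS key pair is the example pair from AWS documentation, not a live credential.

```python
"""Flag secrets posted into chat messages or committed text.

Added example, not from the article. SAMPLE_MESSAGES are constructed
(channel, user, text) records; the AWS key pair is the documented example
pair from AWS, not a live credential.
"""
import math
import re

SAMPLE_MESSAGES = [
    ("#deploy", "bob", "prod creds for the ETL job: AKIAIOSFODNN7EXAMPLE / "
                       "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("#dev", "alice", "can someone review PR 42 before standup?"),
    ("#ops", "carol", "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n"
                      "-----END RSA PRIVATE KEY-----"),
    ("#dev", "dave", 'config has api_key = "2f1c9a7e4b3d8e6f0a1b2c3d4e5f6a7b", '
                     "move it to vault instead"),
    ("#dev", "erin", 'api_key = "placeholder"'),
]

# Secrets with a recognisable fixed shape.
FIXED_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A value assigned to a secret-looking name; judged by entropy, not shape.
ASSIGNED_SECRET = re.compile(
    r"\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*[\"']?([A-Za-z0-9/+_\-]{16,})",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.0  # bits/char: random hex is about 4, prose and placeholders far lower


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def find_secrets(text):
    """Return the kinds of secret found in text, in pattern order."""
    kinds = [kind for kind, pat in FIXED_PATTERNS.items() if pat.search(text)]
    for m in ASSIGNED_SECRET.finditer(text):
        if shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            kinds.append("high_entropy_assignment")
            break
    return kinds


def scan_messages(messages):
    """(channel, user, kind) for every secret kind found in each message."""
    return [(chan, user, kind)
            for chan, user, text in messages
            for kind in find_secrets(text)]


if __name__ == "__main__":
    for chan, user, kind in scan_messages(SAMPLE_MESSAGES):
        print(f"{chan} {user}: {kind}")
```

Note what is not caught: the 40-character AWS secret access key beside the access key ID has no fixed prefix, so it is only found when it sits next to a keyword, and "placeholder" is skipped by length before entropy is even measured. Those are deliberate trade-offs; the fixed-shape rules are the ones safe to block on automatically, while the entropy rule is better routed to a reviewer. The same function works unchanged on a repository diff or a pre-commit hook.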
It's not all bad news though: there are some really simple things you can do now, and throughout 2020, to reduce your exposure:
- Conduct regular education and training of your employees to reduce exposure to phishing, social engineering, and help give them the skills to perform basic cyber hygiene. Also, where possible, ensure 2FA is enabled - it really does reduce the risk of common attacks.
- Conduct regular Ethical Hacking Assessments on your risky assets, especially those that are public facing. Check cloud and internal networks for misconfiguration - the quickest win to prevent abuse from attackers. Also test those integrations; understand how and where you are exposed.
- Train developers and operational teams (DevOps) on secure coding and deployment principles. Ensure these are documented through a defined set of procedures and policies. Also ensure developers are using secure coding frameworks, and not using risky third-party libraries or untested open-source components.
- Conduct incident response scenario testing as this can be vital to understanding how you might perform in that perfect storm and will highlight where improvements can be made. Increasing your ability to detect, react and most importantly respond is something we all should be doing on a regular basis.
In 2020 there will most likely be new threats, vulnerabilities, exploits
and attackers emerging on to the scene - there is every year! What’s important
is to be mindful of identifying your blind spots and developing the appropriate
strategy that is balanced for the size of your organisation and information
(and assets) you are looking to protect from unauthorised access. Technology
and automation will help, but without the right balance of people (skills and
training), and processes there is always the risk of misconfiguration or human
error.
Wishing you a good festive break and prosperous new year!