Supply chains, trust, and the Internet itself remain prime targets.
When Russia launched wide-ranging cyber-attacks while its army invaded Ukraine, it also deployed waves of wiper malware to destroy data.
The first wave destroyed the data on the disks. As Ukraine hardened its defenses there, the second wave left the data alone and went after the metadata. The third wave bypassed both earlier targets and attacked the file systems themselves.
As reported in the global press and discussed in sessions at the RSA Conference, this was a methodical and effective campaign designed to inflict maximum damage, and it typifies the persistent, adaptive attack approaches shaping the threat landscape. In particular, as organizations harden their defenses, adversaries will keep exploiting trust to gain access, using your partners, your vendors, and your employees against you. What does this mean for enterprises?
As we discussed in our previous post on cyber threats, organizations must find new defenses against adversaries who keep shifting tactics. As adversaries become more nuanced, we must understand their moves and motivations to stay a step ahead of them.
Several high-profile incidents from recent years together illustrate the range of challenges companies now face.
- NotPetya, widely described as the most expensive cyber incident in history, demonstrated how attackers disguise their true aims. In 2017 it spread through a trojanized update of a Ukrainian tax and accounting software package. At first it looked like ransomware, but its intent was purely destructive: it was built to inflict damage as quickly and widely as possible.
- The CCleaner attack, a few months later, showed how patient and sophisticated actors focused on stealing intellectual property had become. The target was a widely used system-maintenance utility that, by its nature, already runs with elevated access on the machines where it is installed. CCleaner also showed that software supply chain attacks are not all alike: their impact depends on the level of access held by the systems and users you compromise. Some 3 million copies of the trojanized CCleaner build were downloaded, yet only about 50 of those machines received a second-stage payload. This was an adversary willing to compromise more than 3 million systems just to gain a foothold on 50, which gives a clear picture of the challenge such actors pose to enterprises.
- Attackers are also being more flagrant while doing a better job of covering their tracks. In the past, nation states concentrated on covert activity. Olympic Destroyer, which hit the 2018 Winter Olympics in PyeongChang, South Korea, showed attacks being deliberately brought into public view. It also carried false flags, artifacts planted to deceive or misdirect attribution; six months after the attack it had been attributed to several different nations, because so much care had gone into throwing analysts off.
- More recently, VPNFilter and Cyclops Blink demonstrated how adversaries are targeting different classes of equipment. Where attacks historically focused on office equipment, these campaigns shifted to home and small-office routers, in step with the growth of remote work. At home, people often use combined modem-routers that sit outside enterprise monitoring and are hard to inspect. A foothold on a home router lets an actor observe and manipulate all traffic moving in and out of the network, and such a compromise is extremely difficult to detect. You have to treat a home Wi-Fi network like the public Wi-Fi at a coffee shop.
Threat actors are targeting the foundational infrastructure of the internet as well. Sea Turtle, a DNS hijacking campaign disclosed in 2019, was a service-based supply chain attack: the actors compromised domain registrants and registrars, modified DNS records, and hijacked DNS servers so that legitimate domains resolved to servers the actors controlled.
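The practical defense against the kind of record tampering Sea Turtle relied on is to keep a known-good copy of your own records and diff the live zone against it. The following is an added example, not code from the original post, the panel, or any vendor product. It assumes you maintain a baseline of expected records plus the netblocks and name servers you control; the names under example.test, the TEST-NET addresses, the "observed" snapshot and the helpers check_records and hijacked_names are all constructed for this illustration.

```python
"""Detecting DNS record tampering against a known-good baseline.

Added example, not from the original post or any product. Assumes you keep a
known-good copy of your records plus the netblocks and name servers you
control. All records, addresses (RFC 5737 TEST-NET) and hosts are constructed.
"""
import ipaddress

# Constructed baseline: name -> {rrtype: set of expected values}.
BASELINE = {
    "www.example.test":  {"A": {"203.0.113.10"}},
    "mail.example.test": {"A": {"203.0.113.25"}, "MX": {"mail.example.test."}},
    "example.test":      {"NS": {"ns1.example.test.", "ns2.example.test."}},
}
# Infrastructure you control: a new A record inside these nets, or an NS record
# naming one of these servers, is an ordinary change; anything else is a hijack.
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
OWNED_NS = {"ns1.example.test.", "ns2.example.test."}

# Constructed "observed" snapshot, e.g. what a periodic resolver sweep returned.
OBSERVED = {
    "www.example.test":  {"A": {"198.51.100.7"}},                               # moved off-net
    "mail.example.test": {"A": {"203.0.113.26"}, "MX": {"mail.example.test."}},  # moved within our net
    "example.test":      {"NS": {"ns1.example.test.", "ns-hijack.invalid."}},    # delegation changed
}


def _is_owned(rrtype, value, owned_nets, owned_ns):
    """True when a new A or NS value still lands on infrastructure we control."""
    if rrtype == "A":
        ip = ipaddress.ip_address(value)
        return any(ip in net for net in owned_nets)
    if rrtype == "NS":
        return value in owned_ns
    return False  # other record types (MX, CNAME, ...): never auto-approve a new value


def check_records(observed, baseline=BASELINE, owned_nets=OWNED_NETS, owned_ns=OWNED_NS):
    """Compare observed records with the baseline.

    Returns (severity, name, rrtype, detail) tuples. "hijack" means a record
    now points outside infrastructure you control; "drift" means a value was
    added inside your own space or an expected value disappeared, which is
    worth a ticket but not an incident on its own.
    """
    findings = []
    for name in sorted(observed):
        expected = baseline.get(name, {})
        seen = observed[name]
        for rrtype in sorted(seen):
            for value in sorted(set(seen[rrtype]) - expected.get(rrtype, set())):
                if _is_owned(rrtype, value, owned_nets, owned_ns):
                    findings.append(("drift", name, rrtype, f"new value {value} (owned)"))
                else:
                    findings.append(("hijack", name, rrtype, f"new value {value} (not owned)"))
        for rrtype in sorted(expected):
            for value in sorted(expected[rrtype] - set(seen.get(rrtype, ()))):
                findings.append(("drift", name, rrtype, f"expected value {value} missing"))
    return findings


def hijacked_names(observed, **kwargs):
    """Names that need an immediate look, sorted for stable alerting."""
    return sorted({f[1] for f in check_records(observed, **kwargs) if f[0] == "hijack"})


if __name__ == "__main__":
    for finding in check_records(OBSERVED):
        print(*finding)
    print("hijacked:", hijacked_names(OBSERVED))
```

The split between "hijack" and "drift" is the point: an address moving within your own netblock is routine operations, while a delegation moving to a name server you do not run, or an A record leaving your address space, is exactly the change Sea Turtle made and should page someone. A real deployment would also compare against what several independent public resolvers return, since a hijack at the registrar is invisible to a query sent only to your own authoritative servers.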
Attacks will continue to escalate. Compounding much of this is the fact that nation-states can now buy these exploits, rather than developing them in-house. That means anybody with deep pockets can launch very sophisticated attacks.
Time to Get Proactive
Today’s threat landscape is increasingly complicated, and it requires organizations to know much more about potential adversaries. Anomali believes that the next evolution of cybersecurity will be one focused on adversary detection and response. In the future, it may be the only way to truly secure and maintain the upper hand.
While the panel trained a spotlight on the many challenges organizations face in protecting their infrastructure, it also made clear that proactive security strategies driven by threat intelligence are needed more than ever to defend against cyberattacks.
Defenders need relevant intelligence on the adversary at their immediate disposal. They also need to correlate that intelligence with telemetry from their own environment so they can accurately assess their risk and then decide on the best course of action.
A proactive approach gives organizations the opportunity to outmaneuver their opponents with a risk-based cyber-defense strategy, using machine learning, analytics, and automation to fine-tune detection and focus on the adversaries that matter.
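What correlating intelligence with telemetry and ranking the result by risk looks like in practice, as an added example that is not code from the original post or from any Anomali product. It assumes an indicator set annotated with a confidence score, a table of asset criticality, and line-oriented DNS and proxy logs in a simple format; the indicators (.invalid domains and RFC 5737 TEST-NET addresses), the actor labels, the host names, the log lines and the helpers correlate and exposure_by_host are all constructed for this illustration.

```python
"""Correlating an indicator feed with local telemetry and ranking the hits.

Added example, not from the original post or from any product. Assumes an
indicator set with confidence scores, an asset-criticality table and
line-oriented logs of the form "<timestamp> <source> <host> <event...>".
Every indicator, actor label, host name and log line below is constructed.
"""
import re

# Constructed indicators: value -> (type, tracked actor, confidence 0-100).
INDICATORS = {
    "updates.vendor-cdn.invalid": ("domain", "actor-A", 90),
    "198.51.100.44":              ("ip",     "actor-B", 75),
    "ns-hijack.invalid":          ("domain", "actor-B", 60),
}

# Constructed asset criticality: a hit on a domain controller outranks a laptop.
ASSET_WEIGHT = {"dc01": 3, "fileserver": 2, "laptop-17": 1}

# Constructed telemetry lines; the last one is deliberately malformed.
LOGS = [
    "2024-03-02T10:01:05Z dns   laptop-17  query A updates.vendor-cdn.invalid",
    "2024-03-02T10:01:06Z proxy laptop-17  CONNECT 198.51.100.44:443",
    "2024-03-02T10:02:11Z dns   dc01       query NS ns-hijack.invalid",
    "2024-03-02T10:05:00Z dns   fileserver query A www.example.test",
    "this line is not telemetry",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<source>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)


def candidates(event):
    """Tokens from the event text that could be an indicator: each bare token
    plus the address part of host:port (IPv4 only, as in this sample)."""
    out = set()
    for tok in event.split():
        tok = tok.strip(",;()[]")
        out.add(tok)
        if tok.count(":") == 1:
            out.add(tok.split(":", 1)[0])
    return out


def correlate(log_lines, indicators=INDICATORS, asset_weight=ASSET_WEIGHT):
    """Match each log line against the indicator set and score the hits.

    score = indicator confidence * asset weight, so a medium-confidence
    indicator on a critical host outranks a high-confidence one on a laptop.
    Lines that do not parse are skipped rather than allowed to abort the sweep.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        for cand in candidates(m.group("rest")):
            if cand in indicators:
                ioc_type, actor, confidence = indicators[cand]
                hits.append({
                    "score": confidence * asset_weight.get(host, 1),
                    "ts": m.group("ts"), "host": host, "source": m.group("source"),
                    "indicator": cand, "type": ioc_type, "actor": actor,
                })
    hits.sort(key=lambda h: (-h["score"], h["ts"]))
    return hits


def exposure_by_host(hits):
    """Sum hit scores per host so the response queue starts with the asset
    carrying the most intelligence-backed risk."""
    totals = {}
    for h in hits:
        totals[h["host"]] = totals.get(h["host"], 0) + h["score"]
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for h in correlate(LOGS):
        print(h["score"], h["ts"], h["host"], h["indicator"], h["actor"])
    print(exposure_by_host(correlate(LOGS)))
```

Two design points matter here. First, the ranking multiplies indicator confidence by asset criticality, which is why the 60-confidence hit on the domain controller lands at the top of the queue ahead of the 90-confidence hit on a laptop; that is the "focus on the adversaries that matter" step in code rather than a bigger list of alerts. Second, the actor label travels with each hit, so two low-scoring hits from the same tracked group on one host can be rolled up by actor rather than reviewed as unrelated events.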
As mentioned previously, organizations need to understand as much about their adversaries as possible.
- Who are they targeting and why?
- Who is behind the activity, and how confidently can it be attributed?
- What sorts of tactics and techniques are they deploying?
- And what are they after?
Organizations need to adopt a proactive, intelligence-driven defense. They need a solution that detects attackers and delivers the intelligence necessary to defend against them. Instead of waiting for an attack to unfold, they need the threat intelligence to anticipate an attacker’s next move and stymie infiltration attempts. This is the essence of adversary detection and response.
The threat landscape is constantly changing. Given its relentless nature, organizations must expect to adapt as they confront new challenges daily. By understanding their adversaries’ moves and motivations, they’ll be better equipped to proactively protect their operations and those who rely on them.