We spoke with Richard Ford, Chief Technology Officer, Praetorian, and Christine Bejerasco, CISO, WithSecure, to discuss how security vulnerabilities could evolve in 2023 and how organizations can prepare defenses to ensure they don't become a victim of exploitation.

What classes of vulnerabilities are currently causing enterprises the most trouble?

Richard Ford, CTO, Praetorian

That's actually a pretty hard question to answer, because I think every company is a little bit different and I am wary of a 'one size fits all' answer. On the plus side, there are good lists of common vulnerability classes around, such as the OWASP Top 10, but it's tricky because these are all just Web applications. If you think about the attack surface of the company broadly, you have to consider not just the machines you're exposing, but your people, your source code, and even the algorithms that your systems use... all these vectors need to be considered as we think about the vulnerability classes that are most problematic. For example, phishing remains an incredibly effective way to breach an organization in 2023. Similarly, many organizations struggle with contaminating their source code with secrets that should be more carefully controlled. And who wants another round of Log4Shell or its equivalent?
There's also the other side of the coin: what vulnerabilities have been effectively weaponized by attackers and are actually being used. Here, defenders should pay a great deal of attention to the CISA Known Exploited Vulnerabilities catalog (see: https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Keeping track of these is really important.
Lastly, there's your business and its individual needs. For some businesses, confidentiality is more important than data integrity. Some businesses are more tolerant of outages than others. At the end of the day, there are three things to consider: what hurts your business, what the attackers are up to, and how your business is technically structured. If you understand those three things, you can figure out, for you, what classes of vulnerability are likely to cause the most trouble.
Christine Bejerasco, CISO, WithSecure

... Vulnerabilities introduced by compromised open-source libraries integrated into software the organization uses. This is because open-source libraries are heavily used in supply-chain attacks, and organizations that don't validate their supply chain could just integrate these compromised libraries, or updates of software that contain these compromised libraries, into their estate.
What emerging technologies or changes in the attack surface will have the most impact in the future? Think Edge, 5G, cloud zero days, etc.

Richard Ford, CTO, Praetorian

Of course, I worry about the use of large language models (like GPT-3) to enable highly automated phishing campaigns and human-centric attacks. It remains to be seen how this plays out in practice, but right now, there's definitely some concern here and my prediction is these attacks will grow in scope and sophistication. In addition, I think the "internet of everything" will go from an irritation to a serious enterprise attack vector. We're continuing to see the ip-ification (can I coin that word?) of all kinds of gadgets and that'll cause some real challenges. Couple that with 5G and things could get quite messy. These devices often have real-world impacts too, so there's going to be some bleed possible between the virtual and physical worlds.
Continued moves to SaaS and the Cloud also expand the attack surface, both in terms of breadth and rate of change, and we'll see that trend continue into 2023 and beyond. I don't think we're even close to done when it comes to dealing with that revolution.

Christine Bejerasco, CISO, WithSecure

Low code, no code, and the emergence of even more advanced AI capabilities. ChatGPT could just be the beginning.
Beyond the ChatGPT trend, 5G and satellite connectivity will bring large portions of the currently unconnected world to the internet, and these locations could both be targets as well as breeding grounds for new forms of cybercrime.
How do enterprises best deal with difficult-to-mitigate vulnerabilities?

Richard Ford, CTO, Praetorian

The really difficult-to-mitigate vulnerabilities are the ones around people, because computers are, in comparison, easy. Automation here is critical: having good post-delivery filtering of mail and paying good attention to your outbound Internet traffic is pretty important. Couple that with good training and you have a fighting chance.
On the more technical side of things, it's very difficult for a business to keep control of its entire attack surface without some help. I think 2023 will see much more widespread deployment of Attack Surface Management solutions, ranging from pure SaaS plays all the way up to white glove managed services. A simple cost-benefit calculation should very quickly show the value of these solutions, and will allow you to decide if a managed service is more appropriate for you than technology only.
The important thing here is to measure the right thing: ultimately, the metric that matters most is vulnerabilities mitigated, not vulnerabilities found. Measure the wrong thing, and you will drive the wrong behavior. If you start with the right metrics and build them as your program matures, you'll end up in the right spot.
Christine Bejerasco, CISO, WithSecure

Isolate the asset and take it offline if possible. If not possible, strictly limit the attack path towards that asset and monitor that path with, for example, Managed Detection and Response, where cybersecurity experts will be continuously taking a look at anomalous events that happen with that asset.
How do enterprises build vulnerability management programs that can be most effective and adapt to the future?
Richard Ford, CTO, Praetorian
I'll keep my answer short here because I think everyone skips this crucial first step and I'd like to make sure I provide focus. Start with a really honest assessment of the maturity of your organization from a security perspective. What you need to do now depends on where you are. Everyone wants to jump instantly to some "vulnerability management nirvana" and that jump isn't always doable, or right, if you're still getting the basics right. So my advice is really super simple: start with an evaluation of where you are today. Everything flows out from there.
Christine Bejerasco, CISO, WithSecure
An effective vulnerability management program starts with effective asset management. Knowing what your organization's assets are, and what secrets they contain and business processes they serve, helps build an understanding of whether they continue to be assets, or just liabilities. Then, continuous reduction of the attack surface by periodically revisiting and taking down assets that are becoming more of a liability would need to be a priority so that the organization's resources can scale. Otherwise, assets will eventually become unmanageable. Then enable the teams who support the business process to be capable of, and then accountable for, securing those assets.