This is part 2 of a commentary series.
Cyber-attacks are now a top business threat for virtually any company that provides a critical piece of the supply chain.
With the extreme cyber talent shortage, international tensions, the rise in advanced adversaries, and budget fluctuations in cybersecurity, we wanted to know what organizations should be doing at this time to help them prepare and defend against this surge in cyber-attacks. We spoke with experts from around the industry to get their insights.
Brian Warehime, Principal Threat Researcher at ZeroFOX
"With the threats of ransomware being ever so prevalent, having a good disaster recovery plan in place is key to being able to recover from these types of incidents. However, in cases where ransomware operators threaten to leak data, disaster recovery will not always be enough. That's why understanding what threats are likely to target your organization helps you better prioritize remediation and defensive strategies. Investing in a cyber threat intelligence function in your organization can help prioritize threats and allow you to focus your time and effort on the most worthwhile defenses.
Understanding that you may not be targeted based on who you are anymore, and you could be a victim of opportunity at any given time can help you perform better threat modeling against your organization. This will allow you to account for non-targeted threats and identify what can be done when it's a random attack and not something planned for in advance. In addition, understanding more about what data lives where in your organization and what data is paramount to protect will help prioritize where you should focus your time building better defensive strategies.
In some cases, companies don't have a resilient disaster/backup recovery plan in place that will allow them to restore their data to mitigate the threat of ransomware. This forces companies to either lose all of their data or pay out the ransom with no guarantee of safety, both of which are extremely expensive. In addition, having a better understanding of external threats and their tactics, techniques, and procedures (TTPs) will allow organizations to prioritize threats and build appropriate detection and monitoring solutions based on those threat actors.
There is no shortage of victims out there, and with enough attackers, there are bound to be successful attacks. In some cases, ransomware operators will take the approach of quantity over quality and attempt to exploit any and all victims they can find, which gives the impression that there are so many successful attacks. While other attacks are more targeted, like the recent SolarWinds attack, which takes a skilled attacker and proper planning, ransomware operators don't need to be as careful and can target everyone with little recourse, resulting in successful payouts."
Kevin Dunne, President at Pathlock
"Organizations need to strongly consider a Zero Trust approach to security, which can ensure damage is limited even in the case that privileged accounts are compromised. Rationalizing the applications, identities, access, and roles into a manageable and understandable structure is the foundation of a Zero Trust architecture. From there, organizations can implement more investigative and preventative policies to ensure that the access that has been granted is being used as it was intended to be."
Jack Kudale, founder and CEO of Cowbell Cyber
"While cyber-attacks are making headlines each and every day, we must not forget about the need for cyber insurance. As the cyber insurance market matures, there is an increased need for standardization - from applications, to risk assessment and coverages. Because of the recent upsurge of ransomware attacks, cyber-crimes and other threats, policyholders should expect to be asked more questions at renewal. At the same time, cyber insurers are taking steps to clarify their coverage and remove ambiguity in policy terms. The rise of standalone cyber insurance brings much needed clarification.
Moving forward, the role of the insurers must go beyond response and recovery to include education and prevention. For example, organizations need cyber policies which are bundled with complementary cybersecurity training for all insureds' employees. This will eliminate one of the basic root causes of many attacks: an employee clicking on a phishing email. Businesses of all sizes must increase employees' awareness of cybersecurity so that they can be the first line of defense and recognize malicious activities."
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber
"The shift to mass remote working required the mobilization of security teams to quickly adapt to an evolving threat landscape and the need for more proactive vulnerability remediation efforts. Reflecting on the experience, organizations must build task forces for the most critical vulnerabilities within enterprise infrastructures. Security and IT teams can’t do it alone. They need each other to get fixes done. They need to invest in collaboration platforms that will bring teams together, rather than relying on a confusing array of Excel spreadsheets and communication channels. And finally, they need to establish KPIs that are as clear as possible, and uniform across all teams. You can’t fix what you can’t measure. The efficiency and strength of an organization’s collaboration and the clarity of communication will be the key to success in today’s remote reality."
John Morgan, CEO at Confluera
"In the haste to support today’s new business model, many IT teams have shifted their focus to ensure employee remote devices and access are secure. Monitoring the core corporate networks and data became a lower priority. Attackers can take advantage of this lack of focus to gain unauthorized access to the network. Once they are in, attackers will methodically and slowly move from server to server and cloud to cloud, avoiding actions that may alert typical detection solutions. Organizations cannot assume their network is safe just because there haven’t been any breaches. Under the covers, a breach may be imminent.
Whether an organization continues to support the virtual workforce, or is preparing to welcome back their employees to the office full-time, they must start monitoring their corporate network. Start with the assumption that attackers have made their way in and are lying dormant. The IT team’s focus is then to detect and intercept the attackers’ lateral movements before they result in a data breach."
Sounil Yu, CISO at JupiterOne
"Traditional assets, such as physical hardware, and virtual assets, such as cloud instances, workloads, and applications, were left to deteriorate during the pandemic. While many of them have since been picked up, some remain untouched. In many cases, the enterprise has even forgotten they are there. The risk of both gaining entrance and access to physical systems as well as unmaintained cloud systems is real. This is a perfect example where the enterprise requires continuous visibility into their cyber assets using an automated system to avoid leaving these assets unattended."
Douglas Murray, CEO at Valtix
"The threat landscape is an ever-evolving and critical matter for both the public and private sector. This is challenging because it requires cooperation across multiple companies in the private sector, as well as various governments, to come together to solve. While incredibly complex, we have to get this right and it must be done in real-time as newer ransomware is detected anywhere around the globe. We need to protect our infrastructure, while upsetting the bad actors' business model. This threat feed can be ingested by security services to allow government and enterprises to appropriately respond to these attacks. Urgency is critical."
Timur Kovalev, CTO at Untangle
"Small businesses are particularly vulnerable to cyber-attacks, as they don’t have the same IT staff in place as large companies, or the large budgets required to shield them from the ever-increasing number of attacks.
Cyberattacks have continued to increase with attackers taking advantage of people feeling vulnerable. While an employee’s intentions may be good, clicking on a phishing link can open the door to hackers. For a small business in particular, the effects of an attack can be devastating, and in the worst cases lead to the business shutting down.
However, if a larger company were to fall victim to a ransomware attack, they may be able to recover by restoring their systems from archived backups. If they didn’t have backups, a larger company would then have the budget to consider paying a ransom. For a smaller company, who may not have invested in archiving and backup technology, the loss of data could cause the company to go out of business, and they would not have the budget to pay expensive ransomware demands.
Encouraging small businesses to act, and step up their cyber security technology, is a good thing. Not all small businesses are aware of the risks, and those that do know the risks don’t always have enough budget to invest in enough protection."
Bill Osterhout, Director, Cloud & IT Solutions at Array Information Technology
"As more and more requirements for remote access and remote monitoring of systems become necessary, there is an increased demand to make security a priority. There must be increased security monitoring and testing to stay ahead of the curve. Using paper-based auditing processes and procedures is no longer adequate to assure that a system's security posture is being maintained. Frequent penetration testing events and software-based security monitoring controls must be implemented to assure that vulnerabilities are not introduced once a secure baseline is validated. In today’s world of rapid IT innovation, the only thing that is constant is change. IT and security staff must embrace a continuous learning culture necessary to effectively control this rapidly evolving environment."
Momodou Jaiteh, Application Security Consultant at nVisium
"As ransomware behaviors change from mass attacks to highly targeted ones, from file-based to fileless and in-memory attacks, as well as the traditional email attachments and links, exploit kits, etc., IT leaders need to adapt to these changing behaviors. I think it’s time for IT leaders to not only understand the changing attacker behaviors of highly sophisticated and targeted attacks but also their relation to their critical data and employee awareness.
Additionally, as ransomware attacks get more and more sophisticated, they require advanced skillsets on the defensive side. With IT staff facing capacity issues due to a typical individual juggling multiple tasks, the necessary skills gap widens. Under these circumstances, IT security teams need to strategize automation of routine tasks to free staff to pursue the advanced skills needed to combat ransomware and other threats. Also, leveraging external resources that are more specialized in defending against ransomware can help fill that gap."