“Attacks these days don’t have a natural beginning or ending. For an adversary, every attack is an opportunity to learn something that can then be used against additional organisations.” — Greg Foss, Senior Cybersecurity Strategist, VMware Security Business Unit.
Attackers versus defenders will always be an ongoing battle. In our 2021 Cybersecurity Outlook, we found that attacker behaviour evolved drastically over the past year, from the rise in e-crime to Ransomware-as-a-Service (RaaS), double-extortion ransomware, counter incident response (IR) techniques and more. For many security teams, the threat landscape was reshaped by the pandemic.
There is a new level of sophistication in attacks as cybercriminals and nation-state actors continue to exploit and profit from the ongoing disruption of the pandemic. The clandestine nature of the SolarWinds breach and the mass intrusion into vendor networks seemed like the pinnacle of cybercrime in 2020. However, Tom Kellermann, Head of Cybersecurity Strategy, VMware Security Business Unit, noted that “SolarWinds is not an isolated event. With COVID-19 catalysing digital transformation and a shift to cloud services, these sorts of attacks will only increase in frequency.”
Already this year, we’ve seen the massive attack on Microsoft Exchange servers by a state-sponsored Chinese hacking group, Hafnium, which has affected more than 30,000 organisations. As Foss notes, “attacks these days don’t have a natural beginning or ending.” In the case of the Microsoft zero-day vulnerabilities, once security patches were issued, attackers began reverse engineering the patches to build their own exploits, opening the door to escalated attacks such as ransomware. Alongside large-scale breaches, it has also been open season for attacks on the industry’s most vulnerable sectors during the pandemic, including healthcare, power and utilities, and financial services.
The past year has served as a security wake-up call for all organisations in both the private and public sectors. We are now at an inflexion point, where defenders must rethink their security stacks to ensure their organisations have the mindset, investment, and platforms to stay one step ahead of attackers.
As the threat landscape evolves, what are some of the best practices for CISOs and security teams looking to fight back in 2021? The Howlers weigh in.
Workload Security:
To defend against cloud jacking, organisations using private and public clouds need to focus on protection — not only at the endpoint level but across workloads. Cloud workload security is particularly complex, as workloads pass through multiple vendors and hosts; thus, the responsibility for protecting them must be shared and prioritised. With the proliferation of apps and data, organisations must ensure they are protecting them wherever they are. As we navigate a cloud-first world, security for the cloud that extends across workloads and Kubernetes protection will be critical for all organisations.
According to Foss, we’re seeing an increase in malicious actors targeting workloads because they are harder for organisations to monitor. Workloads are being hit by adware and cryptominers: adversaries are focused on profit, and because workloads are often short-lived services, they are easy to take advantage of quickly. With this approach, adversaries are able to break out of the sandbox setting within the workload, target the underlying servers, and encrypt the virtual machines held within them. With this in mind, organisations need to look at both the host and the workload to ensure both are protected. With the distributed workforce and the rapid move to the cloud, this type of attack has become more attractive than ever to the adversary.
Identity Management and Continual Authentication:
Identity management is key. Security teams today should have the mindset that attacks do not have a discrete beginning or end — rather, adversaries are continually accruing intelligence and harvesting data about the organisation’s suppliers and customers, which they then leverage in attacks or profit from. Security teams must be able to track identities as they move throughout systems and workloads. This requires visibility into lateral movement beyond PowerShell, as well as the integration of network detection and response and endpoint detection and response capabilities.
So, while multi-factor authentication is important, continual authentication is the next evolution – ensuring users do not hold perpetual administrative rights, but rather access for a purposeful window of time. Continually reviewing who has access is also critical in preventing supply chain compromise. The central vulnerability in supply chain compromise stems from networks granting administrative access to outside parties. The larger the window of time for which an outside user is granted access, the greater the opportunity for an attacker to get in.
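As an added illustration of the time-boxed access model described above (example code, not from the article or VMware), the following review pass flags administrative grants that are perpetual, exceed a cap for their party type, or carry no stated purpose. The cap values, grant fields and sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical policy values (assumptions, not from the article): internal admins
# may hold a window of up to 8 hours, outside parties (suppliers, contractors) 2 hours.
MAX_WINDOW = {"internal": timedelta(hours=8), "external": timedelta(hours=2)}


@dataclass(frozen=True)
class AdminGrant:
    user: str
    party: str                      # "internal" or "external"
    purpose: str                    # change ticket the access is tied to ("" if none)
    granted_at: datetime
    expires_at: Optional[datetime]  # None models a perpetual grant


def is_active(grant: AdminGrant, now: datetime) -> bool:
    """A grant is active only inside its window; a None expiry never closes."""
    if now < grant.granted_at:
        return False
    return grant.expires_at is None or now < grant.expires_at


def review(grants: List[AdminGrant]) -> List[Tuple[str, str]]:
    """Return (user, reason) pairs a continual access review should flag."""
    findings = []
    for g in grants:
        if g.expires_at is None:
            findings.append((g.user, "perpetual administrative rights"))
        elif g.expires_at - g.granted_at > MAX_WINDOW[g.party]:
            findings.append((g.user, f"window exceeds {MAX_WINDOW[g.party]} cap"))
        if not g.purpose:
            findings.append((g.user, "no stated purpose for access"))
    return findings


# Constructed sample grants (not real accounts).
T0 = datetime(2021, 3, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    AdminGrant("alice", "internal", "CHG-1001", T0, T0 + timedelta(hours=4)),
    AdminGrant("vendor-svc", "external", "CHG-1002", T0, T0 + timedelta(days=30)),
    AdminGrant("legacy-admin", "internal", "", T0 - timedelta(days=400), None),
]

if __name__ == "__main__":
    for user, reason in review(SAMPLE_GRANTS):
        print(f"{user}: {reason}")
```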
“Credential Harvesting is a significant threat every organisation should worry about. Identity is the new perimeter and teams are driving toward a continual authentication and authorisation model. A focus on what the identity is doing is needed to help thwart current and future attacks,” said Rick McElroy, Principal Cybersecurity Strategist, VMware Security Business Unit.
Threat Hunting:
Assume attackers have multiple avenues into your organisation. Given the nature of C2 on a sleep cycle, steganography, and other methods, adversaries can maintain clandestine persistence in your systems. Threat hunting on all devices can help security teams detect behavioural anomalies. Once identified, organisations can then reimage devices, eliminating the bad actor.
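As an added example of hunting for the “C2 on a sleep cycle” behaviour mentioned above (not code from the article or VMware), this pass groups outbound connections by source and destination and flags pairs whose inter-arrival times are suspiciously regular. The thresholds and the flow records are constructed assumptions; a fixed beacon interval with light jitter yields a low coefficient of variation, while ordinary browsing does not.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Tuning knobs are assumptions, not from the article: a pair needs enough
# connections to judge periodicity, and a low spread of intervals
# (std/mean, the coefficient of variation) is what a fixed sleep cycle produces.
MIN_CONNECTIONS = 6
MAX_CV = 0.15

def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Map each (src, dst) pair whose inter-arrival times are suspiciously
    regular to its mean interval in seconds. Input lines: 'ISO-ts src dst'."""
    times = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst = line.split()
            times[(src, dst)].append(datetime.fromisoformat(ts))
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue          # too few samples to tell jitter from a sleep cycle
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = round(mean, 1)
    return beacons

# Constructed flow records (203.0.113.0/24 is a documentation range): 10.0.0.5
# checks in every ~300 s with slight jitter, 10.0.0.7 talks to the same host irregularly.
SAMPLE_LOG = """
2021-03-15T09:00:00 10.0.0.5 203.0.113.10
2021-03-15T09:05:01 10.0.0.5 203.0.113.10
2021-03-15T09:10:00 10.0.0.5 203.0.113.10
2021-03-15T09:14:59 10.0.0.5 203.0.113.10
2021-03-15T09:20:00 10.0.0.5 203.0.113.10
2021-03-15T09:25:02 10.0.0.5 203.0.113.10
2021-03-15T09:00:10 10.0.0.7 203.0.113.10
2021-03-15T09:00:42 10.0.0.7 203.0.113.10
2021-03-15T09:07:15 10.0.0.7 203.0.113.10
2021-03-15T09:21:03 10.0.0.7 203.0.113.10
2021-03-15T09:21:30 10.0.0.7 203.0.113.10
2021-03-15T09:50:00 10.0.0.7 203.0.113.10
""".strip().splitlines()

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {interval}s")
```

On real data, a flagged pair is a lead for a hunter to examine, not a verdict: scheduled legitimate jobs beacon too, and loosening or tightening the coefficient-of-variation cap trades missed sleep cycles against false leads.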
“81% of organisations have a threat hunting program now, and we’re thrilled to see the recent progress made in this area,” said Foss. “Many organisations today are realising that threat hunting is an integral part of any security program. It’s about understanding that a proactive approach is required alongside the contextual insights. Security teams are combing through massive amounts of data and are able to understand the context behind the attacks and trends they’re seeing in the data. Purple teaming is also becoming a more common approach to test threat hunting capabilities and identify gaps in visibility to prevent future vulnerabilities.”
Maturing Detection:
Organisations should be constantly evaluating the effectiveness of their security posture. Doing so requires the vigilance of system users, the right tools and platforms, as well as qualified cybersecurity professionals to ensure their infrastructure is resilient and protected from ongoing threats and attacks. No matter their size or industry, businesses must approach security proactively and comprehensively. As organisations scale, security also must grow and mature to avoid new gaps and vulnerabilities, or risk exploitation by attackers.
Organisations need to understand how the larger cybercrime ecosystem plays into the attacks that they are most likely to be confronted with. While the focus has long been on “advanced nation-state adversaries,” the reality is that cybercrime groups are just as capable, if not more so in many cases. According to Foss, “These capabilities, combined with financial fallout from the pandemic and an ever-burgeoning cybercrime ecosystem, in which stolen data, exploitation and access as a service and more are traded at an incredible rate results in a significant likelihood of catastrophic impact.” Similar to how we have seen ransomware evolve to encompass double-extortion, RaaS, and now affiliate programs, we must remain vigilant in the protection of our corporate and personal assets.
2021: Putting the power in the hands of defenders
The global cybercrime market totals an astounding $1.5 trillion in revenue today. For many years, security teams focused on nation-state actors, allowing cybercrime to fly under the radar until recently when RaaS started grabbing headlines. According to Foss, “Three years ago we didn’t see much from e-crime groups, but now organisations are facing a surge of threats from both nation-state groups and e-crime groups. Adversaries are shifting to target organisations specifically with the goal of gaining initial access to then resell valuable data on the internet. Combined with the cheap barrier to entry, cybercrime groups have gotten more sophisticated and are moving laterally through organisations in more creative ways.” In the end, it’s critical for organisations to patch vulnerabilities immediately and proactively respond to these threats and better prepare for future attacks. As CISOs and security leaders navigate the evolving threat landscape in 2021 and beyond, it’s time to rethink security strategies and take the necessary steps to put the power back in the hands of defenders.
Additional Resources:
- Blog: 2021 Cybersecurity Outlook: Attackers vs. Defenders
- Webinar: 2021 Threat Outlook: New-World Power Shift
- Webinar: Ask the Howlers: 2021 Global Outlook (Episode 21)
VMware January Survey Methodology:
VMware conducted an online survey in January 2021 about evolving cybersecurity threats and trends ahead in 2021. 180 IR, cybersecurity, and IT professionals (including CTOs, CIOs and CISOs) from around the world participated. Respondents were asked to select only one response per question. Due to rounding, the percentages used in all questions may not add up to 100%.