23 May 2021

State-Sponsored Cyberattacks Aren’t Going Away — Here’s How To Defend Your Organization

Adam Hunt

The world has never been as vulnerable to cyberattacks as it is today. The sheer number of attacks organizations face and the global scope of many of those attacks is putting today's CISOs on the hot seat.

There were nearly a dozen zero-day exploits in the first half of 2020 alone, an unprecedented rate of successful infiltration that made the lack of control and visibility for security leaders painfully evident.

Advanced persistent threats (APTs) are rising in frequency and their impact is increasingly devastating. Initially, the Microsoft Exchange vulnerability affected more than 400 thousand servers worldwide. Sophisticated attackers are taking advantage of the digital transformation where each of the internet's components is an individual thread woven together to create the Web as we know it.

Today, being a part of this tapestry isn't a choice; if you have an internet presence, you are interwoven with every other entity on the Web, including attackers. State-sponsored threat actors executing attacks against organizations that all run the same systems are counting on this interconnectivity.

There's no turning back the clock on digital transformation and the rise of the extended enterprise, so there's no point in falling back on outdated cybersecurity methods to solve this crisis. We have to meet the challenges posed by the modern global attack surface head-on.

First, we have to realize that the internet's deep interconnectivity has good guys, bad guys and everyone in between linked via deep digital relationships. Then we have to answer how cyberthreat actors have used this to their advantage and, more importantly, how we in the security community can begin to use it to ours.

Those who understand how these connections work, good guy or bad guy, are the ones who will win.

One Breach Exposed Massive Vulnerabilities

Today, the internet is the perimeter, one that we all share whether we like it or not. The hack involving SolarWinds serves as undeniable proof.

Rather than being an isolated strike, the breach gave hackers access to "multiple supply chain layers," according to CSO, meaning organizations' networks of third-party suppliers, partners and vendors. It's also important to note that SolarWinds wasn't the only vector for the attack. According to a Wall Street Journal article, "Close to a third of the victims didn't run the SolarWinds Corp. software initially considered the main avenue of attack for the hackers."

This exposed the potential vulnerability of any system connected to the internet. Finding out that such programs can be hacked and corrupted for months on end without detection shook the cybersecurity community. And just as the cybersecurity sector came to grips with such an unprecedented intrusion, an even greater, more effective attack emerged: the Microsoft Exchange vulnerability.

We look at this sequence as a pattern that will undoubtedly continue.

I am CTO and chief data scientist at RiskIQ where my team and I have been at the forefront in assessing and correcting the Microsoft Exchange vulnerability. We understand more than most what the latest spate of cyberattacks means: that everyone, not just the most valuable IP holders, is at risk due to the nature of big data and the sophistication of APTs and nation-state actors.

Laying The Groundwork For Effective Threat Defense

It's simply not realistic for your organization to defend itself from attacks like SolarWinds on your own. The scale of your organization's attack surface — your digital supply chains, partners, IT to enable a remote workforce — has simply become too large. Meanwhile, internet-scale cyberthreats are the smallest of needles in massive data haystacks.

In fact, cyberthreats have almost become more of a big data problem than a security problem. That's why we've crawled the internet for more than 10 years to build a real-time map that exposes the deep digital relationships that make up the global attack surface.

As we mapped the internet, we computed the relationships between cyberattack victims and perpetrators and studied how internet components fit inside the picture to understand their role in enabling or thwarting threats. Organizations often aren't even aware they're running the vulnerable systems that act as inroads for attackers, so preventing attacks — let alone responding to them — is impossible.

This perspective allows organizations to know what they don't know and understand, from a global perspective once thought to be impossibly large, where the threats and vulnerabilities most critical to them are hiding.

The Advice We Give to Fortune 500 Companies

To protect their businesses, security teams need intelligence that can provide a 30,000-foot view of the global attack surface. In order for your security program to successfully address the threats we face in 2021, it must:

• Contain the necessary intelligence to know what the attack surface looks like. Attack surfaces are necessarily larger today thanks to big data. Open-source intelligence gathering or network telemetry will no longer provide adequate threat detection. You need security intelligence with a view of the global attack surface and keen insight into threats most critical to the enterprise's one-of-a-kind digital footprint.

• Contain a robust budget for threat intelligence and forensic-hunting capabilities. Your security team must be able to respond immediately and decisively to attacks like the SolarWinds breach. Are you investing preemptively in your threat intelligence data and systems so that, when the time comes, you can identify and combat the intrusion? Because it's abundantly clear that the time will come.

• Give chief information security officers (CISOs) an advanced incident-response function and the accompanying data. Can your CISO answer the following questions?

  • What is the nature of the attack?

  • Which features of our network are vulnerable?

  • Has the company been breached?

  • What clues exist as a result of the attack?

Building your incident-response function, and trying to answer these questions, is extremely difficult if you're doing it as the attack happens.

Rather than taking an on-the-fly approach, I advise investing in and honing your incident response infrastructure before an attack happens — because the state-sponsored hack involving SolarWinds will not be the last mass-scale supply-chain attack. It's a harbinger of things to come.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
