22 February 2024

2024 Cyber War Gets Hot—It’s Time to Dynamically Respond

ELI NUSSBAUM

For years, cybersecurity experts have been saying that organizations’ cyber defenses must evolve as quickly as threat actors’ constantly changing tactics. Whether or not this advice has been heeded is specific to each organization and security professional. Most often it is not. Organizational IT is largely (and understandably) focused on the daily needs of the business. Across most industries, IT departments generally lack the operational bandwidth and the relevant data necessary to calibrate defenses against rapidly changing threats.

Organizations can no longer afford to continue eschewing this advice. In 2022 and 2023, security researchers witnessed an unparalleled “hockey stick” curve in the rate of threat evolution. A landscape once characterized by predictable threat evolution has given way to threat affiliate groups demonstrating the ability to compromise virtually any application and operating system, rapidly dismantle organizational systems using the company’s own tools within hours, retool their arsenals at an accelerated pace, and leverage expansive affiliate networks to disseminate new vulnerabilities almost immediately after discovery.

The idea that security tools, processes, and procedures can be set and then forgotten never worked, though it has been practiced routinely by overstretched IT teams. Today, this mindset leaves companies wide open to the white-hot hacker industry that is actively attacking and crippling U.S. and international organizations’ ability to operate. Worse, threat actor activity is expected to continue to escalate in the coming year. Companies that fail to continuously adjust their defenses against emergent tactics will see their security investment depreciate. Despite potentially having the right tools in place, their defenses become less secure daily in the absence of continuous evolution, re-calibration, and proper orchestration across people, process, policy, and product. Callibrating defenses to real-time tactics also enables organizations to focus both their investments and efforts to where they are needed most, becoming more efficient in the long run.

We understand that the continuous barrage of breach news and security professionals’ warnings has created a sort of ennui—we are so used to hearing these often-hyperbolized concerns that too many of us have become inured to them. But, as we enter a whole new era of cyber risk in which breach actors incorporate both AI technologies and novel approaches, it’s essential to understand that today’s threat actors are not playing the same game as yesterday. As we see daily in our practice, breaches can and do frequently result in the failure of established institutions, the loss of jobs, and in some cases, even contribute to the loss of lives as organizations that thought they weren’t at risk are victimized. Your organization very likely will become a target if you lack a strategy that includes continuous adaptation.

The need for accurate, timely data

To respond to threats in real time, organizations require rapid access to a broad span of threat data. This presents challenges: software vulnerabilities issued in the Critical Vulnerabilities and Exposures (CVE) database are often not published in a timely manner. Traditional lists and databases also fall short of addressing techniques, such as the recent social engineering attacks on Help Desks and Identity Provider (IdP) solutions, the layering of vulnerabilities into sophisticated attacks, or how forgotten, legacy technology is currently being compromised. As most IT staff aren’t actively working in the threat recovery field, how can organizations address this information gap?

A layered defensive strategy

It’s important to build your defenses in layers: Where one defensive approach may fail, another is there to thwart the attack. Layered security means creating overlapping defenses that involve people, process, policy, and product in an intentional strategy that protects against intrusion, lateral movement, endpoint compromise, backup compromise, and data destruction while protecting the entire security estate. It’s like having a belt and suspenders—should the belt break, you still have suspenders holding your pants up. An example of redundant security defenses includes having an Endpoint Detection and Response solution, a traditional antivirus solution, and a staff member monitoring these tools—covering endpoint defenses from multiple angles.

Applying these layers across your risk estate will help you proactively defend against emerging threats, even if/when your organization is unable to maintain access to complete up-to-date threat data. It’s important to note, though, that these layered defenses must also be reassessed and adjusted regularly for settings and relevancy as your company and the landscape changes. Nothing should be considered “set and forget” (especially Cloud solutions, which can become insecure with each new update or feature release). Organizations must still work to obtain current threat data via multiple threat feeds, research, and participation with the security community (as possible) to keep their security relevant.

Managed security services

Some managed security services providers (MSSPs) have continual access to evolving threat data and may be able to assist your organization with routine adjustments to security configurations and orchestration. These services can be very helpful in gaining the expertise, staffing, and relevant information needed to keep your security in the required state of constant evolution. Before diving into a relationship with an MSSP though, ensure that they offer true threat intelligence integration and regular security calibration into their service.

Even with an MSSP, their service is limited to the portion of your network and environment that they support. Your organization must look at itself holistically and across segments, systems, sites, and providers. Threat actors chain their attack mechanisms– your approach to security must be as comprehensive as it is layered, and it cannot be uniquely dependent on the MSSP in the same way that it cannot be uniquely dependent on a single tool.

Always one step behind

Security defenses, almost by definition, are frequently one step behind threat actors as we often must see what we are up against before mounting an effective counterstrategy. Despite this, it’s important to begin with the right foundational layers, and then evolve those layers and defenses as rapidly as possible. There is no panacea. Layered defenses are no different, but building rapid evolution into your cybersecurity strategy, leveraging defensive layers and real-time threat data, will help prepare your organization against the emerging next-level attackers who are skilled, practiced, collaborative, professional and determined to get into your networks.

No comments: