[BreachExchange] Lessons Learned From High-Profile Exploits

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 24 18:35:10 EDT 2021


https://www.securityweek.com/lessons-learned-high-profile-exploits

In 2020, malicious actors took full advantage of the expanded threat
landscape created by the increase in remote work. We saw the reappearance
of older malware targeting older, unpatched devices in home networks, a
seven-fold increase in ransomware attacks, and one of the most significant
supply chain hacks in recent years. And so far, 2021 is following that
theme with the recent attempts by cyber adversaries using a variety of
attacks to exploit several Microsoft Exchange Server vulnerabilities and a
continued assault with ransomware.

Given the rapid expansion of the potential attack surface, the
interconnection of devices and data across a larger digital environment,
and the inconsistent and fragmented approach to security taken by many
organizations, cybersecurity risk has never been greater. As the saying
goes, there’s no rest for the weary—and the recent spate of ransomware and
other attacks looking to exploit newly revealed critical system
vulnerabilities are just the latest in an escalating campaign by
increasingly motivated and sophisticated criminals. And that means
cybersecurity professionals have to stay vigilant and prepared.

Understanding the tactics of cybercriminals

While HAFNIUM may have been among the first to target the Microsoft
Exchange vulnerabilities, they will certainly not be the last as long as
systems remain unpatched. Campaigns like these demonstrate a classic strategy of
cybercriminals. Once a high-profile vulnerability has been revealed,
cybercriminals immediately attempt to make the most of it. They rely on two
things. First, they are hoping to exploit the gap between the disclosure of
vulnerabilities and when organizations begin to apply patches and updates.
In most cases, exploits targeting newly released vulnerabilities show up
within a few hours of a vulnerability being made public. While zero-day
exploits are the most valued because they can target a vulnerability
discovered by a cybercriminal and for which no patch currently exists, they
are rare and expensive. The next best thing for them is to target newly
announced vulnerabilities, also known as “N-Days”.

And that leads to the second attack strategy. While the majority of
potential victims will deploy patches and updates within the first several
days of their being released, there are invariably large numbers of
organizations that can take weeks or months—if ever—to update their
systems. And that means that we can expect to see cybercriminals launch new
campaigns targeting these vulnerabilities for years to come. In fact, the
average “shelf life” of a vulnerability – in terms of how long it will
still be widely commoditized – is two to three years.

Next steps and best practices

Although every network environment is unique, there are steps any
organization can begin to implement now to reduce their risk from
ransomware and other advanced threats:

• Ensure that access controls like multifactor authentication, zero-trust
access, and even Network Access Control (NAC) solutions are in place

• Tie access controls to dynamic segmentation and then use those network
partitions to create security zones that can stop the spread of infection

• Use change control processes to implement a plan for ensuring you can
rapidly respond to emergency patches

• Ensure that all endpoint devices have advanced security installed,
including anti-exploit and endpoint detection and response (EDR) solutions

• Update email and web security gateways to identify and effectively filter
out malicious email attachments, website links, and files.

• Make sure network IPS signatures are updated, as well as device antivirus
and anti-malware tools. This is especially critical when you need to
protect devices that cannot be updated or patched

• Back up your systems and then store the backups off network – along with
any devices and software needed in the event of a network recovery

• Ensure that CDR (content disarm and recovery) solutions are in place to
deactivate malicious attachments

• Use forensic analysis tools to identify where an infection came from, how
long it has been in an environment, which devices were along the attack
path, etc.

• Conduct cybersecurity awareness training to account for one of the
biggest unknowns: the people who use your devices and applications

• Deploy a sandbox to securely discover, execute and analyze new or
unrecognized files, documents, or programs

• Block unauthorized SaaS applications with a CASB solution
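The "rapidly respond to emergency patches" item above is only measurable if you track the gap the article describes: the time between public disclosure of an N-day and the patch landing on each asset. The following is an added example, not code from the article or its author; it assumes a hypothetical inventory format and two illustrative SLA windows (3 days for actively exploited bugs, 14 days otherwise), and reports which assets blew their window, unpatched assets first.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed patch SLAs (illustrative, not from the article): vulnerabilities
# known to be exploited in the wild get the emergency window, the rest the
# routine window.
EMERGENCY_SLA_DAYS = 3
ROUTINE_SLA_DAYS = 14


@dataclass
class Asset:
    name: str
    product: str
    disclosed: date          # date the vulnerability was made public
    patched: Optional[date]  # date the fix was applied; None if still unpatched
    exploited_in_wild: bool  # whether the bug is known to be actively exploited


def exposure_days(asset: Asset, today: date) -> int:
    """Days the asset was (or still is) exposed: disclosure to patch, or to today."""
    end = asset.patched or today
    return max(0, (end - asset.disclosed).days)


def sla_days(asset: Asset) -> int:
    return EMERGENCY_SLA_DAYS if asset.exploited_in_wild else ROUTINE_SLA_DAYS


def assess(assets: List[Asset], today: date) -> List[Tuple[str, int, int, str]]:
    """Return (name, exposure_days, sla_days, status) rows, worst first."""
    rows = []
    for a in assets:
        exp = exposure_days(a, today)
        sla = sla_days(a)
        if a.patched is None:
            status = "UNPATCHED_OVER_SLA" if exp > sla else "UNPATCHED"
        else:
            status = "PATCHED_LATE" if exp > sla else "PATCHED_IN_SLA"
        rows.append((a.name, exp, sla, status))
    # Still-unpatched assets come first, then by exposure (longest first).
    order = {"UNPATCHED_OVER_SLA": 0, "UNPATCHED": 1,
             "PATCHED_LATE": 2, "PATCHED_IN_SLA": 3}
    rows.sort(key=lambda r: (order[r[3]], -r[1]))
    return rows


# Constructed sample inventory: hostnames and dates are made up for the demo.
SAMPLE_ASSETS = [
    Asset("mail-01", "Exchange Server", date(2021, 3, 2), date(2021, 3, 4), True),
    Asset("mail-02", "Exchange Server", date(2021, 3, 2), None, True),
    Asset("vpn-gw", "VPN appliance", date(2021, 2, 10), date(2021, 3, 20), False),
    Asset("fileshare", "NAS firmware", date(2021, 3, 15), None, False),
]


def sample_report() -> List[Tuple[str, int, int, str]]:
    """Run the assessment over the constructed inventory as of 2021-03-25."""
    return assess(SAMPLE_ASSETS, date(2021, 3, 25))


if __name__ == "__main__":
    for row in sample_report():
        print("%-10s exposed %3d days (SLA %2d): %s" % row)
```

Feeding this from a real asset inventory and an exploited-vulnerability feed turns the checklist item into a daily report: every `UNPATCHED_OVER_SLA` row is an N-day the article warns about, still sitting in the window attackers rely on.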

All of these and similar steps should be geared toward a single goal:
leveraging people, technology, and processes to quickly gather and
correlate threat intelligence about active attacks on a network and to
automatically respond using a coordinated strategy that leverages all
relevant security technologies regardless of where they are deployed.

Lessons learned and moving into the future

As mentioned, we are only seeing the tip of the iceberg when it comes to
exploit attempts targeting these latest high-profile vulnerabilities.
Additional targeted attacks, especially more ransomware, are destined to
come, and they will dearly cost those businesses that fail to respond
quickly. Many of today’s malware and ransomware attacks are a completely
different game because they are being specifically crafted and targeted at
certain internal systems. The target assets are no longer just about data,
but also about services that can be disrupted and held for ransom. This
approach is proving to have a higher return on investment for cyber
criminals.

Because attackers like to follow the path of least resistance, they are
constantly keeping an eye out for the weakest link in security. That could
be people, technology, supply chains or bad cyber hygiene. This means that
organizations need to either be continually upping their game, or they need
to implement a security-driven strategy designed to adapt to a
constantly evolving threat landscape.

Prepared for attacks

Ransomware isn’t going anywhere—and it’s not only going to get more
sophisticated, but we’re also going to continue to see an increase in the
volume of attacks due to the growth of Ransomware-as-a-Service. And as the
targets of ransom become higher-profile, risk is not just increasing for
organizations, but the costs will continue to climb. This is creating a
feedback loop in which ransomware efforts become increasingly lucrative for
cybercriminals. The efforts to exploit the latest Microsoft Exchange Server
vulnerabilities are just the latest examples receiving global attention,
but they are merely a harbinger of things to come. They are a clarion call
to cybercriminals to join in, as well as to organizations to adopt and
implement better security practices for managing vulnerabilities.

Bad actors act quickly, so IT security teams must patch quickly,
effectively, and comprehensively, because the bad guys only need one
vulnerability to bring down the whole network. The recommended actions
listed above are a good checklist to compare current security practices to,
but they are just a starting place. They are designed to complement a
comprehensive security architecture built around an integrated security
platform that can be broadly deployed, actionable threat intelligence,
automation designed to leverage AI, and unified management for centralized
visibility, orchestration, and control. As ransomware becomes more
targeted—and therefore more dangerous—organizations that implement these
strategies will be well-positioned to defeat whatever exploits come next.