Posted on August 31, 2021

Lesson 1: Here’s where security protection is absent or impossible

Zero Trust serves as a superior framework for security defense, as it’s often used to refocus perimeter-based strategies around user access, identities, and devices regardless of their location. However, Zero Trust isn’t always possible, especially when it comes to mobile phones and other uncontrolled hardware. Why? The root issue is supply chain or hardware-based attacks.

In fact, the security onus is often on the platform vendors — such as phone and device manufacturers like Samsung®, LG®, Apple®, and the like — who must defend their hardware, microchips, and operating systems. And yet, that defense job is considered nearly impossible today. This is because no security technology exists that can effectively protect these companies and their products from supply chain or source-code-based attacks against the software or hardware supplier themselves.

No security technology can effectively protect against supply chain attacks. Therefore, Zero Trust isn’t always possible when it comes to mobile phones and uncontrolled hardware.


We have already witnessed terrible impacts in 2021, such as with the SolarWinds supply chain attack and the more recent Kaseya MSSP attack. With the exploitation of widely used software in both the public and private sectors all over the world, using the word vast to describe the circle of influence these attacks can have is a grave understatement.

Threats can come from both external attack vectors and internally from malicious insiders working from behind “trusted accounts.” SolarWinds showed security professionals everywhere that even with a perfectly constructed Zero Trust framework in place, this attack vector could not have been prevented. Anyone relying on third-party platforms to access resources will always be at the mercy of the manufacturer to provide some level of trusted access security.

Lesson 2: Zero-day exploits have doubled — hackers are already inside

Known vulnerabilities are easy to manage because they have been identified and can be patched quickly. Zero-day vulnerabilities, however, are those that are unknown and unpatched. When one is discovered, it often means that hackers have already exploited the opportunity; bad actors are already inside your systems. This explains why zero-day vulnerabilities have become a primary attack vector.

In 2021, exploited zero-days more than doubled compared to 2020, as reported by the COO of Corellium, Matt Tait, during his keynote speech at Black Hat. “Offense has taken the gloves off,” he said. “Zero-days are fueling an out-of-control supply chain attack problem.” See more of the takeaways from Tait’s presentation. So, what can you do? Partners and their technologies and managed security services are the ONLY solution to this problem.

Lesson 3: Evading detection is commonplace — protecting Office365 is key

During one Black Hat session, security firm Mandiant called Microsoft® Office 365 the “Holy Grail” of attack vectors for motivated threat actors. Their presentation, titled “Cloudy with a Chance of APT,” offered a technical overview of various Advanced Persistent Threats (APTs) that were used against this widely adopted cloud-based service, which has become a favorite target for bad actors looking to gain a foothold into corporate assets.

It’s easy for them to get into O365 because of the frequently poor administration of those environments. Companies and IT professionals are failing to secure the authentication mechanisms governing these cloud environments, which are accessible from anywhere in the world. Even worse, the ability to evade detection is becoming commonplace, because attackers simply get access to an account and disable logging and auditing of existing security features. For a cyber criminal, this work is all too easy. In some instances, detection evasion is simple — all they do is click a checkbox to “downgrade” a single license from E5 to E3.

For a cyber criminal targeting O365, detection evasion can be as simple as a few clicks.
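Because the evasion described above is itself an administrative action, it leaves a record that a defender can alert on. The following added example (not from the original post or from Masergy) runs a simple detector over constructed sample records shaped like Office 365 Unified Audit Log entries; the field names, operation names and SKU identifiers are assumptions about the log format, and the values are illustrative, not from a real tenant.

```python
# Constructed sample records shaped like Office 365 Unified Audit Log entries
# (a subset of fields). Assumed illustrative values, not from a real tenant.
SAMPLE_LOG = [
    {"CreationTime": "2021-08-20T10:02:11", "Operation": "UserLoggedIn",
     "UserId": "admin@example.invalid", "Parameters": []},
    {"CreationTime": "2021-08-20T10:05:40", "Operation": "Set-AdminAuditLogConfig",
     "UserId": "admin@example.invalid",
     "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
    {"CreationTime": "2021-08-20T10:06:02", "Operation": "Set-Mailbox",
     "UserId": "admin@example.invalid",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.invalid"},
                    {"Name": "AuditEnabled", "Value": "False"}]},
    {"CreationTime": "2021-08-20T10:07:30", "Operation": "Change user license.",
     "UserId": "admin@example.invalid",
     "ModifiedProperties": [{"Name": "AssignedLicense",
                             "OldValue": "ENTERPRISEPREMIUM",
                             "NewValue": "ENTERPRISEPACK"}]},
]

# Assumed SKU part numbers: ENTERPRISEPREMIUM is Office 365 E5, ENTERPRISEPACK
# is Office 365 E3. Removing a premium SKU lowers audit/detection coverage.
PREMIUM_SKUS = {"ENTERPRISEPREMIUM"}


def _params(rec):
    """Flatten the Parameters array into {name: lowercased value}."""
    return {p["Name"]: str(p["Value"]).lower() for p in rec.get("Parameters", [])}


def find_evasion(records):
    """Return (time, user, reason) for every record that reduces audit visibility.

    The record that disables audit ingestion may be the last one you receive
    from that actor, so it should be alerted on immediately, not batched.
    """
    findings = []
    for rec in records:
        op, p = rec.get("Operation"), _params(rec)
        who, when = rec.get("UserId"), rec.get("CreationTime")
        if op == "Set-AdminAuditLogConfig" and p.get("UnifiedAuditLogIngestionEnabled") == "false":
            findings.append((when, who, "unified audit log ingestion disabled"))
        elif op == "Set-Mailbox" and p.get("AuditEnabled") == "false":
            findings.append((when, who, f"mailbox auditing disabled for {p.get('Identity')}"))
        elif op == "Change user license.":
            for prop in rec.get("ModifiedProperties", []):
                if prop.get("Name") == "AssignedLicense" and prop.get("OldValue") in PREMIUM_SKUS:
                    findings.append((when, who, f"license downgrade {prop['OldValue']} -> {prop['NewValue']}"))
    return findings


if __name__ == "__main__":
    for when, who, reason in find_evasion(SAMPLE_LOG):
        print(f"{when} {who}: {reason}")
```

In a real deployment the records would come from the tenant's audit export rather than an inline list, and the three checks would feed an alerting pipeline rather than stdout.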


Lesson 4: These two technologies are making attacks more automated than ever

With the advent of AI-powered language prediction and word generation technologies, including GPT3 (2020) and the upcoming GPT4, the ability to automate cyber attacks will be easier than ever before. While these OpenAI tools make typing text easy for users everywhere, they also start to accelerate capabilities for bad actors, helping them expand and further automate already efficient attack methodologies. In one Black Hat session, researchers demonstrated the weaponization of these deep neural networks, showing how they can be used to automate a social media disinformation campaign and shape public opinion.

In fact, deep fake audio recordings and video footage are also powering cyber attacks. The creation of fictitious phone calls and fabricated videos has evolved at such a rapid rate over the past few years that the resources required to generate very convincing material are now attainable by hacktivists and cyber crime syndicates. This technology has huge potential in security attacks — it could likely become a dominant attack vector in the near future. Creating attacks could be as simple as targeting employees with fake voicemail messages from their bosses, telling them to do things that aid the attacker. Undoubtedly, these tools can be used to fool insiders into becoming a threat to their own organization.

Lesson 5: Ransomware is here forever and cryptocurrency is making it worse

Today is just the beginning of the ransomware problem. The most popular operating systems are riddled with vulnerabilities that are at the heart of ransomware attacks. As long as software has new versions, there will always be vulnerabilities and ransomware attacks.

With the advent of cryptocurrency, the ease and total rewards of ransomware are far greater than any of the risks attackers face in engaging in these criminal practices. One reason: cryptocurrency allows for some level of anonymity. Pay a ransomware attacker in standard American dollars and it’s easier to follow the money trail and find who is behind the crime. Additionally, many of these attackers operate in regions where American laws have no jurisdiction. Cryptocurrency and ransomware are such problems now that even the FBI has issued its first-ever alert about it.

Lesson 6: Social engineering is still the #1 attack vector and bad actors are getting brazen!

Social engineering is still the preferred method of attack. Out-of-band communications coming from untrusted sources outside the organization are the low-hanging fruit for attackers targeting companies via personal phone calls, personal emails, social media messages, and even SMS text messages. These are popular tactics because they are successful in turning unwitting users into insider threats acting against their own organization.

And to make matters worse, cyber criminals are trying every possible angle. With today’s trends in job changes and employee resignations, bad actors are seeking out disgruntled employees who are willing to infect company systems with malware, as was the case with a recent attack on Tesla. This mass solicitation is a new twist on the old concept of getting assistance from insiders. Likewise, COVID-19 news and headlines of the day offer entry points for attackers, and moving forward each new trend will provide more angles to play, resulting in more creative marketing “bait.”

The big takeaway: Awareness must be two-fold

With the rapidly evolving threat landscape, it’s important for every IT leader to understand not just the most popular attack methods today, but also where the security industry is lagging behind. IT leaders need to understand their own security strengths and weaknesses within their company, but they must also have the ability to recognize what gives bad actors the advantage and where every organization is vulnerable in ways that will always be inescapable. Like companies themselves, the security industry is still maturing and facing tough challenges to solve. When IT leaders are mindful of this, awareness is heightened, and we all know that sound security strategies start with heightened awareness.

Trevor Parks

Trevor Parks is the director for security solutions at Masergy. He is responsible for guiding the development, evolution and implementation of Masergy's Unified Enterprise Security services platform. Trevor contributed to the development of the patented Network Behavioral Analysis technology at the core of Masergy’s security solutions aimed at detecting APTs and other advanced threats affecting customer networks.