Unprepared infosec pros were overwhelmed when the pandemic hit organizations a year ago. They were met with cyberattacks from a wide range of threat actors doing everything from trying to leverage remote access vulnerabilities to firing phishing messages with COVID-19 lures.
There was a lesson in the pandemic response, Jason Rivera, director of CrowdStrike’s strategic threat advisory group, told viewers last week at the one-day RSA365 virtual summit.
“A lot of what COVID-19 showed us is how difficult it is to understand the problems we are facing, particularly when those problems are changing very quickly,” he said.
Too many infosec pros want to solve problems before understanding them, he argued. “I see a lot of organizations going from threat to threat, alert to alert but not really understanding the underlying basis of why it’s happening. There are many ways I see this: In many cases, we see organizations buy expensive solutions but not understand the problem they’re trying to solve.”
That’s when they react to incidents, he explained.
“The longer you play whack a mole, eventually you lose the game and the mole [in this case the adversary] gets through,” he explained. “Your ability to defeat cyber threats rests pretty much entirely on understanding the problem,” he maintained. “If you know what your adversary is capable of, you know what your vulnerabilities are, what you are trying to protect and what malware the adversaries have and the capabilities, then you are pretty well-positioned to succeed against them.”
He suggested infosec pros should start thinking about their attack surface through these three lenses:
Strategic – Why does an adversary want to target you? What industry are you in, what are your critical assets? A criminal might be interested in financial gain, an espionage actor might want national security secrets.
Operational – Just as you should think of your people, process and technology, adversaries think of their capabilities such as malware, social engineering and infrastructure. So think of how adversaries might use these tools against your technology, people and processes.
Tactical – What are your internal attack surfaces [operating systems, applications, perimeter devices like gateways and firewalls] and external surfaces [cloud services, web sites]. What tools do adversaries have to get into these?
The four steps
Admittedly, he said, you have to consider that the attack surface has changed because more employees are working from home. That blurs the idea of an internal-external perimeter threat surface.
What’s also important, Rivera noted, is to understand threat actors have changed their tactics. Before COVID, many were into “big game hunting,” focusing on large targets in hopes of large payouts. Ransomware-as-a-service has piqued criminals’ interest, and data extortion on top of ransomware has increased. Nation-states are focusing on stealing medical research related to COVID vaccines and on government decision-making information.
So for infosec pros it’s “evolve or get left behind,” Rivera said. Here’s how:
1–Decrease your reliance on planning for a perimeter
Treat endpoints as the heart of the IT environment and as protected assets. Focus on a zero-trust architecture and verify the identify of all individuals allowed network access. Consider the possibility that everyday IoT items at home (connected printers, coffee machines) are part of the battlefield;
2– Prioritize simplicity and adaptability
“Simplicity is your friend,” Rivera said. We can prepare all we want for intrusions, but when attack starts the threat may look different, so response plans have to be flexible. If you’re going to use different types of security technologies think about how they can be consolidated (for example, have fewer agents). Less complexity can mean more comprehensive protection;
3– Evolve from reactive to proactive
Don’t wait for things to happen. Leverage threat intelligence to preemptively understand threats. (So, for example, if something happened to a peer in your sector it will likely happen to you. Similarly, use intelligence-driven threat hunting within your environment (If that attack against a peer used a technique it will likely be used against you). Also, make sure all security-related teams in your organization (the SOC, the threat intelligence team, the incident response team) have a common operational picture of the threat (different security teams need to see the same problem the same way. Otherwise, they may make uncoordinated responses.
4– Prepare your workforce for the ‘new normal’
Combat the threat of misinformation by adversaries. They will use global events against us like COVID and politics to trick people into falling for phishing lures. Think of identity as the new perimeter. “We already tried the network as perimeter, and that didn’t work,” he said. “Endpoint security products alone won’t necessarily work. We need to have multiple ways of vetting who is on our machines, [determining] is this behaviour normal?”
“Ultimately, it’s just you (and what you are protecting) and the adversary,” Rivera concluded. “Not only do we need to understand the reasoning of adversaries, we need to understand their capabilities, their infrastructure — We need to know a lot more about them than we do now.”
Understand your problems and you will make the right decisions, he said, hire the right people — and buy the right security products.
