We’ve also seen an increase in “living off the land” attacks where cybercriminals leverage legitimate tools within an enterprise’s network to avoid detection before exfiltrating data. These attacks usually occur during working hours to seem more legitimate.
Lastly, Bitcoin has become seemingly integral to ransomware. It’s anonymous, difficult to track, fast, and easy. What more could a bad guy want? It’s no wonder the amount of cryptocurrency funds from ransomware skyrocketed 311% from 2019 to 2020.
However, Bitcoin is extremely volatile. The sporadic rise and fall of Bitcoin’s value is well-documented, and it’s not just investors who are impacted. We predict enterprises will experience an uptick in ransomware and crypto mining attacks corresponding with Bitcoin’s plummeting value; the less Bitcoin is worth, the more attacks need to be launched to make a profit, but more importantly, the malicious actors can obtain the currency on the dip.
Trend #3 – Crime as a Service expands
The increase in targeted and specialized attacks is due to the rise of Ransomware as a Service (RaaS). As the name suggests, RaaS providers are dedicated to selling or renting ransomware capabilities to buyers (called affiliates) to use at their own discretion. RaaS is part of the growing Crime as a Service (CaaS) ecosystem, which includes Access as a Service (AaaS) – providers who sell their access to affiliates.
With the rise of CaaS, cyberattacks are no longer limited to highly specialized, advanced attackers, which has inevitably led to an increase in commodity attacks. Now, anyone (affiliates) with the time and money can purchase the necessary components and launch a successful, oftentimes lucrative, attack. Case in point: the Colonial Pipeline attack was executed by an affiliate.
3 mitigation strategies
You can’t stop something you don’t see. Understanding the current trends of cyberattacks is the first step to establishing a strong cybersecurity strategy. CISOs should consider these 3 mitigation strategies:
1. Attack surface management (ASM)
Software supply chain attacks can seem daunting, especially since the majority of proprietary software is composed of open source code, which is notoriously difficult to manage. Introducing attack surface management (ASM).
According to Tech Target, “attack surface management is the continuous discovery, inventory, classification, and monitoring of an organization’s IT infrastructure.” The difference between ASM and asset discovery and monitoring is ASM evaluates security gaps from the attacker’s perspective.
By approaching security from the eyes of an attacker, organizations can better prioritize and address risky areas of the attack surface. As the attack surface is constantly evolving and expanding, it’s critical to continuously monitor your environment to prevent vulnerabilities from going unnoticed. Regular testing will surface potential risks such as weak passwords, unpatched software, encryption issues, misconfigurations, and any pesky Shadow Cloud within the development lifecycle.
Ideally, you should select a platform with ASM capabilities, giving you comprehensive visibility across your infrastructure. This is especially important if you’re building in a multi- or hybrid-cloud environment with resources living in dispersed environments. Leveraging automation, ASM will ensure your software supply chain is secure, without slowing down development workflows, enabling developers to meet business objectives.
2. Ransomware mitigation
We often get asked: “Should I pay the ransom?” In an ideal world: no. It perpetuates the crime and proves you’re a victim willing to pay, which puts a bigger target on your back. However, during a crisis, it can be challenging to thoroughly explore all options. Just like cybercriminals plan an attack, enterprises need to plan a response.
It’s crucial to establish a ransomware playbook that addresses the entire impact across all stakeholders, how to mitigate operational risks, how to ensure business continuity, and even ransomware negotiation strategies.
Another popular question is: “What are the early warning signs of a ransomware attack?” Remember, ransomware is a post-breach attack, so stopping the initial access is the top priority.
The zero trust approach is a great way to keep the bad guys out. Follow the mantra “never trust, always verify” before granting users, devices, and applications access to your network. After initial validation, remember to continuously monitor users, devices, and applications for the usual tactics, techniques, and procedures (TTPs) used in a traditional breach, such as unusual sign-on attempts from multiple locations at the same time.
You can’t stop what you can’t see. To successfully apply the zero trust approach, choose a unified cybersecurity platform that provides comprehensive visibility across endpoints, email, network, servers, and cloud. Look for a platform with XDR capabilities to collect and correlate data for deeper insights and fewer false positives, enabling security teams to use their valuable time investigating the most critical alerts.
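As an added illustration (not code from the original post), here is a minimal detection over constructed sign-on records that flags the “multiple locations at the same time” pattern mentioned above: the same account signing on from two different locations closer together than travel would allow. The 30-minute window, the location field and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-on events (user, UTC timestamp, source location).
# Not taken from any real log; built to exercise the detection below.
SIGNONS = [
    ("alice", "2021-11-02T09:00:00", "Dallas"),
    ("alice", "2021-11-02T09:04:00", "Dallas"),
    ("alice", "2021-11-02T09:07:00", "Kyiv"),       # 3 minutes later, new location
    ("bob",   "2021-11-02T10:00:00", "London"),
    ("bob",   "2021-11-02T16:30:00", "Singapore"),  # hours apart: plausible travel
    ("carol", "2021-11-02T11:00:00", "Berlin"),
    ("carol", "2021-11-02T11:00:30", "Berlin"),     # same location: fine
]


def parse_events(rows):
    """Convert (user, ISO-8601 timestamp, location) rows into datetime objects."""
    return [(user, datetime.fromisoformat(ts), loc) for user, ts, loc in rows]


def concurrent_location_alerts(rows, window_minutes=30):
    """Return one alert per pair of sign-ons by the same user from different
    locations within `window_minutes` of each other (assumed window).

    Events are sorted per user and only adjacent pairs are compared: if any
    two events within the window differ in location, some adjacent pair
    between them also differs and is at least as close together, so this
    check misses nothing while staying linear in the number of events.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for user, ts, loc in parse_events(rows):
        by_user[user].append((ts, loc))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per account
        for (prev_ts, prev_loc), (ts, loc) in zip(events, events[1:]):
            if loc != prev_loc and ts - prev_ts <= window:
                alerts.append({"user": user, "from": prev_loc, "to": loc,
                               "gap_minutes": (ts - prev_ts).total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for a in concurrent_location_alerts(SIGNONS):
        print(f"{a['user']}: {a['from']} -> {a['to']} within {a['gap_minutes']:.0f} min")
```

Only the alice pair is reported; bob’s two sign-ons are hours apart and carol never changes location.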
3. Vulnerability and patch management
2021 was a record-breaking year with over 80 zero-day vulnerabilities used in attacks. Effective vulnerability management starts with hardening admin, critical app, and database accounts with MFA, patching, and advanced detection technologies like machine learning, AI, and behavior monitoring.
Patch management is very important and oftentimes very difficult for organizations to manage. The sheer volume of patches is overwhelming—it seems every Patch Tuesday has nearly 100 patches. And that’s just Microsoft’s patches. If you’re using several vendors, it can seem nearly impossible to 1) decide what to patch and 2) actually patch.
The rapidly shrinking time to exploit doesn’t help patch management either. In previous years, it took 30-45 days on average after a vulnerability was disclosed before it was seen in the wild or a proof of concept (POC) was created for it. Today, this all happens within hours, giving organizations less time to react.
Preparation is key. Like the ransomware playbook, establishing a patching action plan is crucial, so you can react quickly and limit the scope of the attack.
Don’t approach patching as a “defend all or defend none” situation. Evaluate which area can do most harm if infiltrated so you can prioritize protecting and understanding the vulnerabilities associated with your critical data, systems, and hardware.
For example, if you work in a hospital, attackers will often target patients’ medical devices or records because it’s the fastest way to disrupt business operations, so these should be prioritized.
Ideally, you want to protect these devices with a network-based intrusion prevention system (IPS) or network scanner to identify any exploits attempting access. In the case an exploit does occur, you’ve already established that medical devices are a top priority to lock down. Your IPS product will deploy a virtual patch, minimizing the exploitability of the vulnerability and keeping operations (pun intended) running smoothly.