New insights pulled from big data reveal rising risks, supply chain complexities, and the double-edged sword of cybersecurity insurance.
Imagine two top-tier cybersecurity professionals sitting with you to talk about threat trends they see in data pulled worldwide. This year, attendees of the CXO Program at Zenith Live in Las Vegas enjoyed that experience at a presentation by Deepen Desai, CISO of Zscaler, and Steve House, SVP of Product Management. The discussion, titled “The Threat Landscape Today: Where We Are and Where We’re Headed,” explored how current events are shaping the global threatscape.
Using trends and communications pulled from the Zscaler cloud (which processes more than 50 times as many daily transactions as Google), the speakers shared threat patterns that do not appear in smaller data samples. Audience members engaged the speakers with thoughtful questions, leading to a wide-ranging discussion on cybersecurity issues.
The modern workplace elevates three security risks
The first topic focused on ways the modern workplace is shaping threat trends on three specific fronts. The hybrid work environment continues to attract great attention from threat actors. Attackers have shifted their attention to three specific areas of the post-pandemic workforce:
- Employees. Phishing and spear phishing remain the top attack vectors, and adversaries are using social media to raise their success rates. Dual-use devices and home office equipment also give attackers room to weaponize payloads against newly discovered vulnerabilities. More devices and apps touching the enterprise mean a larger attack surface.
- Exposed assets. Performing reconnaissance is an important precursor to launching an attack. How do adversaries look for entry points into an organization? One reliable approach is identifying exposed assets, which are any internet-facing resources attached to your organization. This is why Zscaler hides an organization’s assets behind its Zero Trust Exchange.
- Public cloud services. Anything from cloud misconfigurations to open RDP or SMB ports offers attackers potential access to the organization. Over the past year, ThreatLabz observed many ransomware and infostealer campaigns that used public cloud vulnerabilities for initial access. Once threat actors breach the infrastructure, they usually follow the same playbook: reconnoiter the environment from the inside, then execute the attack.
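The third bullet names open RDP and SMB ports on public cloud services as a frequent initial-access path. The following is an added example, not code from the presentation or from Zscaler: it audits a constructed list of security-group rules (a simplified, hypothetical schema, not any cloud provider's real API shape) and reports management ports reachable from the whole internet, which is the misconfiguration a defender would want to find before an attacker's reconnaissance does.

```python
# Added example (not from the Zscaler presentation): find management ports
# that a security-group rule exposes to the entire internet.
import ipaddress
from typing import Dict, List

# Ports the talk singles out (RDP, SMB) plus other management protocols an
# auditor would treat the same way.
RISKY_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Constructed sample rules in a simplified, hypothetical security-group shape.
SAMPLE_RULES: List[Dict] = [
    {"group": "web-sg", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "jump-sg", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"group": "file-sg", "proto": "tcp", "from_port": 445, "to_port": 445, "cidr": "10.0.0.0/8"},
    {"group": "legacy-sg", "proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
    {"group": "mgmt-sg", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
]


def is_world_open(cidr: str) -> bool:
    """True when the source range is the whole IPv4 or IPv6 internet (/0)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def find_exposed_ports(rules: List[Dict]) -> List[str]:
    """Return one finding per risky port that a world-open TCP rule covers.

    A port range (e.g. 0-65535) produces a finding for every risky port it
    contains, so a 'legacy' allow-all rule is reported in full.
    """
    findings = []
    for rule in rules:
        if rule["proto"] not in ("tcp", "all", "-1"):
            continue  # UDP-only rules do not expose these TCP services
        if not is_world_open(rule["cidr"]):
            continue  # restricted source range: not an internet exposure
        lo, hi = rule["from_port"], rule["to_port"]
        for port, name in sorted(RISKY_PORTS.items()):
            if lo <= port <= hi:
                findings.append(
                    f"{rule['group']}: {name} (tcp/{port}) reachable from {rule['cidr']}"
                )
    return findings


if __name__ == "__main__":
    for line in find_exposed_ports(SAMPLE_RULES):
        print(line)
```

Running the block on the constructed rules reports the jump host's RDP rule and every risky port inside the legacy allow-all rule, while the SMB rule scoped to 10.0.0.0/8 and the SSH rule scoped to a single /24 are left alone. Only a /0 source counts as world-open here; a real audit would also want to review broad-but-not-global ranges case by case.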
Visibility is key to stopping supply chain attacks
Deepen Desai introduced the second topic by speaking on the intricacies of supply chain attacks. Supply chain attacks, like the one that hit SolarWinds, are invisible at the initial infection stage. Some vendors may claim otherwise, but consider the facts: the malicious code used in this attack was encrypted and digitally signed by a trusted vendor. The threat originated from within the legitimate code base of a trusted provider, something security vendors do not scrutinize or detect. However, once the malicious code begins operating in the target environment, it is highly detectable for those who know where to look.
In the SolarWinds example, malicious code arrived from a compromised Orion update server. Once the malware reached its target, it immediately tried to make suspicious outside contact. How can one tell this is the case? The domain the malware tried to reach had been registered a mere six months earlier and was not categorized. It was not a legitimate, known domain. This untrustworthy connection is the first step at which security measures can detect and stop the attack. Preventing malicious communication with outside infrastructure severely limits the damage a supply chain attack can inflict on an organization.
If the malware is allowed to communicate with the attacker’s infrastructure, things become much more difficult. Assuming this is the case, step two is detecting unusual lateral movement within the environment. For Zscaler, this is done through identity-based segmentation. For example, suppose “process A” on “server A” regularly talks to “process B” on “server B.” If process A suddenly starts talking to ten other servers as well, that is a good indication that something is wrong. This unusual behavior should immediately be flagged and investigated. If responders can contain the damage to a single malicious process, they effectively limit the blast radius of the attack.
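The two paragraphs above describe a two-step detection: first flag outbound contact with newly registered or uncategorized domains, then flag a process whose set of internal peers suddenly grows. The block below is an added example written for this recap, not Zscaler's implementation and not code from the presentation. It runs both checks over constructed proxy and east-west flow records; the domain registration dates and categories are a constructed stand-in for whatever reputation feed a real deployment would query, and the six-month threshold is taken from the talk's example.

```python
# Added example (not from the Zscaler presentation): the two detection steps
# from the recap, run over constructed log records.
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# --- Step 1: suspicious outbound contact ------------------------------------

# Constructed domain-intel table: (registration date, category); a category of
# None means the reputation service has not categorized the domain.
DOMAIN_INTEL: Dict[str, Tuple[date, Optional[str]]] = {
    "updates.example-vendor.test": (date(2015, 3, 1), "software-updates"),
    "newreg-c2.test": (date(2022, 1, 10), None),
    "cdn.example.test": (date(2010, 6, 20), "content-delivery"),
}

# Constructed outbound proxy log: (source host, process, destination domain).
OUTBOUND_LOG = [
    ("build-srv-01", "updater.exe", "updates.example-vendor.test"),
    ("build-srv-01", "updater.exe", "newreg-c2.test"),
    ("wks-042", "chrome.exe", "cdn.example.test"),
    ("wks-042", "chrome.exe", "unknown-host.test"),  # no intel record at all
]

MAX_AGE_DAYS = 180  # the talk's "registered six months ago" threshold


def suspicious_destinations(log, intel, today: date) -> List[Tuple[str, str, str, str]]:
    """Return (host, process, domain, reason) for each outbound contact that a
    proxy policy should block or at least alert on."""
    findings = []
    for host, proc, domain in log:
        record = intel.get(domain)
        if record is None:
            findings.append((host, proc, domain, "no reputation data"))
            continue
        registered, category = record
        age_days = (today - registered).days
        reasons = []
        if age_days < MAX_AGE_DAYS:
            reasons.append(f"registered {age_days} days ago")
        if category is None:
            reasons.append("uncategorized")
        if reasons:
            findings.append((host, proc, domain, "; ".join(reasons)))
    return findings


# --- Step 2: unusual lateral movement ---------------------------------------

# Constructed east-west flow records: (day, source host, process, destination host).
# process-a on server-a talks only to server-b for three days, then fans out.
FLOWS = (
    [(d, "server-a", "process-a", "server-b") for d in ("2022-05-30", "2022-05-31", "2022-06-01")]
    + [("2022-06-02", "server-a", "process-a", f"server-{i:02d}") for i in range(10)]
    + [("2022-06-02", "wks-042", "chrome.exe", "proxy-01")]
)


def peer_sets(flows, days: Set[str]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (source host, process) to the set of destination hosts seen on `days`."""
    peers: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for day, src, proc, dst in flows:
        if day in days:
            peers[(src, proc)].add(dst)
    return peers


def fanout_anomalies(flows, baseline_days, window_days, min_new_peers: int = 3):
    """Flag a process whose current peers include at least `min_new_peers`
    hosts it never talked to during the baseline period."""
    baseline = peer_sets(flows, set(baseline_days))
    current = peer_sets(flows, set(window_days))
    anomalies = []
    for (src, proc), dsts in current.items():
        new_peers = dsts - baseline.get((src, proc), set())
        if len(new_peers) >= min_new_peers:
            anomalies.append((src, proc, sorted(new_peers)))
    return anomalies


if __name__ == "__main__":
    for f in suspicious_destinations(OUTBOUND_LOG, DOMAIN_INTEL, date(2022, 6, 1)):
        print("step 1:", f)
    for a in fanout_anomalies(FLOWS, ["2022-05-30", "2022-05-31", "2022-06-01"], ["2022-06-02"]):
        print("step 2:", a)
```

On the constructed data, step 1 flags the newly registered, uncategorized domain and the domain with no reputation record at all, while the two long-established, categorized domains pass. Step 2 flags process-a on server-a for ten new peers in one day and ignores the workstation that merely contacted a single new proxy. The `min_new_peers` threshold is what keeps a freshly deployed service, which has no baseline yet, from tripping the rule on its first one or two connections; tuning it per environment is the real work.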
Supply chain attacks can also affect third-party organizations with access to your data or infrastructure. Recall the attack on Quanta Computer that ultimately led to the threat actors demanding a ransom from Apple. Tackling Apple's security head-on was probably deemed too difficult, so REvil simply found an easier, adjacent organization with access to Apple resources.
RaaS and rebranding keep pressure on organizations
One benefit of the Zscaler cloud platform is watching threat trends unfold and hearing the global chatter that occurs during negotiations. Having the visibility to monitor communications, payment sites, and the actions of participants on both sides of a ransomware attack is incredibly informative. Attackers use tactics like pulling a list of organizations with the largest cybersecurity insurance coverage. This information factors into their targeting plans. Seasoned attackers know the ransom prices that negotiators will usually accept due to their past experience dealing with insurers.
There is a public perception that threat groups, ransomware gangs in particular, are on the run after several recent government crackdowns. This is not reflected in the global threat data. Eight of the eleven top malware families are still quite active, with many being offered under ransomware-as-a-service (RaaS) agreements. The cybercrime-as-a-service model makes it extremely easy for unskilled actors to launch and monetize malware campaigns.
When government action does shut down a threat group, it often rebrands and reappears within a short timeframe. In the past six months, we have witnessed a half-dozen or more “new” threat groups appear. Yet these supposedly new attackers are using the exact same code base and tactics as groups that were recently “disbanded” by authorities. Between easily accessible RaaS offerings and the sheer resilience of skilled threat groups, organizations have seen very little relief from cyber threats.
Hearing in-depth analysis of global threat data in a short and digestible format is one of the benefits of attending Zenith Live. Often, the information shared at these events can only be found in voluminous research papers and technical threat reports. The high-quality information shared at Deepen and Steve’s presentation highlights the importance of attending live events and speaking with experts directly. If you did not see this informative presentation in person, now would be a great time to plan on attending next year’s event.