Contributed by Edwin Doyle, Global Security Strategist, Check Point Software. 

EXECUTIVE SUMMARY:

As adversaries employ more complex tactics, techniques, and procedures (TTPs) to successfully evade and exploit conventional security controls, organizations are clamoring to secure an increasing number of digital real estate assets both inside and outside the network perimeters. If 2020 taught us anything about security incidents, it is that state-sponsored threat actors are equipped with more innovative attack capabilities than the average organizations are prepared to defend against.

In 2021, New Year's resolutions for organizations must include a cautious, offensive approach to information security. Enterprise security teams must be ready to fight back—they can do this by enhancing their already-available automation capabilities with proactive security orchestration processes that intelligently unify relevant security data sources, producing the visibility and insights required to defend an entire topography of technology assets.

In this blog post, we will discuss methods whereby threat actors leverage sophisticated TTPs to compromise critical systems within the government and across the private sector. Moreover, this blog will highlight methodologies to help organizations fight back, using the security automation tools already within reach—with just a pinch of unified intelligent capabilities, sprinkled with an extended detection and response (XDR)-based approach.

Why are automated cyber attacks successful? 

Attack automation gives threat actors the capability to reach a victim's on-premises and cloud infrastructures. In a classic attack scenario, threat actors invest a great deal of time and financial resources in developing new scripts and mechanisms to successfully compromise a single target. This approach may work for a limited number of targets, but it is not economical for large-scale attacks considering the time and money initially invested.

With attack automation, however, threat actors can launch large-scale attacks using intelligent, scalable, and evasive malware techniques. Malware used in automated attacks is capable of detecting the behavior of defensive systems/sandboxing and stopping malicious activity in order to suppress the alarm initialization process. Armed with a variety of anti-forensic techniques, automated malware attacks are capable of shapeshifting, thus leaving no trace for attribution measures.

How threat actors leverage automation

For the average cybercriminal, the use of automation means access to a larger range of targeted victims, more ransom payments, and the possibility of building an empire of threat actors. As the threat landscape matured, threat actors learned to leverage emerging technologies to maintain persistence, attack precision, and scalability. For instance, cybercriminals elevated their TTPs from simple code encryption software into specialized malware tools with polymorphic capabilities—thereby frustrating most defensive actions aimed at detection or attribution.

An enterprise security team’s response capabilities, for the most part, hinge upon its understanding of how threat actors engage emerging technologies to maintain persistence; perform lateral movement; and develop a command and control (C2) infrastructure via system backdoors. Therefore, the ability to retain current knowledge and skills required to maintain cyber resilience against the dynamic nature of the cyber threat is paramount.

Below are the top three ways threat actors are leveraging automation in 2021:

1. Credential stuffing

Credential stuffing is the use of user ID and password combinations that were compromised in data breaches and leaked publicly to gain unauthorized access to resources. Users who reuse the same password and email address combinations on multiple platforms are more susceptible to credential stuffing.

2. Brute forcers and checkers

Brute forcers and checkers are used by threat actors in combination with credential stuffing to perform automated large-scale login attempts on target systems.
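Both techniques above leave a distinctive footprint in authentication logs: a credential-stuffing run tries many different usernames from one source with a high failure rate, while a brute forcer hammers one account over and over. The following detector, an added example and not code from Check Point or from the original post, runs over constructed sample log lines (the `src=`/`user=`/`result=` format and the thresholds are assumptions) and separates the two patterns by the number of distinct usernames per source. It also lists any successful login that came from a flagged source, which is the account a defender would want to force a password reset on.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not from any real system).
SAMPLE_LOG = """\
2021-01-12T10:00:01Z auth src=203.0.113.5 user=alice result=FAIL
2021-01-12T10:00:02Z auth src=203.0.113.5 user=bob result=FAIL
2021-01-12T10:00:02Z auth src=203.0.113.5 user=carol result=FAIL
2021-01-12T10:00:03Z auth src=203.0.113.5 user=dave result=FAIL
2021-01-12T10:00:03Z auth src=203.0.113.5 user=erin result=SUCCESS
2021-01-12T10:00:04Z auth src=203.0.113.5 user=frank result=FAIL
2021-01-12T10:01:10Z auth src=198.51.100.7 user=alice result=FAIL
2021-01-12T10:01:11Z auth src=198.51.100.7 user=alice result=FAIL
2021-01-12T10:01:12Z auth src=198.51.100.7 user=alice result=FAIL
2021-01-12T10:01:13Z auth src=198.51.100.7 user=alice result=FAIL
2021-01-12T10:01:14Z auth src=198.51.100.7 user=alice result=FAIL
2021-01-12T10:05:00Z auth src=192.0.2.9 user=grace result=SUCCESS
2021-01-12T10:06:00Z auth src=192.0.2.9 user=grace result=FAIL
2021-01-12T10:06:30Z auth src=192.0.2.9 user=grace result=SUCCESS
"""

# Assumed log format; adapt the pattern to the real authentication source.
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_auth_log(text):
    """Yield (src, user, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def summarize_by_source(events):
    """Per source IP: total attempts, failures, and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for src, user, result in events:
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        if result != "SUCCESS":
            s["failures"] += 1
    return stats


def classify_sources(text, min_attempts=5, min_users=4, fail_ratio=0.6):
    """Map each noisy source IP to 'credential_stuffing' or 'brute_force'.

    Thresholds are illustrative assumptions: a source is only considered once it
    has made min_attempts logins, most of which failed. Many distinct usernames
    indicates stuffing; the same username repeated indicates brute forcing.
    """
    findings = {}
    for src, s in summarize_by_source(parse_auth_log(text)).items():
        if s["attempts"] < min_attempts:
            continue
        if s["failures"] / s["attempts"] < fail_ratio:
            continue
        if len(s["users"]) >= min_users:
            findings[src] = "credential_stuffing"
        else:
            findings[src] = "brute_force"
    return findings


def compromised_logins(text, **thresholds):
    """Successful logins from flagged sources: accounts to reset and investigate."""
    flagged = classify_sources(text, **thresholds)
    return sorted(
        (src, user)
        for src, user, result in parse_auth_log(text)
        if src in flagged and result == "SUCCESS"
    )


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
    print("successful logins from flagged sources:", compromised_logins(SAMPLE_LOG))
```

The per-source view is deliberately simple; in production the same counters would be kept per time window and the source key would usually be widened to an ASN or user-agent, since stuffing tools rotate through proxy pools to stay under per-IP thresholds.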

3. Loaders and cryptors

Threat actors use loaders and cryptors to evade malware detection on endpoint devices. The actual payload is downloaded only once the malware has made its way into the system.

How your IT teams can fight back

To deploy and maintain sophisticated attacks, threat actors rely on automation to ensure attack precision, sustainable scalability, and dynamic elusiveness. The current attack methodologies perpetrated by advanced persistent threat (APT) groups, especially those sponsored by rogue nation-states, are often multilayered: they adapt to the security defenses of a target’s computing environment to increase the difficulty of detection and attribution.

As such, most organizations and government agencies are not equipped to keep up with or fight back against these growing, sophisticated threat landscapes. Therefore, to fight back, it is imperative that organizations improve their already-available automation capabilities by employing proactive intelligent automation to disrupt the attack chain. Capturing an attacker’s TTPs in real-time helps to inform the development of next-generation security controls.

Therefore, IT teams can fight back using intelligent security orchestration solutions. This multi-generational framework is embedded with intelligent automation and machine learning capabilities that evolve and adapt to any given threat landscape, even in legacy systems.

Intelligent security orchestration solutions can be deployed within an enterprise computing environment via:

  • System patching: System patching is a cumbersome but vital activity to protect computing systems from newly discovered vulnerabilities. Software systems are generally set up to update automatically once any security or feature update is available. The timely installation of patches and updates is dependent on user configuration and preferences, which may not be aligned with the security requirements. Computing systems can be best protected by automated patch management, which is capable of identifying, testing, and applying required code alteration in a timely manner.
  • Privileged access controls: Privileged Access Management solutions are designed for automatic monitoring, protection, and management of administrative accounts to control and define privileges in a robust manner. Broken access and threats to privileged access can be detected without compromising the task efficiency.
  • Threat detection and response (behavioral vs. signature-based): Effective use of both behavior-based and signature-based detection can multiply the security ROI.
  • Threat intelligence telemetry (local and cloud-based): Real-time streams of data containing information about threats, such as known malware hashes, infected or suspicious URLs, and blacklisted IP addresses obtained from sources outside the organization, can be used to make automated incident response decisions in real time.
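The threat intelligence telemetry bullet describes the core loop of an orchestration playbook: match incoming telemetry (proxy, network flow, endpoint events) against an indicator feed and turn hits into a response decision. The following is an added example illustrating that loop, not Check Point's code or anything from the original post; the feed entries, host names and events are constructed, and the hash is computed from a constructed string rather than taken from any real sample.

```python
import hashlib
from urllib.parse import urlparse

# Constructed threat-intel feed (illustrative only; no real indicators).
# The hash is derived from a made-up string so that no real file hash appears here.
SAMPLE_PAYLOAD_HASH = hashlib.sha256(b"constructed sample payload").hexdigest()
IOC_FEED = {
    "sha256": {SAMPLE_PAYLOAD_HASH: "loader-sample"},
    "domain": {"malicious.example": "c2-domain"},
    "ip": {"203.0.113.77": "blacklisted-ip"},
}

# Assumed mapping from indicator type to the automated response it triggers.
RESPONSE_BY_TYPE = {
    "sha256": "quarantine_file",
    "domain": "block_at_proxy",
    "ip": "block_at_firewall",
}

# Constructed telemetry events from three hypothetical sources.
SAMPLE_EVENTS = [
    {"type": "proxy", "host": "ws-17", "url": "https://malicious.example/update.bin"},
    {"type": "proxy", "host": "ws-18", "url": "https://docs.example.org/report"},
    {"type": "netflow", "host": "ws-17", "dst_ip": "203.0.113.77"},
    {"type": "edr", "host": "ws-19", "sha256": SAMPLE_PAYLOAD_HASH.upper()},
    {"type": "netflow", "host": "ws-20", "dst_ip": "192.0.2.14"},
]


def extract_indicators(event):
    """Return (ioc_type, value) pairs present in one event, normalized for lookup."""
    out = []
    if "url" in event:
        host = urlparse(event["url"]).hostname  # compare the host, not the full URL
        if host:
            out.append(("domain", host.lower()))
    if "dst_ip" in event:
        out.append(("ip", event["dst_ip"]))
    if "sha256" in event:
        out.append(("sha256", event["sha256"].lower()))  # feeds vary in hash case
    return out


def match_events(events, feed=IOC_FEED):
    """Return (host, ioc_type, value, feed_label, action) for every indicator hit."""
    hits = []
    for ev in events:
        for ioc_type, value in extract_indicators(ev):
            label = feed.get(ioc_type, {}).get(value)
            if label:
                hits.append((ev["host"], ioc_type, value, label, RESPONSE_BY_TYPE[ioc_type]))
    return hits


def plan_response(events, feed=IOC_FEED):
    """Aggregate hits into a deduplicated action set per host.

    A host with two or more distinct indicator hits (for example a C2 domain plus
    a blacklisted IP) is escalated to network isolation; this escalation rule is
    an assumption of the example, not a standard.
    """
    per_host = {}
    for host, _, _, _, action in match_events(events, feed):
        per_host.setdefault(host, set()).add(action)
    for actions in per_host.values():
        if len(actions) >= 2:
            actions.add("isolate_host")
    return per_host


if __name__ == "__main__":
    for host, actions in plan_response(SAMPLE_EVENTS).items():
        print(host, sorted(actions))
```

Normalizing before lookup (lower-casing hashes, extracting the hostname from a URL) is where most real-world feed matching goes wrong, so it is kept as its own step; the escalation rule is the point at which a human approval gate would normally sit before a host is actually isolated.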

Conclusion

A human-centric (manual) security team is incapable of completely detecting and responding to every malicious activity on an average corporate network. Eventually, APT groups (or standard cybercriminals) are identified, but it is often too late for cyber defenders to react in an impactful manner, due to the lack of visibility and insight into an entire landscape of technology vectors—which often includes legacy endpoints, cloud infrastructures, and mobile and web-based applications.

Therefore, by leveraging positive, intelligent automation and machine learning capabilities, security teams will be able to proactively predict their threat landscape; forecast attack interception capabilities; gain insights from the signature-based and behavioral-based activities employed by APT groups; and re-route already-scarce IT resources to wherever they are most needed.