By Ashwin Ram. Ashwin has been in cyber security for well over 15 years, holding various positions from post-sales delivery and implementation engineer to pre-sales team leader. He is a senior cyber security thought leader with extensive solution experience. As a member of Check Point’s Office of the CTO, Ashwin is a regular keynote speaker at global cyber security events, sharing real-world stories and security research to demonstrate the critical importance of striving for cyber resilience.
On LinkedIn, I recently shared some cyber attack trend data pertaining to organisations in Australia and New Zealand (ANZ) over the last 6 months. According to Check Point’s Threat Intelligence Data, an organisation in ANZ was attacked on average 635 times per week over this period. During the second half of 2019, this figure was 335 times per week, meaning organisations are dealing with 90% more cyber attacks than previously. The most targeted country is still New Zealand.
The majority of the attacks were delivered via web downloads for this region, which was vastly different from the global average. Education and Research, Insurance, Legal and Transportation sectors received far more cyber attacks in ANZ compared to the global average for the same sectors over the same period.
These findings deserve a deeper discussion. Let’s unpack what each of them really means for an organisation striving for cyber resilience, and the controls and processes required to reduce the risks from these threats.
It should come as no surprise that the reason for this increase is that threat actors are continually fine-tuning their strategy to monetise cyber crime. Truth be told, it is a profitable business, supported by a business model involving multiple Initial Access Brokers.
The reasons for successful attacks are many; for example, the number of organisations embarking on cloud adoption without an appropriate understanding of the Shared Responsibility Model or of the pitfalls that exist in cloud environments. Other reasons include security oversights as organisations rushed to enable remote and hybrid working arrangements, software vulnerabilities, the proliferation of IoT devices with inherent security flaws, and the sophistication of cyber attack tools, including social engineering tools. The list is much longer, but I think you get the idea. It is for this reason that cyber executives must take a holistic view and ensure all areas of threat are addressed.
I was gob-smacked when an executive of a publicly listed healthcare organisation recently dismissed a conversation about lookalike domain-based attacks against their organisation. Having engaged with many cyber executives, it is clear that some organisations do not fully understand the current threat landscape, and sadly a few are still of the mindset, “it won’t happen to us”. In his own words, “threat actors have bigger fish to fry, I don’t think anyone is going to waste their time imitating our domain”. Unfortunately, this is the mindset of many executives today, until it happens to them. It is imperative that organisations understand all of their cyber risks, then prioritise based on likelihood and impact.
So what can organisations do in the face of ever-increasing cyber attacks? They have to focus on two key areas: adopt a prevention mindset to block the attacks in the first place, and automate the response to attacks that do succeed.
According to the Ponemon Institute’s 2021 Cost of a Data Breach Report, the amount of time taken to identify and contain cyber attacks is on the rise. One of the findings, not surprisingly, was that the longer a threat remained in an environment, the more it cost the victim. So it makes sense to have a strategy focused on preventing those attacks in the first place and on reducing the breach lifecycle (the time to identify and contain attacks).
The most effective and proven strategy to reduce breach lifecycles is to automate as much of your post-infection controls and processes as possible. Given the 90% increase in cyber attacks in less than 3 years, I fear many SOC teams will struggle to keep pace if they rely on manual processes. Burnout and job satisfaction issues within SOC teams are already a concern, according to the 2021 Devo SOC Performance Report.
The almost doubling of cyber attacks in less than 3 years means many SOC teams are unable to keep pace using manual processes. When asked, “What steps can be taken to alleviate SOC analysts’ pain?”, the top response from SOC leaders and staff in the same Devo report was automation.
Some questions to consider as you work towards cyber resilience:
- Do we have a process in place to automate the mundane tasks performed by our SOC?
- Do we understand all of the risks from cyber attacks, and have we prioritised them based on their potential impact?
- Do we have a way to automatically remediate and recover from attacks targeting devices used by our remote employees?
- Are the concerns of our SOC leaders and staff aligned?
The cyber attack trend data also revealed that the majority of malicious files were delivered via web downloads. Organisations must therefore have effective security controls for web downloads, in addition to controls for weaponised emails (malicious attachments or links within emails). The challenge now, of course, is that most of our employees work remotely or in hybrid mode. It is vital for cyber strategists to understand that employees are just as likely to be phished via their personal email, which is primarily accessed through a browser and so bypasses corporate email security entirely.
While there are no silver bullets in cyber security, the use of Content Disarm and Reconstruction (CDR) and sandboxing as part of your zero-day protection strategy will go a long way in neutralising weaponised files, regardless of how they are delivered.
The final point worth noting in the data was the sectors most heavily targeted. Not surprisingly, the Education and Research sector was at the top of this list. This sector has had to rapidly pivot in how it delivers services, and organisations within it have had to embrace newer technologies to facilitate remote learning. As the world started to figure out life during the pandemic, researchers at Check Point noticed a surge in hacker interest in topics related to education, research and going back to school.
In Asia, the increase in attacks against the Education sector was seen mainly in several types of vulnerability exploits: Denial of Service, Remote Code Execution and Information Disclosure. Having appropriate security controls for these types of attacks must therefore be non-negotiable.
Some questions to consider as you work towards even greater cyber resilience:
- Do we have a strategy to address threats posed by legacy systems?
- Do we have a vulnerability management platform to identify our exposure?
- Are we practising virtual patching to block attacks landing on vulnerable systems before they can be patched?
- Are we utilising cloud-based DDoS protection?
- Have we identified our crown jewels, and do we have an effective strategy to protect them?
The reality is that no sector is safe from cyber attacks. It’s a safe bet that cyber attacks will continue to grow year over year, and we are very likely to see more attacks through trusted third-party software supply chains in the future. The tools used by threat actors will continue to evolve as they use AI-based technologies to achieve their malicious objectives.
It is therefore up to those striving for cyber resilience to ensure a prevention mindset is at the forefront. Leverage automation for timely remediation. No sector is safe, so take a holistic view and look for blind spots by carrying out cyber risk assessments. Have a strategy to protect remote users, learn to prioritise ruthlessly, and communicate your plan clearly.