The COVID-19 pandemic was far from the only development to impact the cybersecurity world in 2020. Nation-states continued to sponsor advanced persistent threat (APT) groups and improve their cyber offensive capabilities. The expanded attack surface area brought in by remote working technologies and prolific IoT device deployments increased the frequency and impact of cyberattacks. And, the increased use of ransomware against enterprises—in conjunction with attacks on digital supply chains—prompted information security teams to explore new methods to better secure their networks.
As we move into the future, businesses should understand not just the nature of the risks that they face, but their own network footprint and potential vulnerabilities. To protect against today’s threats, businesses and organizations must operate under the assumption that the accounts of customers, vendors, and employees are already compromised, embracing a shift toward zero-trust and continuous monitoring and measurement.
The network may already be compromised—so act like it
Businesses looking to better protect their networks should begin with the basic assumption that all users on the enterprise platform are already compromised. There are billions of compromised credentials freely available on the internet, and attackers will engage in “credential stuffing” attacks to identify passwords used across multiple accounts. Notably, just 33 percent of people change their passwords even after being notified that they have been compromised.
Companies therefore must operate under the assumption that users are compromised already. If users have permissions to access data or perform actions outside the regular scope of their job, IT teams should assume that those permissions can and will be exploited by malicious actors. Addressing this issue means granting each account the most limited set of permissions its role requires and expanding them only as needed. Whether provisioning new accounts or updating existing ones, organizations must not stay overly permissive by default.
These are the principles upon which we build zero-trust. Although there’s not yet a “standard” zero-trust model, the industry has steadily moved toward embracing the concept of zero-trust architecture. Spikes in cyberattacks driven by credential stuffing over the past year, along with a rise in spearphishing, business email compromise (BEC), and other social engineering attacks, have led to this growing acceptance. These attacks put valid credentials in the hands of attackers, and are often the gateway to supply chain attacks, exposing companies to risk even when their own networks are secure.
Businesses today outsource a wide range of services, such as software infrastructure and data storage, to third-party providers. Unfortunately, enterprises are only as secure as their weakest link, and the recent SolarWinds attack shows the extreme danger posed by partnering with a poorly secured vendor. Even in cases less extreme than the SolarWinds attack, partnering with businesses that lack effective protections can still result in disrupted business continuity. Setting the minimal permission levels for all users will limit the initial damage an attacker can do, even if they acquire valid credentials or access the network via a poorly secured vendor.
The need for continuous monitoring
While regularly scheduled security audits are still needed, it’s no longer enough to rely on “point-in-time” reports about digital infrastructure. Continuous monitoring for any sort of cybersecurity risk will help companies understand the true risk level of the organization, and as networks move toward a zero-trust model, continuous monitoring for suspicious login attempts remains particularly critical. Security teams can watch for multiple failed logins across multiple users, login attempts from unusual geolocations, and other anomalies to improve the chances of detecting and mitigating such activity. Moving toward zero trust will take time, and this type of monitoring can serve as a crucial safety net as the transition continues.
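To make the two login anomalies named above concrete, here is an added example, not code from the article or from SecurityScorecard, of the detection logic a security team might run over authentication logs. The log format, the thresholds, the account names and the addresses (RFC 5737 documentation ranges) are all constructed for the example; a real deployment would read from the identity provider or SIEM and tune the window and user-count thresholds to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class LoginEvent(NamedTuple):
    ts: datetime
    user: str
    ok: bool
    src_ip: str
    country: str


# Constructed sample authentication log (invented for this example).
# Fields: timestamp user result source_ip country
SAMPLE_LOG = """\
2021-01-05T09:00:01Z alice FAIL 203.0.113.10 US
2021-01-05T09:00:02Z bob   FAIL 203.0.113.10 US
2021-01-05T09:00:03Z carol FAIL 203.0.113.10 US
2021-01-05T09:00:04Z dave  FAIL 203.0.113.10 US
2021-01-05T09:00:05Z erin  FAIL 203.0.113.10 US
2021-01-05T09:00:06Z frank OK   203.0.113.10 US
2021-01-05T09:10:00Z alice OK   198.51.100.7 US
2021-01-05T09:25:00Z alice OK   192.0.2.44   DE
2021-01-05T10:00:00Z bob   FAIL 198.51.100.9 US
2021-01-05T10:00:30Z bob   FAIL 198.51.100.9 US
2021-01-05T10:01:00Z bob   OK   198.51.100.9 US
"""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 user, result == "OK", ip, country))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events: List[LoginEvent],
                               window: timedelta = timedelta(minutes=5),
                               min_users: int = 4) -> Dict[str, dict]:
    """Flag source IPs whose failed logins hit at least `min_users` distinct
    accounts within any `window`-long span: the "many failures across many
    users" pattern. Any successful login from the same source is recorded too,
    because a success amid a spray is the moment a valid credential was found."""
    failures = defaultdict(list)   # src_ip -> failed events (time-ordered)
    successes = defaultdict(set)   # src_ip -> users that logged in successfully
    for e in events:
        if e.ok:
            successes[e.src_ip].add(e.user)
        else:
            failures[e.src_ip].append(e)

    alerts = {}
    for ip, fails in failures.items():
        for i, start in enumerate(fails):
            users = {f.user for f in fails[i:] if f.ts - start.ts <= window}
            if len(users) >= min_users:
                alerts[ip] = {"targeted_users": users,
                              "successes_from_source": set(successes.get(ip, ()))}
                break  # one alert per source is enough
    return alerts


def detect_geo_anomalies(events: List[LoginEvent],
                         max_gap: timedelta = timedelta(minutes=60)
                         ) -> List[Tuple[str, str, str, str]]:
    """Flag a user whose consecutive successful logins come from different
    countries closer together than `max_gap`: a crude impossible-travel check.
    Returns (user, previous_country, new_country, new_source_ip) tuples."""
    by_user = defaultdict(list)
    for e in events:
        if e.ok:
            by_user[e.user].append(e)

    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if prev.country != cur.country and cur.ts - prev.ts <= max_gap:
                findings.append((user, prev.country, cur.country, cur.src_ip))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in detect_credential_stuffing(evs).items():
        print(f"spray from {ip}: {sorted(info['targeted_users'])}, "
              f"successes: {sorted(info['successes_from_source'])}")
    for user, a, b, ip in detect_geo_anomalies(evs):
        print(f"geo anomaly: {user} logged in from {a} then {b} via {ip}")
```

On the sample data the first rule fires only for 203.0.113.10 (five accounts in five seconds, then a success for frank), while bob's two typos from 198.51.100.9 stay below the threshold; the second rule fires for alice, who appears in two countries fifteen minutes apart. Tuning matters: the user-count threshold separates a spray from ordinary mistyped passwords, and the geolocation rule needs allow-listing for VPN egress points to stay useful.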
Organizations should watch for compromised credentials that may circulate on the internet, or avail themselves of commercial monitoring services, which are widely available and are a valuable supplement to in-house teams. Companies looking for a starting point to assess their cybersecurity stance can also turn to security rating services, which the Cybersecurity and Infrastructure Security Agency (CISA) recently recommended as a valuable tool alongside other strategic risk metrics.
Threat intelligence signals are an important component of enterprise cybersecurity awareness, and organizations that understand the threat model they face will find themselves better equipped to defend against those threats. The danger posed by APTs remains very real—especially when paired with a nation-state sponsor. Understanding which APT groups are known for targeting certain industries, as well as their most common tactics, techniques and procedures (TTPs), can help organizations harden their networks against those specific TTPs. This can frustrate attackers, often prompting them to abandon their efforts in favor of searching for easier prey.
Continuous monitoring also means continuous measuring. There’s an old saying that you can’t manage what you don’t measure, and that’s as true in cybersecurity as in any other industry. Organizations must have a full understanding of their digital footprint, and external continuous monitoring can often aid how companies manage their digital asset inventory. Increased focus on procurement, insurance, and regulatory requirements will likely make it even more important for businesses to assess their own security posture, and combining both internal and external views can help offer a more complete picture.
Now, more than ever, organizations should recognize the value of zero-trust and the importance of continuous monitoring and measurement of cybersecurity improvements. Attackers will look for the path of least resistance, so make their lives as difficult as possible; it’s often the best way to derail a cyberattack. Ultimately, security teams can’t stop 100 percent of attacks, and everyone will eventually experience a cybersecurity breach attempt. But by making the network more difficult, costly, and time consuming to compromise, companies can help dissuade all but the most determined attackers.
Alex Heid, chief research and development officer, SecurityScorecard