
Real visibility can conquer the ‘ghosts’ in the machine


COMMENTARY: Every enterprise has skeletons in its closet. Their epitaphs read: unknown devices, connected and forgotten; legacy systems, vulnerable and unmanageable; exposed identities, default passwords, and cached credentials.

These remains have become gateways for “ghosts” in the machine such as advanced persistent threats (APTs) and “zombie” botnets that refuse to die.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

Recently, threat actors have been automating their attacks with AI, scanning for exposures, brute-forcing credentials, and adapting their approach.

Organizations need not cower in fear. They can respond by deploying comprehensive visibility; with it, many of these “ghosts” become manageable.

Cracks in the foundation

A trope in scary movies is that ghosts haunt dusty old buildings. The metaphor holds for enterprises: when maintenance is neglected, any number of pests move in.

These blind spots and security gaps manifest as unknown or unmanaged assets. For example, IP cameras and smart building systems are often deployed and connected to enterprise environments without much oversight, and cameras still running default admin passwords are frequently compromised. Organizations should inventory these devices and change the default passwords before, not after, they are connected.

Legacy systems are another source of risk. It’s not so much that they are unmanaged, but that they are unmanageable. These systems are long past end-of-life patch support, but teams can’t decommission them when they are mission-critical assets in OT environments. Network segmentation then becomes a common mitigation strategy.

Unfortunately, the common thread running through these risks is a lack of visibility. The issues persist most in organizations with silos between IT, OT, and security teams, or that rely on fractured, manual incident response processes.

This Halloween, we have to once again face that scary movies aren’t real, but attacks by APTs are very real. The evidence of APTs surrounds us, not just in the headlines of mainstream news, but in their indicators of compromise (IOCs). APTs rely on tactics, techniques, and procedures (TTPs) to obtain initial access, move laterally, and establish persistence.

For example, Volt Typhoon and Salt Typhoon have exploited vulnerabilities in networking equipment, such as switches and routers. Increasingly, organizations are getting proactive by monitoring these TTPs as indicators of attack (IOA).

While APTs rely on remaining unseen, they often exploit the same unmanaged assets that fuel global botnets. Different APTs feed on the same victims. Whereas ghosts may haunt enterprises quietly, zombies overwhelm.

The Mirai botnet launched some of the largest DDoS attacks ever recorded by compromising millions of IP cameras, routers, and consumer devices. Its source code was released publicly in 2016, spawning a family of variants that has outlived the original botnet.

Today’s botnets are far more virulent. They have evolved into hyper-volumetric, multi-vector attack platforms, the fast zombies of the genre, and many DDoS attacks now incorporate AI-enabled automation to adapt mid-attack.

The good news: many DDoS mitigation platforms have outpaced these attacks with their own AI-enabled detection of DDoS attack patterns.

Cybersecurity must get proactive

Organizations should stay wary of any vendor that claims to offer a silver bullet. The challenges every organization faces are unique, but they tend to have something in common: the need for visibility.

Organizations need visibility to eliminate blind spots. But real visibility isn’t just a snapshot like a ghost captured by a camera. Think of real visibility as continuous, much like radar. Comprehensive visibility doesn’t just mean discovering every device: it means understanding its context, such as whether it’s a mission-critical asset, or hosting a severe vulnerability.

Monitoring for behavioral anomalies helps organizations surface the TTPs, IOAs, and IOCs that indicate APT activity or botnet recruitment. This sort of pattern recognition has become one practical application of AI.
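The two paragraphs above describe what continuous, context-aware visibility looks like in practice: reconcile what is actually on the wire against the inventory, rank assets by context rather than by CVSS alone, and watch for behavioral changes (a device that normally talks to one server suddenly fanning out across a segment) rather than waiting for a signature. The following is an added example written for this page, not code from the author or from Armis. The inventory, DHCP-lease observations, flow records, device names and thresholds are all constructed sample data, not taken from any real environment.

```python
"""Continuous asset visibility over constructed sample data (added example)."""
from collections import defaultdict

# Hypothetical asset inventory keyed by MAC address (constructed data).
#   owner    - responsible team          critical - mission-critical asset
#   eol      - vendor no longer patches  max_cvss - worst known vulnerability on the asset
INVENTORY = {
    "00:11:22:aa:bb:01": dict(name="plc-line-3",       owner="OT",         critical=True,  eol=True,  max_cvss=9.8),
    "00:11:22:aa:bb:02": dict(name="hr-fileserver",    owner="IT",         critical=False, eol=False, max_cvss=7.5),
    "00:11:22:aa:bb:03": dict(name="lobby-camera-1",   owner="Facilities", critical=False, eol=False, max_cvss=9.8),
    "00:11:22:aa:bb:04": dict(name="badge-controller", owner="Facilities", critical=True,  eol=True,  max_cvss=5.3),
}

# Constructed DHCP-lease observations as (day, mac, ip). Day 3 is the sweep we analyse.
LEASES = [
    (1, "00:11:22:aa:bb:01", "10.20.0.11"), (1, "00:11:22:aa:bb:02", "10.10.0.22"), (1, "00:11:22:aa:bb:03", "10.30.0.33"),
    (2, "00:11:22:aa:bb:01", "10.20.0.11"), (2, "00:11:22:aa:bb:02", "10.10.0.22"), (2, "00:11:22:aa:bb:03", "10.30.0.33"),
    (3, "00:11:22:aa:bb:01", "10.20.0.11"), (3, "00:11:22:aa:bb:02", "10.10.0.22"), (3, "00:11:22:aa:bb:03", "10.30.0.33"),
    (3, "de:ad:be:ef:00:99", "10.30.0.77"),  # never inventoried: a forgotten device on the network
]

# Constructed flow records as (day, src_ip, dst_ip, dst_port).
FLOWS = (
    # Normal camera behaviour: it streams RTSP to a single video server.
    [(d, "10.30.0.33", "10.10.0.50", 554) for d in (1, 2, 3)]
    # Normal fileserver behaviour: a handful of SMB clients every day.
    + [(d, "10.10.0.22", f"10.10.0.{h}", 445) for d in (1, 2, 3) for h in range(100, 104)]
    # Day 3: the camera sweeps SMB across the OT segment, a scanning / lateral-movement pattern.
    + [(3, "10.30.0.33", f"10.20.0.{h}", 445) for h in range(1, 41)]
)


def reconcile(inventory, leases, day):
    """Compare devices seen on the wire on `day` with the inventory.

    Returns (unknown, silent): MACs observed but never inventoried, and inventoried
    assets that did not appear (a stale record, or a device that went dark)."""
    seen = {mac: ip for d, mac, ip in leases if d == day}
    unknown = {mac: ip for mac, ip in seen.items() if mac not in inventory}
    silent = [mac for mac in inventory if mac not in seen]
    return unknown, silent


def risk_rank(inventory):
    """Order assets by context, not CVSS alone: mission-critical and unpatchable first.

    An EOL badge controller with a 5.3 outranks a patchable camera with a 9.8, because
    the former cannot be fixed and controls physical access."""
    def key(item):
        asset = item[1]
        return (asset["critical"], asset["eol"], asset["max_cvss"])
    return [asset["name"] for _, asset in sorted(inventory.items(), key=key, reverse=True)]


def fanout_anomalies(flows, day, baseline_days, factor=5, min_hosts=10):
    """Flag sources whose distinct-destination count on `day` jumps versus their own baseline.

    Thresholds are illustrative. A device that normally talks to one server and suddenly
    reaches 40 hosts is an indicator of attack (scanning or lateral movement) even when
    no signature or known IOC matches. Returns {src_ip: (baseline_count, today_count)}."""
    per_day = defaultdict(lambda: defaultdict(set))  # day -> src -> {dst}
    for d, src, dst, _port in flows:
        per_day[d][src].add(dst)
    anomalies = {}
    for src, dsts in per_day.get(day, {}).items():
        base = max((len(per_day[d].get(src, ())) for d in baseline_days), default=0)
        if len(dsts) >= min_hosts and len(dsts) >= factor * max(base, 1):
            anomalies[src] = (base, len(dsts))
    return anomalies


def visibility_report(day=3, baseline_days=(1, 2)):
    """One 'radar sweep': unknown devices, silent assets, risk order and behavioral anomalies."""
    unknown, silent = reconcile(INVENTORY, LEASES, day)
    ip_to_name = {ip: INVENTORY[mac]["name"] for d, mac, ip in LEASES if d == day and mac in INVENTORY}
    anomalies = {ip_to_name.get(ip, ip): stats
                 for ip, stats in fanout_anomalies(FLOWS, day, baseline_days).items()}
    return {
        "unknown_devices": unknown,
        "silent_assets": [INVENTORY[mac]["name"] for mac in silent],
        "risk_order": risk_rank(INVENTORY),
        "fanout_anomalies": anomalies,
    }


if __name__ == "__main__":
    for section, value in visibility_report().items():
        print(f"{section}: {value}")
```

Run on the constructed data, the report surfaces the un-inventoried device at 10.30.0.77, notes that the badge controller has not been seen, ranks the two EOL mission-critical OT assets above the fileserver despite lower CVSS scores, and flags the camera's jump from one destination to 41 as a fan-out anomaly. In a real deployment the lease and flow inputs would come from DHCP logs, switch ARP tables, NetFlow or IPFIX exports, and the run would be scheduled continuously rather than executed once.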

Organizations are also increasingly leveraging AI and automation to reduce mean time to detection (MTTD) and mean time to response (MTTR), orchestrating across platforms with pre-configured playbooks.

Technology can automate much of this, but it also requires a cultural shift. Security hygiene must become a daily habit, not an annual audit. It requires collaboration across IT, OT, and security departments.

Scary movies will lead viewers to believe that it makes sense to split up in a crisis. Not so for security pros.

When teams collaborate they bring threats to light, and the shadows start to disappear. The monsters that scare us most aren’t always the ones outside the walls. They’re the ones already inside – the forgotten, the unmanaged, the unseen.

Nadir Izrael, co-founder and CTO, Armis

