2022 has, so far, shown us that data breaches, cyber threats, and privacy incidents are here to keep media outlets busy and news headlines stacked. The threat of cyberattack has permeated every layer of the global infrastructure from small businesses to large-scale enterprises. Even nation states have not been immune to cyber compromise.
Just this year, we saw the ransomware attack on the Costa Rican government that brought the country’s Ministry of Finance, public health services, and import and export sectors to a standstill. Data breaches were reported by two major international airlines in India and Turkey and, as the school year kicked-off, a disproportionately high number of attacks plagued U.S. schools, even resulting in the identity theft of minors.
Enterprises experienced their share of cyber dilemmas as well. Networking giant, Cisco, was hit with an identity-based attack through Active Directory, and ransomware gangs have zeroed in on nearly every critical sector including digital security firms, defense contractors, manufacturers, and information technology companies.
In all of these examples, there were security solutions in place. This blog post discusses the realities of the uphill battle enterprises are facing against cyber threats, their significance, and what actions they can take to better protect themselves.
Understanding Adversaries & Attack Surfaces
Today, businesses are asked to show they have reputable cybersecurity solutions in place before they can even get insurance coverage. As for threat actors, they have both evolved and expanded. Ransomware-as-a-Service (RaaS) business models have given non-technical criminals the ability to launch full-fledged campaigns. Double and triple extortion tactics are commonplace and ‘big game hunting’ targets high-value or high-profile organizations which have been identified as being able to pay large ransoms.
Not only have threat actors become more adept, attack surfaces are widening as businesses thrive in the age of more access, more connections, and more tools. The term ‘attack surface’ refers to the totality of vulnerabilities found in an environment. The term ‘attack vectors’ refers to ways that an unauthorized party can access the environment in question. Larger, more complex environments typically have a greater number of attack vectors and a larger attack surface to protect.
Observing the current threat landscape, three main attack surfaces come to the forefront: endpoints, cloud, and identity.
Attacks on Endpoints
The task of endpoint protection has grown more complex in recent years as more organizations adopt remote workers and BYOD (bring-your-own-device) policies. Endpoint-delivered threats usually start with malware-carrying devices that are then connected to the targeted network and spread infection, or social engineering tactics that trick unsuspecting users to install malware on their device.
Modern day work cultures allow endpoints to access sensitive data no matter where they are connected from, which increasingly puts the onus on the integrity of the endpoint itself. As endpoints are a critical part of every organization, their defense is a priority.
Attacks on Cloud
Security teams are starting to rethink their strategy as more businesses make the move from on-prem to hybrid and cloud environments. While cloud services offer an attractive boost in collaboration, scalability, and efficiency, they come with new risks that must be taken into account. Cloud computing requires businesses to secure virtual machines, containers, serverless workloads, and Kubernetes – all of which could be leveraged as potential attack vectors.
Cloud misconfigurations can easily expose businesses to cyberattack. Cloud environments are especially vulnerable to severe data loss, insider threats, supply chain attacks, and denial-of-service access.
Attacks on Identity
Identity-based attacks often involve the threat actor weaponizing legitimate tools and software used by their targeted victim. This year, Active Directory (AD) infrastructure continues to be an oft-exploited element in ransomware campaigns and post-compromise extortion efforts. For threat actors, targeting identity through sources such as compromised AD or access management is their quickest way to reaching their targets.
Since AD serves as a gateway to the rest of a company’s network, threat actors leverage the existing infrastructure to perform enumeration and move laterally through the rest of the network layers, escalating their privileges, obtaining access to sensitive files, and exfiltrating the data they are after.
Taking Care of Low Hanging Fruit
With low barrier entryways available and the possibility of generating high revenue, cyber adversaries will always look for easy ways into a targeted environment. It is crucial for businesses to identify and secure the attack vectors applicable to their network.
Not to be confused with attack surfaces, attack vectors are the means by which a threat actor gains unauthorized access to an environment. Common attack vectors include phishing and compromised credentials.
Existing infrastructure and solutions are also increasingly exploited by threat actors. Examples of these include:
- Multi-Factor Authentication (MFA) – While enabling MFA is highly recommended, examples from this year showed attackers exploiting this essential protection layer. Adding rules and monitoring attempts can help enterprises prevent and detect abuse of MFA for malicious access.
- Chrome & Browser Extensions – With the explosion of web applications, browser extensions have become essential for employees to perform their work. However when compromised, threat actors can perform data scraping techniques and see user behavior within the browser. Only approved extensions should be installed on company devices.
- Unpatched Software – Outdated software is one of the easiest ways threat actors gain unauthorized entry into a targeted network. Patch management keeps endpoints and networks up to date with bug fixes against known exploits as well as bolstering protection via new safety features.
The Long-Term Security Play | How SentinelOne Can Help
From a strategic standpoint, enterprise leaders need to take stock of the attacks happening on various surfaces as well as trending threats seen in the threat landscape. Enterprises that can keep their security strategies agile are the ones that stay ahead of cyberthreats.
Improving the organization’s security posture is a long-term play based on three major pillars: people, process, and technology. It requires understanding and a coordinated effort from all parts of a business, smart investment in effective technology, and a willingness to embed cybersecurity best practices on the day-to-day level of operations.
People: Build a Strong Security Strategy & Team
Enterprises are toughening up their teams in order to withstand and counter sophisticated cyber threats. Many companies are bringing in Chief Information Security Officers (CISOs) to assess, plan, and maintain the safety and digital growth of a business.
Based on the fluctuating threat landscape, CISOs are responsible for reevaluating their security strategies and adjusting how their business monitors and responds to potential attacks. Experienced CISOs stay ahead of developing cyber trends and attack patterns to build best practices that make sense for their team. A CISO’s cybersecurity strategy does not only safeguard people and processes but can also drive new opportunities, increase operational efficiency, and build up their business’s authority in their industry.
Process: Securing Operations & Workflows
Cyber attackers are the ultimate opportunists, always looking for the path of least resistance in the form of unprotected servers, vulnerable devices, or even third-party vendors that have weak security practices. Threat actors have been known to use relatively straightforward social engineering and phishing attacks to gain entry and then abuse the infrastructure itself, such as Active Directory, to spread quickly into an environment. Implementing identity protection is critical to stopping the misuse and exploitation of existing infrastructure and software and securing sensitive data held within it.
Enterprises globally trust SentinelOne’s industry knowledge and experience with fighting back privileged escalation and lateral movement. Get comprehensive identity security as part of Singularity™ XDR for autonomous protection including:
- Singularity™ Identity: End credential misuse through real-time infrastructure defense for Active Directory and deception-based endpoint protections. Singularity™ Identity defends Active Directory Domain & Azure AD Identities and domain-joined assets from adversaries aiming to gain privilege and move covertly.
- Singularity™ Ranger® Active Directory Assessor: Uncover vulnerabilities in Active Directory and Azure AD with a cloud-delivered, continuous identity assessment solution. Ranger® AD Assessor delivers prescriptive, actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.
- Singularity™ Hologram: Lure network and insider threat actors into engaging and revealing themselves with network-based threat deception. Singularity™ Hologram decoys stand at the ready, waiting to be engaged by adversaries and insiders. The resulting telemetry supports investigations and contributes to adversary intelligence.
Technology: Prepare to Invest In Tech
Security that stays relevant to developing cyber threats and also scales along with a business required investment in the right technology. Today, many businesses are adding artificial intelligence (AI) and machine learning (ML) to their security arsenal to better identify and respond to advanced persistent threats. When it comes to staying ahead of threats, speed is the differentiating factor – AI and ML both allow enterprises to combat emerging attacks by detecting patterns in real time. Many threat campaigns, particularly ones using ransomware, only last a few hours and actors are often already within a victim’s network just waiting to deploy. For context, major ransomware attacks from this year alone totaled over $236 million.
SentinelOne’s Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) seamlessly combines automation with both AI and ML to detect and remediate modern attacks in real-time, at machine speed, and without extra intervention. This means that businesses can focus their resources on addressing operations-specific tasks. SentinelOne’s EPP solution also fully replaces legacy AV and AM solutions and can be scaled and tailored to fit a businesses’ specific requirements and processes.
While the headlines may make it seem like threat actors are winning in the ongoing cyber fight, enterprises can learn much from the attacks that have already happened and action them as lessons learned.
An adaptive and agile security strategy, team, and culture will take enterprises far in the uphill battle against growing cybercrime. Binding together people, process, and technology is key in taking a smarter, proactive approach to novel threats.
Enterprise businesses trust SentinelOne to help safeguard their critical attack surfaces by fusing together autonomous, AI-driven threat hunting and EDR capabilities. To learn more, request a demo or contact us for expert advice.