Like the universe, the attack surface is always expanding. Here’s how to keep up and even get ahead.
Most criminal activity is designed to elicit a payoff for the perpetrator, and crime on the Internet is no different. As new surfaces emerge, previous attacks are reconstituted and applied. Cybersecurity tends to follow a cycle, once you know when and what to look for. To (poorly) paraphrase Bob Dylan: You don’t need a weatherman to know which way the wind blows. You just need the experience of being around for a few of these cycles.
The New-New Thing
When we think about cybersecurity threats and associated mitigations, there are three key factors to consider:
- Attack Surface: The thing that an attacker attempts to compromise, such as a laptop, smartphone, or cloud compute instance.
- Attack Sophistication: The methods and attack types, including persistence, zero-days, phishing, and spear phishing.
- Threat Actors: Who the attackers are and their implied motivations, like nation-states seeking intellectual property or organized crime engaged in ransomware.
The attack surface is like the universe: in a perpetual state of expansion. While your laptop is (hopefully) running a recent operating system version with (kind of) timely patches, there’s a good chance that your bank’s ATMs are running Windows XP. But after Microsoft retired XP support in 2014, 95% of ATMs were still running the operating system. That number hadn’t improved much four years later and hackers were gleefully demonstrating these machines spewing cash. This means an IT security team must live in the past and the future.
A solution to a modern problem can introduce a new set of challenges: a new console to learn and new alerts to integrate. However, this presents an excellent, and often necessary, opportunity to repurpose existing budgeted spending. Examples of this include the erosion of traditional antivirus by endpoint detection and response (ERD) and the move from physical Web application firewalls (WAF) to software-based NG-WAFs.
Attack sophistication is directly proportional to the goals of the attackers and the defensive posture of the target. A ransomware ring will target the least-well-defended and the most likely to pay (ironically, cyber insurance can create a perverse incentive in some situations.) because there is an opportunity cost and return on investment calculation for every attack. A nation-state actor seeking breakthrough biotech intellectual property will be patient and well-capitalized, developing new zero-day exploits as they launch a concerted effort to penetrate a network’s secrets.
One of the most famous of these attacks, Stuxnet, exploited vulnerabilities in SCADA systems to cripple Iran’s nuclear program. The attack was thought to have penetrated the air gap network via infected USB thumb drives. As awareness of these complex, multi-stage attacks has risen, startups have increased innovation – such as the behavior analytics space where complex machine-learning algorithms determine “normal” behaviors and look for that one bad actor.
Threat actors are the individuals and organizations engaged in the actual attack. In the broadest sense of the term, they are not always malicious. I have seen companies hobbled by an adverse audit finding or a compliance lapse. When I was early in the data loss prevention (DLP) market, solutions were sold to detect insider threats stealing intellectual property. This was (and still is) a hard use case to sell against, and it wasn’t until regulations and legislation emerged that required companies to notify if they’d been breached and lost personally identifiable information that the DLP market became a must-have security solution.
It is possible for solutions to advance independently of new threats, actors, or surfaces, frequently when there is a breakthrough in underlying computational capabilities. Examples of this include the use of machine learning to identify file content in order to prevent data loss without rigid rulesets or machine vision to read text from an image-based spear-phishing attack.
It’s All Been Done
In my experience, a new market for cybersecurity solutions is triggered by an expansion of the attack surface. This could be something as seismic as AWS or the iPhone, or as localized as a code framework like Struts or React. With a new attack surfacecomes new management requirements and new attackers, exploiting vulnerabilities and flaws in human interactions. The ensuing data, financial, and reputational losses cause new cybersecurity solutions to emerge.
Typically these solutions will also improve on previous generations, whose limitations become obvious when deployed on a new attack surface. Examples are plentiful. IT system compliance and vulnerability management was confined to inside the enterprise, scanning with agents and crawlers (Qualys, Tenable). With the emergence of public cloud, startups (such as Evident.io and Lacework) appeared to scan for vulnerabilities through native APIs provided by cloud environments.
There are typically four ways to handle risk. You can accept, mitigate, transfer, or avoid it.Brought to you by Reciprocity, Inc
For its part, antivirus started as relatively simple signature-based protection; if an agent detects a specific executable or behavior, prevent it. But as the attack sophistication increased, next-generation endpoint protection emerged with specialization for file-less attacks, in-memory exploits, etc.
Data loss prevention began with simple detection of structured content (Social Security numbers, credit card numbers) in email, Web posts, and end-user devices. There is now a new breed of vendors focused on data leakage from cloud-based services (outside the enterprise datacenter) such as Slack, Box, and Github, offerings that didn’t exist when the previous generation of solutions came to market.
The Next Thing
Security practitioners must consider the cybersecurity requirements when new surfaces are deployed or business models change. They should ask four questions to help clarify risks:
- Has your business changed in a way that increases the likelihood that you will be attacked and/or the attacker sophistication will change?
- What baseline data have you historically collected, and how will you get the same information from this new surface?
- What of value is contained with, or generated by, this new surface?
- How could this new surface be exploited and defended, and does it impact existing surfaces?
The initial question should be asked on a routine basis. COVID-19 changed attacker interest for many small biotech companies in a way their security posture did not anticipate, resulting in an uptick in attacks by nation states seeking an edge in new treatments and a potential vaccine. The second question is often the one that solution providers initially race to address because it is the most obvious. If there’s an enterprise compliance policy requiring potential vulnerabilities to be remediated, security organizations still must identify those vulnerabilities regardless of where the underlying system is running.
The third question is often the one that gets forgotten. Many data breaches have occurred because a new surface is deployed and it gives attackers an expanded attack surface that allows for access to an existing, previously “secured” platform. The Target breach is the most well-known example of this, but countless other breaches have happened because of something as trivial as a mis-configured network setting on an Amazon Web Service’s Virtual Private Cloud.
The recent, near-universal move to remote work will no doubt result in new attacks against home networking infrastructure. It’s important to remember that attackers are not interested in doing more work than is necessary (the ROI calculation), the attack surface will shift the “weakest link” to exploit. Asking these questions and anticipating possible vulnerabilities is critical to getting ahead of the next ransomware attack or zero day-driven intellectual property robbery.