This article is part of Panther’s new Future of Cyber Attacks Series which features interviews with cyber security experts, thought leaders, and practitioners with a goal of better understanding what organizations can do to prepare themselves for the future of cyber attacks.
The following is an interview we recently had with David Vincent, Chief Security Evangelist and VP of Product Strategy at Appsian.
How have cyber-attacks evolved over the past 12 months?
It’s common knowledge that cybercriminal activity is constantly increasing and is one of the biggest global challenges that organizations will face in the next two decades. Current reports from numerous sources such as IBM, McAfee, Verizon, Cyber Magazine, etc., are predicting the impact of cybercrime damage to reach $6T by the end of 2021.
It is difficult to accurately report on the evolution of cyber-attacks that occurred within the last 12 months because, according to the annual Verizon Data Breach Investigations Report, 58% of cyber-attacks take months or even years to detect. The report did indicate that 36% of confirmed data breaches involve phishing techniques, and that 24% of those cyber-attacks targeted financial institutions. Additionally, according to BlueVoyant, the top 5 cybercrime attack methods in 2020 were: phishing scams, website spoofing, ransomware, malware, and IoT hacking.
We can all agree that cyber-crime is no longer the highly skilled college student mischievously trying to hack into an organization. Now cybercriminal organizations like the top five (Cobalt, Lazarus, MageCart, Evil Corp and GozNym) are recruiting highly skilled cybercriminals, but not just for the sole purpose of performing their own criminal activity against organizations. These cybercriminal organizations have evolved into cybercrime entrepreneurs by developing increasingly sophisticated cybercrime tools that the average cybercriminal could not create on their own and selling these tools on the black market for a reasonable price. This is drastically increasing the population of cybercriminals that organizations must defend against.
More and more cybersecurity professionals are mentioning that they have seen some of the most authentic bank phishing attempts recently. Bank phishing is a criminal activity in which a malicious person (or persons) attempts to fraudulently acquire sensitive information, such as online banking passwords and credit card details, by masquerading as a trustworthy organization or website. These phishing attacks usually take the form of an email, and the increase in the number of “highly authentic” phishing and website spoofing attacks is likely a result of cybercrime entrepreneurs selling their sophisticated crime kits on the black market to less experienced cybercriminals.
What lessons can be learned from the biggest cyber-attacks in recent history?
Organizations need to:
- Change their mindset and security posture from “if we are breached” to “when we are breached”.
- Implement the Zero-Trust security model to enforce the principle of never trust, always validate.
- Implement layered security, also known as defense in depth (DiD): overlapping layers of controls that typically provide the three control capabilities needed to secure assets: prevention, detection, and response. While no individual security control is guaranteed to stop 100% of cyber threats, layered security provides mitigations against a wide variety of threats while incorporating redundancy in the form of compensating controls in the event that one control should fail.
- Transition from the static security found in typical Role-Based Access Control (RBAC) security models to a dynamic security model like Attribute-Based Access Control (ABAC), which enables the enforcement of policy requirements in the access controls at the transaction and data level and provides adaptive security with contextual controls at the transaction and data-field level.
- Use Multi-Factor Authentication (MFA), enforcing it at various layers (login, critical transaction level, and critical data field level) to provide layers of security.
- Implement dynamic security control capabilities to improve the organization’s ability to identify, detect, prevent, respond to, and recover from anomalies and threats.
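As an added editorial example (not code from the interview, nor from Appsian or Panther), the following Python illustrates the ABAC and layered-MFA points above: a static RBAC table that answers only "does this role carry the transaction?", beside a deny-by-default ABAC policy that also evaluates context attributes, requires step-up MFA for a critical transaction, and masks critical data fields until transaction-level MFA is satisfied. The roles, transaction names, attribute names, MFA levels and the payroll scenario are all hypothetical.

```python
# Added editorial example (not code from the interview, Appsian or Panther):
# a static RBAC check beside a dynamic ABAC policy that enforces
# transaction-level step-up MFA and data-field-level masking.
# All roles, transactions, attribute names and thresholds are hypothetical.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Static RBAC: role -> transactions it may run. Context is never consulted.
RBAC_TABLE: Dict[str, Set[str]] = {
    "payroll_admin": {"view_employee", "update_bank_account"},
    "payroll_clerk": {"view_employee"},
}

# Attributes the ABAC policy reasons about (assumed names and values).
CRITICAL_TRANSACTIONS = {"update_bank_account"}
CRITICAL_FIELDS = {"bank_account_number", "ssn"}
MFA_LOGIN, MFA_STEP_UP = 2, 3   # 1 = password only, 2 = MFA at login, 3 = MFA at transaction


@dataclass
class Request:
    user: str
    roles: Set[str]
    transaction: str
    mfa_level: int          # highest MFA level satisfied in this session
    device_managed: bool    # attribute fed from MDM / device inventory
    source_network: str     # "corp" or "internet"
    fields: Dict[str, str]  # data fields touched by the transaction


def rbac_allows(req: Request) -> bool:
    """Static check: does any role of the subject carry the transaction?"""
    return any(req.transaction in RBAC_TABLE.get(r, set()) for r in req.roles)


def mask(value: str) -> str:
    """Show only the last four characters of a critical field value."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def abac_decide(req: Request) -> Tuple[str, str, Dict[str, str]]:
    """Deny-by-default policy evaluated per transaction.

    Returns (decision, reason, fields as the caller may see them); decision is
    "permit", "deny", or "step_up" (caller must prompt for transaction-level
    MFA and retry with a higher mfa_level).
    """
    # Rule 1: the role entitlement from RBAC remains the first gate.
    if not rbac_allows(req):
        return "deny", "no role carries transaction", {}

    # Rule 2: critical transactions need step-up MFA plus a trusted context.
    if req.transaction in CRITICAL_TRANSACTIONS:
        if req.mfa_level < MFA_STEP_UP:
            return "step_up", "critical transaction requires transaction-level MFA", {}
        if not req.device_managed or req.source_network != "corp":
            return "deny", "critical transaction allowed only from a managed device on the corp network", {}

    # Rule 3: data-field-level control. Critical fields come back masked
    # unless the session has satisfied step-up MFA.
    visible = {
        name: (mask(value) if name in CRITICAL_FIELDS and req.mfa_level < MFA_STEP_UP else value)
        for name, value in req.fields.items()
    }
    return "permit", "policy satisfied", visible


if __name__ == "__main__":
    # Constructed request: a payroll admin changing a bank account from an
    # unmanaged laptop on the internet, with only login-time MFA.
    risky = Request("alice", {"payroll_admin"}, "update_bank_account", MFA_LOGIN,
                    device_managed=False, source_network="internet",
                    fields={"employee_id": "E1001", "bank_account_number": "12345678"})
    print("RBAC:", rbac_allows(risky))      # True: the role alone would allow it
    print("ABAC:", abac_decide(risky)[:2])  # step-up demanded before context is even judged
```

The point of the contrast is in the last two lines: RBAC says yes because the role is entitled, while the ABAC policy first demands transaction-level MFA and, once that is satisfied, still denies the change from an unmanaged device off the corporate network. The same policy lets a clerk view the employee record but returns the account number masked until step-up MFA has been performed.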
What will cyber-attacks look like in the future?
No doubt phishing scams, website spoofing, ransomware, malware, and IoT hacking will continue to occur, and these techniques will become more effective with more convincing bank phishing emails and fraudulent websites. New cyber-attack methods will also appear, and it is difficult for anyone to predict what those will be, but many conference topics and articles have been mentioning the following as areas that will likely see more cyber-crime attacks.
- Multi-Factor Authentication for remote access to systems and data will become a bigger target.
- Mobile devices will become a bigger target, with mobile attacks such as smishing, which is similar to phishing but sent through SMS text messages rather than emails.
- Another example of a mobile device threat is a keyboard logging app called “AirHopper”, malware loaded on the target system that is able to transmit radio signals from up to 7 meters away to wirelessly steal data from isolated computers. With more and more organizations adopting bring-your-own-device (BYOD) policies, and personal devices being relatively easy to infect with malware, organizations need to manage personal device risk exposure more effectively.
What are three pieces of advice for organizations looking to get ahead of the cyber-attacks of the future?
Always Understand Your Current Risk Exposure & Vulnerabilities – The first step in any battle is to assess your defensive capabilities to identify weaknesses that need to be resolved quickly. This can be done by conducting a thorough risk assessment to identify and quantify all of the potential security risk exposure, and then evaluating the design and operating effectiveness of the controls intended to mitigate those risks to determine if any vulnerabilities exist that could be exploited by cyber criminals. Part of this risk assessment should determine your security control environment’s capability to detect, prevent, respond to, and recover from threat events. Furthermore, it is important to monitor the residual risk level of a given risk event against the organization’s maximum risk appetite level to determine if an adequate level of mitigation controls has been implemented. Residual Risk = Inherent Risk – Control Effectiveness. If the residual risk level is too close to or exceeds the maximum risk appetite level, then the organization must go back and improve its control effectiveness.
Perform Independent Risk Assessments – Have an independent audit performed every six months to evaluate the design and operating effectiveness of the security controls you have implemented to safeguard your systems and data. Part of this independent risk assessment should determine your security control environment’s capability to detect, prevent, respond to, and recover from threat events.
Implement A Continuous Improvement Process – After implementing the six leading practices listed in question #2, consider implementing AI & ML capabilities to constantly (24/7/365) perform your security risk assessment based on the “monitoring of the key risk indicators to detect and respond to anomalies and threats”.