This article is part of Panther’s new Future of Cyber Attacks Series, which features interviews with cyber security experts, thought leaders, and practitioners with a goal of better understanding what organizations can do to prepare themselves for the future of cyber attacks.
The following is an interview we recently had with Hugo Sanchez, CEO and co-founder of rThreat.
How have cyber attacks evolved over the past 12 months?
One of the most significant developments has been growth in third-party supply chain attacks, which involve threat actors who gain access to companies that are connected to the primary targets. The SolarWinds and Kaseya breaches both involved attacks through third-party software that was compromised by threat actors, enabling unauthorized access to the US government agencies that used the SolarWinds product and to a major European grocery chain that used Kaseya, among others. While these were not the first supply chain attacks – the Target breach in 2013 began with a breach of their HVAC vendor – supply chain risks have become a much bigger focus for cyber defense planning in the last year. The increasing frequency of these breaches merely highlights the fact that the technology that has been used to defend against them is insufficient, and there is a need for government agencies and private entities alike to rethink their cyber defenses and integrate an element of real-world strategy.
What lessons can be learned from the biggest cyber attacks in recent history?
There are many lessons to be learned from these most recent attacks, particularly for consumers who remain unaware of the extent to which they are vulnerable to data breaches and other forms of cyber attacks. An important reminder for the public is that very little private data that is provided by consumers to e-commerce companies and others that collect it can truly be trusted to remain private. With this in mind, it’s necessary to be cautious when sharing key personal information online and to put safeguards in place to protect themselves when possible. An important implication for consumers is that fraud actors will use this data for “social engineering,” posing as a trusted company by showing that they know private information that the consumer gave to that company. Some people are already familiar with these types of scams, but it’s a good idea to reinforce this warning, for adults and children: be cautious about which links you’re clicking on and verify that they are coming from the company or institution they claim to be by calling their official number.
What will cyber attacks look like in the future?
To be perfectly honest, we don’t know, and that’s part of the problem. Attackers are innovating faster than our cyber security protocols can currently keep up with, and the government isn’t doing enough to encourage innovation to protect against the attacks. It is safe to assume that the frequency and complexity of these attacks will only increase as technology gets more advanced, and cyber defenses need to be appropriately strengthened to stand up to this onslaught. One thing that is important to understand is that attackers often leverage the same software advances that we see in commercial solutions. A major trend currently is the incorporation of machine learning and artificial intelligence into many commercial solutions, including those used in cyber-defense. The use of ML/AI in cyber-attack technology is certain to grow in coming years, so organizations need to be working twice as hard to ensure that they are protected from these more advanced attacks.
What are three pieces of advice for organizations looking to get ahead of the cyber attacks of the future?
The first thing organizations need to do is adopt a “Zero Trust” mindset, which means building and managing your cyber-defenses based on the assumption that attackers will be inside your systems environment – or already are. The weakest aspect of current cyber protocols that fail to adhere to this mindset is that by the time they discover a threat, it’s too late – the threat actor or virus is already inside their system and defending against it becomes nearly impossible. The Zero Trust mindset gives organizations a chance to be proactive about their defenses and more innovative with regard to their strategy. After adopting this mindset shift, organizations should perform threat modeling and invest in contingency planning based on the key risk areas for your organization. It’s impossible to know what to protect against without an in-depth risk analysis, and your ability to recover from common scenarios is critical, so this is an essential step. On a final note, once these two elements are in place, test your defenses – people, processes, and technology – on a continuous basis. I can’t stress this enough, because validating your defense posture against ever-evolving threats will play a major part in keeping your security program current.