The Future of Cyber Attacks — Insights From Purandar Das

This article is part of Panther’s new Future of Cyber Attacks Series which features interviews with cyber security experts, thought leaders, and practitioners with a goal of better understanding what organizations can do to prepare themselves for the future of cyber attacks.

The following is an interview we recently had with Purandar Das, Chief Security Evangelist and Co-founder of Sotero

How have cyberattacks evolved in the past 12 months?

Cyber-attacks have both stayed constant and evolved simultaneously. The traditional style attacks of attacking perimeter weaknesses, software bugs, unpatched servers and phishing attacks have continued. However, these vectors are now also being used as a staging platform for far more sophisticated attacks.

Cyber-attacks have evolved along multiple dimensions. They have increased in volume as well as complexity and sophistication. The interesting thing about the evolution is that only one of the attack vectors is a new one, while the rest of them are either enhancements or combinations of existing attack vectors. The other point on note is that the new attacks have not slowed down the old attack vectors. Ransomware has evolved into a long play both in its sophistication and the ability to monitor traffic patterns while exfiltrating data. The data as well the systems are being held hostage. Ransomware has also evolved from the old social engineering approach to piggy backing on legal third-party software deployment mechanisms and vulnerabilities. Automation and sophistication both in the attack methods as skills are now the hallmarks of cyber-attacks. 

The combination attacks are having the effect of overcoming security mechanisms as one weakness is being used to mount more sophisticated and widespread attacks. Using third party software vulnerabilities to monitor email or to deliver malicious payloads is a recent development.

What lessons can be learned from the biggest cyber-attacks in recent history?

Some of the areas that are being highlighted relate to a legacy mindset in security defensive postures. The traditional approach of network & perimeter security coupled with “at rest” data protection is being exposed. Another weakness that is being exposed is the traditional focus on internal systems and leaving third party platform and software security to the providers and vendors. Yet another area that is being exposed is the lack of security skills and knowledge of cloud security. Traditional approaches of migrating on premise security systems to the cloud is being exposed as inadequate. Every area of integration and collaboration involving data and applications are being exposed as points of weakness.

The lessons that are evident are the obvious ones. 

• Security is not a static practice. It has to constantly evolve to keep ahead of emerging threats. 
• Data protection techniques and practices are lagging
• The attackers are bringing to bear highly skilled talent that is exposing the limitations and skills of enterprise security
• Assuming that you will suffer an intrusion and planning for to defend an organization post intrusion is key

What will cyber-attacks look like in the future? 

While it is hard to accurately predict what attacks will look like in the future some trends are obvious. In addition, traditional assumptions around security no longer hold true. Starting with the basic assumptions that will no longer hold true.

• On premise security approaches don’t travel well, whether it is the cloud or other provider platforms.
• Assuming a service, platform or application provider can and will protect your data will no longer hold true.
• You are secure if you have a strong policy for patching. You can’t control third party software, nor can you trust them.
• Patchwork of security products that don’t talk to each other will work.
• Data protected at rest is sufficient.
• Underinvesting in security will be ok.

Some areas that will continue to evolve as it relates to cyber-attacks:

• Consolidation of resources for mounting attacks will continue.
• Sophistication of skill sets, on the part of the criminals and specialization skills, as well as technology and skills for hire will evolve.
• Consolidation of attack vectors and mechanisms will continue
• Weaknesses in defense posture as well vulnerabilities along every step of the information journey will be exploited and exposed.
• A very profitable economy related to theft of data and IP has evolved and will continue to grow and attract more criminals.
• Legacy software weaknesses will continue to be exposed for many years.

What are three pieces of advice for organizations looking to get ahead of the cyber attacks of the future? 

Needleless to say this is a time of reckoning for most organizations. As evidenced by recent developments the federal government along with some of the largest private technology companies have committed to investing billions of dollars in improving cyber security. Motivations range from existential threats to severely impacted earning abilities. Regardless of the motivation, the underlying message is clear: Cyber threats have grown in scale to a point where they are threatening the very existence of a country’s security & economy.

Getting ahead of this threat(s) will require basic reassessment towards how this is addresses:

1. Reassess security postures and mindsets.
2. A pragmatic and holistic view of today’s security.
3. Siloed, fragmented approaches will not work.
4. Trusting of third-party software and platforms will not work.
5. Emphasizing process and process alone will not work.
6. Reassessing security with a critical eye towards action and constant improvement has to be a key part of security.
7. Allocation of resources and budgets towards cyber security. This is critical. Every decision made to save money will have an adverse impact.
8. Owing security, meaning not relying on other parties to keep your information secure.
9. Acknowledgement of limitations in today’s legacy deployment and limited investment in security.
10. Constant review of security approach and policies.