John Shier is a senior security advisor at Sophos and has been working in the security industry for over 20 years. He is passionate about researching security threats and communicating security concepts and technologies to customers, partners and the public in an entertaining and accessible way.
Shier was a speaker at Infosecurity ISACA North America Expo and Conference in New York, presenting on the ‘Geek Street’ stage, exploring the evolving threat landscape. He discussed how cyber-criminals are adapting their attack strategies for maximum impact and warned that new threat vectors are arising where companies least expect them.
Infosecurity spoke to Shier at the event to gain further insight into changing threats, risks and security best practices for 2020.
What are the key trends and shifts in the threat landscape that Sophos has detected in 2019?
The threat landscape has seen several big shifts throughout 2019, as evidenced in the SophosLabs 2020 Threat Report. Understanding these trends is important for defenders to anticipate what lies ahead and how to best prepare.
Among the most notable trends is an increase in ransomware attackers raising the stakes with automated active attacks that blend human ingenuity with common tools in order to cause maximum impact.
Also, unwanted apps are becoming prime targets for a broad range of attacks, including fleeceware apps that abuse the in-app purchase business model, banking apps that steal users’ credentials from the Google Play store, and hidden adware gathering revenue from fake ad-clicks behind the scenes.
The greatest vulnerability for cloud computing in 2019 continues to be misconfigurations. As cloud systems become more complex and more flexible, operator error continues to increase risk. Combined with a general lack of visibility, this makes cloud computing environments a ready-made target for cyber-attackers.
Machine learning technologies that are designed to defeat malware are also being tested. Research has showed how machine learning detection models could possibly be tricked, and how machine learning could be applied to offensive activity to generate highly convincing fake content for social engineering.
What new/emerging tactics are cyber-criminals employing in their attacks?
Attacker patience and strategic evasion techniques are continuing to improve, interactively attacking endpoints and reducing reliance on less effective fully automated methods. Upon compromise, attackers survey the environment utilizing passive and active techniques to create a topology of the environment. This technique provides more stealthy identification of high-value targets such as administrative workstations, mission critical servers, security tools and backups.
Using legitimate administrative tools and utilities such as ping, nmap, net and nbtsat, the attacker moves laterally to higher priority assets without being detected in time to do anything about it. Administrators who closely monitor logs often filter out these events in Security Information and Event Management (SIEM) tools because, as the behaviors mimic legitimate administrator activities, they generate a lot of false positive alerts.
Are cyber-attacks limited to large organizations, or are SMBs and individuals just as likely to be targeted?
No organization is off limits. As we continue to see the threat landscape evolve, the latest threat vectors are arising where we least expect them – often times with our business partners and administration tools.
Small businesses and even individuals are being used as unwitting vectors for attack against larger, well-defended organizations. Small businesses are a likely target because of the relationships they have with larger enterprises, and no organization should think themselves immune to attack.
What threats/trends do you predict to be particularly poignant or impactful in 2020?
Based on observed trends in the threat landscape, we should expect several things in 2020. Ransomware will continue to be a major player in the threat landscape as long as victims remain easily identifiable. The low-hanging fruit of exposed services, unpatched systems and compromised credentials will provide an ample bounty to both skilled and unskilled attackers.
Due to the ubiquity and importance of mobile devices in everyday use, cyber-criminals continue to innovate devious ways to target these devices for data and profit.
Also, small missteps in the cloud may end up exposing businesses due to a lack of visibility into all of the resources available in the cloud. A common misconception is that off-loading IT/security infrastructure to the cloud also off-loads responsibility. It may make sense to outsource some or all of your systems and/or data to partners but it does not mean you relinquish responsibility. The data is still yours and you have a legal and ethical responsibility to keep it safe and secure. As a result, businesses will need to re-evaluate their cloud strategies with security top of mind.
Furthermore, we expect to see more research into and demonstrations of adversarial uses by and against machine learning systems.
For organizations of all sizes, what is your advice for best security practice heading into next year?
Unfortunately, there is no such thing as perfect security, but a best practice for businesses to implement is a risk-based approach to cybersecurity.
A risk-based approach begins with understanding business priorities and the inevitable consequences of security incidents both large and small. Cybersecurity is not just a technological issue but one that needs to also consider processes and people. Next, businesses need to ensure that prevention, both at the endpoint and on the network, is addressed. Ideally, the endpoint and the network should also communicate with one another to share threat intelligence as attackers routinely attempt to break into systems through multiple avenues. Finally, another key technology to implement is endpoint detection and response, because it saves time when investigating and remediating any threats that may get passed the first layers of defense and lie dormant in the network.
Sophos also recommends businesses implement these five security mitigations heading into the next year to combat targeted ransomware attacks specifically:
- Restrict access to external services, especially remote control applications such as RDP and VNC
- Complete regular vulnerability scans and penetration tests across the network; if you haven’t followed through on recent pen-testing reports, do it now. If you don’t heed the advice of your pen testers, the cyber-criminals will find and exploit those same vulnerabilities
- Multi-factor authentication for sensitive internal systems and external services
- Create backups that are offline and offsite
- Develop and test a disaster recovery plan that covers the restoration of data and systems for whole organizations, all at once