Adapting defenses to stop attacks and breaches


Global attention on the state of cybersecurity heightened over the last year following the attacks against SolarWinds and Colonial Pipeline. As members of the security community, it’s critical that we pay attention to research findings from the latest campaigns to determine whether any have impacted the organizations we work within. We also need to remain aware that adversaries are constantly evolving how they operate in order to reach new targets. Threats that were relevant only to specific industries one day may soon become pertinent to others.

About the author

Hugh Njemanze is President at Anomali.

Advanced Persistent Threat (APT) FIN7 (aka Carbon Spider, Carbanak Group, and Navigator Group) is a prime example of how highly adaptable threat actors can be. First detected in 2015, FIN7 has consistently targeted US-based retail, restaurant, and hospitality businesses with various financially motivated campaigns that have inflicted up to a billion dollars in damages, according to the United States Department of Justice (DOJ). It shocked the world again when it appeared as a player in the ransomware attack that locked up Colonial Pipeline systems, marking its ability to adapt to remain relevant and expand its tentacles into more sectors.

Many security teams may have never paid attention to FIN7 due to not working in industries the APT originally targeted. Now, any organization that is concerned about threats such as ransomware and phishing needs to start operating under the assumption that the group may be relevant to them. And of course, the security operations teams within the areas the threat actor originally targeted have to remain watchful, as the group continues to target those organizations, as recently revealed by Anomali threat intelligence analysts.

Coping in today’s threat landscape

The idea of having to shift security focus to deal with threats that were previously irrelevant to your industry may seem like a tall order. It will certainly take some added effort on your part, but it will pay off in the prevention of a major incident down the line. Fortunately, there are steps you can take to increase your organization’s ability to adapt in today’s always-changing threat landscape, where new and long-established bad actors such as FIN7 continue to cast wider nets. Among the basics:

Implement comprehensive detection and response

Identifying when adversaries are trying to penetrate your network is only half of an effective detection program. You also must know what already dwells inside your networks to respond effectively to threats that may pose a risk. Comprehensive detection and response strategies leverage telemetry, threat intelligence, threat frameworks, visibility into the network, and talent to find, neutralize, and remove threats before they spiral into catastrophes. Traditional solutions that support your detection and response capabilities should, of course, be kept, but new innovations also need to be deployed, as legacy solutions can only do so much. Among the most recent to show results is Extended Detection and Response (XDR), which expands detection and helps to speed response by extending threat visibility across more of the attack surface, including endpoints, clouds, containers, applications, and other software and hardware assets.

Gain a strategic understanding of threats

Enterprises often prioritize expansion into markets over security, leaving security operations teams to play catch-up when it comes to defense. This tactical approach is dangerous; it wins some battles but loses the overall war. To gain a strategic advantage over attackers, you need to use advanced response-model frameworks that yield information about who attackers are, how they operate, what their end games are, and how to shut them down. Fortunately, frameworks such as MITRE ATT&CK are already available to help you get context, prioritize threats, and execute more efficient responses to threat groups that have always been, or have recently become, relevant to your environment.

Embrace artificial intelligence

Solutions powered by AI and machine learning are helping to level the playing field for those in the business of fending off rapidly shifting cyberattacks. In an ongoing series of reports, Gartner analysts have highlighted the role that these innovations play in detection and response. Among the findings on the business value they supply are overall improvements to the security analyst experience, security posture, and visibility over the network and assets. The research further concluded that faster detection and response, high-fidelity detection, and cost reductions were achieved through AI across various security use cases. AI and ML have now matured to a point where they are making an absolute difference and cannot be overlooked as a must-have tool.

Inventory your assets

Modern IT infrastructures, the systems that make them up, and the data accessible through them are sprawling, often beyond security operations’ view. Organizations today should become hyper-aware of everything contained within their networks if they are to avoid falling victim to a data breach. Digital asset inventories need to map and account for computers, servers, routers, scanners, fax machines, printers, modems, hubs, and various Internet of Things (IoT) devices. In today’s pandemic era, the “work from home” explosion and the increased number of personally owned devices used for business activities also need to be accounted for.

Be flexible

To remain relevant and achieve growth, criminal enterprises constantly pursue new opportunities, as the FIN7 example proves. Ransomware is one of the most expansive and lucrative cybercrime markets today, which means that private companies and government agencies alike are subject to attacks and disruptions. Regardless of whether you are a rookie employee or a seasoned executive, you cannot afford to ignore the possibility that threats once considered irrelevant to your industry now are, especially now that you know many groups are adopting new methods of monetization. If you are concerned about threats like ransomware, you had better find ways to detect and block every cybercriminal that is now using it.

The modern world is forcing all organizations to pursue digital transformation and cloud expansion at increasingly high speeds, which can often place commercial initiatives and security operations in competition with one another. The stark reality is that we exist in an environment where business needs to thrive despite FIN7 and other cybercrime groups. It’s a tall order but with the right combination of technology, talent, and strategy, it can be accomplished.

Hugh Njemanze is a 30-year Cybersecurity Veteran, Ernst & Young Entrepreneur of the Year, and President at Anomali, a leader in intelligence-driven extended detection and response (XDR) cybersecurity solutions.