The top three cybersecurity threats you didn’t know to look out for


Today’s organizations are being subjected to an ever-changing and ever-evolving threat landscape. In this ‘new normal,’ applying conventional strategies to challenges, such as ransomware, is no longer enough. It’s vital that IT teams, security teams, and members of the board know where to focus their enterprise security and resiliency efforts so they can anticipate, withstand, and recover from modern cyber attacks.

As we approach the final quarter of 2023, we look ahead at the top three cybersecurity threat trends that security professionals should be preparing to repel.

1. Living Off the Land (LOL) techniques

Silent attacks that remain hidden for extended periods of time pose a unique risk to businesses. Today’s hackers are using far less malware. Instead, they Live Off the Land (LOL), using the operating system against itself by exploiting native legitimate tools like signed binaries (LOLBins), scripts (LOLScripts), and libraries to camouflage malicious activity, blend in, and bypass even the most advanced security defenses.

Unlike traditional attacks that rely on malware, LOL attacks use native OS utilities that are required to run the OS and to support IT operations. Inherently, they are not malicious, so while conventional tools log LOL activity on each endpoint, they do not alert on it. For example, cmd.exe, the default command-line interpreter for Windows, can be used to evade defensive countermeasures or to hide as a persistence mechanism.

This creates a difficult dilemma for security teams: how can they alert when legitimate tools are being used as designed, but for nefarious reasons? Is it even possible to alert on intent? LOLBins are becoming the technique of choice precisely because they blend in. It is a method that was leveraged by the Volt Typhoon group to conduct surveillance on water and electric utilities that serve military installations in the United States and abroad.

Traditional security tools collect evidence of malice on the network and on the endpoint. They are a critical layer of defense that detects malicious files and activities, but they are not built to detect stealth techniques such as the LOLBins used by the Volt Typhoon group. To defend data against this kind of attack, organizations will need to make a step change in their defenses, introducing realistic decoys that trick bad actors into engaging with these false resources and exposing their techniques; in turn, that engagement alerts the organization's security teams to a lurking threat.
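One way to act on the point above, that native tools are logged but not alerted on, is to alert on context rather than on the binary itself. The following added example (not code from the article or from Commvault) scores constructed process-creation log lines against a baseline of parent/child pairs observed during normal operations; the log format, field names and baseline counts are assumptions made for illustration.

```python
"""Context-based alerting for Living-Off-the-Land (LOL) activity.

Added example, not from the original article. A native binary such as
cmd.exe cannot be flagged on sight, so each process-creation event is
compared with a baseline of parent/child pairs seen during normal use.
Log lines, field names and baseline counts below are constructed.
"""
from collections import Counter

# Native Windows utilities the article calls LOLBins: logged, but not
# alert-worthy by themselves.
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}

# Constructed baseline: (parent, child) pairs observed during a quiet
# period, with counts. In practice this is learned from endpoint logs.
BASELINE = Counter({
    ("explorer.exe", "cmd.exe"): 120,
    ("services.exe", "cmd.exe"): 40,
    ("explorer.exe", "powershell.exe"): 35,
})

def parse_event(line):
    """Parse a constructed 'key=value|key=value' process-creation line."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return fields["parent"].lower(), fields["image"].lower()

def score_events(lines, baseline=BASELINE, min_seen=5):
    """Return (parent, child) pairs where a LOLBin is spawned by a parent
    seen fewer than min_seen times in the baseline for that child."""
    alerts = []
    for line in lines:
        parent, child = parse_event(line)
        if child in LOLBINS and baseline[(parent, child)] < min_seen:
            alerts.append((parent, child))
    return alerts

# Constructed sample events; 'thirdparty.exe' is a placeholder parent.
SAMPLE = [
    "ts=1|parent=explorer.exe|image=cmd.exe",
    "ts=2|parent=thirdparty.exe|image=cmd.exe",
    "ts=3|parent=services.exe|image=cmd.exe",
    "ts=4|parent=svchost.exe|image=notepad.exe",
]

if __name__ == "__main__":
    for parent, child in score_events(SAMPLE):
        print(f"ALERT: {child} spawned by unusual parent {parent}")
```

The baseline is the important part: the same cmd.exe launch is benign under one parent and worth an analyst's attention under another, which is as close as log data gets to alerting on intent.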

David Ngo

CTO of Metallic Security at Commvault

2. Artificial Intelligence (AI)

Today’s hackers are using advanced tools like AI and machine learning to automate and coordinate attacks and increase their effectiveness. They are also using AI to understand the defenses organizations have put in place to keep attackers out of their environments. No longer limited by the need to produce their threat campaigns manually, bad actors are using readily available generative AI tools like ChatGPT and fine-tuning them to meet their needs, whether that is creating highly personalized phishing content at scale or generating keystroke-logging and other basic malware code adapted specifically to ‘crack’ a target system’s credentials and algorithms.

According to a recent report, cybersecurity experts at large enterprises say that generative AI has already fueled a significant uptick in attacks. To combat the rising volume, organizations will need to make use of defensive AI and machine learning that makes it possible to: automate the detection and remediation of non-compliant systems; apply automated patching, configuration, and upgrades for software assets; and handle traditionally labor-intensive activities such as identity and access management (IAM) and reporting. In other words, using AI to drive compliance with a hardened zero trust architecture and meet threats head on with real-time visibility and early warnings that support a proactive defense posture.

3. Ransomware-as-a-Service

Ransomware poses one of the biggest threats to businesses of every size, in every industry sector. Highly organized groups have now evolved sophisticated Ransomware-as-a-Service (RaaS) subscription and distribution models that make it easier for threat actors with little or no expertise to assemble a state-of-the-art attack composed of the most modern techniques across the attack lifecycle.

Specializing in specific elements of the attack process, today’s RaaS operators are offering kits that feature everything from payment portals and ‘support services’ for victims to a choice of ransomware variants (such as LockBit, REvil, and Dharma). Others are acting as access brokers that specialize in discovery. Affiliates that buy or lease these RaaS kits are then free to put all these elements together to execute a ransomware attack, paying a fee or sharing a portion of their profits.

The emergence of the RaaS business model means that the frequency and sophistication of ransomware attacks are increasing. With this in mind, organizations will need to double down on their cybersecurity activities, whether that is stepping up vulnerability management strategies, implementing early-warning cyber detection tools, or deploying automated remediation and data backup and recovery in production environments, to ensure they can recover quickly following an attack.

Adopting a resiliency mindset

The proliferation of new and emerging cyber threats means that organizations will need to break the silos between security and IT operations and shift their thinking towards a collaborative resilience strategy and an IT infrastructure that fights through cyber attacks. This is a shared responsibility inclusive of segmentation, redundancy, deception, contextual awareness, privilege restriction, and more.

Understanding that a cyber attack is a case of ‘when, not if,’ they will need to build early detection capabilities and ensure they are proactively on the lookout for threats, so they can respond to attacks and security incidents quickly. Returning to business-as-usual operations following a security event should now be a top security ambition, so rock-solid data recovery procedures are a must-have.


David Ngo is CTO for Metallic at Commvault. He has led engineering alliances with strategic partners, such as Microsoft and NetApp before joining Commvault, leading cloud and virtualization efforts.
