Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

6/23/2021
01:00 PM

When Will Cybersecurity Operations Adopt the Peter Parker Principle?

Having a prevention mindset means setting our prevention capabilities to "prevent" instead of relying on detection and response.

The recent Darkside ransomware attack impacted not just the company that was attacked but also the entire Eastern US, as it created significant demand for petroleum products and the recovery took weeks.


In more recent news, Conti ransomware has targeted US healthcare and first responder networks as well as more than 400 organizations worldwide. No organization is too small or insignificant for an attacker, and recent events show us just how damaging an attack can be. "With great power comes great responsibility," a popular quote that is now also known as the Peter Parker Principle, is a lesson the industry should adopt when considering its defenses. To determine that great responsibility, I am inclined to ask, "Why is this still possible today, and what can be done to prevent the attacks before they happen?"

For the last decade, there has been a growing reliance on detection as a means of gaining better visibility into the threat we know as ransomware. In many cases, this has become the primary means of response to these attacks and requires response tools such as incident response services and forensic analysis to determine the root cause and the best response. After the attack, a microscope is placed on the organization, the industry, and, more directly, the response teams within the organization. What follows is pressure to change people, process, or tools to better deal with future attacks.

In researching how these attacks are made possible, it is easy to see the common actions that enable them regardless of the target. Often the initial attack is through social engineering, phishing, or drive-by downloads to establish a foothold or command-and-control through a vulnerability in software or Web applications. Next come discovery, lateral movement, privilege escalation, and in some cases, data exfiltration. Ultimately, the last stage of the attack is the ransom of the machine(s), where an organization is often put in the precarious position of having to pay a ransom or deal with the lengthy impact of the attack.

Organizations can no longer wait until the attack happens to have a security policy, a patch management program, a least privilege mindset, and, most importantly, a user awareness training program that is run at least quarterly with every employee in the organization. Taking this proactive approach to regularly reviewing all security policies allows organizations not only to stay ahead of the changing landscape, but also to keep their most critical assets (employees) part of the overall security practice. Stopping phishing attacks by recognizing illegitimate communications from email, social media, and websites on corporate devices is an integral part of any security practice.

Having a prevention mindset means setting our prevention capabilities to "prevent" instead of relying on detection and response. Often, we mistake better visibility for better security, and there is no replacement for excellent pre-execution prevention when it comes to your endpoint security.

Good visibility of lateral movement, privilege escalation, and data exfiltration is important, but without a team analyzing and acting on the alerts, the data itself is less valuable. Equally important to the forensic data collection should be the process of evaluating the data and making informed decisions on the access controls, endpoint policies, running processes, and external connections on each endpoint. If, as an organization, we are not responding to all events quickly, we run the risk of missing the indicators of an attack that could have been avoided.

In security, it's OK to challenge the norm on a regular basis. It should not be OK to review your security measures and configurations only in hindsight. The time for review and challenge is before the attack — and often. There should be at least quarterly reviews of all tools for visibility, effectiveness, and tuning to close security gaps. There should be annual reviews of the exceptions applied for compatibility and business continuity to make sure they are still needed and close any open gaps in security that these exceptions pose. Finally, there should be a monthly review of the application and operating system vulnerabilities and an action plan for patching that closes the exposure.

Just like Peter Parker, we too have a responsibility as both consumers of information and users of technology to be inquisitive of the access we have and the potential impact it can have on our lives, professionally and personally. As we see in the examples of healthcare and petroleum, something that we use to support our daily lives can affect us deeply when it is no longer there.

While your company may not be affected today, the threat posed by ransomware is there for us all, whether at home or at an office. It is the task of everyone in an organization to ask for a prevention focus along with a regular review, training, and data analysis effort. If we focus on enabling our tools and our employees to be part of the security practice, it is very possible to stop the threat of ransomware and stop the impact it has on us all.

Robert is the Field CTO for Deep Instinct. He has worked with many customers, partners, and investors over a 20-year span in his time in Sales Engineering and Professional Services to overcome the challenges in the growing threat landscape. As that threat landscape changes, ...