Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Connect Directly
E-Mail vvv

When Will Cybersecurity Operations Adopt the Peter Parker Principle?

Having a prevention mindset means setting our prevention capabilities to "prevent" instead of relying on detection and response.

The recent attacks caused by the Darkside ransomware attack impacted not just the company that was attacked, but also the entire Eastern US as it created significant demand for petroleum products and the recovery took weeks.

Related Content:

How Ransomware Defense Is Evolving With Ransomware Attacks

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 11 Cybersecurity Vendors to Watch in 2021

In more recent news, Conti ransomware has targeted US healthcare and first responder networks as well as more than 400 organizations worldwide. No organization is too small or insignificant for an attacker, and recent events show us just how damaging an attack can be. "With great power comes great responsibility," a popularized quote that is now alternatively known as the Peter Parker Principle, is a lesson the industry should adopt when considering their defenses. To determine that great responsibility, I am inclined to ask, "Why is this still possible today and what can be done to prevent the attacks before they happen?"

For the last decade, there has been a growing reliance on detection as a means of gathering better visibility to the threat we know as ransomware. In many cases, this has become the primary means of response to these attacks and requires response tools like incident response services as well as forensic analysis to determine the root cause and best response. After the attack, there is a microscope placed on the organization, industry, and, more directly, the response teams within the organization. What follows is pressure to change either people, process, or tools to better deal with future attacks.

In researching how these attacks are made possible, it is easy to see the common actions that enable these attacks despite the target. Often the initial attack is through social engineering, phishing, or drive-by downloads to establish a foothold or command-and-control through a vulnerability in software or Web applications. Next is discovery, lateral movement, privilege escalation, and in some cases, data exfiltration. Ultimately, the last stage of the attack is the ransom of the machine(s), where an organization is often put in the precarious position of having to pay a ransom or deal with the lengthy impact of the attack.

Organizations can no longer wait until the attack happens to have a security policy, patch management program, least privilege mindset, and most importantly, a user awareness training program that is run at least quarterly with every employee in the organization. Taking this proactive approach to regularly review all security policies allows organizations to not only stay ahead of the changing landscape, but also keep our most critical assets (employees) part of the overall security practice. Stopping the phishing attacks by recognizing the illegitimate communications from email, social media, and websites on corporate devices is an integral part of any security practice.

Having a prevention mindset means setting our prevention capabilities to "prevent" instead of relying on detection and response. Often, we mistake better visibility for better security, and there is no replacement for excellent pre-execution prevention when it comes to your endpoint security.

Good visibility of the lateral movement, privilege escalation, and data exfiltration is important, but without a team analyzing and acting on the alerts, the data itself is less valuable. Equally important to the forensic data collection should be the process of evaluating the data and making informed decisions on the access controls, endpoint policies, running processes, and external connections on each endpoint. If, as an organization, we are not responding to all events quickly we run the risk of missing the indicators of the attack that could have been avoided.

In security, it's OK to challenge the norm on a regular basis. It should not be OK to review your security measures and configurations only in hindsight. The time for review and challenge is before the attack — and often. There should be at least quarterly reviews of all tools for visibility, effectiveness, and tuning to close security gaps. There should be annual reviews of the exceptions applied for compatibility and business continuity to make sure they are still needed and close any open gaps in security that these exceptions pose. Finally, there should be a monthly review of the application and operating system vulnerabilities and an action plan for patching that closes the exposure.

Just like Peter Parker, we too have a responsibility as both consumers of information and users of technology to be inquisitive of the access we have and the potential impact it can have on our lives, professionally and personally. As we see in the examples of healthcare and petroleum, something that we use to support our daily lives can affect us deeply when it is no longer there.

While your company may not be affected today, the threat posed by ransomware is there for us all, whether at home or at an office. It is the task of everyone in an organization to ask for a prevention focus along with a regular review, training, and data analysis effort. If we focus on enabling our tools and our employees to be part of the security practice, it is very possible to stop the threat of ransomware and stop the impact it has on us all.

Robert is the Field CTO for Deep Instinct. He has worked with many customers, partners, and investors over a 20-year span in his time in Sales Engineering and Professional Services to overcome the challenges in the growing threat landscape. As that threat landscape changes, ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file