Last year was unprecedented for many reasons, not the least of which was responding to the COVID-19 global pandemic. Unsurprisingly, cybercriminals leveraged the pandemic's uncertainty and disruption for their benefit in the form of cyberattacks on remote workers, consumers, organizations, and companies. We can expect for these attacks to not only continue but to multiply as a result. It's time to ensure your organization is prepared for the trends we see on the cyber-risk landscape.
SolarWinds: Continuing Reveals and Fallout
At the end of last year, the SolarWinds breach made headlines as industry professionals tried to unpack the who, what, where, when, and how of the attack, and importantly, whether they were directly affected. Two months after the discovery of the incident, we have started to understand the breadth and depth of the supply chain compromise, but it's still too soon to fully understand the complete and ultimate effects of the likely Russian compromise.
In fact, Robert Bigman, who served as the intelligence community's most senior information assurance officer for half of his 30-year career in the CIA, recently told the ThreatConnect Podcast it could be two years before we know the extent of the SolarWinds breaches.
In the months ahead, we expect to see additional details discovered on the compromise, related operations, and the actor's follow-on efforts. As we learn more about the situation and the attack, we'll likely see an uptick in the focus on supply chain security as organizations aim to protect themselves from being the target of a similar attack in the future. If you haven't done so already, now would be a good time to review the security posture of all vendors and partners in your supply chain.
Hackers Gonna Hack
Cyberattacks aren't going anywhere. They will likely increase — whether from state-sponsored actors, cybercriminals, or hacktivists. Ultimately, for government agencies and companies, this means taking a risk-based view of your cybersecurity program. If you don't start with risk, you can't really understand what it is you're trying to do, and that's protect the organization. Without a risk-based view, you don't know what you truly need to protect, where the biggest exposures are, and where existential threats and vulnerabilities are in your enterprise.
Make sure to understand the top threats facing your organization, the specific risks that they pose, and whether or not you have the right tools and procedures in place to prevent some of the attacks or at least mitigate the damage. Remember that it's not enough for your own organization to put strong security protocols in place — it could be your partner, your vendor, or even your customer's systems that create a vulnerability.
Take the knowledge that's been discerned from quantifying your top risk scenarios and use that to solve the prioritization problem in terms of where your threat intelligence teams should spend their time. Even the best vulnerability management program isn't really addressing cyber-risk. Did you know that more than 13% of all Common Vulnerabilities and Exposures (CVEs) have a severity score between 9.0 and 10.0 (the highest possible value)? Of those 13%, 7,628 (or about 47%) are scored at 10.0. The question becomes how can a security team tell one 10.0 from another? And how do businesses know they are focusing on the right ones?
There are thousands of attacks engineered each day. Companies cannot and should not consider every threat as a risk to their business. That would overwhelm and distract from effective risk management. Rather, organizations should strategize according to the probability of an attack targeting their business.
When considering probability, the distinguishing attacker attribute is motivation. Only 11% of cyberattacks have an unknown motive. For the remaining 89% of attacks, motives are understood, ranging from financial gain to competition and political advantage. Triangulating these attack probabilities using industry data serves to filter out irrelevant threats or unlikely events, while focusing attention on the more probable cyber-risks.
Disinformation Doesn't Die
Last year, we learned more about the pervasiveness of influence operations, which we must consider moving forward. Activities such as misinformation, disinformation, and leaking compromised information will continue and professionals should be ready to address these in the context of their organizations.
It also became apparent that influence operations are not exclusively a foreign adversary issue. More and more, we're beginning to see a wide range of influence operations, which can include malicious marketing and public relations activities, that can easily be operationalized against an organization or business by both foreign and domestic actors. These can lead to financial, physical, and other deleterious effects on an organization. As the barrier of entry lowers for bad actors to conduct influence operations, this is increasingly an area where security professionals should direct their attention.
Overall, it is difficult to predict exactly what will materialize in the months ahead in terms of cyber-risks, which is why it is wise to review your organization's security posture as it is currently. Security leaders should review and analyze the full risk landscape facing their entities and proactively identify and correct potential gaps. We can be certain that the attacks will keep coming but acting now can save your organization from future financial and reputational harm.