
Threat Intelligence

01:00 PM
Ken Todd

Watch Out for These Cyber-Risks

It's difficult to predict what will materialize in the months ahead in terms of cyber-risks, which is why it's wise to review your organization's security posture now.

Last year was unprecedented for many reasons, not the least of which was responding to the COVID-19 global pandemic. Unsurprisingly, cybercriminals leveraged the pandemic's uncertainty and disruption for their own benefit, launching cyberattacks on remote workers, consumers, organizations, and companies. We can expect these attacks not only to continue but to multiply. It's time to ensure your organization is prepared for the trends we see on the cyber-risk landscape.

SolarWinds: Continuing Reveals and Fallout
At the end of last year, the SolarWinds breach made headlines as industry professionals tried to unpack the who, what, where, when, and how of the attack, and importantly, whether they were directly affected. Two months after the discovery of the incident, we have started to understand the breadth and depth of the supply chain compromise, but it's still too soon to fully understand the complete and ultimate effects of the likely Russian compromise.


In fact, Robert Bigman, who served as the intelligence community's most senior information assurance officer for half of his 30-year career in the CIA, recently told the ThreatConnect Podcast it could be two years before we know the extent of the SolarWinds breaches.

In the months ahead, we expect to see additional details discovered on the compromise, related operations, and the actor's follow-on efforts. As we learn more about the situation and the attack, we'll likely see an uptick in the focus on supply chain security as organizations aim to protect themselves from being the target of a similar attack in the future. If you haven't done so already, now would be a good time to review the security posture of all vendors and partners in your supply chain.  

Hackers Gonna Hack
Cyberattacks aren't going anywhere. They will likely increase, whether from state-sponsored actors, cybercriminals, or hacktivists. Ultimately, for government agencies and companies, this means taking a risk-based view of your cybersecurity program. If you don't start with risk, you can't really understand what you're trying to do, which is protect the organization. Without a risk-based view, you don't know what you truly need to protect, where the biggest exposures are, and where the existential threats and vulnerabilities in your enterprise lie.

Make sure to understand the top threats facing your organization, the specific risks that they pose, and whether or not you have the right tools and procedures in place to prevent some of the attacks or at least mitigate the damage. Remember that it's not enough for your own organization to put strong security protocols in place — it could be your partner, your vendor, or even your customer's systems that create a vulnerability.

Use what you learn from quantifying your top risk scenarios to solve the prioritization problem: where should your threat intelligence teams spend their time? Even the best vulnerability management program isn't really addressing cyber-risk on its own. Did you know that more than 13% of all Common Vulnerabilities and Exposures (CVEs) have a severity score between 9.0 and 10.0 (the highest possible value)? Of those 13%, 7,628 (or about 47%) are scored at 10.0. The question becomes: how can a security team tell one 10.0 from another? And how do businesses know they are focusing on the right ones?

There are thousands of attacks engineered each day. Companies cannot and should not consider every threat as a risk to their business. That would overwhelm and distract from effective risk management. Rather, organizations should strategize according to the probability of an attack targeting their business.

When considering probability, the distinguishing attacker attribute is motivation. Only 11% of cyberattacks have an unknown motive. For the remaining 89% of attacks, motives are understood, ranging from financial gain to competition and political advantage. Triangulating these attack probabilities using industry data serves to filter out irrelevant threats or unlikely events, while focusing attention on the more probable cyber-risks.
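One way to put the two preceding points into practice, that CVSS alone cannot separate one 10.0 from another and that attack probability should be weighted by attacker motive and industry data, is to rank findings by context rather than by base score. The following is an added example, not code from the article or from ThreatConnect. The weights, the sector motive shares, and the findings in SAMPLE are constructed for illustration (the IDs are placeholders, not real CVEs); in practice they would come from your own asset inventory, exploit intelligence, and sector threat data.

```python
"""Risk-based ranking of vulnerability findings (added example).

All identifiers, scores, and weights below are constructed for
illustration; they do not describe real advisories or a standard model.
"""
from dataclasses import dataclass
from typing import List

# Assumed likelihood multipliers (hypothetical values chosen for illustration).
EXPLOIT_STATUS = {"in_the_wild": 1.0, "public_poc": 0.5, "none": 0.1}
EXPOSURE = {"internet": 1.0, "partner": 0.6, "internal": 0.3}

# Assumed share of attacks against *our* sector driven by each motive.
# This stands in for the industry data the article says to triangulate with.
SECTOR_MOTIVE_SHARE = {
    "financial": 0.6,
    "espionage": 0.25,
    "hacktivism": 0.05,
    "unknown": 0.1,
}


@dataclass(frozen=True)
class Finding:
    finding_id: str        # placeholder identifier, not a real CVE
    cvss: float            # CVSS base score, 0.0-10.0
    asset: str
    criticality: int       # 1 (disposable) .. 5 (crown jewel), set by the business
    exposure: str          # key of EXPOSURE
    exploit_status: str    # key of EXPLOIT_STATUS
    motive: str            # motive of actors known to use this bug; key of SECTOR_MOTIVE_SHARE


def likelihood(f: Finding) -> float:
    """Probability-like weight that this bug is actually used against us."""
    return (EXPLOIT_STATUS[f.exploit_status]
            * EXPOSURE[f.exposure]
            * SECTOR_MOTIVE_SHARE[f.motive])


def impact(f: Finding) -> float:
    """Business impact: technical severity scaled by what the asset is worth to us."""
    return (f.cvss / 10.0) * (f.criticality / 5.0)


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, rounded for stable comparison."""
    return round(likelihood(f) * impact(f), 4)


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; CVSS breaks ties only after context has spoken."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


# Constructed sample backlog: three "perfect 10s" and one 7.5.
SAMPLE = [
    Finding("FND-1", 10.0, "internal-build-box", 1, "internal", "none", "hacktivism"),
    Finding("FND-2", 10.0, "payment-gateway", 5, "internet", "in_the_wild", "financial"),
    Finding("FND-3", 10.0, "hr-portal", 3, "partner", "public_poc", "espionage"),
    Finding("FND-4", 7.5, "customer-api", 4, "internet", "in_the_wild", "financial"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.finding_id}  cvss={f.cvss:<4}  risk={risk_score(f):.4f}  {f.asset}")
```

With these assumed weights the 7.5 on an internet-facing, actively exploited customer API outranks two of the three 10.0s, and the 10.0 on an isolated build box with no known exploit lands last. The point is not the particular numbers but that the ranking is driven by exposure, exploit activity, asset value, and the motives actually seen against your sector, which is exactly what a base score cannot express.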

Disinformation Doesn't Die
Last year, we learned more about the pervasiveness of influence operations, which we must consider moving forward. Activities such as misinformation, disinformation, and leaking compromised information will continue and professionals should be ready to address these in the context of their organizations.

It also became apparent that influence operations are not exclusively a foreign adversary issue. More and more, we're beginning to see a wide range of influence operations, which can include malicious marketing and public relations activities, that can easily be operationalized against an organization or business by both foreign and domestic actors. These can lead to financial, physical, and other deleterious effects on an organization. As the barrier to entry for bad actors conducting influence operations lowers, this is increasingly an area where security professionals should direct their attention.

Overall, it is difficult to predict exactly what will materialize in the months ahead in terms of cyber-risks, which is why it is wise to review your organization's security posture as it is currently. Security leaders should review and analyze the full risk landscape facing their entities and proactively identify and correct potential gaps. We can be certain that the attacks will keep coming but acting now can save your organization from future financial and reputational harm.

Ken Todd is a pseudonym for a threat intelligence researcher with ThreatConnect who has several years of experience as a cyber-intelligence analyst.
