Last updated at Tue, 25 Apr 2023 21:16:32 GMT
The rapidly changing pace of the cyberthreat landscape is on every security pro's mind. Not only do organizations need to secure complex cloud environments, they're also more aware than ever that their software supply chains and open-source elements of their application codebase might not be as ironclad as they thought.
It should come as no surprise, then, that defending against a new slate of emerging threats was a major theme at RSAC 2022. Here's a closer look at what some Rapid7 experts who presented at this year's RSA conference in San Francisco had to say about staying ahead of attackers in the months to come.
Surveying the threat landscape
Security practitioners often turn to Twitter for the latest news and insights from peers. As Raj Samani, SVP and Chief Data Scientist, and Lead Security Researcher Spencer McIntyre pointed out in their RSA talk, "Into the Wild: Exploring Today's Top Threats," the trend holds true when it comes to emerging threats.
"For many people, identifying threats is actually done through somebody that I follow on Twitter posting details about a particular vulnerability," said Raj.
As Spencer noted, security teams need to be able to filter all these inputs and identify the actual priorities that require immediate patching and remediation. And that's where the difficulty comes in.
"How do you manage a patching strategy when there are critical vulnerabilities coming out … it seems weekly?" Raj asked. "Criminals are exploiting these vulnerabilities literally in days, if that," he continued.
Indeed, the average time to known exploitation, the interval between a vulnerability being publicly disclosed and the first clear evidence of attackers using it in the wild, fell from 42 days in 2020 to 17 days in 2021, as noted in Rapid7's latest Vulnerability Intelligence Report. With so many threats emerging at a rapid clip and so little time to react, defenders need the tools and expertise to understand which vulnerabilities to prioritize and how attackers are exploiting them.
"Unless we get a degree of context and an understanding of what's happening, we're going to end up ignoring many of these vulnerabilities because we've just got other things to worry about," said Raj.
The evolving threat of ransomware
One of the things that worries security analysts, of course, is ransomware, and as the threat has grown in size and scope, the ransomware market itself has changed. Cybercriminals are leveraging this attack vector in new ways, and defenders need to adapt their strategies accordingly.
That was the theme that Erick Galinkin, Principal AI Researcher, covered in his RSA talk, "How to Pivot Fast and Defend Against Ransomware." Erick identified four emerging ransomware trends that defenders need to be aware of:
- Double extortion: In this type of attack, threat actors exfiltrate data before encrypting it. They demand a ransom for the decryption key, then extort the organization a second time: pay an additional fee, or the stolen data is leaked. Backups restore availability, but they do nothing about the leak threat, so even well-backed-up organizations remain exposed to this secondary tactic.
- Ransomware as a service (RaaS): Not all threat actors know how to write highly effective ransomware. With RaaS, they can simply purchase malicious software from a provider, who takes a cut of the payout. The result is a broader and more decentralized network of ransomware attackers.
- Access brokers: A kind of mirror image to RaaS, access brokers give a leg up to bad actors who want to run ransomware on an organization's systems but need an initial point of entry. Now, that access is for sale in the form of phished credentials, cracked passwords, or leaked data.
- Lateral movement: Once a ransomware attacker has a foothold in an organization's network, they use lateral movement techniques to hop between systems and escalate privileges, seeking out the most sensitive, high-value data they can find before encrypting it.
With the ransomware threat growing by the day and attackers' techniques growing more sophisticated, security pros need to adapt to the new landscape. Here are a few of the strategies Erick recommended for defending against these new ransomware tactics.
- Continue to back up all your data, and protect the most sensitive data with strong admin controls.
- Don't get complacent about credential theft; the credentials harvested by a seemingly minor phishing attack can be sold by an access broker as the entry point for a ransomware operation.
- Implement the principle of least privilege, so only designated administrator accounts can perform administrative functions. When routine accounts never legitimately perform admin actions, lateral movement that abuses them stands out and is easier to detect.
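The last point is easiest to see with data. The following Python is an added example written for this page, not code from Erick's talk or from any Rapid7 product. It runs two checks over a handful of constructed authentication events: administrative actions performed by accounts that are not on the admin allowlist (a least-privilege violation), and a single account reaching many distinct hosts within a short window (fan-out typical of lateral movement). The event format, account and host names, action labels and thresholds are all assumptions made for the illustration.

```python
"""Added example: why least privilege makes lateral movement easier to spot.

Once only a known set of accounts is allowed to perform administrative
actions, any admin-type action from another account is an anomaly, and an
account touching many hosts in a few minutes is worth a look.  Everything
below (event format, names, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
# Fields: timestamp, account, source host, destination host, action.
SAMPLE_EVENTS = [
    "2022-06-07T09:01:10 alice WS-11 FS-01 file_read",
    "2022-06-07T09:02:30 svc_backup BK-01 FS-01 admin_share",
    "2022-06-07T09:03:05 bob WS-23 WS-24 admin_share",
    "2022-06-07T09:03:40 bob WS-23 WS-25 remote_exec",
    "2022-06-07T09:04:12 bob WS-23 FS-01 admin_share",
    "2022-06-07T09:04:50 bob WS-23 DC-01 remote_exec",
    "2022-06-07T10:15:00 carol WS-02 FS-01 file_read",
]

# Assumed policy: the only accounts allowed to perform admin actions,
# and the action labels we treat as administrative.
ADMIN_ACCOUNTS = {"svc_backup", "da_helpdesk"}
ADMIN_ACTIONS = {"admin_share", "remote_exec"}

# Assumed fan-out rule: this many distinct destination hosts in this window.
FANOUT_WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 3


def parse_event(line):
    """Split one constructed event line into a dict with a real timestamp."""
    ts, account, src, dst, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst, "action": action}


def find_privilege_violations(events, admin_accounts=ADMIN_ACCOUNTS,
                              admin_actions=ADMIN_ACTIONS):
    """Admin-type actions from accounts that should not hold admin rights."""
    return [e for e in events
            if e["action"] in admin_actions and e["account"] not in admin_accounts]


def find_fanout(events, window=FANOUT_WINDOW, threshold=FANOUT_THRESHOLD):
    """Accounts that reach >= threshold distinct hosts within one window.

    Returns {account: set_of_destination_hosts} for the first window that
    trips the threshold for each account.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)

    hits = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                hits[account] = hosts
                break
    return hits


def analyze(lines=SAMPLE_EVENTS):
    """Run both checks and return a summary suitable for alerting."""
    events = [parse_event(line) for line in lines]
    violations = find_privilege_violations(events)
    return {
        "violations": sorted((e["account"], e["dst"], e["action"]) for e in violations),
        "fanout": find_fanout(events),
    }


if __name__ == "__main__":
    result = analyze()
    for account, dst, action in result["violations"]:
        print(f"non-admin account {account} performed {action} on {dst}")
    for account, hosts in result["fanout"].items():
        print(f"{account} reached {len(hosts)} hosts in {FANOUT_WINDOW}: {sorted(hosts)}")
```

In the constructed data, svc_backup's admin_share is expected and produces nothing, while bob (a standard account) both performs admin actions and touches four hosts in under two minutes, so both checks fire on the same account. Without the allowlist, the first check has no baseline to compare against, which is the point of separating administrative from everyday accounts.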
Shaping a new kind of SOC
With so much changing in the threat landscape, how should the security operations center (SOC) respond?
This was the focus of "Future Proofing the SOC: A CISO's Perspective," the RSA talk from Jeffrey Gardner, Practice Advisor for Detection and Response (D&R). In addition to the sprawling attack surface, security analysts are also experiencing a high degree of burnout, understandably overwhelmed by the sheer volume of alerts and threats. To alleviate some of the pressure, SOC teams need a few key things:
- Greater efficiency and agility through automation and extended detection and response (XDR) capabilities.
- Increased proactivity in D&R capabilities, with external threat intelligence and digital forensics and incident response (DFIR) analysis.
- The ability to flex or surge D&R resources as needed, limiting wasted effort without sacrificing effectiveness or overburdening analysts.
For Jeffrey, these needs are best met through a hybrid SOC model — one that combines internally owned SOC resources and staff with external capabilities offered through a provider, for a best-of-both-worlds approach. The framework for this approach is already in place, but the version that Jeffrey and others at Rapid7 envision involves some shifting of paradigms. These include:
- Collapsing the distinction between product and service and moving toward "everything as a service": a unified platform through which resources, from in-product features to provider expertise and guidance, are delivered on a sliding scale
- Ensuring full transparency, so the organization understands not only what's going on in their own SOC but also in their provider's, through the use of shared solutions
- More customization, with workflows, escalations, and deliverables tailored to the customer's needs
Meeting the moment
It's critical to stay up to date with the most current vulnerabilities we're seeing and the ways attackers are exploiting them — but to be truly valuable, those insights must translate into action. Defenders need strategies tailored to the realities of today's threat landscape.
For our RSA 2022 presenters, that might mean going back to basics with consistent data backups and strong admin controls. Or it might mean going bold by fully reimagining the modern SOC. The techniques don't have to be new or fancy to be effective; they simply have to meet the moment. (Although if the right tactics turn out to be big and game-changing, we'll be as excited as the next security pro.)
Looking for more insights on how defenders can protect their organizations amid today's highly dynamic threat landscape? You can watch these presentations — and even more from our Rapid7 speakers — at our library of replays from RSAC 2022.