2022 Cybersecurity Threat Landscape
The cybersecurity threat landscape is extremely challenging, and that’s not likely to change soon. Predictions often age poorly, and technology predictions precipitously so, yet organizations need to plan today for the likely challenges of tomorrow. One way to hedge against the fickle nature of predictions is to examine what is happening today and base future strategies on that. In this paper, we walk through some of the most prominent cyber threats organizations face today and some strategies for cyber threat prevention. Given the length of this paper and the fact that we are limiting it to 10-20 threats, the advice for addressing each threat is necessarily short and generic.
What is a Cybersecurity Threat?
Whenever we discuss the cybersecurity threat landscape, it is helpful to agree on a threat definition. For this document, we will discuss a cyber threat as the intersection of three elements, intent, opportunity, and capability, when applied in the context of a hostile actor (also known as a threat actor).
The beauty of this simplistic definition is that the cyber threat is effectively neutralized if any of these three elements is removed. The remainder of the paper will discuss the cybersecurity threat landscape according to this definition.
What is a Threat Actor in Cybersecurity?
Cyber threat actors, often simply called threat actors or malicious actors, are the individuals or groups of individuals who actively locate and attack network security vulnerabilities in a deliberately hostile act intended to harm the targeted victim. One of the most common examples is ransomware, where the threat actor breaks into the network of an enterprise-level organization, steals confidential data from it, and holds that data for ransom, often resulting in the victimized organization making a multi-million dollar cryptocurrency payment to the threat actor.
Breaking Down the Cybersecurity Threat Landscape
Now that we’ve briefly discussed not only what a cyber threat is but also what a threat actor is, it shouldn’t be too difficult to imagine why the authorities often struggle to catch and prosecute these threat actors, especially the ones with seemingly just the right balance of intent, opportunity, and capability.
Understanding the intent of an arms-length actor is difficult at best. Changing their intent is even more so. However, there are multiple areas of the threat landscape where understanding a threat can help us develop controls, up to and including removing the intent to do your organization harm entirely. Consider for a moment how insider threats, hacktivism, and increasing regulations could each play a role in, or even individually represent, the single driving force behind a threat actor’s intent.
There’s no question that insider threats are a serious issue. Insiders start from a position of trust and often even have privileged access to systems. Yet User & Entity Behavior Analytics (UEBA) software is relatively ineffective at detecting and controlling them. Zero trust network access (ZTNA), also known as the software-defined perimeter (SDP), will limit the damage caused by an insider threat, and if properly implemented, ZTNA may even assist in detecting one. However, the best defense against an insider threat is education. Tell employees that they are being monitored to prevent theft, and educate managers on potential signs of insider theft.
As we saw with the Parler leaks and the high-profile hack of Verkada, hacktivism is still a problem. While most cyber threat actors perform their misdeeds for money or intelligence, hacktivists do so because they have an ax to grind. A single statement by an executive can set off a firestorm in the hacktivist community. Educate executives on interacting with the media and set up monitoring programs, particularly for social media, so you know when an executive is coloring outside the lines.
There’s no doubt that more privacy regulations are coming at the state level in the US. Intelligent organizations are planning for data inventories and hiring privacy counsel and consultants to assist them in rearchitecting systems to meet privacy demands never conceived of during the original system implementation.
The opportunities presented and exploited by most threat actors are wholly caused by the victim organization’s failure to plan or a failure to execute. Organizations must understand where they are vulnerable to close gaps that attackers will otherwise exploit. A very thorough threat modeling process should be a core element of an organization’s cybersecurity strategy.
What is Threat Modeling?
Threat modeling is a proactive security measure. It is used to identify cyber threats, attacks, vulnerabilities, and preventative measures that can be prioritized for improved network security. It is a form of risk assessment designed to search for potential security threats within a network and model the specific vulnerabilities that leave the network susceptible to cyber attacks.
More critical data than ever before resides in cloud applications, yet we rarely have proper visibility into its use (and misuse). Two specific threats in this area are the lack of data loss prevention in cloud applications (addressed with a cloud access security broker, CASB) and the lack of visibility into application logs and audit controls. Organizations must build a strategy for both.
Poor Asset Inventories (Hardware and Software)
This one might seem like a cop-out, but a lack of asset inventories leads to poor security hygiene. The CIS Critical Security Controls highlight this by placing hardware and software inventories as the top two controls (in priority order). Most organizations struggle with these, but effort must be applied in this area. You cannot secure that which you do not know about.
Talent Management – Salary
Cybersecurity talent is hard to come by, and it’s a seller’s market. Smart organizations track industry pay rates and adjust their salary brackets before cyber talent moves to another job for 25% more than they’re paying. Remember: it’s almost always cheaper to retain talent than acquire them.
Talent Management – Education
Cybersecurity talent is often grown in non-traditional ways. By requiring a college degree (for hiring, advancement, or competitive salary), organizations risk alienating a large percentage of their potential hiring pool. Smart organizations have already addressed this with HR and stakeholders, but if you haven’t, do so immediately.
Running On-Premises Software When PaaS is Available
Organizations should not take on the task of maintaining infrastructure to build a platform if PaaS is available. “I am afraid of the cloud” is not a valid excuse. Not that this should require any convincing, but every Hafnium victim wishes they weren’t running on-premises Exchange. If a stakeholder claims they are safer on-premises, just ask about vulnerability management KPIs (and then exit, stage left).
Speaking of vulnerability management, you have to do it! Not just for Windows, but for every operating system (third-party apps matter too). Not for 90% of endpoints, but for all of them. And no waiting weeks before patching a critical vulnerability. Most organizations can’t solve vulnerability management with software alone; it takes people (and usually, those people are needed in IT, not security).
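To make the vulnerability management KPIs mentioned above concrete, here is an added example (not code from this paper or its authors) that computes scan coverage against the asset inventory, SLA breaches per severity, and open findings per product from constructed scanner output. The SLA thresholds, host names and findings are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum days a finding may stay open, by severity (constructed policy; the paper only
# says that waiting weeks on a critical is too long).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    host: str
    product: str              # operating system or third-party application affected
    severity: str             # key of SLA_DAYS
    found_on: date
    fixed_on: Optional[date]  # None while the finding is still open

def vuln_kpis(findings, inventory_hosts, scanned_hosts, today):
    """Compute the KPIs a stakeholder should be able to quote: scan coverage against the
    asset inventory, SLA breaches per severity, and open findings per product."""
    coverage = len(scanned_hosts & inventory_hosts) / len(inventory_hosts)
    sla_breaches = {}
    open_by_product = {}
    for f in findings:
        closed_or_today = f.fixed_on or today
        age_days = (closed_or_today - f.found_on).days
        if age_days > SLA_DAYS[f.severity]:
            sla_breaches[f.severity] = sla_breaches.get(f.severity, 0) + 1
        if f.fixed_on is None:
            open_by_product[f.product] = open_by_product.get(f.product, 0) + 1
    return {
        "scan_coverage": round(coverage, 3),
        "unscanned_hosts": sorted(inventory_hosts - scanned_hosts),
        "sla_breaches": sla_breaches,
        "open_by_product": open_by_product,
    }

# Constructed sample: four inventoried hosts, one never scanned, and findings across
# Windows, Linux and a third-party browser.
TODAY = date(2022, 4, 1)
INVENTORY = {"win-01", "win-02", "lnx-01", "mac-01"}
SCANNED = {"win-01", "win-02", "lnx-01"}
FINDINGS = [
    Finding("win-01", "Windows", "critical", TODAY - timedelta(days=20), TODAY - timedelta(days=15)),
    Finding("win-02", "Chrome", "critical", TODAY - timedelta(days=30), None),
    Finding("lnx-01", "OpenSSL", "high", TODAY - timedelta(days=45), None),
    Finding("lnx-01", "Linux kernel", "medium", TODAY - timedelta(days=10), None),
]
```

The unscanned host and the breached critical on a third-party application are exactly the gaps the paragraph above warns about.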
Unlike opportunity, the capability area of the threat definition is, like intent, one that we do not control. Threat actors constantly evolve their capabilities, so assessing attacker capabilities is necessarily a point-in-time snapshot. Also, while opportunities are universal, different actors have different capabilities. Technical and policy controls need to be specific to the capabilities of the actor we are discussing in the context of a threat.
Blindsided by New Capabilities
Many organizations feel they are being blindsided by new capabilities that attackers are seemingly already experts in. An example that highlights this point well is the Golden SAML technique. Golden SAML was used by the attackers who executed the SolarWinds Orion software supply chain attack. They used it to maintain access to email stored in the Microsoft cloud. While stealing the private key used to sign security assertions is a well-understood academic threat model, most organizations weren’t tracking this as a likely attacker technique (capability). But should they have been? Because of the correlation between capabilities discussed at public security conferences and the techniques used by threat actors, there’s some argument in the affirmative. Golden SAML has been talked about publicly (with tools available) since at least 2019.
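One detection a defender can run against this capability, as an added example that is not code from this paper or its authors: correlate service-provider sign-ins with the IdP’s own authentication events and check which certificate signed each assertion. A forged assertion validates at the service provider because it carries the IdP’s real key, but the IdP never logged an authentication for it. The record formats, thumbprint values and log entries below are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thumbprint of the IdP token-signing certificate the SP should trust (constructed placeholder).
EXPECTED_SIGNING_THUMBPRINT = "0000000000000000000000000000000000000001"
# A legitimate assertion is consumed shortly after the IdP issued it.
MAX_AUTH_TO_CONSUME = timedelta(minutes=10)

@dataclass
class SpSignIn:
    """One federated sign-in as recorded by the service provider (e.g. cloud email)."""
    user: str
    consumed_at: datetime
    signing_thumbprint: str

@dataclass
class IdpAuth:
    """One successful authentication as recorded by the on-premises IdP."""
    user: str
    issued_at: datetime

def find_suspect_sign_ins(sp_sign_ins, idp_auths):
    """Return (sign_in, reason) pairs that warrant investigation.

    A Golden SAML assertion is signed with the IdP's stolen key, so it validates at the SP,
    but the IdP never authenticated the user, so no IdP event precedes the sign-in.
    An assertion signed with any other key shows up as an unexpected certificate."""
    suspects = []
    for s in sp_sign_ins:
        if s.signing_thumbprint.lower() != EXPECTED_SIGNING_THUMBPRINT.lower():
            suspects.append((s, "unexpected signing certificate"))
            continue
        matched = any(
            a.user == s.user
            and timedelta(0) <= s.consumed_at - a.issued_at <= MAX_AUTH_TO_CONSUME
            for a in idp_auths
        )
        if not matched:
            suspects.append((s, "no IdP authentication event for this sign-in"))
    return suspects

# Constructed sample data: one legitimate sign-in and two that should be flagged.
T0 = datetime(2022, 3, 1, 9, 0, 0)
SAMPLE_IDP_AUTHS = [IdpAuth("alice", T0)]
SAMPLE_SP_SIGN_INS = [
    SpSignIn("alice", T0 + timedelta(minutes=2), EXPECTED_SIGNING_THUMBPRINT),
    SpSignIn("bob", T0 + timedelta(hours=1), EXPECTED_SIGNING_THUMBPRINT),  # IdP never saw bob
    SpSignIn("carol", T0 + timedelta(hours=2), "0000000000000000000000000000000000000002"),
]
```

In practice the IdP side is the token-issuance audit log and the SP side is the cloud sign-in log; the correlation only works if both are collected, which is the visibility gap the capability exploits.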
Last month we published The Conti Leaks – Insights into a Ransomware Unicorn. Files from the threat organization were leaked to the public. Our research team was able to compile in detail the inner workings of the Conti organization. The insights garnered from pieces like this are priceless. Work with your cyber threat intelligence and offensive security teams to ensure that you aren’t blindsided by new techniques.
Not Matching Controls to Attacker Capabilities
While controls sit squarely in the realm of opportunity, they need to be matched to attacker capabilities. Too often we see organizations struggling to address capabilities that are not in active use by attack groups, while controls for techniques in active use are slow-rolled. To align controls to attacker capabilities, work with your cyber threat intelligence teams to understand the techniques used to target your vertical.
This document walks through several of the most serious cybersecurity threats facing organizations today, divided across intent, opportunity, and capability dimensions. In today’s Cybersecurity Threat Landscape, organizations should not consider this document a complete roadmap to cybersecurity but rather a list of enumerated threats that should serve as a “where to start” document.