Between Log4j, geopolitical tension, and ransomware hitting hospitals and major school districts, it’s more evident than ever before that cybersecurity is no longer just a focus for defenders but for society at large. Defenders continue to weather the storm, and as a proud Champion of Cybersecurity Awareness Month, VMware is raising awareness of emerging threats while sharing best practices that security teams can use to properly defend against them.
Fueling the Fire: Understanding Today’s Attack Methods & Motives
One of the most common and destructive threats to an organisation is lateral movement, a tactic in which an attacker compromises or gains control of one asset within a network and then moves from that device to others within the same network. An analysis by VMware Contexa found that 44% of intrusions included lateral movement. Starting from that single entry point, attackers use lateral movement to target high-value data and systems, island hop across networks, exfiltrate data, and deploy ransomware – all from access to one foothold.
Today’s malicious actors are also incorporating deepfakes into their attack methods to evade security controls. A deepfake is a synthetic media (audio or video) that is either wholly created or altered by AI or machine learning to convincingly misrepresent someone as doing or saying something that was not actually done or said. In VMware’s latest Global Incident Response Threat Report, two out of three defenders saw malicious deepfakes used as part of an attack, a 13% increase from last year. Email was the top delivery method for deepfakes, which corresponds with the rise in Business Email Compromise (BEC) across the industry.
Perhaps unsurprisingly, geopolitical tension continues to motivate today’s cybercriminals, with 65% of defenders noticing an increase in cyberattacks since Russia invaded Ukraine. These geopolitically fueled attacks have the potential to cause major damage and upheaval. After Ukrainian government and bank websites fell victim to a massive distributed denial-of-service (DDoS) attack, a new wiper targeting Ukrainian organisations was discovered on hundreds of machines, built to erase data from the systems it landed on. The potential for digital warfare must be factored into organisations’ cyber defense strategies, regardless of size, sector or location.
Changing Tides: Evolving Threats Require Updated Defense Strategies
Security teams must evolve their defense strategies to efficiently and effectively address today’s attacks, from preventing lateral movement before major damage is done to incorporating deepfakes into security awareness training programs. Defenders continue to weather the storm, and here are a few additional best practices to bolster protection:
- Focus on workloads holistically: Many companies focus on keeping compromised applications and devices out of the network. But rather than just looking for anomalous behavior and vulnerabilities at these entry points, companies must understand the inner workings of their entire workload.
- Inspect in-band traffic: Many modern attacks succeed by disguising themselves as legitimate IT practices. For example, by using accepted protocols (such as the LDAP protocol that companies use to store usernames and passwords), attackers may connect to systems that should be off-limits. Don’t assume traffic shipped in a familiar wrapper is safe.
- Integrate your network detection and response (NDR) with your endpoint detection and response (EDR): Detection and response technology employs real-time, continuous monitoring of systems to detect and investigate potential threats before using automation to contain and remove them. By bringing together EDR and NDR, enterprises gain access to a broad and deep data set on which to lay a solid security foundation, and gain visibility into both the endpoint and the network, which is the basis of extended detection and response (XDR).
- Embrace Zero Trust principles: This broad approach to security assumes every digital transaction could be dangerous and emphasizes strong threat hunting and IR capabilities with broad visibility for the assumption of a breach, as well as robust identity, access and attribute management for every interaction between users and resources and among resources themselves. In addition to continuous security monitoring, it requires all users to be authenticated and capable of accessing only authorised, relevant systems. This reduces the blast radius of an attack by disabling any east-west spread to other systems.
- Conduct continuous threat hunting: Security teams should assume attackers have multiple avenues into their organisation. Threat hunting on all devices can help security teams detect behavioral anomalies, since adversaries can maintain clandestine persistence in an organisation’s systems.
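As an added example (not code from the original post or from any VMware product), here is one simple threat-hunting heuristic for the east-west spread described above: an account whose network logons fan out to many distinct hosts in a short window is flagged for investigation. The logon events, host names and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon events for this example (not real telemetry).
# Fields: timestamp, account, source host, destination host, logon type
# (3 = network logon, the type seen when one host authenticates to another).
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:05", "svc_backup", "BACKUP-01", "FILE-01", 3),
    ("2024-03-04T09:30:10", "svc_backup", "BACKUP-01", "FILE-02", 3),
    ("2024-03-04T10:01:00", "alice", "WS-017", "FILE-01", 3),
    ("2024-03-04T10:01:12", "alice", "WS-017", "HR-DB-01", 3),
    ("2024-03-04T10:01:20", "alice", "WS-017", "DC-01", 3),
    ("2024-03-04T10:01:33", "alice", "WS-017", "FIN-APP-02", 3),
    ("2024-03-04T10:02:00", "alice", "WS-017", "BACKUP-01", 3),
    ("2024-03-04T11:00:00", "bob", "WS-042", "FILE-01", 3),
    ("2024-03-04T12:00:00", "bob", "WS-042", "MAIL-01", 3),
]


def parse_events(rows):
    """Turn the raw tuples into (datetime, account, src, dst, logon_type)."""
    return [(datetime.fromisoformat(ts), acct, src, dst, ltype)
            for ts, acct, src, dst, ltype in rows]


def hunt_lateral_movement(events, max_hosts=3, window=timedelta(minutes=10)):
    """Return {account: sorted hosts} for accounts whose network logons reach
    more than `max_hosts` distinct destinations inside any `window`-long span.
    Normal accounts touch a few hosts over a day; one account sweeping across
    many systems in minutes is the east-west pattern worth hunting for."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst, ltype in events:
        if ltype == 3:  # only host-to-host (network) logons count as movement
            by_account[acct].append((ts, dst))
    findings = defaultdict(set)
    for acct, logons in by_account.items():
        logons.sort()
        start = 0
        for end, (ts, _dst) in enumerate(logons):
            # slide the window start forward until it covers only `window`
            while ts - logons[start][0] > window:
                start += 1
            hosts = {d for _, d in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                findings[acct].update(hosts)  # keep every host in the burst
    return {acct: sorted(hosts) for acct, hosts in findings.items()}


def hunt_sample():
    """Run the hunt over the constructed events; only 'alice' should surface."""
    return hunt_lateral_movement(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for acct, hosts in hunt_sample().items():
        print(f"investigate {acct}: {len(hosts)} hosts in under 10 min -> {hosts}")
```

In practice the thresholds would be tuned per environment, and service accounts with a known fan-out (backup, monitoring) would be baselined rather than hard-coded out.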
Despite the challenges facing today’s security teams, there have been promising indications that defenders are adapting their responses to effectively fight back. Defenders are now actively disrupting cybercriminals’ activities, up to 50% of the time. This means cybercriminals are spending less time within an environment before an investigation occurs. Additionally, defenders are now taking the initiative to adopt new techniques such as virtual patching. While there is still ample room for improvement, defenders are resilient, having proven that if they continually learn and adapt to new conditions, they can successfully weather even the most torrential storm.
For more information on VMware’s involvement in Cybersecurity Awareness Month, please visit VMware News & Stories. Additionally, we’ll be featuring a series of employee spotlights on the VMware Security blog that celebrate this year’s Cybersecurity Awareness Month theme – See Yourself in Cyber. To join in on the conversation this Cybersecurity Awareness Month via social, use the hashtags #SeeYourselfInCyber and #CyberMonth.