Executive Viewpoint

The Gloves Come Off: Incident Responders Turn to Active Defense

In a series of remarks at the Office of the Director of National Intelligence on July 27, President Biden commented on how cyber threats have increasingly been able to cause damage and disruption to the real world. He went on to say, “I think it’s more likely we’re going to end up — well if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence. And it’s increasing exponentially — the capabilities.”

This is the first time a U.S. president has hinted at the possibility of kinetic response to a cyberattack. As outlined in our latest Global Incident Response Threat Report, we’ve reached a new era of cyber offense and defense.

Commandeering the Cloud

Cybercriminals are now willing to escalate beyond traditional data theft to manipulate everything from identities to time stamps so that the way in which defenders perceive their own environment is distorted and data sets are poisoned. These cases are no longer few and far between. Our report found that targeted victims now experience integrity and destructive attacks more than 50% of the time, and cybercriminals are exploiting cloud environments as the delivery method. For example, nearly half of respondents said more than one-third of attacks were targeted at cloud workloads.

Another emerging vulnerability comes from Kubernetes environments. Like clouds, Kubernetes can provide a false sense of security. Our report found that 64% of respondents encountered container images that allow bad actors to exploit vulnerabilities in Kubernetes environments. This echoes the findings of the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC), which on July 1 issued a rare joint alert warning of widespread brute-force attacks by Russia’s GRU military intelligence agency that employed Kubernetes software containers to perform the attacks at scale. CISA and the NSA followed up on August 2 with Kubernetes Hardening Guidance to help organizations and agencies better secure their environments amid these emerging threats.

If 2020 was the year of island hopping, where cybercriminals infiltrated large company networks by targeting third parties with lower levels of protection, then we should expect cloud-jacking through public clouds to go mainstream in 2021. Cloud-jacking is a process in which an organization’s cloud account is stolen or hijacked by an attacker. With the mass migrations to public clouds to support distributed workforces, it’s likely that we will see a public cloud be commandeered to launch a systemic ransomware attack this fall.

Taking the Gloves Off

Given the escalation to cloud-jacking and the dramatic increase in destructive attacks, defenders are looking for new ways to fight back. Of the IR pros we surveyed, 81% said they’d be willing to leverage active defense techniques in the next 12 months, ranging from deception to disruption. MITRE’s active defense matrix showcases the techniques defenders can employ to create a hostile environment for attackers and stop lateral movement in its tracks.

An embrace of active defense by incident responders comes at the same time as the introduction of a bipartisan bill that instructs the Department of Homeland Security (DHS) to study the “potential consequences and benefits” of allowing private companies to hack back following cyberattacks.

As the hack-back debate bubbles back up to the surface, I strongly believe the risk of allowing it is greater than the reward. Active defense techniques, such as deploying deception grids and micro-sharing data, are useful for organizations in the fight against attackers. Hacking back, on the other hand, should not be enacted. Rather, security teams must practice cyber vigilance.

Practicing Cyber Vigilance

As we are all digitally transforming and modernizing our infrastructure, organizations should employ the following tactics to remain vigilant and resilient:

  • Operationalize hardening immediately.
  • Increase situational awareness by integrating network detection response capabilities with endpoint detection response capabilities.
  • Secure workloads and containers.
  • Encourage developers to pursue strategies of rugged coding and DevSecOps.
  • Track identities on the move and embrace multi-factor authentication.
  • Conduct regular threat hunting, but expand it to the outside general counsel, managed service provider, and marketing or PR firms.
  • Apply micro-segmentation.

The role of the CISO has emerged as a key voice that requires empowerment and a direct line of reporting to the CEO. Just as a defensive coordinator and an offensive coordinator both report to the head coach, a CISO and a CIO must both report to the CEO. As destructive and integrity attacks increase, it’s more critical than ever before that organizations have a defensive mindset at the top.

Download the full Global Incident Response Threat Report and read more about the ways defenders can fight back here.