In yesterday’s blog posting, I reviewed in some detail as to how file less attacks can be launched, and how they can 99% of the time go undetected even by the most sophisticated antimalware and antivirus software applications.
No doubt that this is a very scary proposition, at here is something even scarier. This morning, as I was perusing the Cyber news headlines of what exactly to blog about, I came across a story as to how various types of Cyberattacks are still penetrating the lines of defenses through Corporate America, and most of the time, even these go often undetected.
A leading Cybersecurity firm, known as FireEye, recently conducted a study (sort of similar to the one I discussed about in yesterday’s blog as well), which is entitled the “Mandiant® Security Effectiveness Report 2020”. The full scope and content can be downloaded at this link:
In this study, literally thousands upon thousands of tests were conducted, which included the following:
*Real world Cyberattacks (sort of like a gargantuan Penetration Testing exercise);
*Examining suspicious types and kinds of malicious behavior;
*Other forms of “actor-attributed techniques and tactics”.
These above-mentioned simulations were conducted across 11 major industrial segments, across a plethora of 123 based security related technologies. Some of these included network security, Email security, and endpoint security tools, to just name a few. Even Cloud based security tools were used as well, assuming that they were made ready and available from the Could provider.
The bottom line of this report is that although Corporate America is spending some serious dough on security technologies, the Cyberattacker is still finding their way into the backdoors of the IT and Network infrastructures of these organizations. Here are some startling, key takeaways from this report:
*53% of the simulated attacks were able to penetrate through the lines of defenses, going un-noticed;
*A mere 26% of these simulations were actually detected by the IT Security teams;
*Only 9% of the security tools actually generated some sort of meaningful warning or alert, even despite using such reputed tools as the SIEM and SOAR models.
The following depicts some of the major hurdles or challenges that Corporate America is currently facing when trying to detect any form of Cyberattack:
*Only 4% of any kind of reconnaissance activity that was conducted generated any meaningful alert or warning message;
*68% of the respondents reported that the existing controls that they have in place did not prevent the Cyberattacker from breaking through;
*It was discovered that at least 65% of the time, the Security Policy was actually to blame, because of the sheer lack of its enforcement;
*During any sort of file transfer process, even those done on a secure channel, still had some malware payloads in them that were able to make it through;
*In 97% of the situations, as just discussed, the SIEM was not able to generate any kind of alert. In other words, the system could have very well been just “asleep”.
Yes, the above numbers are actually pretty sad, so what are the fundamental reasons for them? Here are some of them, as cited by the report:
*The businesses that deploy the security tools/technologies after they have been procured are not configured to the exacting security needs and requirements of the business itself. Rather, the default settings (those that have been already preset by the vendor before the product actually shipped) were used, thus providing a very weak means of security.
*The sheer lack of resources in order to fine tune the settings of the security tools/technologies after they have been received.
*The lack of not testing in a regular fashion the controls that have been already put into place at the business.
*Any fundamental changes to the IT and/or Network infrastructure that have gone not reported because for some reason or another, they were included in the Change Management process.
My Thoughts On This
Honestly, after examining the reasons as I have just described them, I find that the reasons why Corporate America is still letting the Cyberattacker through is totally reprehensible. Yes, as I have mentioned many times in the past, we are all at risk of becoming a victim, this includes both individuals and businesses alike. But the key is being proactive in helping to further minimize that risk.
But apart from the above reasons just cited, here is my own take as to why I think the situation is the way it is right now:
*The COVID19 Crisis:
With the current WFH status, IT departments are now (or probably even have) reached their breaking points in order to meet the needs of both their employer and the end users that for it. Because of this, now IT Security teams are being called upon to augment the regular IT staff. As a result of this, dealing with the Cyber threat landscape has now become an exceptionally low priority. This is truly an extremely dangerous double-edged sword to be dealing with, because as the sheer lack of manpower is dissipating, the total number and sophistication of the Cyberattacks that are occurring now is growing at an exponential rate.
*An overworked team:
Even before the COVID19 crisis hit, IT Security teams across Corporate America were also reaching their breaking points. This has been primarily due to the severe shortage of a skilled labor force in the Cybersecurity market. But truthfully speaking, this is a pure fallacy. There are actually plenty of skilled workers that are out there, but they do not have all of the requisite experience that Corporate America wants to hire. For example, many of these potential candidates are fresh of out school with a degree in Cybersecurity, or attended a workforce training program, or have just gotten their certs. In my opinion, these people are still professionally qualified, but they simply need on the job training to further hone in and refine their skillsets. Once again, Corporate America only wants experience, because they do not want to waste the time in training these candidates. My message to the CIO and/or CISO is simply this: Wake up and hire these people and train them. It will probably be one of the best investments you have ever made.
*Too any alerts and warnings:
Because Corporate America has endowed themselves to get as many security tools as they can from too many different vendors, the end result has been an over glut of too many false positives coming through, and which take forever to triage manually by the IT Security team. Because of this, many of the real and legitimate alerts and warnings fall through the cracks, thus resulting in more Cyberattacks in happening. There are two ways to alleviate this particular situation:
*Make use of Artificial Intelligence (AI) tools that can automatically filter through and weed out the false positives, thus only presenting to the IT Security team the legitimate warnings and alerts;
*Stop deploying too many security technologies from different vendors. Instead, conduct a detailed a risk analysis to determine where the soft spots are in your organization, and deploy fewer tools, but place them strategically so that you can still get the same amount, if not more levels of protection. In other words, get away from the mentality of the proverbial “Safety In Numbers”. For example, instead of deploying 10 firewalls from 10 different vendors, just deploy 3 of the them from the same vendor, in order to help create a much more seamless environment. And set those security thresholds to meet the needs of your business, do not rely upon the vendor upon whom you procured them to do this for you.
*The lack of plan rehearsals:
As the numbers from this report clearly indicate, Corporate America is simply rehearsing on a regular basis the plans that they have set forth in place (but this is even assuming that they even have one). But, perhaps maybe the one good thing that has come out of this pandemic is that businesses are now starting to realize the importance the importance of having a Security Policy, as well as Incident Response (IR)/Disaster Recovery (DR)/Business Continuity (BC) plans in place. But apart from having them, they almost must be practiced and updated to address the lessons learned and what can be better done in the future.
*Not testing controls:
Let us face it, in today’s Cyber world, data privacy is fast becoming the norm. That is why the GDPR and the CCPA have been enacted to protect the consumers. It is up to Corporate America to test their controls and further refine them. If not, you will be faced with huge fines and penalties that could completely eradicate your business altogether. Also, implement a Change Management process so that everybody will be in the loop for any transitions that are expected to occur in the IT and Network infrastructures.