Cybersecurity Mitigations No Organisation Can Afford to Ignore
Sander Vinberg, the Senior Threat Evangelist at F5 Labs, highlights the tactics organisations need to stay safe
Every year, F5 Labs publishes the Application Protection Report. Our goal is to document the evolution of the threat landscape so that security practitioners can fine-tune their defenses accordingly. The report aims to clarify the relationship between target characteristics and attacker behaviour so that each organization can focus on the threats that apply most to them.
Based on our research, these are the cybersecurity mitigation measures no organisation can afford to ignore. (Note – The analysis is primarily based on successful attacks, so the recommendations are more of a bare minimum than a complete, holistic security architecture).
Data backups need to be part of every organization’s strategy, and it is often difficult to assess the robustness of a backup program until it is tested. Many good backup programs employ several different modes, with longer-term backups air-gapped, stored on physical media off-site, or using other degrees of protection.
However, beginning in 2020, ransomware strategies evolved to exfiltrate data before triggering encryption, which reduces the power that even good backups have to control ransomware risk completely. Sure, with the right backups you can restore operations once your environment is cleaned up, but the data is gone, and you still have to deal with the attacker and ransom. A robust ransomware strategy needs to start with backup, but the preceding attacker behaviours, the methods of initial access, lateral movement, execution, persistence, and exfiltration need to be controlled as well.
Application Isolation and Sandboxing
This primarily takes the form of various forms of virtualization, such as virtual machines, containers, and browser sandboxing. This type of control can help mitigate several exploit-based approaches observed in 2021, including Exploitation for Client Execution, Exploit Public-Facing Application, and Drive-by Compromise.
The most obvious form of exploit protection is the use of a web application firewall (WAF). Despite the declining prevalence of web exploits in the data, a WAF is still critical for operating a modern web application. It is also a requirement for PCI-DSS, which applies specifically to the credit card numbers so heavily targeted by formjacking attacks. There are also a growing number of behavioural approaches to exploit protection that appear promising.
Network segmentation is a particularly underrated control, given how ransomware approaches have changed the threat landscape since the pandemic began.
It can shut down a huge number of attack vectors, five of which were observed in the 2021 data: Exploit Public-Facing Application, Automated Exfiltration, Exfiltration Over Web Service, External Remote Services, and Exploitation of Remote Services.
Furthermore, it makes exfiltration and lateral movement particularly difficult. Some cloud-native applications may have implemented the same control objectives using identity and access management, but for organizations with hybrid environments or legacy applications in the process of moving to the cloud, this is still an important approach.
Privileged Account Management
While the creation of privileged accounts is straightforward, the deletion of them is often overlooked, so they should be audited regularly to ensure they are decommissioned when they are no longer necessary.
The log4shell campaign that unfolded in late December 2021 is a reminder of the importance of software maintenance, not merely the software organizations produce or use, but all of the subcomponents and libraries necessary to keep everything running.
Regular vulnerability scanning adds situational awareness and flexibility to a vulnerability management program. This should include a public-facing scan from the Internet and an internal scan to assess how an environment appears to attackers.
Code signing is another underused approach, in light of architectural trends that pull code from disparate sources at runtime. In particular, sub-resource integrity (SRI) headers can ensure that external scripts haven’t been modified when they are called at runtime. As applications increasingly rely on external scripts to pull in new features, SRI is a powerful tool to shut down vectors, including many of the initial access techniques seen in formjacking and Magecart attacks.
Restrict Web-Based Content
|This is a broad-reaching control objective that can manifest in many ways, but all centering on controlling avenues for both unauthorised access and exfiltration, such as blocking specific file types, known malicious IP addresses, and external scripts. This approach can shut off a wide range of attack vectors, including malicious script injection, phishing, and malvertising.
Content security policies (CSPs) appear underused for such a powerful and free control for restricting web content. During a scan that F5 Labs ran in August 2021 for the 2021 TLS Telemetry Report, HTTP response headers for the Tranco top 1 million sites were also collected. Just over 6% of the top 1 million had a CSP header in the server response. The most frequent directive in those CSPs was upgrade-insecure-requests, which ensures that cross-site requests travel over HTTPS. Upgrade-insecure-requests showed up in 2.5% of sites, followed closely by frame-ancestors. Other elements that are more frequent vectors for injection of malicious scripts, such as script-src, img-src, and frame-src, are less common.
Network Intrusion Prevention
Intrusion prevention systems are no longer the leading-edge controls that they were a decade or more ago, but as lateral movement and deployment of malware appear to be on the rise, this kind of control is valuable as part of a defense-in-depth approach that also uses a WAF and other controls.
Every organisation of every type should have antimalware capabilities. However, because malware needs to be placed on a system to work, it is never the first step in an attack. Because of this, antimalware needs to be part of a more holistic strategy.
Disable or Remove Feature or Program
While the corresponding attack techniques were observed in only 12% of attack chains, disabling or removing features or programs would mitigate five observed techniques in the 2021 data: Command and Scripting Interpreter, Exfiltration Over Web Service, External Remote Services, Exploitation of Remote Services, and Cloud Instance Metadata API. The log4shell events in December 2021 are a reminder that zero trust and least privilege need to apply to systems as well as people as applications and environments grow in complexity.
Special Mention: Cloud Configuration Management
The absence of configuration management or change management structures from on-premises days does not obviate the need for a corresponding structure in the cloud. Guides and information for cloud configuration management are plentiful for all public clouds, and organisations running customer-facing applications in the cloud should treat these guides as doctrine.
Threat Assessment: Royal Ransomware
Written by Doel Santos, Daniel Bunce, and Anthony Galiette
Unit 42 has published a blog post detailing the Royal ransomware group, which has been recently involved in high-profile attacks leveraging multi-extortion tactics against critical infrastructure including healthcare and manufacturing. Unlike other major ransomware groups (e.g., LockBit 3.0) that operate on a RaaS model by hiring affiliates to promote their services, this group operates behind closed doors – and comprises former members of the notorious Conti ransomware group.
It is important to note that Royal ransomware extends beyond financial losses to small businesses and corporations. Since 2022, Unit 42 has observed this group impacting local government entities in the US and Europe, most recently the group attacked the city of Dallas. In the last 9 months, Unit 42 incident responders have responded to over a dozen cases involving Royal ransomware.
Below are some additional facts about the group from Unit 42’s findings:
- Since 2022, Royal ransomware has claimed responsibility for impacting 157 organizations on their leak site.
- They have impacted 14 organizations in the education sector, including school districts and universities. In the first few days of May 2023, the group has already impacted four educational institutions.
Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti.
The Unit 42 team has observed this group compromising victims through a BATLOADER infection, which threat actors usually spread through search engine optimization (SEO) poisoning. This infection involves dropping a Cobalt Strike Beacon as a precursor to the ransomware execution. Unit 42 incident responders have participated in 15 cases involving Royal ransomware in the last 9 months.
Royal ransomware also expanded its arsenal by developing an ELF variant to impact Linux and ESXi environments. The ELF variant is quite similar to the Windows variant, and the sample does not contain any obfuscation. All strings, including the RSA public key and the ransom note, are stored as plain text.
Time for the Gaming Industry to Level Up Against DDoS Attacks
Written by Matthew Andriani, CEO, MazeBolt Technologies
Distributed denial of service (DDoS) attacks present a significant threat to organizations as they grow in sophistication and frequency. According to several studies, the average successful DDoS attack in 2022 lasted for over 50 hours, compared to 30 minutes in 2021. As the entertainment world’s largest source of income, the gaming industry has become a prominent target for DDoS attacks. The gaming industry houses several different entities that need protection in tandem with gadgets such as online access for consoles, smartphones, and cloud-based casual games – leaving the door open for cybercriminals to capitalize on the ever-expanding attack surface.
Without adequate visibility into DDoS vulnerabilities, an attacker can exploit thousands of entry points without notice, the only way a successful DDoS attack can occur is because of a vulnerability in the DDoS protection. It may only take one attack for an application to experience downtime, costing the businesses hundreds of thousands to millions in revenue along with their reputation within the gaming space. When an attack does occur, organizations are forced to operate in a reactive scenario that will only disrupt business and risk further downtime. As the DDoS attack surface continues to expand, gaming companies must gain insight into their vulnerabilities to close these gaps in protection and ensure players remain online.
The evolution of DDoS within the gaming industry
There are several enticing factors behind launching a DDoS attack in the gaming industry, including competition, extortion, and at times, disgruntled gamers. Threat actors know exactly how much in revenue and reputational costs a minute of downtime will have on the organization. Competition is a particularly critical factor because if one site goes down, users can easily pass to the next online platform to continue their gaming experience.
Likewise, extortion has become an easy way for attackers to monetize the industry by threatening to attack an online gaming company unless a payment is made, specifically after a demonstration that the threat is real. Online gaming platforms especially house big players in this field with great sums of money at stake, placing a large target on these organizations for cybercriminals to exploit.
There is also a growing trend among disgruntled gamers, known as ‘DDoS for hire’. Individuals no longer need to be knowledgeable about the functions of DDoS attacks, rather, they can have someone else launch the attack on their behalf. Gaming organizations are heavily investing in DDoS protection. The problem is that they are not consistently scrutinizing every vulnerability across the attack surface – the only reason gaming companies are experiencing downtime is because of a vulnerability in the protection they have already implemented.
Deploying a tier-one DDoS protection provider can only ensure around 60% automated protection into the attack surface, the other 40% must be continuously scrutinized with visibility tools. While many of these gaming organizations have the best protection in place, they don’t have the list of vulnerabilities within that solution. Without this critical insight, it’s impossible to manage the vulnerabilities and protect against this growing threat.
A race against time
It’s no longer an if, but when a gaming organization will suffer from a DDoS attack. This is not a new concept to the industry – it is well-known that these attacks are being launched at an alarming rate. To transform DDoS protection processes, gaming companies should start with a trusted solution that continuously identifies vulnerabilities across the attack surface, while speeding up the remediation process to ensure the damaging downtime is minimized.
Once these vulnerabilities are identified, organizations must confirm their closure to provide a more solid defense. At this stage of the process, the company is battling the clock to prevent further damage. Organizations that cannot keep up with this process will continue to experience downtime, and DDoS mitigation vendors not actively engaged in vulnerability management will be at a major disadvantage when working to avoid damaging DDoS attacks.
If you are not at the top of your game with DDoS protection, your organization will be knocked offline, costing millions in downtime and reputational losses.
The Chief Zero Trust Officer: A New Role for a New Era of Cybersecurity
Written by John Engates, Field CTO at Cloudflare
Over the last few years, the topic of cyber security has moved from the IT department to the board room. The current climate of geopolitical and economic uncertainty has made the threat of cyber attacks all the more pressing, with businesses of all sizes and across all industries feeling the impact. From the potential for a crippling ransomware attack to a data breach that could compromise sensitive consumer information, the risks are real and potentially catastrophic. Organizations are recognizing the need for better resilience and preparation regarding cybersecurity. It is not enough to simply react to attacks as they happen; companies must proactively prepare for the inevitable in their approach to cybersecurity.
The security approach that has gained the most traction in recent years is the concept of Zero Trust. The basic principle behind Zero Trust is simple: don’t trust anything; verify everything. The impetus for a modern Zero Trust architecture is that traditional perimeter-based (castle-and-moat) security models are no longer sufficient in today’s digitally distributed landscape. Organizations must adopt a holistic approach to security based on verifying the identity and trustworthiness of all users, devices, and systems that access their networks and data.
Zero Trust has been on the radar of business leaders and board members for some time now. However, Zero Trust is no longer just a concept being discussed; it’s now a mandate. With remote or hybrid work now the norm and cyber-attacks continuing to escalate, businesses realize they must take a fundamentally different approach to security. But as with any significant shift in strategy, implementation can be challenging, and efforts can sometimes stall. Although many firms have begun implementing Zero Trust methods and technologies, only some have fully implemented them throughout the organization. For many large companies, this is the current status of their Zero Trust initiatives – stuck in the implementation phase.
But what if there was a missing piece in the cybersecurity puzzle that could change everything? Enter the role of “Chief Zero Trust Officer” (CZTO) – a new position that we believe will become increasingly common in large organizations over the next year. The idea of companies potentially creating the role of Chief Zero Trust Officer evolved from conversations last year between Cloudflare’s Field CTO team members and US federal government agencies. A similar job function was first noted in the White House memorandum directing federal agencies to “move toward Zero Trust cybersecurity principles” and requiring agencies “designate and identify a Zero Trust strategy implementation lead for their organization” within 30 days. In government, a role like this is often called a “czar,” but the title “chief” is more appropriate within a business.
Large organizations need strong leaders to efficiently get things done. Businesses assign the ultimate leadership responsibility to people with titles that begin with the word chief, such as Chief Executive Officer (CEO) or Chief Financial Officer (CFO). These positions exist to provide direction, set strategy, make critical decisions, and manage day-to-day operations and they are often accountable to the board for overall performance and success.
An old saying goes, “When everyone is responsible, no one is responsible.” As we consider the challenges in implementing Zero Trust within an enterprise, it appears that a lack of clear leadership and accountability is a significant issue. The question remains, who *exactly* is responsible for driving the adoption and execution of Zero Trust within the organization?
Large enterprises need a single person responsible for driving the Zero Trust journey. This leader should be empowered with a clear mandate and have a singular focus: getting the enterprise to Zero Trust. This is where the idea of the Chief Zero Trust Officer was born. “Chief Zero Trust Officer” may seem like just a title, but it holds a lot of weight. It commands attention and can overcome many obstacles to Zero Trust.
Implementing Zero Trust can be hindered by various technological challenges. Understanding and implementing the complex architecture of some vendors can take time, demand extensive training, or require a professional services engagement to acquire the necessary expertise. Identifying and verifying users and devices in a Zero Trust environment can also be a challenge. It requires an accurate inventory of the organization’s user base, groups they’re a part of, and their applications and devices.
On the organizational side, coordination between different teams is crucial for effectively implementing Zero Trust. Breaking down the silos between IT, cybersecurity, and networking groups, establishing clear communication channels, and regular meetings between team members can help achieve a cohesive security strategy. General resistance to change can also be a significant obstacle. Leaders should use techniques such as leading by example, transparent communication, and involving employees in the change process to mitigate it. Proactively addressing concerns, providing support, and creating employee training opportunities can also help ease the transition.
But why does an organization need a CZTO? Is another C-level role essential? Why not assign someone already managing security within the CISO organization? Of course, these are all valid questions. Think about it this way – companies should assign the title based on the level of strategic importance to the company. So, whether it’s Chief Zero Trust Officer, Head of Zero Trust, VP of Zero Trust, or something else, the title must command attention and come with the power to break down silos and cut through bureaucracy.
New C-level titles aren’t without precedent. In recent years, we’ve seen the emergence of titles such as Chief Digital Transformation Officer, Chief eXperience Officer, Chief Customer Officer, and Chief Data Scientist. The Chief Zero Trust Officer title is likely not even a permanent role. What’s crucial is that the person holding the role has the authority and vision to drive the Zero Trust initiative forward, with the support of company leadership and the board of directors.
Getting to Zero Trust security is now a mandate for many companies, as the traditional perimeter-based security model is no longer enough to protect against today’s sophisticated threats. To navigate the technical and organizational challenges that come with Zero Trust implementation, the leadership of a CZTO is crucial. The CZTO will lead the Zero Trust initiative, align teams and break down barriers to achieve a smooth rollout. The role of CZTO in the C-suite emphasizes the importance of Zero Trust in the company. It ensures that the Zero Trust initiative is given the necessary attention and resources to succeed. Organizations that appoint a CZTO now will be the ones that come out on top in the future.