With cyber-threats continuing to evolve, organisations need to remain in the fight in 2021
Article by ThreatQuotient senior vice president of strategy Jonathan Couch.
2020 is the year organisations, businesses, governments and everyday internet users confronted the reality that doing the bare minimum when it came to cybersecurity was never enough.
To cyber-criminals, no organisation or user is off-limits. Sophisticated cyber-criminals will target larger companies with a larger buyout, while less sophisticated cyber-criminals can just as easily target average users and syphon hundreds of dollars, depending on the value of the files encrypted.
Experts have discussed how security operations teams need to be more proactive and less reactive to improve agility, and that SecOps needs to adapt faster than the threats they are facing.
As the threat landscape continues to grow and evolve, this is one of those things that may never happen. But this doesn’t mean all is lost — teams can make improvements in 2021 by having a more comprehensive understanding of the threats that are out there and defining how they conduct operations to offer flexibility to adapt better. Response teams should know the risk and understand what they are trying to fight and be able to adapt.
An alternative approach to ‘people, process, and technology’ is to look at SecOps as data, systems, and people. Two ‘systems’ markets that can help SecOps teams with their agility are Security, Orchestration, Automation and Response (SOAR) and Extended Detection and Response (XDR).
Both of these markets are still being defined, but at their core, they bring in automation (SOAR), so organisations can adapt quicker, and systems and data awareness (XDR) so everyone knows what threats they are trying to fight.
It’s not a new concept, but adversaries always go for what is easy — why change if it’s working? As organisations advance their response efforts to keep up, adversaries will also adapt and change their tactics to regain the advantage. This happened over the past year with the influx of COVID-19-related breaches, with cyber-criminals taking advantage of vulnerable organisations settling into the new remote working situation, which exposed broader areas of attack.
In 2021, organisations will get serious and more proactive in their cybersecurity response by shoring up defences and awareness around phishing, backups (offsite and encrypted), and cyber insurance.
Malware itself is becoming more specialised and modular. BlackEnergy and Emotet are two great examples, both started as banking malware, and both have since evolved into more modular malware where the code has one or two basic functions: infection and then propagation to other users/hosts.
Once installed, the malware can be instructed to download other modules depending on the target and the end goals of the adversary. It is ‘plug and play hacking’ at its best.
Emotet first started in 2014, with its first versions focused as a credential theft trojan, collecting usernames and passwords (mostly banking-related) and spreading via email. By 2017, it had adapted and grown substantially, becoming more modular, allowing for plug-ins, rather than limited built-in capabilities. All kinds of malware and trojans can now leverage Emotet spam capabilities to spread and then download secondary malware packages for specific functions.
In 2018, Emotet was observed collecting emails and metadata from infected systems. It is possible this was the beginning of the growth into the current spreading we see today where Emotet looks at inboxes, finds conversation threads and uses replies to those threads to infect other users (at which point, the secondary malware payloads, like TrickBot, are downloaded).
Modular malware like Emotet is the future of cyber campaigns. Many nation-state attacks have leveraged modular design so they can use a single tool for initial infection and then download whatever other capabilities they need to attack the target.
This modular update has allowed Emotet to now be used for ransomware distribution, in addition to banking credential theft. Attackers are setting themselves up for access to a variety of systems: personal, business, and government. Because the malware is now modular, attackers can target specific capabilities of specific victims to maximise their financial results.
Organisations need to stay updated on threat intelligence and streamline IOCs and signatures into their defensive technology stack, as quickly as possible, to try and block or detect malicious activity before the adversary has time to ransom their files.
While adversaries will continue to advance, SOAR and XDR technologies will evolve and mature in 2021, giving teams of all maturity levels the data, systems and people they need to align and be agile.