As we look to the New Year many of us make resolutions – getting healthier, learning a new skill, saving money, or making more time for family and friends. With 2018 just around the corner, the challenge now is to stick to that resolution and this is where many of us fail. Often the goal is too broad, or we don’t have a plan for achieving it. As security professionals we’re always resolved to look for ways to mitigate digital risk to our business and 2018 is no different. The trick to achieving this goal is to determine how to get the biggest return for our efforts and develop an action plan. To do this, let’s start by considering what the threat landscape will look like over the next 12 months and focus on two areas that will continue to present opportunities for attackers.
Supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in the next year. Of note, intrusions resulting from the compromise of software suppliers have been the most detected. Software supply chain attacks that were reported in 2017 alone included the June 2017 NotPetya attacks, the ShadowPad backdoor that was distributed through NetSarang software, the distribution of trojanized CCleaner software and modification of the Windows event log viewer called EVlog. Suppliers are attractive initial targets as they either have privileged access to customer networks, or provide regular software updates to customers. This means compromised software versions (containing malware) will be whitelisted or overlooked by customer security teams and systems.
Wormable malware. Some of the biggest cyber incidents in 2017 revolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. We’ve also see the Bad Rabbit ransomware that reportedly spreads via a combination of Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol. A wormable Trickbot banking trojan was also reported in Jul 2017. We can expect malware modified with self-replicating capabilities to continue in 2018, particularly given the disruption caused by WannaCry and NotPetya which is inspiring similar attacks.
With these two types of threats likely to continue into 2018, here are five concrete things you can do to focus your efforts and keep your resolution to mitigate digital risk.
1. Hold suppliers to certain standards. Suppliers and third parties are often seen as easier entry points for attackers, especially as many do not have adequate security maturity levels. Define a supplier management policy that classifies vendors and identifies appropriate controls based on access granted to sensitive data and critical systems. Regularly audit and enforce these security measures.
2. Apply privilege management measures. Suppliers are often given much broader access to company networks than internal users are offered. Instead, organizations should apply privilege management measures. For example, separation of duties ensures no single individual can perform all privileged actions for a system, and least privilege provides only the bare minimum level of access to perform their jobs.
3. Address vulnerabilities. Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. For example, Microsoft has issued a patch that prevents the exploitation of the SMB network service for lateral movement within target networks. In addition, disabling unneeded legacy features will reduce the scope of work and further mitigate risk.
4. Restrict communications. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.
5. Understand and backup data. Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. For critical data and systems, use cloud-based or physical backups and verify their integrity. Ensure that backups are remote from the main corporate network and machines they are backing up.
Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. Plan to proactively monitor the open, deep and dark web for mentions of your company or industry to know if you’re being targeted. Also monitor for suppliers’ names to uncover if threat actors have set their sights on key partners and if such activity may put your organization at risk.
Whatever happens in 2018 and beyond, cybercrime will continue to be a problem. We can improve our chances of sticking to our resolutions by focusing our efforts in a few manageable areas. Even just one of these activities can help you better manage your digital risk. And with continuous monitoring, when something bad does happen, you will know quickly and can deal with it more effectively.