Posts

2020 Threat Hunting Campaigns and the Lessons Learned

Society has learned a lot of lessons in 2020. While many may focus on the covid-19 pandemic, it’s fair to say that cybersecurity faced its share of challenges too – especially with many organizations being thrust into a remote working environment.

For Proficio’s Threat Intelligence team, we had to face a slew of new threats, all while battling some familiar faces as well. We spent the last year doing extensive threat hunting campaigns, learning and improving along the way.

Here are three things we’ve learned this year and how you can use them to improve your cybersecurity in 2021.

1.    Old Threats, New Faces: Malware and Phishing Continue to Endure

In 2020, malware, often in the form of a ransomware attack, continued to be incredibly prominent. The most popular variants we encountered were those that exfiltrated the victim’s data as a way of threatening victims who refuse to pay their ransom, such as REvil/Sodinokibi and DoppelPaymer.

Also popular are phishing attacks, which continue to be a key technique utilized by all classes of attackers. This was especially noticeable when many cybercriminals took advantage of COVID-19 as a topic to lure victims, but there have also been other varieties of phishing campaigns with different contents and formats to trick victims. As hackers adapt to a reality where cloud service offerings like Office 365 are increasingly used in corporate environments, one very common tactic we observed is the use of fake Microsoft login pages. We have been able to identify a significant number of these during our threat hunting campaigns, like the one seen in this HTM spear-phishing email campaign.

There have also been multiple attack campaigns that utilized unpatched vulnerabilities in widely used software. Some examples of campaigns that we have investigated include attacks on the Citrix vulnerability (CVE-2019-19781) as well as the Zerologon vulnerability. There are also campaigns that exploit software updates instead of a vulnerability in the software, and compromise victims via the compromised updates. Some examples of this include the GoldenSpy campaign and the recent SolarWinds Sunburst campaign.

Below is the breakdown of threat hunting campaigns we have conducted throughout 2020. It also highlights where we had identified and escalated incidents of true positive hits to our clients.

Threat Hunting Campaigns with Escalations Chart

While attackers will continue to use these avenues to exploit victims, there are still some common precautionary measures that can be taken to further safeguard you and your organization:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Performing regular backups on critical files and systems.
  • Keeping your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

2.   The Constant Evolution: Handling Increasingly Disparate Threats

Given the ever-evolving threat landscape, Proficio’s Threat Intelligence Team is constantly on the lookout for the newest cyber threats. We keep a close eye on the news and initiate threat hunting campaigns for threats are likely to have an impact on our clients. Throughout 2020, we conducted a significant number of threat hunting campaigns based on this research as well as threats found within our clients networks. We continually are looking for ways to improve how we conduct our threat hunting campaigns, as well as how we store and share information of interest with our internal teams and clients, to maximize our efficiency and make sure we give our clients the best protection possible.

When our team was first established, most threat hunting campaigns were self-contained within the Threat Intelligence team. As time progressed, and threats became increasingly complex, we found ourselves working with other internal teams, such as Security Advisors or Project Managers. We find collaborations can make us more effective and ensures all teams within Proficio are able to quickly and efficiently take appropriate actions when required, ensuring consistency of our security operations.

In addition, the structure and methodology we used for carrying out our threat hunting campaigns grew increasingly more robust throughout the year. We are better able to conduct rapid-response research and data collection efforts, with a clear plan of actions and priorities for every campaign we embark on. Depending on the extent of the hunt and the platforms used for searches, the amount of time taken to provide our clients with our investigation findings can vary from a few days to over a week; However, these efficiencies and improved methodology have allowed us to decrease our turnaround time.

In order to adapt to the more complex threat landscape, our threat hunting campaigns must continue to evolve; we have gone from using simple IOCs, like file hashes and IP addresses, to tactics, techniques and procedures tied to that of our adversaries. We have also transformed the way we document our threat hunts. We found that by enhancing our investigation write-ups with threat diagrams, attack maps and incorporating the MITRE ATT&CK classification framework, we are better able to organize our findings to create a library. We also take inspiration from documentation produced by other well-established security organizations sharing information such as JPCERT.

Creating a library of your threat hunts over time is a great way for any organization to better track the adversaries your organization is dealing with. In addition, the cybersecurity community has a tremendous amount of open source tools to take advantage of, that will better help us all defend against cybercriminals.

3.   Outside Looking In: Synergizing Efforts to Create Maximum Value

As a team, we are always looking for ways to synergize everything we do as force multipliers that help  make a big impact on all our clients.

We keep up with threat news and developments in cybersecurity on a daily basis, sharing those that we found to be potentially relevant on our official Twitter account. We also have a Threat Intelligence page, where you can sign up to receive a weekly threat digest with the top threat news each week.

These tools play a big part in our ongoing data collection efforts, allowing us to better track trends in cyberattacks across different industry sectors as well as document known threat group activities. The data collected also plays a big role in terms of our decision to initiate threat hunting campaigns, with the goal of identifying potential attacks or existing compromises that might have slipped past the cracks.

One of the greatest things about the cybersecurity community is that they are open to sharing knowledge in our joint efforts to combat cybercriminals. We recommend you join communities and follow along with the latest trends – and if you’ve found something, we encourage you to also share what you learned, so others can benefit from your research! That’s how we make the community stronger, one threat hunting campaign at a time.

While the Threat Intelligence team observed numerous new cyberthreats throughout 2020, we have no doubt the uphill battle on cybercrime will continue into 2021 and beyond. We will continue to conduct high-quality investigations for our clients for any relevant threats and share these findings, both with our clients and the community as a whole, in hopes to do our part in this war on cybercrime.

Cybersecurity in the Next Decade – Proficio’s Projections for the 2020s

2019 was another busy year for cybersecurity professionals. There were more security incidents than in any previous year, and they included some of the largest breaches of all time. According to Forbes magazine more than 4.1 billion records were compromised.

Looking forward to the next decade, we expect cyber defenders to still face many challenges. Fueled by the growth of the Cloud, IoT devices, and mobile, the attack surface will continue to grow exponentially. Cybercriminals have been using Machine learning and will expand on its use in the coming year. Nation States will invest more in cyberwarfare to target government, Critical infrastructure, and organizations.

Proficio has been providing our clients managed security services for nearly a decade. Our understanding of the cybersecurity landscape is informed from being both a user and a provider of cybersecurity technology. The following projections define 10 important changes that we see driving the cybersecurity agenda over the next decade:

  1.  AI Gets Real AI Cybersecurity

At Proficio, we have been both experimenting and deploying Machine learning (ML) for years. We think ML is now transitioning out of the early stages of the Hype Cycle into the early stages of broader adoption as a credible cybersecurity technology necessary for a meaningful part of any cyber defense arsenal and playing a significant role for Incident Response (IR) and Security Operations Center (SOC) teams.

There’s been a lot of talk about the potential for ML to replace Level 1 or 2 Security Analysts. We strongly disagree. We see ML as a tool that augments Security Analysts, helping them to identify relationships between seemingly unrelated events, cutting out false positives, and detecting anomalies. Combined with threat intelligence, ML will enable security teams to detect and respond to security incidents faster, more effectively, and with far fewer people than would otherwise be possible.

  1. Automation to the Rescue

Talk to any CISO and it won’t be long before you hear an anecdote that illustrates the cyber skills gap. Conventional wisdom is the shortage of cyber professionals is now measured in millions, and when you peel back this issue, the gap is more complicated by the range technologies used to ensure a strong cyber defense. In addition to Security Analysts, Incident Responders, and SIEM Engineers, organizations are now in need Data Scientists and ML Experts.

We don’t expect the cyber skills gap to go away in the 2020s, but there is light at the end of the tunnel in the form of SOAR (Security Automation, Orchestration, and Response). Proficio was the first MSSP to create a proprietary SOAR platform and today automation plays a significant role in the services we deliver.

SOAR platforms promise to help SOC and IR teams reduce response times, cut down on manual work, and engineer repeatable, semi-automated processes. By creating standardized, repeatable processes — and automating them where possible — SOAR reduces the burden on security teams. In addition, a SOAR platform integrates with other technologies and provides a single orchestration interface for security teams. Instead of learning to use five or more different tools, security engineers need only become accustomed to a single interface that is integrated into their operational processes.

  1. GDPR Goes Global

Since the General Data Protection Regulation (GDPR) came into effect in May 2018, organizations with EU customers have had to step up their data privacy compliance processes and systems.

Historically, the major compliance frameworks (PCI-DSS, HIPAA, ISO27001, etc.) were akin to audit checklists. So long as you ticked off certain requirements — and you could prove it — your job was done. It didn’t matter if you were actually secure, as long as you followed the rules.

But GDPR changed the game. Now, instead of a checklist, organizations are responsible for collecting, analyzing, and acting upon security data to ensure the ongoing protection of sensitive assets. If an organization is breached, and sufficient action wasn’t taken to prevent it, irrespective of any checklist, large fines will follow.

We believe that in the next decade GDPR like regulations will be adopted by most developed nations, and the afore mentioned industry specific compliance regulations will adopt a similar stance and have already started to do so.

  1.  The Cloud is the Thing

In terms of decades, if the 2000s were about defining the perimeter and improving perimeter security controls and the 2010s we same the introduction of evasive techniques and more sophisticated maleware that evolved over time bringing about the need for next generation technologies, including endpoint, firewalls and software defined perimeter controls within virtualized platforms, the 2020s will significantly expand on the extension of the security controls into the cloud as the adoption of cloud and hybrid architectures become more mainstream.

Data and applications have been moving to the cloud for a while now. Not only are cloud environments more complex to secure than local datacenters, they’re also vulnerable to a wider range of cyberattacks. For these reasons, some organizations have avoided a complete move to the cloud in favor of a hybrid approach.

Over the next decade, security and IT leaders will need to look for ways to secure complex, multi-cloud environments while retaining control over how cloud services are consumed. IT will need to find a way to be an enabler within the organization by defining standards that allow for the adoption of cloud technologies and limit shadow IT.

Cloud Access Security Broker’s will continue expand its use as more organizations consume cloud services in all areas of their business operations. This is a key enabler that protects corporate assets and data, reduces the burden on IT, and allows the business to explore new and improved technologies that better enable them.

We expect the compensating controls within big cloud infrastructure platforms — Azure, AWS, and Google Cloud, among others — to mature. This is an inevitable response to a clear business need, as cloud providers seek to keep customers ‘on brand’.

Security leaders will need to ensure that tools being used to secure traditionally hosted data and services also extend to the cloud. This may take time to fully realize because many security tools currently don’t work well in the cloud. However, now that cloud usage has become the norm, security vendors are scrambling to ensure their tools remain relevant, you will also continue to see cloud focused security vendors becoming more relevant and even prominent amongst the startups.

  1.  Marie Kondo for Security Tools

When organizations began to take cybersecurity more seriously, they went on a security tool buying spree resulting in a proliferation of tools that often did not work together. This was made worst by the abundance of Cybersecurity startups that claimed to be the next best thing and were trying to define a new market, which has created significant confusion in the industry compounded by baseless opinions often using marketing and global reach as an indication of effectiveness of a technology.

There were two big problems with this approach. First, it was expensive. Second, it introduced another problem: The hidden cost of resources to manage these tools, a “Best of Breed” purchasing strategy creates unnecessary complexity in the architecture requiring more trained resources to manage all the technologies in alignment with the vendor recommended best practices. This approach generally results in duplication of functionality across technologies and as a result ineffective implementations and underutilization of the investment.

Cybersecurity industry is slowly maturing, organizations are realizing that they can’t solve all security problems by purchasing extra tools. It’s often quite the opposite. They need to simplify their technological footprint while focusing on the other two components of a functional security program: a strong team and effective, repeatable processes.

Similar to Marie Kondo’s approach to simplifying and organizing household belongings, we expect security leaders to see that their teams are better off maximizing the value of a handful of core tools rather than they are using just 5-10% of the functionality of many disparate technologies, we expect smarter purchasing decisions that factor in cross vendor integration capabilities or through consuming technology as a service from an MSSP focusing their buying decision on a business outcome.

5G Globe

  1.  The Rise of 5G

The 2020s will be the decade of 5G. Any time there is a greater than 10X change, you should expect significant related affects. The promise of 5G is to improve mobile data rates and latency by 50 to 100 times. This technology will enable new applications, restructure cloud architectures, and notably be used in mission critical enterprise applications like factory automation, robotics, transportation, and more.

5G will accelerate virtualization, proliferate distributed edge networks, and enable hackers to attack more devices at faster speeds. Cyber defenders will need to respond with new policies, security virtualization, tighter access controls, and approaches to device authentication. Next generation endpoint security technologies will need to be far more effective on mobile technologies being more effective of locking down the OS of the devices and access to the hardware capabilities and apps. Think crypto jacking on mobile devices as an example of an attack type that would become viable.

  1.  The SOC of the Future

A Security Operations Center or SOC is the nerve center where a team of security experts monitors and responds to cyber threats on behalf of their organization. Proficio operates a global network of SOCs and is leader in innovating how SOCs operate for maximum effectiveness.

Over the next decade we expect the way SOCs function to change in a number of ways;

Historically, security event monitoring and response has been log-centered. If a log entry flagged as suspicious, an alert was created and investigated by a security analyst. This approach is problematic when it comes to unknown threats because, until a threat has been seen and reported, there’s no rule to detect it. Unless an organization has an active threat hunting program in place, such threats can go undetected for some time. Keep in mind that the current industry average for mean time to detection of a breach is 200 + days.

We expect SOCs to adopt frameworks like the MITRE ATT&CK which encourages security teams to think in terms of tactics, techniques, and procedures (TTPs). While a new threat may contain hashes, C&C infrastructure, or URLs that haven’t yet been categorized as malicious, only a tiny proportion of threats use completely new and innovative TTPs.

As a result, a security program that’s setup to identify TTPs (rather than specific indicators) is much more likely to identify attacks and breaches.

For many organizations, a fully-functional 24/7/365 operation is essential to ensure the ongoing security of sensitive data and assets. For all but the largest and most profitable organizations, however, building a security function of this magnitude is simply not financially viable. Currently the minimum viable number of resources for an average organization of about 3000 employees, to implement a 24X7 SO operation, is 27, this gives them the minimum viable for shift coverage, and this assumes a well rounded optimized technology stack for security control enforcement and monitoring. The challenge with this is that your resources would only have an effective average utilization of less than 20%, which is not very conducive to staff retention . Add this to the ever-present challenge of the cybersecurity skills gap, and it’s easier to understand why many organizations will turn to Managed Security Service Providers (MSSPs) to supplement the capabilities of in-house resources.

Women represent about a quarter of the cybersecurity workforce. We expect this percentage to increase considerably over the next decade with the consummate benefit of reducing the shortage of cyber professionals and adding diversity.

  1.  More Intelligent Patching

Vulnerability Management is key to a mature security program. However, VM Scans can generate so many vulnerabilities that IT teams only have the resources to patch a fraction of the hosts and devices identified as requiring updates. Sometimes the quantity of alerts can be so overwhelming that it slows down remediation or results in no action at all.

The solution to this challenge is to prioritize based on the risk of a vulnerability being exploited in the context of the criticality of the asset, industry vertical, and level of known activity in the wild. Vulnerability Management needs to become a process that prioritizes based on risk, includes expert advice on the best approach to remediation, and measures and reports on progress.

We see Risk-based Vulnerability Management becoming standard to most organizations over the next decade.

  1.  Don’t Forget Humans are Fallible

Human error is the second most common cause of a security breach. Human errors range from configuration errors on cloud architectures, servers and security devices to failure to follow organizational policies by administrators and users alike.

Humans are not going to change. So, to compensate for this reality we urge IT leaders to prioritize training, process control, and use technology where possible to automate tasks and detect issues resulting from simple mistakes.

  1. In the End It’s All About Risk

It is inevitable that most organizations will experience a security breach at some time. The operational priority for any organization is to quickly detect and remediate a breach.

In the 2020s, we expect IT leaders will increasingly need to explain the magnitude and types of cyber risk that apply to their organizations and provide their executive teams with strategic options to reduce risk.

Shareholders and customers want to understand what organizations are doing to protect important assets and data.

Up until now, security leaders have been forced to spend a huge amount of time preparing reports for board and stakeholder consumption. Many resorted to Excel and manual databases because alternatives weren’t available.

Over the next decade, security leaders will rely on business intelligence dashboards that show the threats facing their organizations and trends by type of attacks and attack targets. These dashboards will summarize the organization’s security posture, identify gaps, and compare risk with that of industry peers in near realtime as apposed to a monthly point in time based on sometimes limited and stale data. Proficio’s ThreatInsight is an example of such a dashboard

2020s: A Decade to Embrace Change

As we wave goodbye to 2019, we are excited about the changes that the next decade will bring and looking forward to helping our clients protect their data and brand.

From all of us at Proficio, we wish you a safe and successful 2020.

 

Happy New Year 2020