At enterprises today, cybersecurity teams are narrowly focused on addressing exploits. In addition to monitoring security alerts and incident data, security teams scan technology company news and software releases for information about new vulnerabilities that need to be patched. At the same time, they’re likely paying experts to monitor online criminal marketplaces to understand the latest threats that are being productized and weaponized. All of this data helps these experts quickly evolve their strategies and reduce their company’s attack surface.
This model, unfortunately, is broken. It’s more than likely that the adversary is already hiding within the network, and equally likely that they got in with stolen, now compromised, credentials.
Digital transformation, hybrid work, third-party partnerships, and other factors have weakened security controls, created shadow IT and introduced other issues cybersecurity teams will be working on for years to come. As a result, these professionals are almost always working from a reactive position.
In addition, they assume they can keep pace with increasingly sophisticated, well-funded adversaries such as nation states. Malicious insiders, hacktivists, and curious teenagers round out the field, creating a confusing mix of attackers, motivations, strategies, and toolkits. As just one example, multiple people have been arrested for Lapsus$ hacks, including a teenager who has reportedly amassed a fortune of more than $14M in bitcoin from his attacks.
A new way of thinking about cybersecurity threats
So, if focusing on the exploit no longer works against cyber mayhem, what does? I propose that enterprises should take a different lens to improve their cybersecurity posture moving forward.
There are many ways to get user credentials: Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Verizon Data Breach Investigations Report. Compromised credentials alone are involved in 61% of attacks, because it’s easier for bad actors to go in the front door than batter systems looking for vulnerabilities. And attackers know that compromised credentials work … every … single … time. I think there’s an argument to be made that compromised credentials are involved in nearly 100% of attacks, because even if credentials aren’t used to get in the front door, they’re used by attackers—the vast majority of the time—to move around and access targeted systems and data once they’re in.
There are so many ways to harvest these credentials. In addition to mining past data dumps, cyberattackers can phish employees, use social engineering to gain personal data for password attacks, automate credential stuffing, target devices with default passwords, scan cloud environments for exposed credentials and more. Organizations need to enable multi-factor authentication, enforce least-privilege access, and automate the enforcement of password changes. Yet even this won’t be enough, as user profiles can be misconfigured, and determined insiders can maneuver around security policies and tools. As a result, cybersecurity teams must be able to identify when abnormal user behavior becomes risky, such as when administrator privileges are used to access new or existing systems in uncharacteristic ways.
Cyberattackers are already inside enterprise networks. A study found that 93 percent of corporate networks can be penetrated. Unfortunately, it’s getting easier day by day, as would-be attackers can simply buy credentials and toolkits on the Dark Web to accelerate their speed to market. Their goal isn’t always a quick data dump on the criminal underground or a ransomware payout. Sometimes attackers want to see how far and how long they can move throughout networks without being detected. As they learn more about a company’s IT systems, policies and assets, they can dream up new motivations. These goals include financial payouts (64%), fun (17%), grudges (14%), espionage (9%), convenience (3%) and ideology (1%)—or a mix of multiple aims.
Every breach is an insider threat. Cybersecurity leaders are always concerned about malicious insiders, disgruntled employees, or partners who use access privileges to exfiltrate data or cause other types of damage. Yet, the reality is more mundane. Although 94 percent of breaches involved insiders in 2021, they were more often than not due to error (84 percent), employees breaking security rules (74 percent), and phishing attacks (73 percent). As a result, cybersecurity teams must not only protect systems, applications, and data, but employees from being used as unknowing pawns in attacks.
That said, 66 percent of survey respondents said they had experienced a malicious leak in the last year. Insider data breaches are costly, typically take 85 days to detect and cost up to $15.4 million to remediate—up 34 percent from 2020. I predict that insider attacks will likely grow, as cybercriminals step up the pace of advertising to employees willing to hand over credentials and approve multi-factor authentication prompts or the installation of remote management software on their desktops. For example, one ad offered employees at companies such as Apple, AT&T, IBM, and others up to $20K a week to perform “insider jobs.”
Cybercriminals are collaborating on attack strategies: Cyberattackers aren’t just using the Dark Web as a watering hole to boast about exploits or sell services, such as stolen credentials and data or malware kits. They also use online criminal marketplaces to establish their brand and recruit and vet members, then move discussions to private, encrypted channels such as Telegram. As a result, it’s harder for enterprises to detect new attacks in the making. Companies should also collaborate. By sharing cyber intelligence through industry forums and other channels, companies can help each other and collectively evolve their response to address the latest attack strategies and tactics.
Focusing solely on exploits provides limited gains. Cyberattackers know that there is a shelf life on vulnerabilities and new attack strategies. So, they’re leveraging shared information, reconnaissance and automation to move faster. Once companies catch up, these groups are on to the next exploit. That means that cybersecurity teams who focus on exploits alone have limited visibility into how threats are evolving. Focusing on attacker behaviors instead yields richer insights that teams can act on to stop and remediate breaches.
How to match tactics with cyberattackers
So, if cyber attackers are already inside networks, traditional security tools typically won’t detect them. Outsiders and insiders are using legitimate credentials and access privileges to explore networks and launch attacks. As a result, companies need to take a different approach.
They should adopt security platforms that use machine learning to establish a baseline of normal activity for users and assets, automatically compare new activity against that baseline, and assign risk scores. As more anomalous activities occur, that risk score increases. When these activities exceed preset levels, security analysts are automatically engaged to investigate. Their work is streamlined with a machine-built timeline of a potential attacker’s complete journey, rather than a laundry list of alerts.
By using this approach, analysts no longer have to filter out noise such as false alerts, or wait for alarms to fire. Instead, they can focus on early warning signs, detecting and preventing breaches before they cause significant harm. Automation and behavioral analytics also improve analysts’ focus and productivity at every step of the journey, from collecting and analyzing data, to triaging incidents, to speeding investigation and response.
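The baseline-and-risk-score approach described above, together with the earlier point about administrator privileges being used in uncharacteristic ways, as an added example (not code from the original article or from any product): a minimal per-user baseline, per-event scoring, and cumulative escalation into an analyst timeline. All events, weights, and the threshold are constructed and hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed historical events (hypothetical): (user, timestamp, host, admin rights used).
HISTORY = [
    ("alice", "2024-03-01T09:12:00", "fileserver01", False),
    ("alice", "2024-03-02T10:03:00", "fileserver01", False),
    ("alice", "2024-03-03T08:55:00", "wiki01", False),
    ("bob",   "2024-03-01T14:20:00", "dc01", True),
    ("bob",   "2024-03-02T15:10:00", "dc01", True),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("alice", "2024-03-04T09:30:00", "fileserver01", False),  # routine for alice
    ("alice", "2024-03-04T23:41:00", "dc01", True),           # off-hours, new host, first admin use
    ("alice", "2024-03-04T23:52:00", "hr-db01", True),        # second new host with admin rights
    ("bob",   "2024-03-04T14:05:00", "dc01", True),           # routine for bob
]

ESCALATE_AT = 8  # hypothetical cumulative score at which an analyst is engaged

def build_baseline(history):
    """Per user: hosts seen, hours of day seen, and whether admin rights were ever used."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "admin": False})
    for user, ts, host, admin in history:
        b = base[user]
        b["hosts"].add(host)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["admin"] = b["admin"] or admin
    return base

def score_event(baseline, event):
    """Return (score, reasons) for one event; 0 means it matches the user's normal pattern."""
    user, ts, host, admin = event
    b = baseline[user]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if host not in b["hosts"]:
        reasons.append(("new host", 3))
    if b["hours"] and not (min(b["hours"]) <= hour <= max(b["hours"])):
        reasons.append(("off-hours", 2))
    if admin and not b["admin"]:
        reasons.append(("first admin use", 4))
    return sum(w for _, w in reasons), [r for r, _ in reasons]

def build_timelines(history, new_events):
    """Accumulate risk per user; users over the threshold get a chronological timeline, not a list of alerts."""
    baseline = build_baseline(history)
    totals, timelines = defaultdict(int), defaultdict(list)
    for event in sorted(new_events, key=lambda e: e[1]):
        score, reasons = score_event(baseline, event)
        totals[event[0]] += score
        if score:  # routine events are dropped from the timeline but still counted as zero
            timelines[event[0]].append((event[1], event[2], score, reasons))
    return {u: {"score": totals[u], "timeline": timelines[u]} for u in totals if totals[u] >= ESCALATE_AT}
```

Running `build_timelines(HISTORY, NEW_EVENTS)` escalates only alice, with a two-entry timeline explaining why each event scored; bob's routine admin use on dc01 scores zero.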
It’s time to stop treating cyberattackers and threats as if they’re coming outside-in. The truth is that they’re already inside enterprise networks. Using the right tools can help cybersecurity teams drive faster to insight, focusing on the problems that truly matter and reducing their impact. That work will translate to higher customer trust, a better brand in the marketplace and fewer operational distractions, as well as the ability to avoid fines, lawsuits, and the destabilizing impacts of widespread breaches.