Record-breaking vulnerabilities, rising OT security risks and increasing exploits demand a new approach to vulnerability management.
If the events of 2021 tell us anything about the state of cybersecurity, it’s that you can’t fight today’s battles with yesterday’s tools. The rapid evolution of the threat landscape has made past approaches to vulnerability management outmoded, if not downright archaic.
That’s one key conclusion from Skybox Security’s Vulnerability and Threat Trends report 2022.
CybersecAsia had the opportunity to speak to Skybox Security CEO & Founder Gidi Cohen about the findings of the report, as well as his insights and perspectives into current and future cybersecurity challenges and solutions.
In what ways are threat actors getting better at weaponizing vulnerabilities?
Gidi Cohen (GC): Skybox Research Lab, the threat intelligence arm of Skybox Security, discovered that the number of new vulnerabilities exploited in the wild rose by 24% in 2021. That’s a sign of how quickly adversaries are moving to weaponize new vulnerabilities, shrinking the window that security teams have to detect and address vulnerabilities before an attack.
Cybercrime has become a vast and thriving industry. Our threat intelligence analysts say they “see ransomware samples everywhere,” alongside a sprawling ecosystem of specialized services designed to enable threat actors to make money quickly. Examples of modern cybercrime strategies include:
- Easy-to-use exploit kits and malware-as-a-service (MaaS) have made it remarkably simple for non-technical threat actors to get into the game and start reaping financial returns.
- Recent years have seen a steady rise in malware designed to facilitate complex multistage campaigns and hard-to-detect exploits such as fileless attacks (where the malicious code is injected directly into memory, not installed on a hard drive).
- The quick money to be made from exploits such as cryptojacking is tough to resist, especially in parts of the world where pay is low and legitimate career opportunities are few and far between.
Given all the threats and adversaries, it’s not surprising that cyberattacks have become more frequent, bigger, and more costly. We expect the world will continue to see widespread supply chain attacks that target popular IT software. For example, the SolarWinds attack affected an estimated 18,000 organizations, while the Kaseya attack impacted roughly 800-1,500 businesses globally.
What does a Zero Trust approach look like when it comes to operational technology (OT)?
GC: At its foundation, Zero Trust is a cybersecurity model that denies access to applications, assets, and data by default. Every security decision must be assessed based on actual, quantifiable risk to the organization.
In OT environments, a critical first step to achieving Zero Trust is shining a spotlight on the unknown assets to illuminate where exposed vulnerabilities are hiding. Today, many OT flaws remain hidden from cybersecurity teams. That’s because most OT systems are hard or impossible to scan.
At best, companies scan OT assets infrequently (once or twice a year) because they can’t afford to take these mission-critical systems offline or degrade service. Likewise, patching many OT systems is technically impossible or too cumbersome and costly to address all vulnerabilities. As a result, many OT environments are riddled with security holes, with no effective way to assess weaknesses, much less fix them.
A different approach is clearly needed: one that eliminates the blind spots by providing a complete view of the OT and IT attack surface and that also facilitates targeted, effective remediation. To achieve a 360-degree view of the attack surface as a foundation for Zero Trust, vulnerability data from all assets (including IT, OT, and cloud) and every corner of the network must be aggregated into a single model.
Then, it is possible to employ path analysis to understand all IT and OT connectivity, including how risks can impact either environment or traverse one to reach the other. Pairing this visibility with the security controls required to stop, remediate, and surgically remove exposed vulnerabilities enables a holistic Zero Trust strategy across both IT and OT environments.
What are the biggest risks in IT-OT convergence?
GC: As OT and IT networks converge, threat actors are increasingly exploiting vulnerabilities in one environment to reach assets in the other. Many OT attacks begin with an IT breach, followed by lateral movement to access OT equipment. Conversely, intruders may use OT systems as stepping stones to IT networks, where they can deliver malicious payloads, exfiltrate data, launch ransomware attacks, and conduct other exploits.
Increasingly, malware is designed to exploit both IT and OT resources.
Most organizations don’t even have visibility into the problem. They have no global view of their attack surface, with its interconnections, entry points, configurations, and policies. It’s not just blind spots such as unscannable OT and network devices that prevent such a cohesive view; it’s also organizational siloing between IT and OT departments and among their various teams. Often each group has responsibility for a small piece of the puzzle, but no one has the big picture. Without full visibility, it’s difficult to detect policy violations, vulnerabilities, misconfigurations, faulty design, or unplanned or unauthorized changes.
It’s also difficult to recognize and respond to complex attacks; individual teams may see only isolated incidents and fail to recognize that these are part of a larger coordinated campaign.
That’s why a modern vulnerability management strategy must begin with a holistic view that models and visualizes the entire attack surface, including IT and OT environments and all of the connections among them. The goal is not just to cut off initial breaches where possible, but also to prevent lateral movement that enables attackers to jump from IT to OT systems and vice versa, or from less critical devices to core systems.
How should organizations in Asia Pacific defend against supply chain attacks and mitigate the risks?
GC: In 2021, Log4Shell highlighted the growing danger posed by open-source software and the supply chain.
Vulnerable or malware-infected components can make their way into widely used software products in ways that are hard to detect and extremely difficult to root out. Such was the case with the SolarWinds hack, and so it is with vulnerable Log4j libraries tucked away in a multitude of enterprise software, with no quick and efficient way to find, much less fix, all of them.
Using traditional, active scanning to find all instances of the vulnerability and then applying patches everywhere is monumentally time-consuming and costly. Fortunately, it’s also unnecessary.
Scanless detection can be used to identify affected assets without the cost and performance impacts of active scanning, and exposure analysis can pinpoint the typically small subset of devices that are actually susceptible to attack. Security teams can then apply appropriate mitigation measures such as configuration changes or network segmentation to stem the risks even before patches are applied or in cases where patches aren’t available.
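As an added example, not code from the article or from any Skybox product, the following Python model ties together the approach described in the answers above: IT and OT inventory data aggregated into one model, vulnerable versions detected from inventory rather than by scanning, and path analysis over the zone-to-zone firewall policy to find the subset of vulnerable assets an intruder could actually reach. All host names, zones, rules, listening ports and the version threshold passed to the functions are constructed sample data, not real advisory values.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str        # network zone the asset sits in
    kind: str        # "IT", "OT" or "cloud"
    port: int        # port the inventoried application listens on
    software: dict   # product -> installed version, taken from inventory data


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int        # 0 means any port is allowed


# Constructed sample inventory: hypothetical hosts, zones and version strings.
ASSETS = [
    Asset("web-portal", "dmz", "IT", 443, {"log4j-core": "2.14.1", "tomcat": "9.0.54"}),
    Asset("erp-app", "corp", "IT", 8080, {"log4j-core": "2.17.1"}),
    Asset("historian", "ot-dmz", "OT", 8080, {"log4j-core": "2.13.3"}),
    Asset("plc-gateway", "ot-cell", "OT", 8080, {"log4j-core": "2.11.2"}),
    Asset("hr-laptop", "corp", "IT", 0, {"browser": "98.0"}),
]

# Constructed zone-to-zone firewall policy (hypothetical).
RULES = [
    Rule("internet", "dmz", 443),
    Rule("dmz", "corp", 8080),
    Rule("corp", "ot-dmz", 8080),
    Rule("ot-dmz", "ot-cell", 502),   # only the industrial protocol crosses into the cell
]


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scanless_detect(assets, product, fixed_version):
    """Flag every asset whose inventoried version of `product` is older than the version
    that carries the fix. Nothing is sent to the asset, so OT systems stay undisturbed.
    `fixed_version` is a parameter here, not a statement about any real advisory."""
    fixed = parse_version(fixed_version)
    return [a for a in assets
            if product in a.software and parse_version(a.software[product]) < fixed]


def reachable_zones(rules, start_zone):
    """Breadth-first search over the zone graph. An intruder with a foothold in a zone can
    use any rule leaving it, so each rule is a permitted hop. Returns zone -> path of zones."""
    paths = {start_zone: [start_zone]}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for rule in rules:
            if rule.src_zone == zone and rule.dst_zone not in paths:
                paths[rule.dst_zone] = paths[zone] + [rule.dst_zone]
                queue.append(rule.dst_zone)
    return paths


def exposure_analysis(assets, rules, product, fixed_version, entry_zone):
    """Intersect the vulnerable set with what can actually be reached from `entry_zone`.
    An asset is exposed when its zone is reachable and some rule from a reachable zone
    allows traffic to the port its vulnerable application listens on."""
    vulnerable = scanless_detect(assets, product, fixed_version)
    paths = reachable_zones(rules, entry_zone)
    exposed = {}
    for asset in vulnerable:
        if asset.zone not in paths:
            continue
        inbound = {r.port for r in rules if r.dst_zone == asset.zone and r.src_zone in paths}
        if asset.zone == entry_zone or asset.port in inbound or 0 in inbound:
            exposed[asset.name] = paths[asset.zone]
    return exposed


def segmentation_candidates(exposed):
    """For each exposed asset, the final zone-to-zone hop on its path. Tightening that rule
    on the application port removes the exposure before a patch is available or applied."""
    return {name: (path[-2], path[-1]) for name, path in exposed.items() if len(path) > 1}


if __name__ == "__main__":
    vulnerable = scanless_detect(ASSETS, "log4j-core", "2.17.0")
    exposed = exposure_analysis(ASSETS, RULES, "log4j-core", "2.17.0", "internet")
    print("vulnerable:", [a.name for a in vulnerable])
    print("exposed from internet:", exposed)
    print("hops to segment:", segmentation_candidates(exposed))
```

With the constructed data, three assets carry an old library version, but only two are exposed from the internet: the plc-gateway is vulnerable yet unreachable because the only rule into its cell carries the industrial protocol port, not the application port. That is the "typically small subset" the answer refers to, and the corp-to-ot-dmz hop on the historian's path is the IT-to-OT crossing a segmentation change would close while the patch is still outstanding.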