Preparing Global SOCs for Emerging Cyber Threat Trends


The cyber threat landscape is evolving as threats shift toward emerging technologies. Today the targets are not just healthcare, finance or government institutions. Organizations and infrastructures of every kind are in the crosshairs of cybercriminals who are constantly evolving and growing more sophisticated, from ransomware that paralyzes or shuts down operations to supply-chain breaches that expose sensitive data. Even the cloud, once touted as a safe haven, now sees a growing share of attacks. Security Operations Centres (SOCs) must continually adapt, and be forward-looking and proactive, to keep pace with global cyber threats. In this blog, let’s look at the current dynamics of the cyber threat landscape and the trends driving it. I’ll also cover how global SOC teams are, or should be, prepared to deal with them.

1. The Rise of Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) is pervasive. Because RaaS requires no specialized criminal skills or aptitude to obtain working ransomware code, anyone with an internet connection and a payment route that accepts fraudulent payments can join the bandwagon and launch their own campaign. RaaS operators will rent a ransomware kit to anyone from a lay person, who would be well out of their technical depth building it on their own, to a technically sophisticated, well-resourced criminal actor. RaaS is the factor that enabled a ransomware tsunami of every shape and hue to fan out across every sector of every industry and wreak the damage that it has.

How Global SOC Teams Can Defend:

Proactive Threat Hunting: SOC teams should regularly conduct threat-hunting exercises, using known TTPs and other threat intelligence to hunt proactively for early IOCs of ransomware (e.g., atypical file modifications, unusual network traffic patterns and so on).

Advanced Endpoint Detection and Response (EDR): EDR solutions should both prevent ransomware from spreading across the network and support forensic analysis of how the ransomware initially entered it.

Backup and Recovery Plans: The best defense against ransomware is backup and recovery. SOC teams should work with IT teams to enforce regular backups of essential data, and assign a team to test the recovery process so that it is ready to execute when needed.

Reducing the attack surface through Zero Trust Architecture: A Zero Trust deployment minimizes the attack surface: no user or system, inside or outside the perimeter, is automatically trusted, and access is granted at each step only after it is verified.
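The threat-hunting point above mentions atypical file modifications as an early ransomware indicator. The following is an added example of that hunt in code, not DefendEdge's tooling: it replays constructed file-activity telemetry (the pipe-delimited event format, host names, the process name `svchost_update.exe`, the `.locked` extension and the thresholds are all assumptions) and raises one alert per process that renames many distinct files to an unusual extension inside a short sliding window, the pattern an encryptor leaves behind before any ransom note is read.

```python
"""Hunt for ransomware-like mass renames in file-activity telemetry.

Added example for this post, not DefendEdge's own tooling. The event format,
host and process names, thresholds and window are assumptions; tune them to
the normal file churn of your own fleet.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)   # sliding window per (host, process)
RENAME_THRESHOLD = 20            # distinct files renamed to an unusual extension
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".bak", ".tmp"}


def parse_event(line):
    """Parse 'ISO-time|host|process|action|old_path|new_path' into a dict."""
    ts, host, proc, action, old, new = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": proc,
            "action": action, "old": old, "new": new}


def hunt_mass_rename(lines):
    """Return one alert per (host, process) that renames RENAME_THRESHOLD or more
    distinct files to an extension outside KNOWN_EXTENSIONS within WINDOW."""
    suspicious = defaultdict(list)
    for e in map(parse_event, lines):
        ext = PurePosixPath(e["new"]).suffix.lower()
        if e["action"] == "RENAME" and ext and ext not in KNOWN_EXTENSIONS:
            suspicious[(e["host"], e["process"])].append(e)

    alerts = []
    for (host, proc), events in suspicious.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        for e in events:
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW:   # drop events older than WINDOW
                window.popleft()
            touched = {w["old"] for w in window}
            if len(touched) >= RENAME_THRESHOLD:
                alerts.append({
                    "host": host, "process": proc, "files": len(touched),
                    "directories": len({str(PurePosixPath(p).parent) for p in touched}),
                    "new_extension": PurePosixPath(e["new"]).suffix.lower(),
                    "first_seen": window[0]["ts"].isoformat(),
                })
                break   # one alert per actor; an analyst takes it from here
    return alerts


def build_sample_events():
    """Constructed telemetry: one benign user rename plus a burst from a suspicious process."""
    lines = ["2024-05-01T08:59:00|ws-17|explorer.exe|RENAME|/home/ana/draft.txt|/home/ana/draft.docx"]
    start = datetime(2024, 5, 1, 9, 0, 0)
    for i in range(25):
        ts = (start + timedelta(seconds=i)).isoformat()
        path = f"/srv/share/q{i % 5}/report{i}.xlsx"
        lines.append(f"{ts}|ws-42|svchost_update.exe|RENAME|{path}|{path}.locked")
    # A ransom-note drop is the adjacent signal a hunt would pivot on next.
    lines.append("2024-05-01T09:00:30|ws-42|svchost_update.exe|CREATE||/srv/share/README_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in hunt_mass_rename(build_sample_events()):
        print(alert)
```

The benign `explorer.exe` rename is ignored because `.docx` is an allowed extension; the burst on `ws-42` trips the threshold at the twentieth file and the alert records how many directories were touched, which helps an analyst judge blast radius before isolating the host.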

2. Supply Chain Attacks: A Weak Link in the Cybersecurity Chain

Vulnerabilities left in a supplier’s or vendor’s infrastructure can be exploited later by a bad actor to undermine the target company. After several high-profile incidents garnered widespread attention, such as the SolarWinds breach, supply chain attacks now command considerable attention. As companies increasingly outsource functions such as software development, human resources and payroll, or embrace third-party software, supply-chain risk rises.

How Global SOC Teams Can Defend:

Vendor Risk Management: SOC teams should work closely with procurement and legal divisions to establish strong vendor risk management standards, including vetting each vendor’s cyber hygiene and performing security testing on all third parties before permitting them access.

Ongoing monitoring: After the vendor is onboarded, ongoing monitoring is necessary, ideally through an integrated threat intelligence platform that can alert on suspicious activity or vulnerabilities in third-party code.

Network segmentation and least privilege access: SOC teams should mandate network segmentation and least-privilege access so that a compromised vendor causes, say, only a department-level blast radius rather than an organization-wide one.

Incident Response Plans for Supply Chain Attacks: Supply chain attacks are difficult to detect because they arrive through a trusted vendor. SOCs should develop and practice incident response plans specifically for supply chain attacks, with an increased focus on rapid isolation and remediation.

3. Cloud Security Risks: The Expanding Attack Surface

Moving to the cloud brings benefits such as scalability, flexibility and economies of scale. However, the mass migration to the cloud has also increased the attack surface: many more organizations store sensitive data and critical applications in the cloud. In response, adversaries are now exploiting misconfigured cloud environments, weak authentication mechanisms, and cloud application vulnerabilities.

How Global SOC Teams Can Defend:

Cloud Security Posture Management (CSPM): Ensure your SOC’s incident-detection and response capabilities leverage CSPM tools that scan the cloud environment for misconfigurations, vulnerabilities and compliance issues. Some CSPM tools also provide remediation functionality to address such issues automatically.

Identity and Access Management (IAM): IAM policies are a core pillar of cloud security. MFA is a must for every cloud account, and global SOCs should require role-based access control (RBAC) to restrict access to sensitive systems and data.
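To make the CSPM and IAM points concrete, here is an added example of a minimal posture check, written for this post and not DefendEdge's tooling or any cloud provider's API. It runs the kind of rules a CSPM product applies (public or unencrypted storage, accounts without MFA, stale access keys, roles that grant every action on every resource) over a constructed inventory whose shape, resource names and 90-day key rotation policy are assumptions standing in for what a real tool pulls from the provider, and it attaches a remediation to each finding.

```python
"""CSPM-style posture check over a constructed cloud inventory.

Added example for this post: not DefendEdge's tooling and not any provider's
API. The inventory shape is an assumption standing in for what a CSPM tool
would pull from the cloud provider; the rules mirror the post's points about
misconfiguration, MFA and role-based least privilege.
"""

# Constructed inventory with deliberate weaknesses alongside compliant resources.
INVENTORY = {
    "buckets": [
        {"name": "cust-exports", "public_read": True, "encryption": None},
        {"name": "app-logs", "public_read": False, "encryption": "AES256"},
    ],
    "accounts": [
        {"user": "alice", "mfa_enabled": True, "admin": True, "key_age_days": 30},
        {"user": "bob", "mfa_enabled": False, "admin": True, "key_age_days": 10},
        {"user": "ci-bot", "mfa_enabled": False, "admin": False, "key_age_days": 400},
    ],
    "roles": [
        {"name": "DeployRole", "statements": [
            {"effect": "Allow", "action": ["storage:GetObject"], "resource": "bucket/app-logs/*"}]},
        {"name": "LegacyAdmin", "statements": [
            {"effect": "Allow", "action": "*", "resource": "*"}]},
    ],
}

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy


def finding(rule, resource, severity, fix):
    return {"rule": rule, "resource": resource, "severity": severity, "remediation": fix}


def check_buckets(buckets):
    out = []
    for b in buckets:
        if b["public_read"]:
            out.append(finding("BUCKET_PUBLIC", b["name"], "HIGH", "remove public read ACL/policy"))
        if not b["encryption"]:
            out.append(finding("BUCKET_UNENCRYPTED", b["name"], "MEDIUM", "enable default encryption"))
    return out


def check_accounts(accounts):
    out = []
    for a in accounts:
        if not a["mfa_enabled"]:
            # An admin without MFA is the worst case; everyone else is still a finding.
            sev = "CRITICAL" if a["admin"] else "HIGH"
            out.append(finding("ACCOUNT_NO_MFA", a["user"], sev, "enforce MFA before next login"))
        if a["key_age_days"] > MAX_KEY_AGE_DAYS:
            out.append(finding("STALE_ACCESS_KEY", a["user"], "MEDIUM", "rotate key and shorten rotation window"))
    return out


def check_roles(roles):
    """Flag Allow statements that grant every action on every resource (no RBAC scoping)."""
    out = []
    for r in roles:
        for s in r["statements"]:
            actions = s["action"] if isinstance(s["action"], list) else [s["action"]]
            if s["effect"] == "Allow" and "*" in actions and s["resource"] == "*":
                out.append(finding("ROLE_WILDCARD_ADMIN", r["name"], "HIGH",
                                   "scope actions and resources to the role's job"))
    return out


def assess(inventory):
    """Run every rule and return findings ordered by severity."""
    findings = (check_buckets(inventory["buckets"]) + check_accounts(inventory["accounts"])
                + check_roles(inventory["roles"]))
    return sorted(findings, key=lambda f: ("CRITICAL", "HIGH", "MEDIUM").index(f["severity"]))


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f['severity']:8}] {f['rule']:20} {f['resource']:14} -> {f['remediation']}")
    print(summarize(assess(INVENTORY)))
```

A real CSPM integration would feed these findings into the SOC's ticketing or SOAR pipeline; the remediation text is what an auto-remediation step would act on, and the severity ordering is what decides whether an analyst sees it before the next shift change.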

Shared Responsibility Awareness: SOC teams need to understand that cloud security follows the shared responsibility model, in which the consumer of cloud services is responsible for security in the cloud, not the cloud service provider. The provider is accountable for the security of the infrastructure supporting its services, while the data and applications running on it are typically owned by the client. Routine audits of these responsibilities by both client and provider can help keep nothing from falling through the cracks.

Cloud Incident Response: Cloud incident-response processes are different from traditional incident response, and SOC teams should develop and implement specific cloud incident-response playbooks that account for cloud forensics challenges, including logging, ephemeral infrastructure and data collection.

4. The Evolution of Social Engineering and Phishing

Of the tools that hackers use, phishing is probably the most effective. Even worse, phishing attacks are becoming more targeted, through spear-phishing and business email compromise (BEC) attacks that con employees into transferring money or sharing personal information. Many are extremely convincing, using deepfakes and AI-generated text to produce fake emails and voice messages.

How Global SOC Teams Can Defend:

Advanced Email Security: Sophisticated email protection based on machine learning that analyzes both behavior and content should form a cornerstone of SOC defenses.

Phishing Awareness Training: Humans are the weakest link in the security chain, and few incidents occur without a human element involved. SOC teams need to keep training users and adjusting rules to handle the growing volume of phishing attempts aimed at the people within the organization. So, how hard is it to prevent phishing in 2024? Well, pretty easy actually.

Periodic simulated phishing campaigns: Throughout the year, the SOC should run simulated phishing campaigns to measure employee awareness and expose gaps in the training program. The results also show which individuals or departments need more training.

Real-time Phishing Response: SOCs must respond to phishing attacks in real time. Attempted attacks should be quarantined and the affected users notified, and compromised users should go through an investigation process.

5. The Increasing Threat of Nation-State Actors

The threat landscape for today’s companies is changing. Nation-state-sponsored cyberattacks, and in some cases more serious attacks, are increasingly emerging. They have a specific objective, often well hidden behind subterfuge: espionage, sabotage of nations and their critical infrastructure, or something in between. With their resources and access to advanced tools, nation-state actors are among the most difficult adversaries today’s organizations face.

How Global SOC Teams Can Defend:

Threat Intelligence Sharing: One of the best ways to defend against nation-state attacks is to collaborate with other organizations. Your SOC team must be a member of an information-sharing community and contribute to government and industry security efforts to stay up to date on the latest nation-state tactics and IOCs.

Sophisticated monitoring and anomaly detection: Nation-state adversaries conduct reconnaissance over weeks, months or years before an attack. SOC teams can use anomaly detection systems to surface suspicious activity indicative of nation-state operations, such as long-term lateral movement, privilege escalation attempts and data exfiltration.
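Lateral movement is the anomaly-detection case above that benefits most from a baseline. The following is an added example for this post, not DefendEdge's tooling: it learns each account's usual destination hosts from a constructed baseline period of authentication logs, then flags an account that successfully reaches several never-before-seen hosts within a sliding window. The log format, account and host names, the one-hour window and the three-host threshold are all assumptions; a hunt for the slow, months-long campaigns the post describes would widen the window and lower the threshold.

```python
"""Detect lateral-movement fan-out in constructed authentication logs.

Added example for this post, not DefendEdge's tooling. It learns each
account's usual destination hosts from a baseline period, then flags an
account that logs on to several never-before-seen hosts within a short
window. Log format, host names, thresholds and the window are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # short window here; widen it to hunt slower campaigns
NEW_HOST_THRESHOLD = 3        # distinct never-seen hosts per account within WINDOW

# Constructed logs: "ISO-time|user|src_host|dst_host|result"
BASELINE_LOGS = [
    "2024-04-01T02:00:00|svc-backup|bk01|fs01|SUCCESS",
    "2024-04-01T02:05:00|svc-backup|bk01|fs02|SUCCESS",
    "2024-04-02T02:00:00|svc-backup|bk01|fs01|SUCCESS",
    "2024-04-02T09:12:00|alice|ws-05|fs01|SUCCESS",
    "2024-04-03T09:30:00|alice|ws-05|mail01|SUCCESS",
]

RECENT_LOGS = [
    "2024-05-01T02:00:00|svc-backup|bk01|fs01|SUCCESS",      # normal backup run
    "2024-05-01T23:10:00|svc-backup|ws-17|dc01|SUCCESS",     # new source host, new target
    "2024-05-01T23:18:00|svc-backup|ws-17|hr-db|SUCCESS",
    "2024-05-01T23:25:00|svc-backup|ws-17|fin-app|FAILURE",  # failures are not reach
    "2024-05-01T23:31:00|svc-backup|ws-17|fin-app|SUCCESS",
    "2024-05-01T23:40:00|svc-backup|ws-17|ws-09|SUCCESS",
    "2024-05-02T09:00:00|alice|ws-05|fs01|SUCCESS",
    "2024-05-02T09:05:00|alice|ws-05|wiki01|SUCCESS",        # one new host: below threshold
]


def parse(line):
    ts, user, src, dst, result = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "dst": dst, "result": result}


def build_baseline(lines):
    """Map each account to the destination hosts it successfully reached in the baseline."""
    known = defaultdict(set)
    for e in map(parse, lines):
        if e["result"] == "SUCCESS":
            known[e["user"]].add(e["dst"])
    return known


def detect_fan_out(known, lines):
    """Return one alert per account that reaches NEW_HOST_THRESHOLD or more
    hosts absent from its baseline within WINDOW; the largest window wins."""
    per_user = defaultdict(list)
    for e in map(parse, lines):
        # Accounts with no baseline at all treat every host as new.
        if e["result"] == "SUCCESS" and e["dst"] not in known.get(e["user"], set()):
            per_user[e["user"]].append(e)

    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        window, best = deque(), None
        for e in events:
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW:
                window.popleft()
            hosts = sorted({w["dst"] for w in window})
            if len(hosts) >= NEW_HOST_THRESHOLD and (best is None or len(hosts) > len(best["new_hosts"])):
                best = {"user": user, "new_hosts": hosts,
                        "sources": sorted({w["src"] for w in window}),
                        "start": window[0]["ts"].isoformat(), "end": e["ts"].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(build_baseline(BASELINE_LOGS), RECENT_LOGS):
        print(alert)
```

The `svc-backup` account is flagged because it reaches four hosts it never touched in the baseline, from a workstation rather than its usual backup server, inside thirty minutes; `alice` visiting one new wiki host stays below the threshold. Service accounts logging on from workstations are exactly the credential-reuse pattern a long-dwell intrusion tends to produce.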

Ensure Endpoint Security is APT-Ready and Integrated with EDR/XDR Solutions: As endpoints are often the starting point for APTs, SOCs should check whether the endpoint security products they adopt are APT-ready and integrate with EDR and XDR solutions for a holistic view of the attack surface.

Simulations of nation-state TTPs and attack paths as part of internal red team exercises: Present-day nation-state threat dynamics necessitate internal red team exercises that simulate nation-state TTPs and attack paths. To succeed today, SOCs must move from sporadic to continuous red teaming, constantly testing the organization to get crucial feedback on where to strengthen first.

Conclusion

The threat landscape increasingly involves sophisticated threats and novel attack vectors: ransomware, supply-chain attacks, cloud insecurity, social engineering, nation-state activity and more. An insightful defense strategy, combined with the latest technologies and a culture of continuous learning, can help not only to fight and fend off such threats but also to stay ahead of them.

There, our worldwide SOC is manning the guard-posts and the watchtowers, ready to defend clients around the clock against those threats and more. Cyber – like much else – has to be everything to everyone, and that’s what we’re doing at DefendEdge.


By: Wesles Lubin, Global SOC Operations Director, DefendEdge
