Active adversaries continue to menace organizations, breaching systems in two primary ways — by exploiting vulnerabilities and using already compromised credentials. According to Sophos’ Active Adversary report of 2023, ransomware maintained its dominance as the top attack type of choice for active adversaries, with 70% of investigations resulting from a ransomware attack. The top root causes of these attacks were compromised credentials (55.84%) and exploited vulnerabilities (16.23%).
A lot of cybercrimes are crimes of opportunity. In these attacks, threat actors perform automated scans in search of vulnerable systems, and when they find them, they will run automated exploit tools in an attempt to infiltrate. It’s the cyber equivalent of rattling locks or attempting to push a few windows up. When they fail, they’ll move on to the next potential victim.
Adaptive adversaries operate more aggressively. They don’t just try doorknobs and windows and move on. They keep pushing. Whether they are motivated by financial gain, a “gun for hire” to breach specific targets, or mercenaries seeking to gain entry and persistence into businesses and then sell that access to other criminal groups, these attackers are persistent in these goals. They will persistently dig in to succeed in their attacks.
“That’s what makes attacks from active adversaries different from other attackers. They will get hands-on in their attacks,” says John Shier, CTO, Sophos.
The good news is that many of these attacks are avoidable. The following paragraphs outline steps to mount a better defense.
Adversarial evolution: How defenders must also evolve
To succeed against active adversaries, defenders must also be active and constantly work to adjust their tactics to align themselves against their attackers.
Active adversaries will utilize all the tools and techniques to get into the targeted organization. They will also target external remote services, impair cybersecurity defenses and system recovery tools, and even abuse system services to gain entry.
To effectively respond, organizations must possess an adaptable security posture.
Steven Aiello, CISO at digital platform provider AHEAD, notes that adapting to changing attacker tactics requires building and maintaining an accurate baseline of the business-technology environment.
“Baselines help identify when something deviates from the norm, which could indicate attack activity,” Aiello says, adding that large organizations often run fewer baselines than they need to attain adequate security, including baselines of network traffic, normal system behavior, and the software installed in the organization.
Additionally, visibility into unpatched servers, misconfigured cloud storage systems, and outdated web apps — and having the processes to remediate these systems — is critical to reducing risk.
To keep attackers out, the security posture must keep pace with the active adversaries, how their tactics change, and the organization’s growing and changing attack surface. This is crucial because as the attack surface changes, so do attackers’ ways of burrowing into networks.
Minimizing the attack surface
Security experts advise CISOs to work to keep the organization’s attack surface to a minimum.
That means identifying software and system vulnerabilities and patching and mitigating these risks. It also means minimizing the number of entry points into an organization and using multifactor authentication.
Organizations should consider turning to systems that help automate attack surface management so that security teams fully understand their assets and can better prioritize their risks.
Experts also advise additional security program elements to ensure the program adapts to changing threats. One is utilizing adaptive access controls that can adjust the level of access, and trust provided to a user based on the context of access, such as when accessing from a risky network or geographic location. Another is maintaining comprehensive logging and monitoring. Such telemetry data is essential. When continuously analyzed, it can quickly respond to new threats and identify changes in attacker behavior so that the security program can be adjusted accordingly.
Finally, other areas that need to evolve as the threat posture changes include incident response plans. Few things are worse than turning to the incident response plan during a crisis only to find it outdated, irrelevant or encrypted. User security awareness training also needs to adapt as attacker tactics change.
Dynamically responsive defenses, proactive governance
This section covers the need for dynamic defenses and how to gain the insights necessary to change security policies as threats evolve. This is vital because as attackers become more agile and adjust their tactics, organizations need defenses that also actively adapt.
This requires a governance policy that constantly re-evaluates risk and security processes that can adapt to changing threat contexts and attack techniques. That calls for threat intelligence that keeps up with a changing threat landscape and uses that insight to adapt. Threat intelligence is critical to keeping security defenses dynamic, providing context and actionable insights to help organizations proactively identify, prevent, and respond to cyber-attacks. The crucial aspect is proactively attaining threat intelligence and putting that intelligence to use within the organization.
Generally, such threat intelligence is collected from various sources, including security logs, open-source intelligence, and threat intelligence feeds. Then, this data is used to identify patterns, indicators of compromise, and tactics, techniques, and procedures used by threat actors.
“By acting proactively — including updating defense mechanisms or developing security policies and processes — organizations can stay ‘left of boom,’ avoiding the impact from a particular attack or otherwise minimizing its effect,” says Bryon Hundley, Vice President of Intelligence Operations at the Retail and Hospitalist Information Security and Analysis Center. “Threat intelligence is the compass that guides cybersecurity efforts, allowing for more informed decision-making and a stronger security posture in an ever-evolving threat landscape.”
In an era characterized by sophisticated and rapidly evolving cyber threats, the ability to gather, analyze, and act on timely and actionable intelligence sets apart reactive security postures from proactive ones, Hundley says, adding that threat intelligence also must involve a deep understanding of the environment being protected.
To effectively gain the insights necessary to change security policies as threats evolve proactively, organizations should consider the following steps:
- If the organization doesn’t have a threat intelligence program, create one. If you don’t have the staff to dedicate to threat intelligence gathering and analysis, consider outsourcing to gain those capabilities. By collecting, analyzing, and sharing curated intelligence with the right teams throughout the organization, one’s security posture can adapt to the threat landscape.
- Harness quality, pertinent threat intelligence sources. These include open-source intelligence, such as the open, deep, and dark web. Other sources should include intelligence feeds from industry groups, government agencies, and threat intelligence vendors.
- The magic happens in intelligence analysis. Many factors go into this mix, including its relevance to the organization (such as industry tech stack specifics), its timeliness and its accuracy and source credibility. By keeping current, your security posture can adapt as threats evolve.
- Keep security policies and defenses up to date. As threat intelligence analysis warrants, update security policies and defensive controls better to defend your organization against the most pressing threats. Updating web applications and network firewalls, intrusion detection/prevention system rules and incident response playbooks are vital things to consider. Continuously update cybersecurity policies and incident response plans based on what the latest threat intelligence research indicates regarding the nature of threat actors’ activities, the tools and tactics they employ, and the state of your organization’s technology environment and defense. Also, hold regular tabletop exercises for exercising your business continuity and disaster recovery plan.
- Finally, to meet today’s fast-changing threats, it’s also crucial to have adaptive network and endpoint security toolsets as needed. Here’s what to look for:
- Security defenses that disrupt and delay attackers: When signs of a device being compromised are identified, modern security defenses should place the at-risk device into a temporary, more aggressive security mode and block activities associated with attack techniques, such as attempted running of remote admin tools, launching untrusted executables, rebooting the machine into Safe Mode, and more.Creates additional response time: Active adversaries execute “fast” ransomware attacks in hours, making quick detection and response crucial. Adaptive protection should provide defenders additional time to investigate and respond to underway “zero day” attacks. By disrupting the attack chain this way, defenders have time to ensure the adversary fails in their objectives.
- Automatically raises defenses: When defenses are increased as an attack is detected, users are protected with heightened defenses when needed.
In conclusion, active adversaries are infiltrating organizations of all sizes, often evading detection by turning off security protections and abusing legitimate IT tools. While the most common initial entry vectors exploited unpatched vulnerabilities and compromised credentials, active adversaries also craft custom malware, deliberately striking during off-hours and blending into the victim’s environment.
To enhance resilience, organizations must adapt with them, which means implementing effective tactics against specific types of attacks and ensuring they’re operating with an adaptable set of security policies and governance efforts informed by timely and accurate threat intelligence.
D2 Cybersecurity offers a range of services to help you stay secure and make the most out of your digital experiences. From Cyber Awareness Education to Information Security Gap Assessments, we’ve got you covered! Contact us today to find out how we can help secure your organization.