Earlier this year we held a live broadcast, featuring cybersecurity threat analysts from across Cisco Secure. We discussed the most significant cyber threats of 2021, what we’re seeing now, and how defenders can best protect their organizations in the year ahead. In the first of this three-part series, we’ve compiled some brief highlights from the broadcast. Be sure to watch the videos for more in-depth analysis.
Colonial Pipeline, and The New World of Infrastructure Security
From all the threats you could have chosen to talk about, why did you choose Colonial Pipeline?
Matt Olney, Director of Cisco Talos Threat Intelligence and Response: There’s two things that I found interesting about Colonial Pipeline…
One is the real-world impact of the attack, i.e what happened to gas supplies on the East Coast of the United States. The attack inspired political pressure, and that subsequently led to an increase in response speed from the US government on ransomware activities.
On the flip side, the reaction from the bad actors was also interesting. It was very much an ‘Icarus’ situation. They knew that they had overstepped. And there was an immediate and profound response from that environment.
What do we know about the bad actor side of this attack?
MO: Immediately, there was chatter on underground forums and the dark web about the fact that this was a mistake.
In fact, various ransomware groups rolled out a formal policy. It said, “This group does not attack critical infrastructure or hospitals.”
We also saw various underground forums instigate certain new rules, which told people that they could not advertise ransomware services here. This was likely because they wanted to evade the attention of law enforcement, and the kind of attention that being associated with ransomware brings. This hasn’t gone away in the months since.
The bad actors have understood that this event changed the calculus, in terms of how countries treat ransomware actors.
You gave a quote in an article just after the attack – “It’s time to move beyond ransomware thoughts and prayers.” Why did you say that?
MO: Up until this point, a lot of government response up had been about information sharing; getting the message out. Then they would rely on traditional law enforcement methodologies to go after these groups.
Unfortunately, it’s been clear for a while that this wasn’t viable. The arrest record was incredibly poor, in contrast with the catastrophic impact that ransomware can cause.
The ransomware threat continues to be at a critical level for certain actors and, therefore, you need to treat those actors as National Security threats. That means you need to bring in the full scope of government response.
Additionally, with ransomware, we’ve always been concerned about the breadth that a supply chain attack could bring. In 2017, we saw what a ransomware-like event could look like when delivered through supply chain, with NotPetya. That attack caused over $10 billion in damages globally.
To be clear, that was a purely destructive state-sponsored attack, not ransomware, but it was intended to look like ransomware.
Supply chain is the hardest problem in security right now. I can’t think of anything else that is that is as flummoxing.
Watch the full video with Matt on Colonial Pipeline, ransomware, and supply chain attacks:
Security Debt: An Increasing Target of Opportunity
What is security debt and why is it becoming increasingly critical?
Dave Lewis, Advisory CISO, Cisco Secure: Security debt is when organizations use systems that have depreciated or aren’t being properly maintained. As a result, this introduces all sorts of targets of opportunity for an attacker.
I characterize it as technological debt, that has manifested as a security issue.
From an attacker point of view, how could they exploit security debt within an organization?
DL: The attacker can look at it from many ways. They might use Shodan or scanning or do something as simple as open-source intelligence, like going through LinkedIn and seeing what people put in their resumes i.e they work on a particular product.
They can then distil down the products that were possibly used in that environment, and then compare against vulnerabilities that are either published or they can find on the dark web. They can then build up a profile of that organization, and target it based on what intelligence they’ve gathered.
What is your advice to organization’s listening who might have security debt and want that debt to be addressed?
- DL: Find out what are the assets within your environment, who are the users in your environment, and what are the applications and the hardware? Make these inventories available so you know what it is that you’re trying to protect.
- Have a risk register to be able to track issues as they are identified. You can also use this for auditors. Your risk register can tell them that you’ve identified issues, and the roadmap you have in place for those issues.
- The biggest piece of the puzzle — define repeatable processes. I’ve worked in organizations in the past where when something went wrong, everybody would run around with their hair on fire, trying to figure out who had to do. Make sure that you have a process in place which can identify the people within your call chain you have to call when something goes wrong, and who has which tasks to take care of. Importantly, don’t tag it to an individual by name. Tag it to a role, and that will help solve the problem of when people come and go throughout the organization.
Watch the full video on Security Debt:
Read more about how to manage Security Debt in Duo’s latest Trusted Access report.
The most critical vulnerabilities (you might not be thinking about…)
Jerry, what can you tell us about the world of vulnerabilities?
Jerry Gamblin, Director of Security Research, Kenna Security (now part of Cisco): Last year, we saw over 20,000 CVEs (Common Vulnerabilities and Exposures) for the first time ever. That’s 55 CVEs a day.
I don’t know many security teams that are staffed to the level of being able to look at 55 CVEs a day and can understand which ones important and which ones are not.
We run a model every night, and it looks like there’s going to be over 23,000 CVEs this year. So, we know that this is a problem that is growing bigger.
The truth is that while we talk a lot about vulnerabilities that are popular (everybody knows about Log4j and the Microsoft Exchange vulnerability that came out early 2021), we’re seeing more vulnerabilities come through on Chrome and Edge in huge waves.
PrintNightmare was one of the most impactful vulnerabilities of 2021. It was so widespread that in the end, Microsoft set an instruction to go back to needing an admin to install printers. It really changed the dynamic of how security teams work in this arena.
What occupied your team’s time during 2021? Can you highlight some of the top vulnerabilities?
JG: We spent a lot of time on the Chrome V8 engine. Microsoft also made a substantial change this year when they moved from Internet Explorer. Now it’s based off Chromium, so we’re making sure our customers understand the switch from an open-source browser from a closed source browser.
We’re also seeing a lot of virtualization vulnerabilities becoming increasingly common. We saw a lot of VMware vulnerabilities this year that we have hadn’t seen in the past.
And we’re starting to see the emergence of what we internally call “Pile-on CVEs.” (We don’t have a good term for it yet…).
For example, a base CVE might come out, and then over the next couple of weeks, you might say, “I looked at the code because it was interesting. And I found this CVE, and this CVE, and this CVE…”
What do these findings and activities that happened in 2021 tell you about what defenders might have to face this year? Are there any vulnerability trends that you can point to?
JG: We know that CVSS isn’t a great predictor of exploitability – and we’re not saying anything here that CVSS themselves don’t say themselves. When we launched our latest Priority to Prediction report, we made the news because we said Twitter is a better indicator of exploitability. What you have to look for generally isn’t in the CVSS score.
Organizations really need to move to a risk-based vulnerability management system, where you’re looking at potential remote code executions. Or if there is a released exploit code for it (that’s the biggest thing that you can do). And what can you do to make sure that the vulnerabilities on your network are being addressed properly?
To help you stay up to date, our blog, blog.Kennasecurity.com has the Prioritization to Predication report which discusses how you can reduce risk with vulnerability prioritization based on risk and real-world exploitation data. And I have a personal project that runs a notebook every day at CVE.ICU that does open-source data analysis on the CVE data set.
Watch the full video on the top vulnerabilities:
For more resources on how to deal with critical threats, head to cisco.com/go/critical-threats.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels