As more and more businesses have moved from traditional IT environments to modern cloud infrastructure, cyber security threats have evolved. In turn, as threats become more sophisticated, so too have the security controls to prevent them.
So how have cyber threats evolved over the years? Are traditional security controls still effective in defending against modern attacks?
In this article, we will discuss:
- Traditional IT Environments
- Modern IT Infrastructure
- How cyber threats have evolved
- Is traditional cyber security still effective?
Traditional IT environments
Traditional IT environments consist of several servers and network appliances usually hosted in a private data centre or on a company’s own premises. This infrastructure hosts all the business-critical systems such as databases, email servers, file servers, domain controllers, application servers, etc. This heavily relies on an in-house IT team to spend their time performing maintenance and support tasks.
The advantage of traditional IT infrastructure is that organisations have full control of their IT environment, including deciding the security controls to put in place (often a traditional infrastructure is necessary for certain compliance standards), and data is always accessible meaning if the Internet were to go down, they could still access their data on-site.
However, the disadvantage of traditional infrastructure is that it is neither flexible nor scalable. If there was a sudden influx of traffic to a company’s web application, it would lead to the application becoming unresponsive due to a lack of compute resource. To remediate this issue the IT team would have to order more CPU/RAM and wait for it to be delivered before upgrading the system.
In most traditional IT infrastructures, the security controls consist of physical security, an edge L3/L4 firewall, endpoint signature-based antivirus, VLAN segmentation, and a sub-par patch management program. Assets are often deployed in a set-and-forget fashion, sometimes going years without being patched. More mature environments will have automated patching via tools such as Windows System Update Services (WSUS) or SolarWinds Patch Manager, which will push Windows and third-party software updates. However, they will not update appliance firmware, network appliance OS’, or hypervisors.
There is also usually a lack of vulnerability scanning integrated into traditional patch management programs. That means vulnerabilities that require a configuration change, as opposed to a patch being applied, will not be identified or remediated.
Modern IT infrastructure
Many organisations were pushed to re-invent their IT infrastructure when the COVID-19 pandemic forced almost all organisations to implement a work-from-home (WFH) policy. To enable the WFH culture many organisations began operationalising their services using public cloud services such as Zoom, Office 365, Azure, Amazon Web Service (AWS), and Google Cloud Platform (GCP).
Cloud computing was the go-to solution due to its low upfront cost, on-demand services, elasticity, and simplicity. Furthermore, an added side effect of everyone staying home was a surge in online activity, which led to businesses needing to scale their operations quickly to meet the increased traffic. Thus, further accelerating the adoption of modern IT environments which require data to be accessible from anywhere at any time, extremely scalable, elastic, and agile.
A modern infrastructure is inherently riskier than a traditional on-prem infrastructure primarily due to the fact data is accessible from anywhere at any time, in turn enabling adversaries to launch attacks from anywhere at any time. A defence-in-depth approach should be implemented to mitigate the additional cyber risk by moving to a modern IT infrastructure.
Defence-in-depth is a cyber security strategy in which multiple layers of security are implemented and if one layer is compromised then the attack might be contained in the next layer. It is comparable to a castle under attack, it is built with turrets in each corner whereby archers can launch long-range attacks, it has a large moat surrounding the high walls which are filled with water, a draw bridge, and high walls. If an approaching army manages to navigate through the archer’s wave of arrows, then they must wade through the moat without drowning, next they must climb the castle walls or break the gate open where they are met with the opposition’s soldiers.
A defence-in-depth program involves many controls, some of these controls are Identity and Access Management (IAM), security awareness training, disaster recovery/continuity/incident response policies, Data Leak Prevention software (DLP), supply chain risk management, Next Generation Firewall (NGFW), Endpoint Detection and Response (EDR), Web Application Firewall (WAF), Security Information and Event Management (SIEM), Intrusion Prevention System (IPS)/Intrusion Detection Systems (IDS), application security, and a mature vulnerability management program.
Often implementing a defence-in-depth strategy is too time-consuming and costly for a small-medium sized organisations to monitor, and maintain effectively. Consequently, it is more cost-effective for small-medium sized organisations to outsource many of their activities to MSSPs whereby they benefit from economies of scale and receive expert services at a reduced cost.
How cyber security threats have evolved
The cyber security threat landscape is constantly evolving and becoming more sophisticated, ‘When one object exerts a force on a second object, the second one exerts a force on the first that is equal in magnitude and opposite in direction’ – Steve Katz. In cyber security this means as defences get more sophisticated, adversary attacks get equally more sophisticated, and vice versa.
Long gone are the days when benign malware was written to display a pop-up message such as ‘I’M THE CREEPER, CATCH ME IF YOU CAN!’ like that of Bob Thomas’ creeper (malware) written in the 1970s.
The motivation of threat actors of the past was very different to those of today. In the past ‘hackers’ were often motivated by their inquisitiveness to break things apart to see how they worked, unlike today’s threat actors which are primarily motivated by financial gain.
Adversary sophistication & funding
Today’s cybercrime gangs operate like heavily funded professional organisations with vastly more resources than attackers of yesteryears. They have become very wealthy in recent years due to the Business Email Compromise (BEC) / Email Account Compromise (EAC) scams, ransomware, double/triple ransomware extortion, and denial of service extortion. The FBI’s Internet Crime Complaint Centre (IC3) Internet Crime Report 2021 outlined they received 19,954 complaints relating to BEC/EAC with adjusted losses relating to those incidents totalling, confirming just how lucrativeness of these scams. Additionally, in the past five years, the value of bitcoin has drastically increased, therefore, multiplying all their existing funds. The increased wealth enables the gangs to fund their own R&D as well as outbid nation-states for access to zero-days on the black market.
Trending threats & risks in today’s landscape
As a result of the growing sophistication and resourcefulness of modern cyber gangs, the risk landscape has become an insurmountable problem for security teams around the world. Below is a handful of the common security threats and risks organisations face today:
Cyber-Crime-as-a-Service
A lucrative service for cyber gangs is to make cybercrime accessible to less skilled cyber criminals through malware-as-a-service (MaaS), ransomware-as-a-service (RaaS), phishing-as-a-service (PhaaS), and initial access brokers. MaaS, RaaS, and PhaaS are business models used by malicious actors whereby they rent out their malicious code and the control infrastructure.
An initial access broker will sell pre-established access to systems or stolen credentials, enabling other attackers to facilitate their operations without having to gain initial access. This makes the attacks much more accessible to less skilled or wannabe hackers. The segmentation of services among cybercrime gangs enables them to operate as businesses, selling services to one another, in turn making them much more efficient.
LOTL/Fileless Malware
The increasing sophistication and accessibility of adversary tactics and techniques make it increasingly difficult to identify an ongoing attack, i.e., when an attacker utilises living off the land (LOTL) and/or fileless techniques it renders traditional signature-based anti-virus useless. LOTL attacks utilise commonly used system utilities and tools to further cement their foothold.
By using system tools the threat actors often go undetected due to the fact the tools are utilised by sysadmins regularly, e.g., PowerShell, PsExec, or Windows Management Interface (WMI). Fileless malware is malicious code that is not written to disk, instead, it runs in volatile memory evading endpoint protection due to the absence of files to scan. The rise of LOTL techniques is made clear in RedCanary’s 2022 threat detection report where they outlined the top MITRE ATT&CK techniques they saw in 2021 were ‘T1059.001:PowerShell’ and ‘T1059.003:Windows Command Shell’.
Remote Procedure Call Exploits
A Microsoft remote procedure call (MSRPC) is a client-server protocol often referred to as a subroutine call. The goal of an MSRPC is to enable one program to call a service from another program on a different computer without having any knowledge of the computer network. Adversaries can abuse MSRPC calls to perform an array of malicious tasks, such as privilege escalation, credential dumping, lateral movement, and enumeration. Last year, the PetitPotam and PrintNightmare vulnerabilities were published both of which enable an adversary to elevate their privileges by exploiting an MSRPC call.
Phishing
Regardless of the advancements in cyber security, one of the main techniques adversaries use for initial access is still phishing. Phishing is a social-engineering technique whereby an adversary attempts to trick a victim into performing an unsolicited action, entering their O365 credentials into a fake login portal, paying a fake invoice, or opening an office document with a malicious macro.
The emails attempt to make the victim feel like they need to act urgently, e.g., the email body might suggest that the victim has not paid an invoice and if the payment is not received in x amount of time the service will be stopped. There are many common types of phishing, however email phishing remains the most prevalent.
Supply Chain Compromise
Supply chain compromise is when an adversary compromises software, hardware, manufacturer, or service provider. Targeting industries based on the resources they utilise is an efficient way for an adversary to exploit many victims with a single exploit.
Some infamous supply chain attacks from 2021 were SolarWinds, Kaseya, and Log4j. The SolarWinds and Kaseya supply chain attacks involved the adversaries compromising the software vendors’ update servers to push malware out to the victims, for example, the Kaseya attack led to over 1,000 organisations being infected with ransomware.
The log4j is an open-source Java logging library that is used in many products to provide intelligent logging functionality. The supply chain incident involved the publication of a zero-day vulnerability in the library that enabled an adversary to perform an unauthenticated remote code execution (RCE) attack. Many of the products that use Log4j were/are public facing such as web servers, making them a prime target for adversaries.
Ransomware
Ransomware is form of malware that encrypts the data on a vulnerable system. Once encrypted the user will not be able to access their system or data until they have paid the malware distributor a ransom fee. In 2017 the NHS was taken offline by a ransomware attack known as Wannacry.
Nowadays, adversaries tend to perform double and triple extortion ransomware attacks. Double extortion involves the adversary exfiltrating the victim’s data as well as encrypting it.
Once encrypted the adversary demands ransom for the decryption key as well as for the assurance they will not publish the organisation’s confidential information on the dark web. Triple extortion ransomware follows the same techniques as double extortion but the adversaries will not only attempt to hold the organisation to ransom, they will also attempt to hold anyone that is impacted by the breach to ransom too.
Cyber gangs are constantly evolving their ransomware attacks with the aim of maximising profits; lately, an adversary group known as Fancy Lazarus has been performing distributed denial of attack (DDoS) in addition to the ransomware attack until the victim pays.
Vulnerabilities
A vulnerability is a bug in code. Therefore, so long as the software is being written and compiled by humans, it will be written with vulnerabilities. CISA publishes a list of known exploited vulnerabilities, all of which are actively being exploited in the wild, hence they should be patched as soon as possible. In the last year, some high-profile vulnerabilities were ProxyLogon, ProxyShell, PrintNightmare, and Log4j, all these vulnerabilities have been and still are being used by adversaries to either gain initial access or to deploy ransomware.
More and more vulnerabilities are being disclosed each year, for example in 2021 there were 20,171 vulnerabilities disclosed and as of October 2022, the number of vulnerabilities disclosed has surpassed 2021 with a whopping 20,517 vulnerabilities. As a result of the frequency of vulnerabilities being published, it is critical that an organisation has a vulnerability management program capable of identifying, tracking, and remediating vulnerabilities in their infrastructure.
Nevertheless, a vulnerability management program will not help defend an organisation against threat actors using undisclosed zero-day vulnerabilities; this requires a team of trained security personnel to actively look for suspicious activity in the network using EDR and SIEM platforms – trademarked as threat hunting.
Is traditional cyber security still effective?
Yes, kind of. Traditional security controls are effective at preventing traditional attack vectors, such as an attacker identifying that RDP is open to the internet, gaining access through leaked credentials, and performing a domain takeover. In this instance, the IT team should block inbound RDP access on the edge firewall, which would block any attempt to connect to the RDP service from the Internet.
Alternatively, a user might download a known virus from the Internet which will trigger the anti-virus to quarantine it, providing it has up-to-date signatures. However, if a user received an email with an attachment containing a macro that executes fileless malware or exploits a zero-day it would render traditional security controls ineffective.
Considering the tactics and techniques used by adversaries are continually evolving, the frequency at which vulnerabilities are being disclosed is increasing, and the speed with which adversaries are weaponising the published vulnerabilities, it is fair to say traditional security controls are no longer sufficient on their own to secure an organisation’s IT environment.
As a minimum, all organisations should adopt an EDR solution and a comprehensive vulnerability management program in addition to their traditional security controls. Yet, this leaves the organisation with a lot of residual cyber risk and if finances permit, they should implement a comprehensive defence-in-depth strategy. Implementing a defence-in-depth strategy often entails financing a dedicated security team which can be very expensive, therefore, it is often more cost-effective for small-medium sized organisations to outsource many of the security operation tasks to an MSSP.
Aspire can help
With the threat landscape always changing, an effective cyber security strategy utilising the best and latest threat prevention technologies is vital to protect your organisation and clients.
At Aspire we help organisations stay ahead of emerging security threats. Our RealProtect Managed Cyber Security Services provide 24/7/365 managed detection and response, via our UK-based Cyber Security Operations Centre.
Have any questions about any of our products? Contact us directly and one of our specialists will help.
Dean Wright
