http://www.digitaljournal.com/tech-and-science/technology/q-a-domaintools-2019-cybersecurity-report-card-survey/article/563789

Q&A: DomainTools — 2019 cybersecurity report card survey Special

Posted Dec 18, 2019 by Tim Sandle
DomainTools have recently issued their third annual Cybersecurity Report Card survey in which security analysts, threat hunters and other cyber professionals self-grade the security posture of their organizations. We examine the findings.
The DomainTools report looks at the current state of cybersecurity and reflects on how well (or poorly) the industry has performed during 2019, and provides an indication of how 2020 may play out.
To gain an insight into the report, the process and metrics, Digital Journal spoke with Tarik Saleh, Senior Security Engineer & Malware Researcher, DomainTools.
Digital Journal: What is the current state of play with cyber-threats?
Tarik Saleh: Cyber attacks are a really interesting dichotomy today. We have successful, large-scale and very high impact attacks that are extremely unsophisticated. A good example of this is the infamous Equifax breach, which affected over 143 million people. According to public data, we know that Equifax used the credentials (username and password) of “admin” to protect one of the pieces of infrastructure compromised by the attackers.
The other side of the coin, in regards to the really sophisticated cyber attacks, is the introduction of more precise and detailed technologies being abused. One of these pieces of new technology is called “DeepFake”, which essentially allows someone to use AI to spoof someone’s voice or face in a form of media. This DeepFake technology was recently weaponized by a sophisticated scammer to attack the CEO of an unnamed UK-based energy firm. The CEO received a DeepFake voice message spoofing the CEO’s boss, instructing him to transfer approximately $243,000 USD to the attacker’s bank account.
The state of cyber threats and attacks is, really, all over the place. We as defenders really need to be aware of how to detect and respond to the latest and greatest types of threats, but also even the types of attacks that worked in the 1990s.
DJ: Where are these threats coming from?
Saleh: The threat landscape and the actors behind it are extremely large in scope. Some more elite threat groups are largely associated with nation states, such as North Korea, Russia, China or the United States. The security industry has given these advanced adversaries cryptonyms based on the region where they originate, such as “Fancy Bear” or “Anchor Panda”. These sophisticated groups often target critical services in the financial, medical and even infrastructure space. If your organization does not fall into this category, you still run the risk of being attacked by these groups as they often will compromise small/medium businesses, gain a foothold and conduct attacks from those networks.
In the same elite category, there are also private groups that generally have different motivations than nation state threat groups. These are organized cybercriminal groups, who often build technical teams to support their operations. These groups specialize in collecting PII (such as your credit card or social security numbers), phishing for valuable accounts (banking), generating medical spam scams or selling malware, such as ransomware, cryptominers or RATs (Remote Access Tools), on the black market.
And while we often talk about sophisticated threat actors, cyber crime has become a commodity. A significant share of cyber crime is conducted by non-sophisticated threat actors who lack the technical skills to design malware or exploits. These groups generally purchase malicious software from hacker black markets or use open-source flavors of these hacker tools. While they are generally lower on the technical spectrum, they can be, and still are, effective at compromising companies and individuals.
Lastly, we have to acknowledge hacktivist threat groups.
These types of individuals or groups are motivated by social and political change. Hacktivists’ goals are generally to disrupt their victims’ operations in order to drive awareness to their cause. As such, we see hacktivist groups focus heavily on DDoS (Distributed Denial of Service) attacks. These types of attacks focus on saturating the network and web application services of their victims, causing them to fall offline. Victims of hacktivist attacks are extremely diverse, just as the hacktivists themselves; however, their targets are often large corporations, governments or high-value individuals that have influential power.
To summarize, cyber threats are extremely broad and complicated but are still quantifiable.
DJ: What are the key trends from the DomainTools report?
Saleh: There are several trends that we observed this year, some of which are surprising.
One of the most surprising is the confidence organizations and teams have in their security posture, compared to previous years. In 2017, 15% of organizations ranked their overall cybersecurity program effectiveness with an “A” grade. For the past several years, we’ve seen security vendors’ heavy investment in responding to and innovating means to mitigate the latest types of attacks really pay off. As such, in 2019 almost 30% of organizations polled gave themselves a grade of “A” for their cybersecurity program. Stronger security detection capabilities from vendor solutions are not as cost-prohibitive as they were previously, so we are seeing them adopted in smaller environments more frequently now.
We’ve also noticed the rise of automation in the security space. Automation has gone from a “nice to have” to a hard requirement, a “need to have”. It’s often too costly or difficult to throw more humans at the problem to solve security, which is why automation is the biggest differentiating factor in how security teams can scale out handling intrusions or other security events as the organization grows.
Security solutions now need to understand how security operations teams’ and other security teams’ workflows operate, from end to end. This entails understanding what security events come into these teams, the frequency of them, where these events are stored and the entire analysis pipeline.
DJ: What are the top three most common threat vectors businesses are seeing?
Saleh: Phishing, malware and spam attacks have been the common types of attacks for several years now. However, a new attack vector has been on the rise lately: BEC (Business Email Compromise).
BEC attacks are conducted by cyber criminals with the goal of masquerading as executives of the company they are targeting, and are traditionally financially motivated. A typical BEC attack blends phishing, social engineering and occasionally malicious software together to dupe employees into believing an email message from the attacker impersonating an executive, and into transferring money or divulging private, confidential information to the attackers.
These types of attacks have a low technical barrier to entry for attackers. Infrastructure to conduct BEC attacks is often set up by leveraging the same tools and techniques used by phishers: register a domain, clone a website you want to impersonate, distribute the URL to your victims and lure them into disclosing their credentials. Legitimate and commonly used services (such as Google’s Gmail) are often used as part of the attacker’s kill chain for BEC attacks, which makes detection much more difficult for organizations, since these services are often whitelisted and trusted.
Spam, malware and phishing attacks have been going strong for years but organizations need to be aware of how to detect and respond to the new threat on the block, BEC attacks.
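The BEC infrastructure pattern Saleh describes (a registered lookalike domain, or a trusted freemail service carrying an executive's name) is something a mail gateway or SOC triage step can check mechanically. The following is an added example written for this page, not DomainTools' code or any product's detection logic. The protected brand domain examplecorp.com, the executive names, the freemail list and the sample messages are all constructed assumptions; the checks themselves (homoglyph folding, edit distance, TLD swap, embedded brand, executive display name on an external sender, mismatched Reply-To) are the standard ones and are shown here in general form.

```python
"""Lookalike-domain and executive-impersonation checks for inbound mail.

Added example, not DomainTools' code. The protected brand domain, the
executive names, the freemail list and the sample messages are all
constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECTED_DOMAINS = ("examplecorp.com",)          # assumption: the brand we defend
EXECUTIVES = {"jane doe", "john roe"}              # assumption: names a BEC actor would spoof
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Digit/letter swaps that look alike in common fonts; applied to both sides before comparing.
_DIGIT_MAP = str.maketrans("01357", "olest")


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks (rn->m, vv->w, 0->o, 1->l, ...) so that
    'exarnplecorp.com' and 'examp1ecorp.com' both collapse to 'examplecorp.com'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_DIGIT_MAP)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, keeping one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(sender_domain: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when sender_domain imitates a protected domain, else None."""
    sd = sender_domain.lower()
    if sd in PROTECTED_DOMAINS:
        return None
    sd_label = sd.split(".")[0]
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if normalize(sd) == normalize(brand):
            return brand, "homoglyph"
        if sd_label == brand_label:
            return brand, "tld-swap"          # examplecorp.co, examplecorp.net
        if levenshtein(sd_label, brand_label) <= 1:
            return brand, "edit-distance"     # examplecorps.com, exampleorp.com
        if brand_label in sd_label:
            return brand, "brand-embedded"    # examplecorp-secure.com
    return None


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str = ""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: Message) -> List[str]:
    """Flags a gateway or SOC triage step would attach to the message."""
    findings: List[str] = []
    sender_domain = _domain(msg.from_addr)
    hit = lookalike(sender_domain)
    if hit:
        findings.append(f"lookalike of {hit[0]} ({hit[1]})")
    if msg.display_name.strip().lower() in EXECUTIVES and sender_domain not in PROTECTED_DOMAINS:
        origin = "freemail" if sender_domain in FREEMAIL else "external"
        findings.append(f"executive display name on {origin} sender")
    if msg.reply_to and _domain(msg.reply_to) != sender_domain:
        findings.append("reply-to domain differs from sender domain")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = [
    Message("Jane Doe", "jane.doe@examplecorp.com"),                                   # legitimate
    Message("Jane Doe", "jane.doe.ceo@gmail.com"),                                      # exec name on freemail
    Message("Accounts Payable", "ap@exarnplecorp.com"),                                 # rn -> m homoglyph
    Message("John Roe", "john.roe@examplecorp.co", reply_to="finance-desk@outlook.com"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.from_addr, "->", triage(m) or "clean")
```

The freemail check is deliberately a flag rather than a block: an executive mailing from a personal account is plausible, which is exactly why Saleh notes these services are hard to act on when they are whitelisted. A Reply-To pointing at a different domain than the From address is the more reliable tell, since that is how the reply (and the wire instructions) get routed back to the attacker.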
DJ: How is automation assisting organizations in tackling cyber-threats?
Saleh: The only way to make sure your security teams are able to respond effectively in the security landscape is to ensure you have automation baked into your security platforms. Having your security operations team manually perform lookups on IOCs (Indicators of Compromise), or having to manually perform vulnerability scans against new infrastructure, are both good examples of the pain points caused by a lack of automation in security. A lack of automation causes major bottlenecks for the entire business, especially if the rollout of a new product is waiting for security to review it.
A new form of security automation has come to fruition recently, and it combines both the DevOps and security teams. This new form of security is called DevSecOps, and it has ensured that security is baked into the SDLC (Software Development Life Cycle) as opposed to ensuring security compliance is met after a product has been built or has already shipped. By ensuring that security checks such as vulnerability scanning or static code analyzers are run against newly deployed applications prior to going to a production environment, security is able to scale with the business and catch bugs before they go public.
In addition to DevSecOps, more companies and organizations are becoming more streamlined in their security operations space. New platforms that security teams are adding to their workflows are SOARs (Security Orchestration, Automation & Response). SOARs operate much like a traditional SIEM (Security Information & Event Management) platform, except they can follow the entire security incident response lifecycle. SIEMs traditionally only make you aware of a security event, whereas SOAR platforms enable organizations to follow response playbooks that a human analyst would generally follow.
An example of this would be an organization’s SOAR platform automatically network-isolating a laptop that has a known malware infection detected on it. Being able to automate the manual nature of security incident response is becoming a lifesaver to businesses, and our 2019 report reflects this. Organizations are recognizing the value of automation.
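The playbook Saleh sketches (an alert comes in, the IOC lookup the analyst would otherwise do by hand is automated, and a known-malware workstation is isolated) is small enough to show end to end. The following is an added example written for this page; it is not DomainTools' code and not any vendor's SOAR product. The alert format, the IOC feed, the asset inventory, the action names and the `Responder` stand-in for EDR and ticketing APIs are all constructed assumptions. Two details matter in practice and are built in: the isolation step is idempotent, so a second alert for the same host does not re-fire the action, and servers are never auto-isolated, only escalated, because the availability risk of cutting off a production database is a decision for a human.

```python
"""Minimal SOAR-style playbook: enrich a SIEM alert, then act according to a playbook.

Added example, not DomainTools' code nor any vendor's SOAR product. The alert
format, the IOC feed, the asset inventory and the action names are all
constructed assumptions for illustration.
"""
from __future__ import annotations

import json
from typing import Dict, List, Set

# Constructed threat-intel feed: indicator -> threat label.
IOC_FEED = {
    "sha256:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff": "Dropper.Generic",
    "evil-updates.example": "Dropper.Generic C2",
}
# Constructed asset inventory: hostname -> role. The role is the business context
# that decides whether an automated isolation is safe.
ASSETS = {"WS-0421": "workstation", "WS-0999": "workstation", "DB-PROD-01": "server"}

# Constructed SIEM alerts, one JSON object per line, as a webhook might deliver them.
SAMPLE_ALERTS = """\
{"id": 1, "host": "WS-0421", "type": "av_detection", "indicator": "sha256:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"}
{"id": 2, "host": "DB-PROD-01", "type": "dns_query", "indicator": "evil-updates.example"}
{"id": 3, "host": "WS-0999", "type": "dns_query", "indicator": "cdn.example.net"}
{"id": 4, "host": "WS-0421", "type": "dns_query", "indicator": "evil-updates.example"}
"""


class Responder:
    """Stand-in for the EDR and ticketing APIs a real SOAR would call; records what it did."""

    def __init__(self) -> None:
        self.isolated: Set[str] = set()
        self.log: List[str] = []

    def isolate_host(self, host: str) -> None:
        if host in self.isolated:                 # idempotent: a second alert must not re-fire
            self.log.append(f"skip isolate {host} (already isolated)")
            return
        self.isolated.add(host)
        self.log.append(f"isolate {host}")

    def open_ticket(self, host: str, threat: str, severity: str) -> None:
        self.log.append(f"ticket {severity} {host} {threat}")

    def page_oncall(self, host: str, threat: str) -> None:
        self.log.append(f"page oncall {host} {threat}")


def enrich(alert: dict) -> dict:
    """The lookups an analyst would otherwise do by hand: IOC match and asset role."""
    return {**alert,
            "threat": IOC_FEED.get(alert["indicator"]),
            "role": ASSETS.get(alert["host"], "unknown")}


def run_playbook(alert: dict, responder: Responder) -> List[str]:
    """Return the action names taken for one alert."""
    a = enrich(alert)
    if a["threat"] is None:
        return ["enrich_only"]                    # no IOC match: leave it for human review
    if a["role"] == "workstation":
        responder.isolate_host(a["host"])
        responder.open_ticket(a["host"], a["threat"], "high")
        return ["isolate_host", "open_ticket"]
    # Servers and unknown assets: never auto-isolate (availability risk); escalate instead.
    responder.open_ticket(a["host"], a["threat"], "critical")
    responder.page_oncall(a["host"], a["threat"])
    return ["open_ticket", "page_oncall"]


def process(alert_lines: str, responder: Responder) -> Dict[int, List[str]]:
    results: Dict[int, List[str]] = {}
    for line in alert_lines.splitlines():
        if line.strip():
            alert = json.loads(line)
            results[alert["id"]] = run_playbook(alert, responder)
    return results


if __name__ == "__main__":
    r = Responder()
    for alert_id, actions in process(SAMPLE_ALERTS, r).items():
        print(alert_id, actions)
    print("\n".join(r.log))
```

Running it on the four constructed alerts isolates WS-0421 once (alert 4 hits the already-isolated host and is skipped), escalates the DB-PROD-01 C2 lookup to on-call without touching the server, and leaves the unmatched CDN lookup enriched but unactioned.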
DJ: How important is it for a major firm to have full in-house SOC support?
Saleh: While outsourcing your security operations center can be the best economic choice for organizations, it also brings its own hurdles. One of the biggest negatives of outsourced SOCs is that the analysts often lack the business context behind SIEM alerts. Context is one of the most important components of a successful security team that is doing analysis work. I’d argue that you cannot effectively perform sophisticated security work (such as threat hunting operations) without intimately understanding the context of your business and the network behind it.
One important additional component tied to context is one of the core tenets of security detection teams: alarm building. Without the appropriate context of how business events appear in your SIEM, you lose the ability to develop sophisticated alarming to alert you when a security incident has occurred.
While the costs of building a security operations team might seem daunting initially, the real benefits are around the risk reduction to the business.
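Saleh's point about context and alarm building can be made concrete by running one detection rule twice over the same events, once with and once without the knowledge an in-house team has. The following is an added example written for this page, not DomainTools' code or any SIEM's rule language. The key=value log format, the hostnames, the approved jump host and the change window are constructed assumptions. The rule is "interactive logon to a production host outside business hours"; the context that suppresses the expected cases is an approved admin jump host and a scheduled change window for a named user on a named host.

```python
"""Context-aware alarm building: the same detection rule with and without business context.

Added example, not DomainTools' code. The log format, the hosts, the jump-host
list and the change window are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional

# Constructed logon events in a key=value format (not any real product's schema).
SAMPLE_LOG = """\
2019-12-10T02:14:05Z host=DB-PROD-01 event=logon user=svc_backup src=10.0.5.20 type=service
2019-12-10T09:05:11Z host=DB-PROD-01 event=logon user=admin.jdoe src=10.0.9.2 type=interactive
2019-12-10T21:40:33Z host=DB-PROD-01 event=logon user=admin.jdoe src=10.0.44.17 type=interactive
2019-12-10T22:05:00Z host=WEB-PROD-03 event=logon user=admin.kroe src=10.0.44.18 type=interactive
2019-12-10T22:10:00Z host=WEB-PROD-03 event=logoff user=admin.kroe src=10.0.44.18 type=interactive
2019-12-10T23:30:00Z host=APP-PROD-02 event=logon user=admin.jdoe src=10.0.9.2 type=interactive
"""


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Business context an outsourced SOC typically does not have (constructed).
JUMP_HOSTS = {"10.0.9.2"}                                   # approved admin path
CHANGE_WINDOWS = [                                          # (host, user, start, end)
    ("DB-PROD-01", "admin.jdoe", parse_ts("2019-12-10T21:00:00Z"), parse_ts("2019-12-10T23:00:00Z")),
]
BUSINESS_HOURS = range(8, 18)                               # UTC hours


@dataclass
class LogonEvent:
    ts: datetime
    host: str
    user: str
    src: str
    kind: str


def parse(line: str) -> Optional[LogonEvent]:
    """Parse one line; returns None for anything that is not a logon."""
    ts, _, rest = line.strip().partition(" ")
    kv = dict(p.split("=", 1) for p in rest.split())
    if kv.get("event") != "logon":
        return None
    return LogonEvent(parse_ts(ts), kv["host"], kv["user"], kv["src"], kv["type"])


def is_prod(host: str) -> bool:
    return "-PROD-" in host


def naive_rule(ev: LogonEvent) -> Optional[str]:
    """Off-hours interactive logon to a production host. Fires on every admin
    working late, whether or not that work was expected."""
    if ev.kind == "interactive" and is_prod(ev.host) and ev.ts.hour not in BUSINESS_HOURS:
        return f"off-hours interactive logon {ev.user}@{ev.host} from {ev.src}"
    return None


def contextual_rule(ev: LogonEvent) -> Optional[str]:
    """Same rule, then suppressed by the jump-host and change-window context."""
    reason = naive_rule(ev)
    if reason is None or ev.src in JUMP_HOSTS:
        return None
    for host, user, start, end in CHANGE_WINDOWS:
        if host == ev.host and user == ev.user and start <= ev.ts < end:
            return None
    return reason


def run(log: str, rule: Callable[[LogonEvent], Optional[str]]) -> List[str]:
    alerts: List[str] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev is not None:
            reason = rule(ev)
            if reason:
                alerts.append(reason)
    return alerts


if __name__ == "__main__":
    print("without context:", run(SAMPLE_LOG, naive_rule))
    print("with context:   ", run(SAMPLE_LOG, contextual_rule))
```

On the constructed log the naive rule raises three alarms; with context, the logon covered by the change window and the one arriving via the jump host are suppressed, leaving the single unexplained late logon to WEB-PROD-03, which is the one worth an analyst's time. Note that the suppressions are scoped (a specific user, host and time range, a specific source address) rather than blanket exclusions, so an attacker reusing the admin's account from an unapproved host still fires the alarm.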