Non-Traditional Attack Vectors: Three Questions Every CISO Needs To Ask
Published on November 5, 2019 by Gabriel Torok
Malicious actors — like any thieves — live by a simple rule: If the front door is locked, break the window.
It’s why threats like fileless malware and crypto-jacking have seen substantial gains over last few years. It’s why — despite increasing employee education and IT training — hackers are still hooking phish by developing more sophisticated and authentic-looking email spoofs. Cybercriminal communities, meanwhile, continue to grow on the dark web, allowing attackers to share info, purchase exploit kits and identify potential targets.
What does this mean for CISOs? That typical defense efforts are being outpaced as familiar attack vectors are replaced with non-traditional threats. But it’s not all bad news; here are three questions every CISO needs to ask to help close the doors, bolt the windows and leave hackers out in the cold.
Zero Sum Game
Consider zero-day attacks. One of the most worrisome vectors for CISOs, zero-day attacks exploit security vulnerabilities that go undetected during the development and testing process, and are not known to the developers prior to the attack. In the wild, applications and services with zero-day flaws can be exploited by hackers to gain system access, steal data or install backdoors.
As noted by Tech Radar, these vulnerabilities continue to plague organizations — multiple zero-day flaws were recently found in new Android VoIP software, allowing malicious actors to deny voice calls, spoof caller IDs and remotely execute code. The sheer volume and variety of zero-day attacks, however, has prompted significant response from the infosec community. These threats are now on corporate radar and once detected, developers are often able to deploy fixes in hours or days, rather than weeks or months.
What’s more, CISOs and cybersecurity teams are taking the fight to attackers, committing resources to detection and disposal methods capable of handling new threats in real-time. These efforts are bearing fruit; evolving AI and deep learning technologies offer the promise of automated zero-day defense.
But hackers aren’t looking for a stand-off. Most have no interest in proving their mettle head-to-head; instead, they’re finding even more ways to compromise critical assets by leveraging apps and services that naturally exist outside organizational controls.
Ready to put the “brakes” on new network break-ins? Here’s what you need to know.
How Secure Are Your Trusted Partners?
Security environments aren’t monolithic in a cloud- and mobile-first world; no matter how well-defended internal assets may be, every company leverages third-party software and services to fill niche roles and deliver specialized functions.
Hackers recognize this critical dependency and are working to actively exploit it — consider the classic Target breach of 2014 that saw the retail giant compromised thanks to lacking security at a trusted HVAC vendor. Third-party attacks remain a top threat for organizations; as noted by CSO Online, 56 percent of organizations surveyed in 2018 suffered a partner-related breach. For attackers, this vendor vector makes sense: Why struggle with enhanced security at ground zero of your network infrastructure when they can skirt existing controls by compromising applications you already trust?
Here, a two-fold security solution is required. First, companies must lay out clear guidelines for providers around application security and access — and then regularly conduct assessments to ensure actions follow agreements. This helps eliminate potential vulnerabilities and lower the overall risk of network compromise.
What’s the Risk of Factory Firmware?
As noted by Dark Reading, firmware attacks are becoming more common as threat actors recognize the disconnect between commercial IoT devices and CISO oversight. While networks and applications may be secure, factory-installed firmware offers a way to compromise device functions or render them inoperable.
Firmware-focused providers are developing ways to automate the vulnerability detection and remediation process, while tools such as runtime application self-protection (RASP) help frustrate attacker efforts if they make it past initial firmware compromise. Next-gen RASP can identify unexpected app requests or resource calls stemming from firmware failures and deploy countermeasures — such as generating intelligence reports and terminating app sessions — immediately.
Where are Your Apps Most Vulnerable?
Hackers recognize the ubiquity —and potential vulnerability — of apps. Apps running in zero trust environments are easy to reverse engineer and hack. Therefore, rather than attack well-protected servers and databases directly, malicious actors target the critical lines of communication: Apps.
This is especially problematic when applications run in untrusted environments, such as public cloud servers or mobile device networks. An attacker can easily download your company’s app from a mobile marketplace and then analyze it for potential vulnerabilities. If successful, malicious actors can then backtrack along secure server connections and exploit other weaknesses to make trouble.
Reducing the risk of insecure app environments means implementing a combination of passive and active defenses. Obfuscationand encryption help defend apps from static analysis, while runtime application self-protection techniques leverage interlocking checks and responses. These detect potential indicators of compromise (IoCs), such as code tampering, debugging, and emulation.
From “Good” to “Great”
For CISOs, “good” cybersecurity means implementing patch management schedules and zero-day controls to ensure traditional vulnerabilities are covered. But in a world of evolving cyberthreats, good isn’t good enough — as attackers target trusted partners, compromise factory firmware and exploit untrusted environments, “great” is the expectation.
Making the move starts by recognizing your risk. Next, CISOs must prioritize non-traditional attack vectors with solutions capable of detecting compromise, deploying countermeasures and defending applications in real-time.
Good means taking stock. Great means looking ahead. Make non-traditional threats a top priority to steal a march on malicious actors.