Bharat Mistry at Trend Micro explains how managing a cyber attack can be made a little easier if you put yourself in the shoes of the attacker.
Effective cyber defence requires organisations to think like attackers. That means mapping all exposed IT assets and assessing the risk of compromise.
But how can security teams achieve such a feat when their digital attack surface is growing and changing every single minute? They certainly cannot do so with disparate point solutions and ad hoc responses. The stakes are too high for failure.
It’s a challenge that affects organisations in all sectors, although some more than others. New Trend Micro research reveals that healthcare organisations only have an estimated 59% visibility into their total attack surface, versus an average of 62% across all verticals.
Whatever the industry-specific challenges, continuous risk management combined with protection, detection and response across all IT assets and threat vectors should be table stakes for today’s CISOs.
Trend Micro alone blocked over 94.2 billion threats for customers in 2021. Even that number is likely to represent just the tip of the iceberg.
This figure is illustrative of the growing professionalism and scale of the cyber crime underground. An economy worth trillions of dollars annually feeds off a fluid marketplace where threat actors trade tools, knowledge, data and malware with impunity. They increasingly rent out their specialised expertise as a service or sell it in pre-packaged deals – in a complex supply chain to rival anything the legitimate economy has to offer.
This alone would make our adversaries a formidable prospect. But their job has been made easier by several years of digital transformation, supercharged during the pandemic, which experts claim pushed many organisations over a “technology tipping point” forever. This has expanded the attack surface immeasurably.
Take software vulnerabilities. Trend Micro’s Zero Day Initiative (ZDI), the world’s largest vendor-agnostic bug bounty programme, released advisories for over 1,600 bugs in 2021, 10% higher than in the previous year. It’s well on the way to achieving the same number in the first half of 2022 alone.
These vulnerabilities can be found across cloud containers, IoT systems, home workers’ laptops and in open-source code. They illustrate perfectly the challenge organisations face as they try to manage their evolving attack surface.
The digital supply chain is particularly at risk. Use of open-source code is reaching new heights as DevOps teams race to gain competitive advantage for their organisation by speeding products to market. It’s claimed they downloaded over two trillion of these packages last year. Yet that same code is often riddled with flaws.
Recent research revealed the average application development project contains 49 vulnerabilities spanning 80 direct dependencies, and many hard-to-find indirect ones. It’s claimed that threat actors are even injecting new vulnerabilities into open-source code packages and then exploiting them downstream. Such attacks are said to have grown by 650% from 2020 to 2021.
The pandemic also gave rise to cloud investments on a massive scale, and the birth of the new hybrid workplace. The two will combine to further expand the attack surface whilst making it more opaque.
Keeping track of every home worker’s laptop and ensuring patches are up to date and endpoint protection is applied is a continuous challenge. Yet much harder to mitigate is the threat of remote workers making more risky decisions at home than in the office.
It’s perhaps no surprise therefore that nearly three-quarters (73%) of the global IT and business leaders we polled are concerned about the size of their digital attack surface. A third (31%) say they’re “very concerned”. And around half in the financial services (49%) and telecoms (2%) sectors warn that their attack surface is “spiralling out of control.”
A big part of the challenge is visibility. Only half (51%) of organisations claim to have completely defined their attack surface, and more (62%) admit visibility gaps, rising to 65% in financial services and 68% among telcos.
The challenge is particularly acute in the cloud, where the dynamic and ephemeral nature of containers and other assets ensures environments are in constant flux. Threat actors are already taking advantage, in crypto-mining and other attacks.
Without comprehensive visibility into the attack surface, organisations can’t hope to gain control of cyber risk. Yet nearly a third (30%) complain that they have too many tools, and a fifth (21%) that data silos are preventing them from managing the problem effectively.
The two are related. Point solutions bought or acquired over the years add complexity, cost and extra work for IT teams. They’re often not properly integrated, leaving visibility and coverage gaps for threat actors to exploit.
This is where platform-based approaches make sense—by unifying attack surface management with threat prevention, detection and response technologies. By taking advantage of a more centralised and consolidated offering, security teams can work more productively to understand and mitigate risk across the distributed IT environment. And there will be fewer blind spots for the bad guys to hide in.
The digital world is only going to grow in complexity over the coming decade. That’s why IT security must simplify.
Bharat Mistry is Technical Director at Trend Micro