The past year has seen the number and severity of incursions increase while budgets have been slashed due to a weakened economy. A new study from VMware finds that since Russia’s invasion of Ukraine, there has been an uptick in cybersecurity attacks. The 125 cybersecurity and incident response professionals VMware surveyed report the attacks have included double extortions, data auctions and blackmail, as well as attacks on APIs.
In equally troubling news, separate research from Palo Alto Networks’ Unit 42 team revealed that in 2021 the average ransomware demand increased 144%, to $2.2 million, as scores of new gangs sprung up to exploit pandemic uncertainty.
As we look toward 2023, organizations are asking themselves what they can do to maintain a security posture that is robust but also cost-effective. As I have done in past years, the following is my guide to key developing trends everyone at all levels can leverage—not just CISOs and cybersecurity specialists.
The world has changed. The days of concealing vulnerabilities are over.
GitHub recently announced vulnerability reporting, as one of the highlights of GitHub Universe, its global developer conference focusing on cloud, security, community, and AI. For those unfamiliar with the term, “vulnerability reporting” is the practice of revealing flaws in computer software or hardware. Disclosure can come from security researchers, IT security teams, in-house developers, third-party developers and other stakeholders with direct knowledge of the systems at risk.
While there is nothing new about looking for vulnerabilities, GitHub’s announcement shows that transparency is the best policy. By allowing the community to report bugs privately, organizations should seize the opportunity to rectify the situation before making a patch publicly available.
As I see it, a bug contains critical information that is better disseminated than hidden. Disclosure can mean a short-term loss, but it is an investment in long-term trust, as the threat landscape has grown more varied and complex.
Never mind the old-school crews. Welcome to the age of the well-organized, well-funded hacker.
Hackers working with economists to determine the return on investment (ROI) of an incursion. Hackers outsource testing for speed and effectiveness. This may sound like plot-points of the latest blockbuster film that makes cybersecurity professionals chuckle, but it is absolutely what’s happening.
The SolarWinds hack, which took place over a period of 9 months in 2019-2020, is perhaps the best example of this new generation of bad actors.
Among its revelations:
- Hackers were able to access thousands of enterprises and agencies worldwide by gaining access to SolarWinds’ Orion IT monitoring and management software,
- The decision to hack this software wasn’t random. The hackers conducted thorough threat analysis.
- The hackers aren’t just well-organized; they are also state-funded and state-sponsored – in large measure by Russia and other rogue nations. According to the FBI Crime Report, hackers are protected with bribes or doing pro bono work for the government,
- Hackers have moved on to supply-chain and other systemic targets—a change that depends on dispersed and diversified teams.
To address this more complex threat, we need to shift as far left in the cycle and the kill chain as possible to prevent the opportunities before they are exploited. Detect and respond solutions will never get ahead of the adversary; only with prevention do we have a chance.
Wargaming is becoming a popular way to test the security and agility of an organization.
Threats are no longer distant, abstract events, or five-alarm fires raging out of control. Smart organizations have turned to wargaming to evaluate their incident response preparedness. Experiences run the gamut from customized simulations and “tabletop” exercises that simulate a real attack.
Deloitte is among the leading exponents of cyber wargaming. Its clients include Booz Allen, on behalf of a Fortune 500 manufacturer who wanted to test their supply chain against IT and OT (operational technology) threats.
Wargaming is no substitute for experience. But its growing popularity shows that security has become an active, vital function across the entire organization. It is no longer a specialized function.
Everyone should do security these days. It’s not just about the CISO.
Today’s top technology companies have empowered most operators to do security. Google, Amazon, Apple, Meta. They have all built security into the DNA for the organization, with security as a daily function rather than a specialist activity.
As we prepare for the coming year, organizations need to think how they can change their own culture, or, better yet, strive for culture confluence where all cultures in a company come together synergistically around cybersecurity. The key to moving forward is strong top-down buy-in so a bottom-up security posture is given room to develop.
Chetan Conikee is Co-Founder & CTO of ShiftLeft, a disruptor and innovator in the world of DevSecOps and NextGen SAST and SCA.