If the first month-plus of 2024 is any indication, this year is likely to be anything but ordinary in the cybersecurity realm. In January alone, a triad of events unfolded, each more riveting than the last, setting the stage for a year that promises to be as unpredictable as it is exciting.
The following recent events have me reflecting on processes and controls that can help you better protect your organization’s most sensitive assets:
1. Nation-State Threat Actors Target High-Tech Companies
APT29, the threat group behind the 2020 SolarWinds supply-chain attack and linked to the Russian Foreign Intelligence Service (SVR), resurfaced in January when two tech giants, Microsoft and HPE, reported that the group had gained access to their systems and accessed, monitored and exfiltrated data from employee accounts, including those of executives.
Before these high-profile attacks, APT29, also known as Cozy Bear, was already believed to be responsible for the 2015-16 breaches of unclassified networks at institutions such as the White House, the U.S. Department of State and the Democratic National Committee (DNC). Reports indicate that the same group has also operated successfully against targets in Germany, South Korea and Ukraine.
A few days ago, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued advisories for multiple Common Vulnerabilities and Exposures (CVE) entries affecting products from a well-regarded cybersecurity vendor whose products are deployed across many government agencies. CISA has warned that China-linked actors, the Volt Typhoon group among them, are exploiting these vulnerabilities, and has described the resulting risk to national governments.
It is now clear that the espionage and reconnaissance activities of nation-state threat actors are not limited to critical infrastructure owned and operated by national government agencies. The growing reliance of government agencies on an ever-expanding technology ecosystem makes any supplier a potential victim. And the next victim could be you.
2. An Unmitigated CVSS 10.0 Vulnerability Invites Exploitation Attempts
On Jan. 16, 2024, Atlassian published an advisory for a critical vulnerability (CVE-2023-22527) in out-of-date versions of Confluence Data Center and Server that allows an unauthenticated remote attacker to achieve remote code execution (RCE) on an affected instance. Within days of the advisory, which carries a CVSS score of 10.0, the Shadowserver Foundation observed nearly 40,000 exploitation attempts against this CVE. I assume these attempts were observed against instances that had not heeded the warning to patch.
A CVSS score of 10.0 indicates critical severity and calls for an immediate AppSec remediation plan. Breaches often stem from known vulnerabilities left unmitigated, which underscores the importance of a mature change management process. An inability to patch or upgrade promptly despite an advisory often reflects complex or ill-defined change management. Interdependencies can also slow patching or upgrading, with potential downstream impact on other processes. For an internet-facing instance, the window between advisory and mass exploitation is now measured in days, so the plan should also cover restricting access to the system while the upgrade is being scheduled.
3. Ransomware Continues to be Evergreen
The CyberArk 2023 Identity Security Threat Landscape Report finds that 89% of 2,300 global respondents have faced at least one ransomware attack. Ransomware remains one of the biggest, if not the biggest, cybersecurity problems in the connected digital world, and the first month of 2024 was no different. Tigo, a large telecommunications company in Paraguay; Kenya Airways, one of Africa's largest airlines; AerCap, the Ireland-based aviation leasing company that is the world's largest; and several Swedish government agencies are just a few of the enterprises and government bodies that suffered ransomware attacks in January 2024.
With the advent and adoption of GenAI, I expect ransomware attacks to increase substantially and potentially impact organizations of all sizes – even yours.
Buckle Up This Year – We’re Likely In For a Ride
Brace yourself for what I expect to be a roller-coaster ride in 2024, for several reasons. This year, more than 49% of the world's population is expected to take part in national elections in more than 64 countries. On top of the regular threat landscape, we will therefore see nation-state actors increasingly targeting rival government agencies, the tech providers supporting critical infrastructure and ordinary internet users to maximize their bounty, whether that is influence, espionage or purely monetary gain. Ahead of these attacks, I recommend bolstering your organization's defenses by considering the following:
Encrypt your email. Email accounts are the lowest-hanging fruit that bad actors target regularly and incessantly. Today, a compromised mailbox is a gateway not just to financial gain but to espionage for nation-state actors. Implement end-to-end email encryption (including attachments) to protect your organization's data and, in turn, your customers. One caveat: encryption protects mail in transit and at rest at the provider; it does not protect a mailbox whose account or endpoint has already been taken over, so pair it with strong identity controls such as phishing-resistant MFA.
Bring Your Own Key (BYOK). Your encrypted data is only as secure as the keys that encrypt it. BYOK lets you control the encryption key used to encrypt your data: because you host the key, manage access to it, rotate it and revoke it, you retain control over your data even in complex multi-cloud environments, and revoking the key gives you a clean way to render data held by a provider unreadable. Confirm with each provider whether "BYOK" means the key is imported into the provider's key store or stays in a key management system you operate; the two give very different guarantees.
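The following Go program is an added example, not code from the original post or from CyberArk, of the envelope-encryption pattern that BYOK email and document encryption rests on, covering both the email and the BYOK items above: each message is encrypted under its own data-encryption key (DEK) with AES-256-GCM, and the DEK is wrapped with RSA-OAEP under a key-encryption key (KEK) that only the tenant holds. TenantKEKs, Rotate, Revoke, Seal, Open and Envelope are names chosen for this example; the in-memory map of KEKs is an assumption standing in for the tenant's HSM or KMS, and the message and mailbox label are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var ErrKEKRevoked = fmt.Errorf("kek revoked or unknown: data unrecoverable")

// TenantKEKs: customer-held KEKs of a BYOK design; the in-memory map is an example assumption.
type TenantKEKs struct {
	keys   map[string]*rsa.PrivateKey
	active string // ID of the KEK used for newly sealed data
}

// Rotate creates a fresh KEK and makes it active; older KEKs still decrypt.
func (t *TenantKEKs) Rotate() (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	if t.keys == nil {
		t.keys = map[string]*rsa.PrivateKey{}
	}
	id := fmt.Sprintf("kek-%d", len(t.keys)+1)
	t.keys[id], t.active = priv, id
	return id, nil
}

// Revoke destroys a KEK; every DEK wrapped under it becomes unrecoverable.
func (t *TenantKEKs) Revoke(id string) { delete(t.keys, id) }

// unwrap recovers a DEK; the KEK ID is the OAEP label, so a DEK cannot be re-attributed.
func (t *TenantKEKs) unwrap(id string, wrapped []byte) ([]byte, error) {
	kek, ok := t.keys[id]
	if !ok {
		return nil, ErrKEKRevoked
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, wrapped, []byte(id))
}

// Envelope is what the provider stores: the wrapped DEK plus nonce||AES-256-GCM ciphertext.
type Envelope struct {
	KEKID                  string
	WrappedDEK, Ciphertext []byte
}

func newGCM(dek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(dek) // cannot fail: dek is always 32 bytes here
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// Seal encrypts e.g. a mail body plus attachments under a fresh DEK; aad binds the context.
func Seal(t *TenantKEKs, plaintext, aad []byte) (*Envelope, error) {
	kek, ok := t.keys[t.active]
	if !ok {
		return nil, ErrKEKRevoked
	}
	buf := make([]byte, 32+12) // AES-256 DEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &kek.PublicKey, dek, []byte(t.active))
	if err != nil {
		return nil, err
	}
	ct := newGCM(dek).Seal(nonce, nonce, plaintext, aad)
	return &Envelope{KEKID: t.active, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open fails if the KEK is gone or if the ciphertext or aad were tampered with.
func Open(t *TenantKEKs, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := t.unwrap(env.KEKID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	gcm := newGCM(dek)
	if n := gcm.NonceSize(); len(env.Ciphertext) >= n {
		return gcm.Open(nil, env.Ciphertext[:n], env.Ciphertext[n:], aad)
	}
	return nil, fmt.Errorf("envelope too short")
}

func main() {
	var tenant TenantKEKs // zero value is usable; Rotate creates the first KEK
	tenant.Rotate()
	aad := []byte("mailbox=ceo@example.com") // constructed context, not secret
	env, _ := Seal(&tenant, []byte("board deck (constructed sample)"), aad)
	pt, err := Open(&tenant, env, aad)
	tenant.Revoke(env.KEKID) // crypto-shred: the provider's copy is now unreadable
	_, gone := Open(&tenant, env, aad)
	fmt.Printf("before revoke: %q %v; after revoke: %v\n", pt, err, gone)
}
```

Run it with go run. The second Open fails with ErrKEKRevoked because revoking the KEK leaves the provider holding ciphertext it can never unwrap, which is the crypto-shredding guarantee BYOK buys you. Rotation only affects newly sealed data; to move existing envelopes onto the new KEK you unwrap and re-wrap the 32-byte DEK, which is cheap, instead of re-encrypting the bulk ciphertext.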
Review and iterate your change and risk management processes. Risk-based change management offers a systematic method for modifying security procedures, technologies and operations: every change is assessed, planned, communicated and monitored, which, most importantly, reduces the risk of disruption and of new vulnerabilities. Ensure emergency cyber response (ECR) processes are in place to execute a patch cycle within 24 hours of a critical-severity CVE advisory. That lets you contain the vulnerability swiftly and keep the genie in the bottle.
In this changing technological landscape, I recommend assessing the residual risk left after each change in order to protect your organization's sensitive assets. Sometimes the risk assessment will show that an upgrade or patch offers less than a 50% chance of improved protection, in which case you may choose to accept the risk and stay on the existing software version. Then robust compensating controls are your best savior, and the acceptance should be recorded together with the controls that back it, so that a later review can tell a deliberate decision from a missed patch.
Ensure compensating controls. These address weaknesses in existing controls or make up for the inability to meet specific security requirements due to various constraints. A Virtual Private Network (VPN) that limits who can reach a vulnerable system and phishing-resistant multi-factor authentication (MFA) are examples that bolster your defense in depth. Bear in mind that a VPN appliance is itself software with its own CVEs and belongs in the same patch cycle as everything else.
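As an added example that is not part of the original post, the following Go program encodes the triage rules set out in the last three items: qualitative severity from the CVSS score, a 24-hour remediation window for critical findings (the other windows are assumptions of this example), and a check that any risk acceptance is backed by recorded compensating controls. The Advisory, Triage and NeedsEscalation names and the sample advisories are constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Advisory is one CVE record as the emergency cyber response (ECR) process
// tracks it. The values used in main() are constructed for this example.
type Advisory struct {
	ID           string
	CVSS         float64
	Published    time.Time
	Patched      *time.Time // nil while the fix is not yet deployed
	RiskAccepted bool       // decision to stay on the current version
	Controls     []string   // compensating controls backing that decision
}

// Severity maps a CVSS v3.x base score to its qualitative rating.
func Severity(score float64) string {
	switch {
	case score >= 9.0:
		return "critical"
	case score >= 7.0:
		return "high"
	case score >= 4.0:
		return "medium"
	case score > 0:
		return "low"
	}
	return "none"
}

// SLA is the remediation window per severity. The 24-hour critical window is
// the post's recommendation; the other windows are assumptions of this example.
var SLA = map[string]time.Duration{
	"critical": 24 * time.Hour,
	"high":     7 * 24 * time.Hour,
	"medium":   30 * 24 * time.Hour,
	"low":      90 * 24 * time.Hour,
}

// Deadline is the latest acceptable time for the fix to be deployed.
func Deadline(a Advisory) time.Time {
	return a.Published.Add(SLA[Severity(a.CVSS)])
}

type Status string

const (
	PatchedInSLA         Status = "patched-in-sla"
	PatchedLate          Status = "patched-late"
	OpenWithinSLA        Status = "open-within-sla"
	Overdue              Status = "OVERDUE"
	AcceptedWithControls Status = "risk-accepted-with-controls"
	AcceptedNoControls   Status = "RISK-ACCEPTED-WITHOUT-CONTROLS"
)

// Triage classifies one advisory as of time now. A risk acceptance only counts
// when at least one compensating control is recorded against it.
func Triage(a Advisory, now time.Time) Status {
	deadline := Deadline(a)
	switch {
	case a.Patched != nil && !a.Patched.After(deadline):
		return PatchedInSLA
	case a.Patched != nil:
		return PatchedLate
	case a.RiskAccepted && len(a.Controls) > 0:
		return AcceptedWithControls
	case a.RiskAccepted:
		return AcceptedNoControls
	case now.After(deadline):
		return Overdue
	}
	return OpenWithinSLA
}

// NeedsEscalation lists the advisories that break the process: fixes past
// their deadline and risk acceptances with nothing compensating for them.
func NeedsEscalation(advs []Advisory, now time.Time) []string {
	var ids []string
	for _, a := range advs {
		if s := Triage(a, now); s == Overdue || s == AcceptedNoControls {
			ids = append(ids, a.ID)
		}
	}
	return ids
}

func main() {
	// Constructed sample: six advisories published the same morning, reviewed four days later.
	pub := time.Date(2024, 1, 16, 9, 0, 0, 0, time.UTC)
	fast, slow := pub.Add(6*time.Hour), pub.Add(72*time.Hour)
	advs := []Advisory{
		{ID: "ADV-1", CVSS: 10.0, Published: pub, Patched: &fast},
		{ID: "ADV-2", CVSS: 10.0, Published: pub, Patched: &slow},
		{ID: "ADV-3", CVSS: 9.8, Published: pub, RiskAccepted: true,
			Controls: []string{"phishing-resistant MFA", "VPN-only access"}},
		{ID: "ADV-4", CVSS: 9.8, Published: pub, RiskAccepted: true}, // nothing recorded
		{ID: "ADV-5", CVSS: 9.8, Published: pub},                    // still open: overdue
		{ID: "ADV-6", CVSS: 7.5, Published: pub},                    // high: 7-day window
	}
	now := pub.Add(4 * 24 * time.Hour)
	for _, a := range advs {
		fmt.Printf("%s cvss=%.1f %-8s due %s -> %s\n", a.ID, a.CVSS, Severity(a.CVSS),
			Deadline(a).Format(time.RFC3339), Triage(a, now))
	}
	fmt.Println("escalate:", NeedsEscalation(advs, now))
}
```

The escalation list is the output worth wiring into a ticketing system: an overdue critical and a risk acceptance with no controls behind it are the two ways the "genie" gets out, and both are invisible if you only count patched versus unpatched.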
Consider the value of SaaS. Your AppSec teams might benefit from SaaS offerings, given that patching and preventing vulnerabilities are daily tasks that consume considerable time. Evaluate not just how the SaaS vendor secures its own environment but the focus and rigor it applies to patching cadence based on vulnerability severity. SaaS offerings provide proactive application and infrastructure support, including weekly or monthly patch cycles, and can apply patches or upgrades quickly for CVEs with CVSS scores of 9.0 or higher that require immediate attention. You may also improve service availability by moving to SaaS. Ask for the vendor's remediation SLA per severity in writing and check it against the 24-hour expectation you set for your own ECR process; a vendor that cannot state one is a risk you are accepting, not one you are transferring.
Bad Planning is Worse for Security Than Complexity
The first month of this year reminded us of the challenges we face in the digital age and of our capacity to rise to them. I encourage you to review your change management process and risk assessment cadence. Ensure you have the right compensating controls and consider whether it is time to adopt SaaS. As you weigh these recommendations, the complexity of your environment or processes may look like a roadblock to better security. In my experience, an ill-defined plan is more often the roadblock than the complexity itself. So start with your risk assessment plans, make them robust and agile enough to serve your business goals, and work backward from there to implement the suggestions above.
See you next month.
Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.