What to Know, How to Prepare, and How We Got Here
When 2021 began, everything from the pandemic to the economy felt uncertain. Security threats increased both as a result of those uncertainties and the ever-growing sophistication of the threat landscape.
In this post, we’ll review the events that created security threats in 2021 and continue to pose risks to businesses into 2022. The goal is to help you prepare and better understand the threat landscape surrounding your industry.
SolarWinds and the Expansion of Security Threats Within the Supply Chain
At the tail end of 2020, attackers carried out the biggest cybersecurity breach of the 21st century – not because of the attack itself, but because of the massive global supply chain incident that it triggered, ultimately impacting thousands of organizations, including the U.S. government.
SolarWinds is a software company that provides network and infrastructure monitoring tools to businesses across the world. Attackers compromised its performance monitoring system called Orion and were successful in getting more than 18,000 SolarWinds customers to install malicious updates, setting off a multinational supply chain crisis.
This type of threat has actually been around for decades in the hardware world with counterfeit gear concerns, but the SolarWinds incident came as a big wake-up call for CISOs and organizations.
The 2022 Outlook:
The SolarWinds breach shone a bright spotlight on the question, “How can you trust the solutions you use?”
The answer is that trust needs to be earned. Every solution and partner your company uses should be able to show proof of its security testing and program efforts, and your contracts should make that proof a condition of doing business with your company. The Department of Defense is already taking this approach with government contractors to ensure they have security controls in place to protect sensitive data.
No vendor should be asking for an exception to your existing security solutions and controls in order for their product to work. These old requirements are no longer acceptable, and vendors have to account for that. And any vendor that needs direct access to your ecosystem should be subject to your scrutiny and controls.
The Expansion of the Threat Landscape
In 2021, the threat landscape widened with many significant security events. There was an increase in zero-day vulnerabilities surfacing in key solutions like Exchange, and in security solutions like VPNs and firewall appliances. Additionally, older attack mechanisms like drive-by attacks began to increase again due to the onslaught of new vulnerabilities found in desktop applications like web browsers (Chrome, Edge, Firefox), the Microsoft Office suite, and Adobe Acrobat.
The 2022 Outlook:
To tackle this onslaught, we recommend that you take a two-pronged approach:
- Be aware of your assets and exposure. An ongoing vulnerability management or penetration testing program gives you continued visibility into the assets and vulnerabilities your organization faces while your team patches these issues.
- Acquire proper security visibility that is monitored 24/7 to ensure you can identify attacks against your solutions and execute a timely response before the threat gets out of hand for your organization.
Ransomware – Hitting Businesses and Headlines Everywhere
Ransomware continues to make big news. 2021 did show positive signs that organizations are finally evaluating newer anti-malware solutions and migrating to Endpoint Detection and Response (EDR) solutions, which we’ve been advocating for years. However, even with these newer solutions, gaps still exist in many enterprises that allow ransomware attacks to occur.
The 2022 Outlook:
Based on the numerous Incident Response services we performed this year, most companies that have implemented an EDR solution are still failing to enable a key protection mechanism – “script control”. After breaking in, most threat actors leverage scripting (PowerShell, wscript, Python, batch files, and JavaScript, to name a few) to gain persistence, move laterally, exfiltrate data, and grab and detonate payloads and ransomware.
This scenario is well known, yet time and time again companies have not enabled these features in their protection suites. This lack of response needs to change, if for no other reason than the simple fact that 85% of your employees do not need these solutions, nor do they know how to use them. So why leave them enabled or unmonitored?
Additionally, every Incident Response we performed found signs of compromise that could have or should have been detected days if not weeks in advance of the ransomware event occurring.
Why did these compromises go unnoticed? In most cases, the continued use of legacy SIEM solutions that do not support EDR or process tracking data for their correlations/detections is leaving a significant blind spot for most SOCs. And most importantly, a lot of SOCs are understaffed or incapable of providing 24/7 monitoring of the enterprise. Having a continual penetration testing program in place can help illustrate these blind spots and assist in finding ways to gain visibility into some of your legacy security investments.
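The blind spot described above can be illustrated with the process-tracking data itself. The following is an added example, not code from the original post or a DirectDefense product: a minimal correlation over EDR-style process-creation events that flags script engines spawned by document or browser applications, run by accounts outside a (constructed) scripting allow-list, or started with an encoded PowerShell command line. The event field names and all sample values are assumptions made for this illustration, not a vendor schema.

```python
import re

# Script engines that threat actors commonly leverage after initial access.
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "cmd.exe", "python.exe", "mshta.exe"}
# Desktop applications that should almost never spawn a script engine.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe",
                 "chrome.exe", "msedge.exe", "firefox.exe"}
# Constructed allow-list: the minority of accounts with a real need for scripting.
SCRIPTING_ALLOWED = {"corp\\it-admin", "corp\\devops"}
# Common abbreviations of PowerShell's -EncodedCommand switch.
ENCODED_PS = re.compile(r"\s-(ec|enc|encodedcommand)\b", re.IGNORECASE)

def inspect_event(ev):
    """Return the list of findings for one process-creation event."""
    child = ev["image"].lower()
    if child not in SCRIPT_ENGINES:
        return []
    findings = []
    parent = ev["parent_image"].lower()
    if parent in DOCUMENT_APPS:
        findings.append(f"{child} spawned by document/browser app {parent}")
    if ev["user"].lower() not in SCRIPTING_ALLOWED:
        findings.append(f"{child} run by non-scripting account {ev['user']}")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(ev["cmdline"]):
        findings.append("encoded PowerShell command line")
    return findings

def triage(events):
    """Group findings by host; hosts with nothing suspicious are omitted."""
    report = {}
    for ev in events:
        for finding in inspect_event(ev):
            report.setdefault(ev["host"], []).append(finding)
    return report

# Constructed sample telemetry (field names are an assumption, not a vendor schema).
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "corp\\jdoe", "parent_image": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc CONSTRUCTED_BASE64_PLACEHOLDER"},
    {"host": "ws-007", "user": "corp\\it-admin", "parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\deploy.ps1"},
    {"host": "ws-117", "user": "corp\\asmith", "parent_image": "chrome.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\asmith\\Downloads\\invoice.js"},
    {"host": "ws-007", "user": "corp\\it-admin", "parent_image": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]
```

Calling `triage(SAMPLE_EVENTS)` reports only ws-042 and ws-117; the administrator's deployment script on ws-007 produces no finding, which is the point of pairing script control with an allow-list rather than blocking scripting outright.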
An MSSP can also help you replace your legacy SIEM solution with newer technology while also addressing key staffing issues.
Security Threats in Manufacturing and Critical Infrastructure
2021 renewed the focus on critical infrastructure security. The Colonial Pipeline attack was the first time a cyber attack on critical infrastructure impacted a large subset of the public in the United States. This attack caused gasoline shortages at the pump across a dozen states and a panic among residents who found gas pumps dry.
For years, only the energy sector, and specifically the bulk power grid, has made significant attempts to secure its infrastructure. Of course, these actions were forced on it by the implementation of the NERC CIP regulations in 2006. When former President Donald Trump signed America’s Water Infrastructure Act (AWIA) in 2018, hope was renewed that the drinking water utility sector could finally be nudged towards a more secure infrastructure. At the end of the day, AWIA is all talk and no teeth, and most water utilities are barely scratching the surface with their assessments and self-certifications.
The manufacturing segment has become a prime target for attacks against Operational Technology (OT) and Internet of Things (IoT) devices as they move to automate factories and update SCADA control systems. Again, many of them have been forced into action by ransomware and other attacks against their corporate environments.
Several of our IR engagements this year have showcased organizations that kept their plants operational through luck as their corporate IT environments went dark under the specter of ransomware.
The 2022 Outlook:
Without a doubt, the best option going forward is to implement a monitoring solution with some sort of preventive capability specifically intended for industrial controls environments. These solutions augment traditional SIEM platforms and provide enhanced IDR capability with an understanding of the specialized protocols utilized in critical infrastructure and manufacturing automation environments. These environments are typically highly sensitive to disruption and don’t lend themselves to automation of backups.
Do yourselves a favor and execute these steps for better security in 2022:
- Establish a configuration management program with baselining and backups.
- Integrate an industrial controls vulnerability management program alongside your corporate one.
- Find a trusted partner who thoroughly understands these types of ecosystems and will take the time to assess the environments and plan for a more secure future.
Currently, the vast majority of network environments are ripe for a compromise that can crush a business, no matter how large. The DirectDefense Connected Systems and Managed Services practices stand ready to help you face down these challenges, no matter how large your OT footprint.
2022 will bring some new security threats, but a lot of the issues we faced in 2021 will continue to harass organizations as well. The team at DirectDefense is here to assist you in testing, measuring, and managing your security efforts and aiding in developing your organization’s security strategies. Contact us today to discuss how we can help strengthen your security footprint.