Threats Are Increasingly Sophisticated
When news first emerged detailing the scale and sophistication of the SUNBURST attacks, many global security teams faced an uncomfortable reality. How could a threat, albeit a state-sponsored one, fly under the radar of so many organizations, and linger for so long without detection?
Here was an attack that circumvented most of the tools that security leaders rely on: perimeter defenses, endpoint detection, and antivirus. The SUNBURST attacks highlighted the deficiencies of rules- and signature-based detection methods, and exposed the security blind spots left by logging and agent-based approaches.
But even supply chain attacks as sophisticated as SUNBURST cannot hide from the kind of network-based spotlight NDR shines on malicious activity.
Cybercrime Is on the Rise
In the wake of the SolarWinds campaign, enterprise IT security leaders are increasingly concerned about the threat from nation states. But financially motivated cybercrime is still the more fearsome threat. Backed by an underground economy said to be worth over $1.5 trillion annually, cybercriminals have the tools and the know-how to get what they want, and the line between their activity and that of state-backed operatives is increasingly blurred.
Recent ransomware campaigns increasingly borrow APT-style tools and tactics: compromising exposed Remote Desktop Protocol (RDP) endpoints, stealing credentials, moving laterally, and abusing legitimate Windows administration tools so that their activity blends in with routine operations. Attackers use these techniques both to deploy ransomware and to steal data beforehand, so that the threat of leaking it guarantees extortion payments are made.
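None of the steps in that chain needs a signature to be visible on the wire: a burst of failed RDP authentications followed by a success, and then the same host opening admin-port connections to many peers, are behaviours rather than indicators. The following is an added example (not code from the page or from any vendor) showing how such a chain can be detected from connection metadata alone. The flow records, the internal address ranges and the thresholds are constructed assumptions for illustration.

```python
"""Behavioural detection of an RDP intrusion chain over constructed flow records.

Added example. The records, the internal networks and every threshold below are
assumptions chosen for illustration, not data or logic from the page.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    outcome: str  # 'fail' / 'ok' for RDP authentication results, 'conn' otherwise


# Assumed local address space; an NDR sensor would be configured with the real ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}  # RPC, SMB, RDP, WinRM


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample traffic: external password guessing against an RDP host, a
# successful logon, then that host fanning out to admin ports on internal peers.
SAMPLE_FLOWS = [
    *[Flow(T(f"2021-03-01T09:0{i}:00"), "203.0.113.10", "10.0.0.5", 3389, "fail") for i in range(6)],
    Flow(T("2021-03-01T09:06:30"), "203.0.113.10", "10.0.0.5", 3389, "ok"),
    # Two failures from another source and no success: noise, should not alert.
    Flow(T("2021-03-01T08:30:00"), "198.51.100.7", "10.0.0.5", 3389, "fail"),
    Flow(T("2021-03-01T08:31:00"), "198.51.100.7", "10.0.0.5", 3389, "fail"),
    # Benign single SMB connection between two internal hosts.
    Flow(T("2021-03-01T09:00:00"), "10.0.0.20", "10.0.0.5", 445, "conn"),
    # Lateral movement from the compromised host.
    Flow(T("2021-03-01T09:10:00"), "10.0.0.5", "10.0.0.11", 445, "conn"),
    Flow(T("2021-03-01T09:12:00"), "10.0.0.5", "10.0.0.12", 445, "conn"),
    Flow(T("2021-03-01T09:15:00"), "10.0.0.5", "10.0.0.13", 3389, "conn"),
    Flow(T("2021-03-01T09:18:00"), "10.0.0.5", "10.0.0.14", 5985, "conn"),
    Flow(T("2021-03-01T09:19:00"), "10.0.0.5", "10.0.0.11", 445, "conn"),  # repeat target, counted once
]


def find_rdp_brute_force(flows, min_failures=5, window=timedelta(minutes=10)):
    """Return (src, dst, failures, success_ts) for external sources that failed RDP
    authentication at least min_failures times within `window` before succeeding."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.dport == 3389 and f.outcome in ("fail", "ok") and not is_internal(f.src):
            by_pair[(f.src, f.dst)].append(f)
    hits = []
    for (src, dst), evts in by_pair.items():
        evts.sort(key=lambda f: f.ts)
        for i, e in enumerate(evts):
            if e.outcome != "ok":
                continue
            fails = sum(1 for p in evts[:i] if p.outcome == "fail" and e.ts - p.ts <= window)
            if fails >= min_failures:
                hits.append((src, dst, fails, e.ts))
    return hits


def find_lateral_fanout(flows, min_hosts=3, window=timedelta(minutes=30)):
    """Return {src: (first_ts, sorted targets)} for internal hosts that open admin-port
    connections to at least min_hosts distinct internal hosts within `window`."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in ADMIN_PORTS and is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append(f)
    hits = {}
    for src, evts in by_src.items():
        evts.sort(key=lambda f: f.ts)
        for i, start in enumerate(evts):
            targets = {e.dst for e in evts[i:] if e.ts - start.ts <= window}
            if len(targets) >= min_hosts:
                hits[src] = (start.ts, sorted(targets))
                break
    return hits


def correlate(flows, max_gap=timedelta(hours=2)):
    """Chain the two behaviours: a host whose RDP service was brute-forced and that
    then fans out internally within max_gap is reported as a likely intrusion."""
    fanout = find_lateral_fanout(flows)
    alerts = []
    for src, dst, fails, ok_ts in find_rdp_brute_force(flows):
        if dst in fanout:
            start, targets = fanout[dst]
            if timedelta(0) <= start - ok_ts <= max_gap:
                alerts.append({"entry_point": src, "victim": dst,
                               "failures": fails, "lateral_targets": targets})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_FLOWS):
        print(a)
```

Each stage alone is noisy (helpdesk staff fan out to many hosts, users mistype passwords); the value comes from correlating the sequence, and the thresholds are assumptions that would be tuned to the environment rather than fixed.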
The Attack Surface Is Expanding
The job of cyber defense is made that much harder by the nature of modern IT environments. The traditional notion of a network perimeter perished with the advent of cloud applications, bring your own device (BYOD) policies that opened the door to ubiquitous mobile devices, third-party services, and IoT devices. IoT devices are particularly problematic because manufacturer updates are often slow and endpoint security agents usually cannot be installed on them at all.
A 2019 study claimed that 84% of risk professionals believe their organization will suffer an IoT breach in the following two years. The IoT security challenge is set to explode as 5G networks come online, ushering in a new era of enterprise IoT devices with new risks and vulnerabilities, and dramatically increased traffic to monitor and secure.
Digital transformation efforts encompassing cloud, mobile, and IoT are both expanding the corporate attack surface and making it harder for security teams to gain visibility into suspicious traffic. Cloud is an area of particular opacity—from unnoticed misconfigurations to the unique challenges of cloud forensics. In discussing shared responsibility between cloud providers and cloud customers, Gartner claims that, through 2025, 99% of cloud security failures will be the customer's fault.
The challenge is compounded by the push for "encryption everywhere". Various sources estimate that the vast majority of traffic today is encrypted, which removes payload inspection as a detection method. Adversaries can disguise their own malicious activity within the encrypted traffic (as in the Chinese hacking of the US Office of Personnel Management) to cross the perimeter or move laterally inside networks. Some 91% of organizations are concerned about losing security visibility due to encryption and cloud adoption. Encryption hides content, however, not behaviour: connection timing, volumes, endpoints and TLS handshake metadata remain observable on the wire.
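The following added example (not code from the page or from any product) shows one way that behaviour stays visible without decryption: a command-and-control implant that checks in on a timer produces connections with unusually regular intervals and sizes, and that regularity can be measured from flow metadata alone. The flow records, the addresses and the thresholds are constructed assumptions.

```python
"""Beacon detection over encrypted-flow metadata (timing and size only, no payload).

Added example. The sample flows, addresses and thresholds are constructed for
illustration; real sensors would read flow records from the network.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int  # client-to-server bytes; readable even when the payload is TLS


BASE = datetime(2021, 3, 1, 9, 0, 0)


def _flows(src, dst, offsets_s, sizes):
    return [Flow(BASE + timedelta(seconds=o), src, dst, 443, b) for o, b in zip(offsets_s, sizes)]


# Constructed sample: an implant checking in roughly every 60 s with a few seconds of
# jitter and near-constant request size, beside a user's irregular browsing session.
BEACON_OFFSETS = [60 * i + j for i, j in enumerate([0, 2, -1, 3, 1, -2, 0, 2, -3, 1, 0, 2])]
BEACON_SIZES = [612, 598, 605, 620, 601, 599, 610, 603, 597, 615, 608, 600]
BROWSE_OFFSETS = [0, 3, 4, 40, 41, 180, 181, 700, 705, 1300, 1302, 2000]
BROWSE_SIZES = [1200, 50, 8000, 300, 15000, 40, 2200, 900, 100, 5000, 60, 700]

SAMPLE_FLOWS = (
    _flows("10.0.0.42", "203.0.113.50", BEACON_OFFSETS, BEACON_SIZES)
    + _flows("10.0.0.42", "198.51.100.20", BROWSE_OFFSETS, BROWSE_SIZES)
)


def beacon_scores(flows, min_conns=8):
    """Per (src, dst, port) with at least min_conns connections: mean inter-arrival
    gap and the coefficient of variation (stdev / mean) of gaps and of request sizes.
    A CV near zero means the timing or size is almost constant, which is how a
    timer-driven implant differs from a human."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f)
    scores = {}
    for key, evts in by_pair.items():
        if len(evts) < min_conns:
            continue  # too few samples for the statistics to mean anything
        evts.sort(key=lambda f: f.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(evts, evts[1:])]
        sizes = [f.bytes_out for f in evts]
        scores[key] = {
            "count": len(evts),
            "mean_gap": mean(gaps),
            "gap_cv": pstdev(gaps) / mean(gaps),
            "size_cv": pstdev(sizes) / mean(sizes),
        }
    return scores


def find_beacons(flows, min_conns=8, max_gap_cv=0.2, max_size_cv=0.2):
    """Flag pairs whose timing and size regularity both fall under the assumed thresholds."""
    return {k: v for k, v in beacon_scores(flows, min_conns).items()
            if v["gap_cv"] <= max_gap_cv and v["size_cv"] <= max_size_cv}


if __name__ == "__main__":
    for key, s in find_beacons(SAMPLE_FLOWS).items():
        print(key, f"{s['count']} connections, ~{s['mean_gap']:.0f}s apart, gap_cv={s['gap_cv']:.3f}")
```

Legitimate software also polls on timers (update checks, monitoring agents, NTP), so in practice this score is combined with destination reputation, certificate details and JA3-style handshake fingerprints, and known pollers are allow-listed, rather than alerting on regularity alone.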
All of this comes amid a massive and potentially permanent shift to remote work, which has driven a proliferation of new remote endpoints to protect. Organizations are understandably concerned about home workers taking risks online that they would not take in the office, sharing devices and networks with others, and exposing themselves to phishing attempts. Threat actors also stepped up attacks on RDP servers and VPN infrastructure, while many IT teams struggled to prioritize a response at the height of the pandemic.