Cybersecurity – Attack and Defense Strategies, 3rd edition E-Book

Cybersecurity – Attack and Defense Strategies

Third Edition

Improve your security posture to mitigate risks and prevent attackers from infiltrating your system

Yuri Diogenes

Dr. Erdal Ozkaya

BIRMINGHAM—MUMBAI

Cybersecurity – Attack and Defense Strategies

Third Edition

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Senior Publishing Product Manager: Dr. Shailesh Jain

Acquisition Editor – Peer Reviews: Gaurav Gavas

Project Editor: Janice Gonsalves

Content Development Editor: Georgia Daisy van der Post

Copy Editor: Safis Editing

Technical Editor: Srishty Bhardwaj

Proofreader: Safis Editing

Indexer: Hemangini Bari

Presentation Designer: Rajesh Shirsath

First published: January 2018

Second edition: December 2019

Third edition: September 2022

Production reference: 1220922

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-877-6

www.packt.com

Contributors

About the authors

Yuri Diogenes has a Master of Science in Cybersecurity Intelligence and Forensics Investigation from UTICA College and is currently working on his PhD in Cybersecurity Leadership from Capitol Technology University. Yuri has been working at Microsoft since 2006 and, currently, he is a Principal PM Manager for the CxE Microsoft Defender for Cloud team. Yuri has published a total of 26 books, mostly around information security and Microsoft technologies. Yuri is also a Professor at EC-Council University where he teaches on the Bachelor in Cybersecurity program. Yuri has an MBA and many IT/security industry certifications, including CISSP, MITRE ATT&CK® Cyber Threat Intelligence Certified, E|CND, E|CEH, E|CSA, E|CHFI, CompTIA Security+, CySA+, Network+, CASP, and CyberSec First Responder. You can follow Yuri on Twitter at @yuridiogenes.

Thank you to my wife and daughters for their endless support; my great God for giving me strength and guiding my path each step of the way; to my co-author Erdal for another great partnership; and to the entire Packt Publishing team for another amazing release.

Dr. Erdal Ozkaya is known as a passionate, solutions-focused professional with a comprehensive, global background within the information technology, information security, and cybersecurity fields. He is committed to the delivery of accurate, accessible resources to inform individuals and organizations of cybersecurity and privacy matters in the internet age. Erdal is a well-known public speaker, an award-winning technical expert, the author of more than 20 books, and a writer of certifications. Some of his recent awards are: Global Cybersecurity Leader of the year (InfoSec Awards), Best IT Blogs by Cisco (Top 5), Best CISO for Banking and Financial Sector, Top 50 Technology Leaders by IDC, CIO Online, and Microsoft Most Valuable Professional. You can follow Erdal on Twitter @Erdal_Ozkaya.

Thank you to my family for their endless support, to my co-author Yuri for good friendship and partnership, to all our readers who made this book multi-award winning, and to the entire Packt Publishing team for another amazing release.

About the reviewer

Thomas Marr is an experienced information security professional with a lengthy history of supporting organizations ranging from technology start-ups to Fortune 500 companies to the United States Department of Defense. Thomas is also a proud veteran of the United States Army where he served on active duty as a military intelligence analyst, specializing in signals intelligence and open source intelligence. In addition to his work with Packt Publishing as a technical reviewer, Thomas actively provides technical expertise to information security community projects as an SME on CompTIA’s Certification Advisory Committee for Cybersecurity. He continuously evaluates industry-respected certifications including Security+, PenTest+, CySA+, and CASP+.

Thank you to my supportive family and the dream team at Packt Publishing for their teamwork in producing this book.

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet

Preface

COVID-19 pushed organizations to accelerate their digital transformations, and with that they had to rapidly adopt a more flexible policy to enable remote work. This new environment created a series of cybersecurity challenges for organizations, and new opportunities for threat actors to perform their malicious operations. Throughout this book, you will learn about the importance of security posture management to improve your defense. You will also learn about attack methods, and patterns to recognize abnormal behavior within your organization with Blue Team tactics. In addition, this book will teach you techniques to gather exploitation intelligence and identify risks, and will demonstrate the impact of Red and Blue Team activity.

Who this book is for

This book is for the IT professional venturing into the IT security domain, pen testers, security consultants, or those looking to perform ethical hacking. Prior knowledge of computer networks, cloud computing, and operating systems is beneficial.

What this book covers

Chapter 1, Security Posture, defines what constitutes a good security posture and explores the importance of having a good defense and attack strategy.

Chapter 2, Incident Response Process, introduces the incident response process and the importance of establishing a consistent plan. It covers different industry standards and best practices for handling incident response.

Chapter 3, What is a Cyber Strategy?, explains what a cyber strategy is, why it’s needed, and how an effective enterprise cyber strategy can be built.

Chapter 4, Understanding the Cybersecurity Kill Chain, prepares the reader to understand the mindset of an attacker, the different stages of an attack, and what usually takes place in each one of these stages.

Chapter 5, Reconnaissance, covers the different strategies to perform reconnaissance, showing how data is gathered to obtain information about the target and how this information is taken into consideration to plan an attack.

Chapter 6, Compromising the System, shows current trends in strategies to compromise a system, and explains some techniques to exploit vulnerabilities in a system.

Chapter 7, Chasing a User’s Identity, explains the importance of protecting the user’s identity to avoid credential theft, and covers the main strategies used to compromise a user’s identity, all with the intent to improve your identity protection.

Chapter 8, Lateral Movement, describes how attackers perform lateral movement operations once they gain access to the system.

Chapter 9, Privilege Escalation, shows how attackers can escalate privileges in order to gain administrative access to a system.

Chapter 10, Security Policy, focuses on the different aspects of the initial defense strategy, which starts with the importance of establishing guardrails in the beginning of the deployment pipeline and goes over best practices, security awareness training, and key security controls.

Chapter 11, Network Segmentation, looks into different aspects of defense in depth, covering physical network segmentation as well as the virtual and hybrid cloud.

Chapter 12, Active Sensors, explains the importance of having network sensors that can alert about threats based on patterns and behavior. It also covers the different types of network sensors and demonstrates some use case scenarios.

Chapter 13, Threat Intelligence, discusses different aspects of threat intelligence, both from the community and from major vendors.

Chapter 14, Investigating an Incident, goes over the steps to investigate an incident, explores the differences of investigating an on-premises incident versus a cloud-based incident, and finishes with a couple of case studies.

Chapter 15, Recovery Process, focuses on the recovery steps and procedures for a compromised system, and explains the criticality of the options available and how to evaluate the best recovery option.

Chapter 16, Vulnerability Management, describes the importance of vulnerability management to mitigate attempts to exploit known vulnerabilities.

Chapter 17, Log Analysis, goes over the different techniques for manual log analysis, since it is critical for the reader to gain knowledge of how to deeply analyze different types of logs to hunt suspicious security activities.

To get the most out of this book

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803248776_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. For example: “Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system.”

Any command-line input or output is written as follows:

Bold: Indicates a new term, an important word, or words that you see on the screen. For instance, words in menus or dialog boxes appear in the text like this. For example: “Select System info from the Administration panel.”

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book’s title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you reported this to us. Please visit http://www.packtpub.com/submit-errata, click Submit Errata, and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit http://authors.packtpub.com.

Share your thoughts

Once you’ve read Cybersecurity - Attack and Defense Strategies, Third Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

1

Security Posture

Over the years, investments in security have moved from nice to have to must have, and now organizations around the globe are realizing how important it is to continually invest in security. This investment will ensure that a company remains competitive in the market. Failure to properly secure their assets could lead to irreparable damage, and in some circumstances could lead to bankruptcy. Due to the current threat landscape, investing in protection alone isn’t enough. Organizations must enhance their overall security posture. This means that the investments in protection, detection, and response must be aligned. In this chapter, we’ll be covering the following topics:

Let’s start by going into a bit more detail about why security hygiene is so vital in the first place.

Why security hygiene should be your number one priority

On January 23rd, 2020, Wuhan, a city with more than 11 million people, was placed in lockdown due to the novel coronavirus (2019-nCoV). Following this major event, the World Health Organization declared a global health emergency on January 30th. Threat actors actively monitor current world events, and this was an opportunity for them to start crafting their next attack. On January 28th, the threat actors behind Emotet started to exploit the curiosity and lack of information about the novel coronavirus (2019-nCoV) to start a major spam campaign, where emails were sent pretending to be official notifications sent by a disability welfare provider and public health centers. The perceived intent of the email was to warn the recipient about the virus and to entice the user to download a file that contained preventive measures. The success of this campaign led other threat actors to follow in Emotet’s footsteps, and on February 8th, LokiBot also used the novel coronavirus (2019-nCoV) theme as a way to lure users in China and the United States.

On February 11th, the World Health Organization named the new disease COVID-19. Now with an established name, and the mainstream media utilizing this name in its mass coverage, this prompted another wave of malicious activities by the threat actors that were monitoring these events. This time Emotet expanded its campaigns to Italy, Spain, and English-speaking countries. On March 3rd, another group started to use COVID-19 as the main theme for their TrickBot campaign. They were initially targeting Spain, France, and Italy, but rapidly became the most productive malware operation at that point.

What do all these campaigns have in common? They use fear around COVID-19 as a social engineering mechanism to entice the user to do something, and this something is what will start the compromise of the system. Social engineering via phishing emails always has a good return on investment for threat actors, because they know many people will click on the link or download the file, and this is all they need. While security awareness is always a good countermeasure to educate users on these types of attacks and ensure that they are more skeptical before acting upon receiving emails like that, you always need to ensure that you have security controls in place to mitigate the scenarios where even an educated user will fall into this trap and click on the link. These security controls are the proactive measures that you need to have in place to ensure that your security hygiene is flawless and that you’ve done everything you can to elevate the security state of all resources that you are monitoring.

The lack of security hygiene across the industry was highlighted in the Analysis Report (AR21-013A) issued by the Cybersecurity and Infrastructure Security Agency (CISA). The report, called Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, emphasized that most threat actors are able to successfully exploit resources due to poor cyber hygiene practices, which includes the overall maintenance of resources as well as a lack of secure configuration.

Without proper security hygiene, you will always be playing catchup. It doesn’t matter if you have great threat detection, because as the name says, it is for detection and not prevention or response. Security hygiene means you need to do your homework to ensure that you are using the right security best practices for the different workloads that you manage, patching your systems, hardening your resources, and repeating all these processes over and over. The bottom line is that there is no finish line for this, it is a continuous improvement process that doesn’t end. However, if you put in the work to continually update and improve your security hygiene, you will ensure that threat actors will have a much harder time accessing your systems.

The current threat landscape

With the prevalence of always-on connectivity and advancements in technology that are available today, threats are evolving rapidly to exploit different aspects of these technologies. Any device is vulnerable to attack, and with the Internet of Things (IoT) this became a reality. In October 2016, a series of distributed denial-of-service (DDoS) attacks were used against a DNS provider used by GitHub, PayPal, etc., which caused those major web services to stop working. Attacks leveraging IoT devices are growing exponentially.

According to SonicWall, 32.7 million IoT attacks were detected during the year 2018. One of these attacks was the VPNFilter malware.

This malware was leveraged during an IoT-related attack to infect routers and capture and exfiltrate data.

This was possible due to the amount of insecure IoT devices around the world. While the use of IoT to launch a massive cyber-attack is something new, the vulnerabilities in those devices are not. As a matter of fact, they’ve been there for quite a while. In 2014, ESET reported 73,000 unprotected security cameras with default passwords. In April 2017, IOActive found 7,000 vulnerable Linksys routers in use, although they said that it could be up to 100,000 additional routers exposed to this vulnerability.

The Chief Executive Officer (CEO) may even ask: what do the vulnerabilities in a home device have to do with our company? That’s when the Chief Information Security Officer (CISO) should be ready to give an answer because the CISO should have a better understanding of the threat landscape and how home user devices may impact the overall security that this company needs to enforce. The answer comes in two simple scenarios, remote access and bring your own device (BYOD).

While remote access is not something new, the number of remote workers is growing exponentially. 43% of employed Americans report spending at least some time working remotely, according to Gallup, which means they are using their own infrastructure to access a company’s resources. Compounding this issue, we have a growth in the number of companies allowing BYOD in the workplace. Keep in mind that there are ways to implement BYOD securely, but most of the failures in the BYOD scenario usually happen because of poor planning and network architecture, which lead to an insecure implementation.

What is the commonality among all the technologies that were previously mentioned? To operate them you need a user, and the user is still the greatest target for attack. Humans are the weakest link in the security chain. For this reason, old threats such as phishing emails are still on the rise. This is because they deal with the psychological aspects of the user by enticing the user to click on something, such as a file attachment or malicious link. Once the user performs one of these actions, their device usually either becomes compromised by malicious software (malware) or is remotely accessed by a hacker. In April 2019 the IT services company Wipro Ltd was initially compromised by a phishing campaign, which was used as a footprint for a major attack that led to a data breach of many customers. This just shows how effective a phishing campaign can still be, even with security controls in place.

The phishing campaign is usually used as the entry point for the attacker, and from there other threats will be leveraged to exploit vulnerabilities in the system.

One example of a growing threat that uses phishing emails as the entry point for the attack is ransomware. In just the first three months of 2016, the FBI reported that $209 million in ransomware payments were made. Trend Micro predicted that ransomware growth would plateau in 2017, but that the attack methods and targets would diversify. This prediction was actually very accurate as we see can now in the latest study from Sophos that found that ransomware attacks dropped from 51% in 2020 to 37% in 2021.

The following diagram highlights the correlation between these attacks and the end user:

Figure 1.1: Correlation between attacks and the end user

This diagram shows four entry points for the end user. All of these entry points must have their risks identified and treated with proper controls. The scenarios are listed here:

Notice that these are different scenarios, but they are all correlated by one single entity: the end user. This common element in all scenarios is usually the preferred target for cybercriminals, which is shown in the preceding diagram accessing cloud resources.

In all scenarios, there is also another important element that appears constantly, which is cloud computing resources. The reality is that nowadays you can’t ignore the fact that many companies are adopting cloud computing. The vast majority will start in a hybrid scenario, where infrastructure as a service (IaaS) is their main cloud service. Some other companies might opt to use software as a service (SaaS) for some solutions, for example, mobile device management (MDM), as shown in entry point 2. You may argue that highly secure organizations, such as the military, may have zero cloud connectivity. That’s certainly possible but, commercially speaking, cloud adoption is growing and will slowly dominate most deployment scenarios.

On-premises security is also critical, because it is the core of the company, and that’s where the majority of the users will be accessing resources. When an organization decides to extend their on-premises infrastructure with a cloud provider to use IaaS (entry point 1), the company needs to evaluate the threats for this connection and the countermeasure for these threats through a risk assessment.

The last scenario description (entry point 4) might be intriguing for some skeptical analysts, mainly because they might not immediately see how this scenario has any correlation with the company’s resources. Yes, this is a personal device with no direct connectivity with on-premise resources. However, if this device is compromised, the user could potentially compromise the company’s data in the following situations:

Having technical security controls in place could help mitigate some of these threats against the end user. However, the main protection is the continuous use of education via security awareness training.

Two common attacks that are particularly important to bear in mind during awareness training are supply chain attacks and ransomware, which we will discuss in more detail in just a moment.

Supply chain attacks

According to the Threat Landscape for Supply Chain Attacks, issued by the European Union Agency for Cybersecurity (ENISA) in July 2021, around 62% of the attacks on customers were possible because of their level of trust in their supplier. Keep in mind that this data is based on 24 supply chain attacks that were reported from January 2020 to July 2021. It is also important to add that the trust relationship mentioned above is a reference to MITRE ATT&CK technique T1199, documented at https://attack.mitre.org/techniques/T1199. This technique is used by threat actors that target their victims through a third-party relationship. This relationship could be a non-secure connection between the victim and the vendor. Some of the most common attack techniques leveraged in a supply chain attack include the ones shown in the table below:

Attack

Use Case Scenario

Malware

Steal credentials from users.

Social engineering

Entice users to click on a hyperlink or download a compromised file.

Brute force

Commonly used to exploit VMs running Windows (via RDP) or Linux (via SSH).

Software vulnerability

SQL injection and buffer overflow are common examples.

Exploiting configuration vulnerability

Usually happens due to poor security hygiene of workloads. One example would be widely sharing a cloud storage account to the internet without authentication.

Open-source intelligence (OSINT)

Use of online resources to identify relevant information about the target, which includes systems used, usernames, exposed APIs, etc.

Table 1.1: Common supply chain attack techniques

To better understand how a supply chain attack usually works, let’s use the diagram shown in Figure 1.2 as a reference:

Figure 1.2: Example of a supply chain attack

In the example shown in Figure 1.2 there is already an assumption that the threat actor started its spear-phishing campaign targeting the supplier and it was able to obtain some valid user credentials that will be leveraged in step 3. Many professionals still ask why the threat actor doesn’t go straight to the victim (in this case, the customer) and the answer is because in this type of attack the threat actor identified a supplier that has more potential for a bigger operation and it is easier to compromise because of the supplier’s weaker security defenses. Many times, the true victim has more security controls in place and it is harder to compromise.

Another scenario that attracts threat actors to this type of attack is the ability to compromise one supplier that is utilized by multiple companies. The SolarWinds case is a typical example of this, where the malicious code was deployed as part of a software update from SolarWinds’ own servers, signed with a compromised certificate. The update was targeting the most widely deployed SolarWinds product, Orion, a Network Management System (NMS).Now every single customer that uses this software and receives this version of the update will be compromised too. As you can see, the threat actor doesn’t need to compromise many targets, they just need to focus on one target (the supplier) and let the chain of effects take place.

To minimize the likelihood that your organization will be compromised by a supply chain attack, you should implement at least the following best practices:

Throughout this book you will also learn many other countermeasure controls that can be used for this purpose.

Ransomware

Cognyte’s Cyber Threat Intelligence Research Group released some eye-opening statistics regarding the growth of Ransomware in their Annual Cyber Intelligence Report. One alarming finding was that in the first half of 2021 the number of ransomware victims grew by 100%, but 60% of the attacks came from the same three major ransomware groups, which operate as Ransomware-as-a-Service (RaaS):

Conti: documented in the MITRE ATT&CK at https://attack.mitre.org/software/S0575/

Avaddon: documented in the MITRE ATT&CK at https://attack.mitre.org/software/S0640/

Revil: documented in the MITRE ATT&CK at https://attack.mitre.org/software/S0496/

In the same report it was also revealed that the manufacturing industry accounts for more than 30% of victims, which makes it rank number one in the top five industries hit by ransomware, followed by financial services, transportation, technology, and legal and human resources.

To protect against ransomware, you must understand how it typically works, from the beginning to the end. Using Conti and Revil, mentioned earlier as an example, let’s see how they operate across the kill chain:

Figure 1.3: Examples of how RaaS compromises a system

As shown in Figure 1.3, different RaaSes will utilize different methods to move across the cyber kill chain; they may have one or more phases that will leverage a common technique, but for the most part they will have their own unique qualities. By understanding how they operate you ensure that you are prioritizing the improvement of your cybersecurity hygiene to address your infrastructure’s weaknesses.

Using Microsoft Defender for Cloud as an example of a security posture management platform, you can review all recommendations according to the MITRE ATT&CK framework. For the example, let’s start by filtering all recommendations that are applicable to the Initial Access phase:

Figure 1.4: Recommendations applicable to the Initial Access phase of MITRE ATT&CK

Notice the arrow in Figure 1.4 that points to the Tactics filter, where you can select the MITRE ATT&CK phase. By utilizing this capability in Microsoft Defender for Cloud, you can start prioritizing the security recommendations that are currently open based on the MITRE ATT&CK tactic, and ensure that you are enhancing your security posture.

The point of this demonstration is to show you that there is no “silver bullet” to protect your organization against ransomware, and if a vendor comes to you to try to sell a black box saying that it is enough to protect against ransomware, run away from it, because that is not how protection works. Just by looking at the diagram shown in Figure 1.3, you can see that each phase targets different areas that will most likely be monitored by different security controls.

Let’s use as an example the initial access of Conti RaaS, which is RDP Brute Force. Management ports shouldn’t be always enabled for internet access anyway, and that’s the reason a security posture management platform such as Microsoft Defender for Cloud has a recommendation specifically for that, as shown in Figure 1.5:

Figure 1.5: Recommendation to close management port

You can see the MITRE ATT&CK tactic and technique mapped for this recommendation, and the workloads that are vulnerable if this recommendation is not remediated. This is the preventive work that needs to be done: the security hygiene. In addition, you should also have threat detection to identify scenarios that were not predicted, now that there is a threat actor trying to exploit a management port that is open. For that, you also need security controls that can identify this type of attack. Microsoft Defender for Servers has threat detection for RDP Brute Force attacks.

Other mitigation controls that you can add in place are shown in the table below:

Scenario

Core Mitigation

Remote access to a company’s resource

Endpoints

User account

Email and collaboration

Table 1.2: Mitigation controls for ransomware attacks

While this list brings some key mitigations, you must also ensure that your infrastructure is secure enough to make it harder for the threat actor to escalate privilege or advance to other attack phases in case they were already able to compromise a system. To decrease the likelihood that the threat actor will be able to continue moving forward on their mission once they are able to compromise a system, you should address the following scenarios:

Scenario

Core Mitigation

Privilege access

Detection and response

Table 1.3: Scenarios and mitigations to prevent threat actor escalation

Additional security controls and mitigations may be necessary according to the organization’s needs and industry. As mentioned earlier, some threat actors are actively investing in certain industries, hence the potential need to add more layers of protection.

Using the assume breach mindset, we know that it is important to be ready to react in case your organization gets compromised. In the case of ransomware, what should you do once you learn that a threat actor has already compromised a system and escalated privilege? In this case the intent is always to minimize the financial leverage that the threat actor may have. To accomplish this, you need to ensure that you have:

Having each of these elements in place significantly reduces the financial leverage a threat actor will have should a breach occur.

While there are several different techniques that threat actors can use to stage attacks – such as supply chain attacks and ransomware – it is also important to note that there are multiple different entry points they can attack from. A user is going to use their credentials to interact with applications in order to either consume data or write data to servers located in the cloud or on-premises. Everything in bold has a unique threat landscape that must be identified and treated. We will cover these areas in the sections that follow.

The credentials – authentication and authorization

According to Verizon’s 2020 Data Breach Investigations Report , the association between the threat actor, their motives, and their modus operandi varies according to the industry (to access this report, visit https://www.verizon.com/business/resources/reports/2021/2021-data-breach-investigations-report.pdf?_ga=2.263398479.2121892108.1637767614-1913653505.1637767614). The report states that attacks against credentials still remain one of the most common. This data is very important, because it shows that threat actors are going after users’ credentials, which leads to the conclusion that companies must focus specifically on the authentication and authorization of users and their access rights.

The industry has agreed that a user’s identity is the new perimeter. This requires security controls specifically designed to authenticate and authorize individuals based on their job and need for specific data within the network. Credential theft could be just the first step to enable cybercriminals to have access to your system. Having a valid user account in the network will enable them to move laterally (pivot), and at some point find the right opportunity to escalate privilege to a domain administrator account.

For this reason, applying the old concept of defense in depth is still a good strategy to protect a user’s identity, as shown in the following diagram:

Figure 1.6: Multi-layer protection for identity

In the previous diagram there are multiple layers of protection, starting with the regular security policy enforcement for accounts, which follows industry best practices such as strong password requirements, including frequent password changes and high password strength.

Another growing trend to protect user identities is to enforce MFA. One method that is seeing increased adoption is the callback feature, where the user initially authenticates using their credentials (username and password), and receives a call to enter their PIN. If both authentication factors succeed, they are authorized to access the system or network. We are going to explore this topic in greater detail in Chapter 7, Chasing a User’s Identity. Another important layer is continuous monitoring, because at the end of the day, it doesn’t matter if you have all layers of security controls if you are not actively monitoring your identity to understand normal behavior and identify suspicious activities. We will cover this in more detail in Chapter 12, Active Sensors.

Apps

Applications (we will call them apps from now on) are the entry point for the user to consume data and transmit, process, or store information on the system. Apps are evolving rapidly, and the adoption of SaaS-based apps is on the rise. However, there are inherent problems with this amalgamation of apps. Here are two key examples:

If you have a team of developers that are building apps in-house, measures should be taken to ensure that they are using a secure framework throughout the software development lifecycle, such as the Microsoft Security Development Lifecycle (SDL) (Microsoft’s full account of SDL can be found at https://www.microsoft.com/sdl ). If you are going to use a SaaS app, such as Office 365, you need to make sure you read the vendor’s security and compliance policy. The intent here is to see if the vendor and the SaaS app are able to meet your company’s security and compliance requirements.

Another security challenge facing apps is how the company’s data is handled among different apps, the ones used and approved by the company and the ones used by the end user (personal apps).

This problem becomes even more critical with SaaS, where users are consuming many apps that may not be secure. The traditional network security approach to support apps is not designed to protect data in SaaS apps, and worse, they don’t give IT the visibility they need to know how employees are using them. This scenario is also called Shadow IT, and according to a survey conducted by the Cloud Security Alliance (CSA), only 8% of companies know the scope of Shadow IT within their organizations. You can’t protect something you don’t know you have, and this is a dangerous place to be.

According to the Kaspersky Global IT Risk Report 2016, 54% of businesses perceive that the main IT security threats are related to inappropriate sharing of data via mobile devices. It is necessary for IT to gain control of the apps and enforce security policies across devices (company-owned and BYOD). One of the key scenarios that you want to mitigate is the one described in the following diagram:

Figure 1.7: BYOD scenario with corporate app approval isolation

In this scenario, we have the user’s personal tablet that has approved applications as well as personal apps. Without a platform that can integrate device management with application management, this company is exposed to a potential data leakage scenario.

In this case, if the user downloads the Excel spreadsheet onto their device, then uploads it to a personal Dropbox cloud storage and the spreadsheet contains confidential information about the company, the user has now created a data leak without the company’s knowledge or the ability to secure it.

Data

It’s always important to ensure that data is protected, regardless of its current state (in transit or at rest). There will be different threats according to the data’s state. The following are some examples of potential threats and countermeasures:

State

Description

Threats

Countermeasures

Security triad affected

Data at rest on the user’s device.

The data is currently located on the user’s device.

An unauthorized or malicious process could read or modify the data.

Data encryption at rest. It could be file-level encryption or disk encryption.

Confidentiality and integrity.

Data in transit.

The data is currently being transferred from one host to another.

A man-in-the-middle attack could read, modify, or hijack the data.

SSL/TLS could be used to encrypt the data in transit.

Confidentiality and integrity.

Data at rest on-premise (server) or in the cloud.

The data is located at rest either on the server’s hard drive located on-premise or in the cloud (storage pool).

Unauthorized or malicious processes could read or modify the data.

Data encryption at rest. It could be file-level encryption or disk encryption.

Confidentiality and integrity.

Table 1.4: Threats and countermeasures for different data states

These are only some examples of potential threats and suggested countermeasures. A deeper analysis must be performed to fully understand the data path according to the customer’s needs. Each customer will have their own particularities regarding the data path, compliance, rules, and regulations. It is critical to understand these requirements even before the project is started.

As you can see from the topics we have covered so far, there are many different areas to consider within the current landscape of security threats. You must consider the unique issues facing apps, data, credentials, supply chain attacks, and ransomware in order to better prepare for threats.

With this in mind, we will now move on to discussing cybersecurity challenges – more specifically, we will look into how particular attacks have shaped the cybersecurity landscape, and how techniques used by threat actors have evolved over time.

Cybersecurity challenges

To analyze the cybersecurity challenges faced by companies nowadays, it is necessary to obtain tangible data and evidence of what’s currently happening in the market. Not all industries will have the same type of cybersecurity challenges, and for this reason we will enumerate the threats that are still the most prevalent across different industries. This seems to be the most appropriate approach for cybersecurity analysts that are not specialized in certain industries, but at some point in their career they might need to deal with a certain industry that they are not so familiar with.

Old techniques and broader results

According to Verizon’s 2020 Data Breach Investigations Report, 2020 showed an interesting trend with COVID-19 as the main theme for attackers. While some new techniques were utilized, some old ones were still at the top:

These old techniques are used in conjunction with aspects related to lack of security hygiene. Although the first one in this list is an old suspect, and a very well-known attack in the cybersecurity community, it is still succeeding, and for this reason it is still part of the current cybersecurity challenges. The real problem is that it is usually correlated to human error. As explained before, everything may start with a phishing email that uses social engineering to lead the employee to click on a link that may download a virus, malware, or Trojan. This may lead to credential compromise and most of the time this could be avoided by having a stronger security posture. As mentioned in the Analysis Report (AR21-013A) issued by the US Cyber Security & Infrastructure Security Agency, “threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.” Poor cyber hygiene basically means that customers are not doing their homework to remediate security recommendations, which includes weak settings or even misconfigurations.

The term targeted attack (or advanced persistent threat) is sometimes unclear to some individuals, but there are some key attributes that can help you identify when this type of attack is taking place. The first and most important attribute is that the attacker has a specific target in mind when he/she/they (sometimes they are sponsored groups) start to create a plan of attack. During this initial phase, the attacker will spend a lot of time and resources to perform public reconnaissance to obtain the necessary information to carry out the attack. The motivation behind this attack is usually data exfiltration, in other words, stealing data. Another attribute for this type of attack is the longevity, or the amount of time that they maintain persistent access to the target’s network. The intent is to continue moving laterally across the network, compromising different systems until the goal is reached.

One of the greatest challenges when facing a targeted attack is to identify the attacker once they are already inside the network. Traditional detection systems such as intrusion detection systems (IDSes) may not be enough to alert on suspicious activity taking place, especially when the traffic is encrypted. Many researchers have already pointed out that it can take up to 229 days between infiltration and detection. Reducing this gap is definitely one of the greatest challenges for cybersecurity professionals.

Crypto and ransomware are emerging and growing threats that are creating a whole new level of challenge for organizations and cybersecurity professionals. In May 2017, the world was shocked by the biggest ransomware attack in history, called WannaCry. This ransomware exploited a known Windows SMBv1 vulnerability that had a patch released in March 2017 (59 days prior to the attack) via the MS17-010 bulletin. The attackers used an exploit called EternalBlue that was released in April 2017, by a hacking group called The Shadow Brokers. According to MalwareTech , this ransomware infected more than 400,000 machines across the globe, which is a gigantic number, never seen before in this type of attack. One lesson learned from this attack was that companies across the world are still failing to implement an effective vulnerability management program, which is something we will cover in more detail in Chapter 16, Vulnerability Management.

It is very important to mention that phishing emails are still the number one delivery vehicle for ransomware, which means that we are going back to the same cycle again; educate the user to reduce the likelihood of successful exploitation of the human factor via social engineering and have tight technical security controls in place to protect and detect. Threat actors are still using old methods but in a more creative way, which causes the threat landscape to shift and expand – this will be explained in more detail in the next section.

The shift in the threat landscape

As mentioned earlier in this chapter, supply chain attacks added a series of new considerations to the overall cybersecurity strategy for organizations, exactly because of the shift in the threat landscape. Having said that, it is important to understand how this shift occurred over the last five to ten years to understand some of the roots and how it has evolved.

In 2016, a new wave of attacks gained mainstream visibility, when CrowdStrike reported that it had identified two separate Russian intelligence-affiliated adversaries present in the United States Democratic National Committee (DNC) network.

According to their report, they found evidence that two Russian hacking groups were in the DNC network: Cozy Bear (also classified as APT29) and Fancy Bear (APT28). Cozy Bear was not a new actor in this type of attack, since evidence has shown that in 2015 they were behind the attack against the Pentagon email system via spear-phishing attacks . This type of scenario is called a government-sponsored or state-sponsored cyber-attack.

The private sector should not ignore these signs. According to a report released by the Carnegie Endowment for International Peace, financial institutions are becoming the main target for state-sponsored attacks. In February 2019 multiple credit unions in the United States were targets of a spear-phishing campaign, where emails were sent to compliance officers in these credit unions with a PDF (which came back clean when ran through VirusTotal at that time), but the body of the email contained a link to a malicious website.

Although the threat actor is still unknown, there are speculations that this was just another state-sponsored attack. It is important to mention that the US is not the only target; the entire global financial sector is at risk. In March 2019 the Ursnif malware hit Japanese banks. Palo Alto released a detailed analysis of the Ursnif infection vector in Japan, which can be summarized in two major phases:

We keep emphasizing the importance of security hygiene, and there is a reason for that. In 2021 we saw the Colonial Pipeline attack, where the threat actor was able to take down the largest fuel pipeline in the United States, which lead to shortages across the East Coast. Guess how this all happen? By compromising only one password. The account’s password was actually found on the dark web. While the end result was a ransomware attack, the entire operation was only possible due to this single password compromise.

For this reason, it is so important to ensure that you have strong security hygiene via the enhancement of your security posture and also that you are continuously monitoring your workloads. This security monitoring platform must be able to leverage at least the three methods shown in the following diagram:

Figure 1.8: Continuous security monitoring, facilitated by traditional alert systems, behavioral analysis, and machine learning

This is just one of the reasons that it is becoming foundational that organizations start to invest more in threat intelligence, machine learning, and analytics to protect their assets. We will cover this in more detail in Chapter 13, Threat Intelligence