By Brian Handrigan on Thursday, 04 May 2023
Category: Network Security

Keysight Releases 2023 Security Report

Keysight has released its 2023 Security Report. The report explores the key threats of 2022 and what you can expect in 2023. The key takeaways discussed in the report are:

1. Ransomware will be a constant threat that must be addressed ahead of time by IT security departments

Successful ransomware attacks are an indicator of weakness in most enterprise security architectures, along with the fact that humans (users targeted through email phishing) continue to be a weak link in the security chain. The first key conclusion of the report is that, since ransomware will be a constant threat, IT security departments must address it ahead of time. This means having a written protocol, prepared in advance, that describes how security engineers must react to a suspected ransomware incident.

For instance, are data backups being created? If so, how often? Where are backups stored so that a bad actor can't reach them? When should security engineers restore data to the network from those backups? Should a backup (image) of the infected or suspicious current network configuration be taken for later analysis, and what are the handling procedures for that specific backup? These data storage concerns need to be documented and addressed long before an attack is recognized.

The general IT security response plan should also be validated and/or updated to specifically address ransomware issues. For instance, how should a potential attack be handled and mitigated? Here are a few example issues to address:

2. AI is being weaponized by bad actors to improve their various threat vectors

A second conclusion is that since artificial intelligence is being weaponized by bad actors to improve their various threat vectors, you need to start preparing for this threat now. AI will probably be used to create autonomous attacks, especially when combined with the compute power of cloud computing networks.

In addition, AI lowers the skill level required of a would-be cybercriminal. Instead of building proofs of concept (POCs) to gain knowledge about systems, they can assemble malware attack scripts much more easily using ChatGPT or some other AI system. Such attacks can be structured around the cyber kill chain model, with each step automated. AI solutions can also generate different evasions, producing multiple malware variants with little time or effort required. This will make it much harder to stop an attacker.

In addition, AI will make it easier and faster to run spear phishing campaigns. The AI will be able to gather website and web link information that is tuned to individual people. This allows for better (more personalized) attacks designed to convince people to give up additional personal information and credentials.

At the same time, one benefit of AI is that the security engineer can use the same technology to automate breach and attack simulation (BAS) and, potentially, threat hunting. This gives the engineer a force multiplier and enables them to look constantly for signs of lateral movement, command and control (C&C) traffic, and so on.

3. You cannot defend against what you cannot see – you must deploy network visibility and breach and attack simulation technology

The third conclusion is that, since you cannot defend against what you cannot see, you need to deploy network visibility technology immediately to expose security threats. The first step is to accurately capture and validate potentially suspicious packet data. Flow data and log data can, and should, also be used in threat analysis, but both of these sources have limitations. Flow data provides only aggregate, coarse-grained observations. Log data has more detail than flow data, but certain malware can delete or corrupt log data and files, allowing those threats to slip by unnoticed.

Packet data, however, doesn't lie. It is a consistent source of truth and needs to be used as such, even though it requires more work. Taps and packet brokers allow you to collect packet data across your network, filter it down to just the data you need, and then pass that data on to one or more security tools for analysis. In addition, your network will need continuous breach and attack testing. Annual penetration testing and quarterly cyber range red team/blue team exercises aren't good enough anymore. That is not to say those activities should be eliminated, but additional proactive testing with a BAS solution should be included as well.
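The report's caveat that malware can delete or corrupt log data is one reason packet capture is treated as the source of truth. Where logs must still be relied on, a tamper-evident hash chain makes deletion, editing or truncation detectable, provided the final digest is stored somewhere the attacker cannot reach (the same concern the backup section raises). The example below is added here and is not from the report or Keysight; the log lines and the `verify_chain`/`chain_logs` helpers are constructed for illustration.

```python
import hashlib

# Constructed sample log lines (illustrative, not taken from the report).
SAMPLE_LOG = [
    "2023-05-04T10:00:01Z sshd: Accepted publickey for svc-backup from 10.0.2.15",
    "2023-05-04T10:00:07Z sudo: svc-backup : COMMAND=/usr/bin/rsync -a /data /mnt/backup",
    "2023-05-04T10:01:30Z audit: vssadmin delete shadows /all run by user ops01",
    "2023-05-04T10:02:11Z sshd: session closed for user svc-backup",
]

def _link(prev_digest, line):
    return hashlib.sha256((prev_digest + "\n" + line).encode()).hexdigest()

def chain_logs(lines, seed="genesis"):
    """Return [(line, digest), ...]; each digest covers the previous digest and
    the line, so editing, deleting or reordering an entry breaks all later digests."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for line in lines:
        prev = _link(prev, line)
        chained.append((line, prev))
    return chained

def verify_chain(chained, seed="genesis", anchor=None):
    """Return (ok, first_bad_index). `anchor` is the last digest as recorded
    off-host (e.g. shipped to a write-once store); comparing against it catches
    truncation of the tail, which an in-place check alone cannot detect."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(chained):
        if _link(prev, line) != digest:
            return False, i
        prev = digest
    if anchor is not None and prev != anchor:
        return False, len(chained)
    return True, None

def demo():
    chained = chain_logs(SAMPLE_LOG)
    anchor = chained[-1][1]                      # copy this digest off-host
    results = {"intact": verify_chain(chained, anchor=anchor)}
    deleted = chained[:2] + chained[3:]          # entry 2 removed
    results["deleted"] = verify_chain(deleted, anchor=anchor)
    edited = list(chained)
    edited[2] = (edited[2][0].replace("delete", "list"), edited[2][1])
    results["edited"] = verify_chain(edited, anchor=anchor)
    truncated = chained[:3]                      # tail dropped
    results["truncated"] = verify_chain(truncated, anchor=anchor)
    return results
```

`demo()` returns `(True, None)` for the intact chain and `(False, 2)`, `(False, 2)` and `(False, 3)` for the deleted, edited and truncated copies respectively.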

You can download the full report here:
