The Talos Year in Review is available now and contains a wealth of insights about how the threat landscape has shifted in 2023. With new ransomware strains emerging from leaked source code, commodity loaders adding more reconnaissance measures to their belts, and geopolitical events influencing APT activity, there’s a lot to dissect.
From a defender’s point of view, what does that mean heading into 2024? Do you need to consistently shift tactics too, to stay one threat ahead?
The thing is, we will never be “done” with cybersecurity. There will always be new threat actor groups. New strains. New tactics. And even if the defender community dismantles a botnet, like for example the takedown of Qakbot in August, it doesn’t mean the group behind it will cease to operate. We’ll never reach that scenario in the game of Battleship when you’ve found the final target and smugly mutter, “This is your last boat.”
There’s two ways of looking at that. You can either say, “What’s the point?” Or “We know we’ll probably get hit at some point. What can we do to ensure we eradicate the threat as quickly as possible?” So much of cybersecurity is about balancing and reducing risk. Knowing what risks you can accept, and what risks you absolutely can’t.
That base visibility is key. As we at Talos commonly say, whomever knows the network best, owns the network.
For example, Veradigm, a healthcare IT organization that the Cisco Talos Incident Response (Talos IR) team has been working alongside for many years to proactively assess and constantly improve their security posture, recently detected an intrusion and potential information-stealing attack. Luckily, their preparedness coupled with their Talos IR partnership enabled them to swiftly pinpoint the issues before bad actors could execute their plan.
The key to Veradigm’s successful response? Visibility across the network, having a clear plan, and being able to answer these four questions as quickly as possible:
· How did they get in?
· Are they still in?
· What did they do?
· How could they get in again?
Veradigm has also participated in multiple Talos IR tabletop exercises to stress test processes and adjust as needed to respond and succeed more quickly.
Aligned to that, experts from across Cisco recently sat down to discuss proactive threat hunting in general, and the benefits this type of activity can have to help organizations find vulnerabilities and weak points that hadn't been spotted before. Check out the discussion below:
One of the newer cross-regional trends we observed this year (and wrote about in the 2023 Year in Review) is an increase in the targeting of network devices, from both APTs and cybercriminals. The intent can differ between these disparate adversaries: the former is more driven by espionage and secondary target selection while the latter aims more for financial gain.
Both groups rely on exploiting recently disclosed vulnerabilities as well as weak/default credentials. This is one of the reasons why use of valid accounts was a top MITRE ATT&CK technique observed this year, and consistently a top weakness in Talos Incident Response engagements.
Patching isn't easy, and isn't necessarily without risk. It all comes back to that balance again.
We got a question on the Reddit AMA thread that we ran earlier this week, about the difficulties of patching network infrastructure. I thought my colleague Lexi DiScola's response was such a good one I wanted to highlighted it here.
The question was, "Eventually these [networking] devices may get patched, but not without a significant planned downtime, ranting from org leaders, and/or hesitation from the networking team (if there is one). Especially in larger orgs, where the number of devices may be in the hundreds or thousands. What have you observed to be the biggest barriers to patch management that you see regarding network devices?"
Here was Lexi's answer:
"One of the biggest barriers in securing these devices is that they are often not prioritized by security teams - whether that be for the reasons you listed, and/or because there is a lack of awareness around the significant level of access they can enable. As there is often limited monitoring of these devices, security teams may not even realize they are being leveraged as initial access vectors during large scale intrusions. This lack of awareness is further highlighted by the fact that many of these devices are vulnerable due to organizations using default passwords and configurations, vulnerabilities that are often quickly remediated in other network infrastructure. We recommend organizations improve monitoring and defensive measures for these devices, patch security flaws, remediate insecure default configurations, and improve employee awareness."
In terms of other recommendations based on the trends in the Year in Review Report? Well, if you thought you were about to read a blog about security recommendations without the mention of multi-factor authentication, I’m sorry to break it to you, because that’s about to happen. MFA really is one of the best things you can do to limit your threat surface.
In this episode of the Talos Takes podcast, we address the basics of implementing MFA in any environment, why any type of MFA is better than no MFA, the pitfalls of certain types of authentication, and whether going passwordless is the future.
Read the full Year in Review below (no form filling necessary!):
