4 Areas of Concern Keeping Incident Responders up at Night

Strong security culture and cyber hygiene are paramount to ensuring that organizations are ready to tackle new threats, outsmart creative cybercriminals, and maintain a healthy cybersecurity footprint. However, CISOs have their work cut out for them. The task of securing an organization -- and maintaining a secure posture -- is becoming increasingly difficult thanks to complexities such as an expansive and dynamic attack surface, intricate supply chain risks, and diminishing security budgets.

The following four areas of concern are based on countless Unit 42 incident response engagements and offer insight into where most organizations remain vulnerable or minimally protected.

Supply Chain Attacks

DevOps and agile software development practices are crucial, as they enable organizations to achieve accelerated development cycles, ultimately allowing for more rapid release timelines. However, this breakneck level of speed often requires the use of third-party code in vendor applications. The necessity of leveraging third-party code introduces the perfect storm: Attackers can hide vulnerabilities within code snippets to launch supply chain attacks. If an attacker compromises a third-party developer's code, they may have the opportunity to infiltrate thousands of organizations. Drawing lessons from examples such as Log4j, it is obvious why securing the software supply chain at every step is imperative to avoid disastrous effects.

Nearly three-fourths (74%) of respondents to a recent survey feel that security slows down DevOps. But ultimately, paying extra attention to security upfront may save significant resources and energy in the future. Organizations should ensure that intentional guardrails and security controls are incorporated into each step of the secure code development strategy. This includes laying out ownership, milestones, and metrics for embedding security processes and tools into all stages of the continuous integration/continuous development pipeline.

Cloud Security and Identity and Access Management (IAM)

An improperly configured cloud environment could leave the door unlocked for malicious actors to “walk” right in without the requirement of exploiting a vulnerability or using a sophisticated technique. Poor configuration is essentially the same as handing over the keys to the castle, so it’s no surprise that cybercriminals commonly search for this low-hanging fruit.

To better secure your cloud environment, you can safeguard IAM permissions by regularly checking for misconfigurations, default, and overly broad permissions, as well as instituting procedures to identify exposed IAM access keys on an ongoing basis. Additionally, ensuring that access to cloud controls is locked down is vital to minimizing risks of misconfiguration and other errors. Individual users should only be granted access on a need-to-know basis, and careful consideration should be taken when provisioning new access.

A Growing Attack Surface

Modern attack surfaces are, at their core, dynamic and constantly expanding. This is a natural result of adopting evolving technology to make businesses more effective and efficient. However, the larger an attack surface grows, the harder it is to manage and maintain visibility into all assets.

As a result, attackers are becoming increasingly masterful at scouring the internet in search of vulnerable systems. This practice lowers the amount of time that an organization has to patch a vulnerability, and often, an attacker knows about a vulnerability before the organization does.

It’s important for an organization not to limit innovation or progress in the name of managing the attack surface. Instead, it should become a champion for visibility. Security teams are working diligently with the resources and the data they have, but visibility is often the most critical factor as to whether an asset is secure. If you don’t know where your organization’s exposures live, ensuring you’ve appropriately patched everything is nearly impossible. Attackers only need a single crack to find their way in, and they thrive on the complexity and ever-changing nature of attack surfaces. The best option for security teams is to ensure they maintain, at a minimum, the same view of their attack surface as a threat actor does.

Overloaded Security Teams

Unfortunately, the security industry is facing a talent shortage. ISC reports a global cybersecurity workforce gap of 3.4 million people -- a staggering number that is felt by those on the front lines. Security team resourcing challenges continue to expand, not coincidentally, as attack strategies become more complex. The average cybersecurity team faces many hurdles, such as trying to thwart sophisticated threat actors while relying on a patchwork of poorly implemented tools and immature or undefined processes.

Provide relief to your cyber team by automating wherever you can. Today’s advancements offer many tools that leverage machine learning and artificial intelligence that can streamline processes for a team. This can help your team prioritize scarce resources, consolidate visibility and control over a dynamic network, and reduce response and recovery tasks. As a result, many hours of manual labor spent trying to piece together information from disparate sources across multiple tools can be saved.

The threat landscape is constantly evolving, and today’s incident responders are kept up late, knowing these vulnerabilities are looming. As a CISO, you must adequately prepare to protect against today’s and tomorrow’s most critical threats. As an added bonus, when your board comes to you with questions about your organization’s security posture, you will be well-equipped to answer them.