FortiGuard Labs Perspectives
Digital transformation has unlocked massive potential for organizations and recent shifts to remote work have forced new learnings in business agility. Both have also paved the way for a new wave of advanced cybersecurity threats. Cybercriminals are becoming more sophisticated, using tools such as machine learning and AI to take advantage of the expanding attack surface and bypass traditional safeguards. Faced with endless alerts and a flood of data being collected from endpoints, network and IoT devices, cloud environments, and other areas, IT teams are struggling to keep pace, let alone stay ahead of threats.
To learn more about important takeaways for the threat landscape, we asked Aamir Lakhani and Jonas Walker from Fortinet’s FortiGuard Labs threat intelligence team to share their perspective on what threat teams and organizations should be aware of as the landscape has shifted so dramatically recently.
Overall, if you had to look at the threat landscape at a big picture level, is it getting more intense, or is everything relative?
Jonas: It gets more intense as many organizations proceed to adopt digital transformation. These days, organizations manage physical networks, private and public cloud networks, IT/OT devices, and are moving many devices to the edge. On top of that, the current pandemic accelerates many of these processes, and unfortunately, security is often not a priority and is implemented too late. Malicious threat actors are well aware of this and come very well prepared. Devices that connect to the Internet are targets for cybercriminals. The more devices, the larger the attack surface, and the more likely an attacker will be successful with initial access attempts before moving laterally through networks.
Aamir: It is more intense. In the past, we only had to protect users from application and networking threats. Today, there are exponentially more applications being used, more attacks, and more opportunities for attackers. Instead of worrying only about Windows, we need to protect Mac OS, Linux, iOS, Android, and IoT operating systems. Cybersecurity not only needs to protect information services but also operational technology (OT) as well. The threats are well beyond what is on a traditional computer screen and are now present in cars, manufacturing equipment, and critical infrastructure. Our likes, dislikes, bank accounts, preferences, and authentication access questions have been digitized and are targets for attackers to steal, use, and profit from. The volume and velocity of attacks are on a scale that sits between ridiculous and insane. Additionally, attackers understand technology better and better, and in some instances have more resources and support than in the past. In the spirit of Aldous Huxley, let’s say it is a brave new world.
Do you think organizations or users, in general, are more informed and savvier today than when you first entered the field?
Jonas: Employee awareness has increased, but it’s far from where it needs to be. Before we are allowed to drive a car on the street, we need to get a driver’s license. With the Internet, it’s different. Everyone who can purchase a smartphone, a laptop, or even an IoT device can connect to the Internet and do whatever they want. There is no license to use connected devices or to install software on your systems. On the other hand, you have sophisticated attackers who are specialized in offensive measures and can attack you from all over the world as long as they have Internet connectivity.
On the bright side, ransomware – especially WannaCry – was a big wake-up call for many organizations. It can hit anyone, and the impact will be substantial. Overall awareness and the average security skillset are increasing, which is good. Nevertheless, there is room for improvement since any environment is only as secure as its weakest link.
Aamir: I first started playing around with cybersecurity when I was ten years old, and I would say most ten-year-olds were not that savvy about cybersecurity. In all seriousness though, I think people are much more aware of cybersecurity problems and how their data can be at risk.
Today, most people understand what a basic cyber scam is and that scammers may attempt to steal their identity or trick them with a phishing email. Granted, not everyone can recognize the attack, but they understand the basic script for the attack. Users have also gone through media sensationalism on significant data breaches, which has raised their overall awareness, but such coverage may lead to people getting numb to new attacks and breaches.
In the past, large corporations almost looked at their InfoSec divisions as a burden rather than partners. I think as we have seen a more cooperative relationship between InfoSec and other organizations within companies, we have also seen a corresponding rise in awareness. We have also seen a much larger emphasis on user awareness training, which is on the roadmap of almost every CISO, which means users understand the potential risks.
We are starting to see differences in the way people use social media. Social sharing is becoming more familiar with Generation X. Generation Z and some Millennials prefer more ephemeral networks where they can control the conversation. Some people may attribute that to the lack of interest in participation in Generation Z, but I think it is that they are more aware of the dangers of information leakage.
Lastly, we are making technology easier to consume with privacy. People are starting to understand that when they do not protect their information or their data, it can be a trade-off for long-term gains.
What are some of the “low-hanging fruit” threats that you think not everyone knows about?
Jonas: From an offensive view, it has never been as easy for attackers to practice social engineering with all the public information available. This kind of information is not per se bad, but can be leveraged effectively for social engineering attacks. This digital data is an opportunity for cybercriminals.
To protect environments effectively, organizations must first realize that cybersecurity is priority one. Otherwise, it’s a lost fight long term! A robust cybersecurity strategy is critical to surviving in the long term. It’s perfectly fine to realize that help is needed and bring outside help to tackle the challenges. Penetration testing is very effective if done correctly and shows exactly how attackers would exploit vulnerabilities in corporate environments. From a technical point of view, it’s important to keep track of administrative accounts and passwords in general. In my opinion, every employee should use multi-factor authentication wherever possible and use a password manager. Last but not least, invest in your people as much as possible. Awareness training and explaining why rules exist can make a big difference.
Aamir: We are often asked by many customers what recommendations we can give them. Overall, it isn’t easy to answer because of the uniqueness of each environment we see. I regularly discuss this challenge with my FortiGuard Labs colleague Anthony Giandomenico, who has coined the phrase Core-4 around the solutions organizations use to address the “low hanging fruit” regarding cybersecurity. Core-4 is about what organizations should think about when protecting and understanding their four core pillars of cybersecurity. These four areas include:
- Identifying authorized and unauthorized devices on your organization’s network
- Reducing unnecessary access
- Adding applications to the safe list
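The first Core-4 item, knowing which devices on the network are authorized and which are not, comes down to reconciling what is actually seen on the wire against an inventory. The script below is an added example written for this page, not code from Fortinet or FortiGuard Labs: it parses a handful of constructed ISC dhcpd-style lease lines, normalizes the MAC addresses, and flags devices whose MAC is absent from a hypothetical inventory, as well as inventoried MACs that show up under a different hostname than expected (a hint worth a second look, since a MAC can be spoofed). The inventory, lease lines, hostnames and addresses are all made up for illustration.

```python
"""Reconcile observed DHCP leases against a device inventory.

Added example for this page, not FortiGuard Labs code. All data below is
constructed: the inventory and the lease lines are hypothetical samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical inventory: MAC address -> expected hostname (assumed data).
AUTHORIZED: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "ws-finance-01",
    "aa:bb:cc:00:00:02": "printer-floor2",
    "aa:bb:cc:00:00:03": "ws-hr-07",
}

# Constructed lease records in ISC dhcpd style, one per line. Line 4 uses an
# upper-case MAC and a hostname that does not match the inventory on purpose;
# line 5 has no client-hostname at all.
SAMPLE_LEASES = """\
lease 10.0.1.21 { hardware ethernet aa:bb:cc:00:00:01; client-hostname "ws-finance-01"; }
lease 10.0.1.22 { hardware ethernet aa:bb:cc:00:00:02; client-hostname "printer-floor2"; }
lease 10.0.1.57 { hardware ethernet de:ad:be:ef:00:99; client-hostname "android-8f3c"; }
lease 10.0.1.58 { hardware ethernet AA:BB:CC:00:00:03; client-hostname "laptop-x"; }
lease 10.0.1.59 { hardware ethernet 00:11:22:33:44:55; }
"""

# Matches within a single line: '.' does not cross newlines without DOTALL,
# so an optional hostname is never borrowed from the following record.
LEASE_RE = re.compile(
    r'lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{.*?'
    r'hardware ethernet\s+(?P<mac>[0-9A-Fa-f:]{17});'
    r'(?:.*?client-hostname\s+"(?P<host>[^"]*)")?'
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str                  # normalized to lower case
    hostname: Optional[str]   # None when the lease carries no client-hostname


def parse_leases(text: str) -> List[Device]:
    """Extract one Device per lease record, normalizing the MAC address."""
    devices = []
    for m in LEASE_RE.finditer(text):
        devices.append(Device(ip=m.group("ip"),
                              mac=m.group("mac").lower(),
                              hostname=m.group("host")))
    return devices


def find_unauthorized(devices: List[Device],
                      authorized: Dict[str, str]) -> List[Device]:
    """Devices whose MAC does not appear in the inventory at all."""
    return [d for d in devices if d.mac not in authorized]


def find_hostname_mismatches(devices: List[Device],
                             authorized: Dict[str, str]) -> List[Device]:
    """Inventoried MACs that announced a hostname other than the expected one.

    A lease without a client-hostname is not reported here; only an explicit
    conflicting name is treated as a mismatch.
    """
    return [d for d in devices
            if d.mac in authorized
            and d.hostname is not None
            and d.hostname != authorized[d.mac]]


def report(text: str, authorized: Dict[str, str]) -> Dict[str, List[str]]:
    """Summarize findings as MAC lists, convenient for logging or alerting."""
    devices = parse_leases(text)
    return {
        "unauthorized": sorted(d.mac for d in find_unauthorized(devices, authorized)),
        "hostname_mismatch": sorted(d.mac for d in find_hostname_mismatches(devices, authorized)),
    }


if __name__ == "__main__":
    findings = report(SAMPLE_LEASES, AUTHORIZED)
    for category, macs in findings.items():
        for mac in macs:
            print(f"{category}: {mac}")
```

In practice the lease file (or the switch's MAC table, or an EDR asset export) replaces `SAMPLE_LEASES`, and the inventory comes from whatever asset database the organization already maintains; the reconciliation logic itself does not change. Treat a hostname mismatch as a lead, not a verdict, since machines get renamed legitimately.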
What is one threat on the horizon that is not being talked about much that will deserve attention in the coming months or years?
Jonas: I firmly believe fully self-driving cars will disrupt the auto and travel industry entirely in the next few years. Cars are no longer cars as we know them; each one is a super-powerful computer on four wheels. It is fascinating and I cannot wait to experience it. On the other hand, if security is not treated as the absolute priority, it will be a big cybersecurity concern.
Aamir: I think Jonas was spot on when he spoke about cars and IoT in general. Medical devices, manufacturing equipment, and even restaurant supplies incorporate IoT devices that are connected, have automatic updates, and use the Internet to add functionality. Current connectivity technologies have held back some of the widespread adoption of these devices. I do think 5G technologies are going to be a game-changer in this manner. Not only does 5G make the Internet ubiquitous globally for IoT devices; the reduction in latency and the ability to form efficient meshes also mean a higher concentration of devices in a single area. 5G is not only bringing the Internet to rural areas and areas not previously covered by broadband Internet, it is also expanding the attack opportunity for threat actors.