Author: David Kennedy & Randy Pargman
One thing can be said for 2020: no one expected things to go the way they did. Cybersecurity pros are always on high alert for the latest attacks, but the pandemic caused the entire world to shift to new ways of working and collaborating. At the end of 2020, the SolarWinds breach and the subsequent breaches of its customers, including high-profile government offices, became one of the largest cyberattacks the US has seen. This breach will have a lasting impact for months, if not years, to come.
Those working in cybersecurity should be recognized for their efforts and successes to thwart the latest attacks in a very challenging year. What takeaways can we bring forward from 2020, and what should we prepare for in 2021? We asked our Senior Director of Counterintelligence and Threat Hunting, Randy Pargman, and our Chief Technology Officer and co-founder, David Kennedy, for their insights.
Going into 2020 (prior to March), what were you anticipating as the biggest cybersecurity challenge for organizations? How did that change when the world shifted to remote work?
PARGMAN: At the start of the year, it seemed that the biggest challenges facing IT and security professionals would be how to efficiently leverage their understaffed teams to respond to all the innovations that the threat groups come up with to bypass detection and security controls. Under normal circumstances, security teams at every company I know have to deal with a shortage of resources and more work than is appropriate for their team size, and they rise to the challenge by working harder and automating as much as they can. The pandemic and quick pivot to a remote workforce made this even harder, by adding even more pressure on IT professionals to stand up new remote access systems and keep them both online and secured. The requirement to make things work had to take priority over security controls in some circumstances for business to continue, which forced the already overworked teams to work even more unplanned hours to mitigate the new risks. I hope that everyone takes the time to recognize and thank their hard-working IT and security staff for keeping things running this year!
KENNEDY: Cybersecurity almost always faces challenges around staffing and being able to keep up with how fast an organization moves and the adoption of fundamental security principles. I think going into 2020, the main concern was what organizations could do to best protect themselves against threats like ransomware, but also how to make it harder for any attacker to go after an organization. Timing, budget and the difficulty of implementing certain aspects of a security program often cause organizations to lag behind, and prior to the pandemic, it was challenging for organizations to have an adequate amount of staff and support for their security programs.
2020 was obviously a crazy year. What was the craziest thing that you saw from a security standpoint?
PARGMAN: One thing about working in the cybersecurity field is that it is never boring—every week seems to bring some new crazy scheme by attackers into the spotlight. It’s hard to pick just one craziest thing from 2020, but the big Twitter hack in June stands out as crazy for three reasons. First, it showed that any organization, even a huge technology company with serious security controls and authentication safeguards, can be breached through social engineering of employees. Second, it demonstrated how a security incident in one organization can have cascading effects for everyone who depends on that organization for services. Finally, the craziest part of the entire incident is that even though it seemed most likely that a serious nation-state threat group would be the only ones to pull off such an attack against Twitter, it turned out to be a small group of young hackers who used their access to pull off some scams, download some messages and gain notoriety. It was also surprising and satisfying to see law enforcement make arrests just a few months after the incident.
What’s interesting to note is that at the same time the Twitter hack was getting lots of public attention, the stealthy attackers behind the SolarWinds SUNBURST malware had already put their attack into motion months before and were quietly stealing information and burrowing deeper into the networks of the government agencies and companies that they had selected to target. Quite often, the most damaging hacks are not the ones that cause the biggest splash, but the ones that go undetected for the longest time. That’s why it is so important to focus on constantly improving threat hunting and detection strategies, and to have the visibility to look not just for signatures of known attacks, but for unusual patterns of behavior to find the stealthy intruders.
KENNEDY: What was really positive to see was how fast organizations adopted and overcame a work from home perspective. We had a number of customers that had never fully tested that capability and with minor hiccups, were able to allow their staff to still complete the mission of the organization, do it in a secure fashion, and still be operational during an uncertain time. We have always had the ability technologically within the past ten years at least to accomplish this, but there really hasn’t been a need. The remote workforce, online meetings, conferences, and more have all made a huge impact to still allow organizations to operate and share information but from their own homes. While that comes with challenges, I think it was a huge win for both information technology and security.
What was the biggest takeaway from 2020 in terms of businesses needing to ramp up their security?
KENNEDY: With moving to work from home, as well as more of a shift to third-party trusted providers via the cloud and other services, it’s never been more important to understand the complexity and risks associated with this. It’s no different than on-premises infrastructure, and the attack surface is much larger due to having multiple customers. With the SUNBURST attack we saw where one software development company can be a conduit to hundreds and thousands of customers all at once. These types of threats need to be incorporated into our threat models and adjusted accordingly in order to build and architect an infrastructure that can withstand, or at least identify earlier on, these complex attacks. For businesses, having more visibility and security from the ground up is going to be important moving forward, even more now than before.
PARGMAN: Many organizations that had been depending on perimeter security controls such as firewalls, web proxies and network monitoring systems suddenly had to adjust to an entirely remote workforce with workstations moving out from the protected corporate network and into employees’ home networks. With that shift, it became more important than ever for security teams to have visibility into what is happening on those endpoints, since they no longer had the protection or monitoring of the network to protect them as they did before.
Any industries hit particularly hard by cyberattacks in 2020?
KENNEDY: I think we’ve consistently seen a lot of industries hit hard, but the medical field was hit especially hard during these times. Ransomware has been a major threat, and medical organizations are often considered “soft targets” for these adversaries to go after. Security is often lacking in the medical field due to the sensitivity around equipment and procedures. That is often a viable attack method for bad actors and something that is taken advantage of.
PARGMAN: As we saw with the Universal Health Services ransomware attack in September, and the subsequent warning from the FBI and DHS to all hospitals and healthcare providers, the healthcare industry is particularly vulnerable to ransomware extortion attacks. Any industry that depends on its computer systems to remain constantly available to support critical services such as life and safety, or whose main line of business can be completely halted by computer systems being unavailable – those are the industries that will be hit hardest by ransomware attacks that lock up systems. That means that those industries will also benefit the most from having redundant backup systems and continuous detection to stop threats in the early phases before the attackers gain complete control of critical servers.
How do you think the threat landscape will change in 2021?
PARGMAN: Unfortunately, the trend of ransomware incidents is still increasing steadily as we close out 2020, so it is not hard to predict that these types of attacks against large organizations will only continue to increase going into 2021.
KENNEDY: I see ransomware continuing to advance and go after larger and larger organizations. In addition, with the SolarWinds supply chain attack, adversaries and organized crime groups look at the level of success here and attempt to emulate. We saw this several years ago with ransomware groups taking more of a research and development approach similar to nation states and how they approach their victims. I think managed service/security providers, cloud providers, software development companies, and organizations alike that have a lot of access to tens, hundreds, thousands, or more are all on notice now as a major attack surface for a lot of organizations.
What is the one thing businesses should do in 2021 to improve their security posture?
PARGMAN: Challenge assumptions that had been made when your security architecture was first designed, especially if it relied on a walled castle approach with perimeter defenses protecting internal systems from attack. Now that we’ve all had time to adjust to remote work and employees operating from networks at homes and vacation rentals around the world, take stock of what has changed and what visibility your security team has to monitor for threats to your distributed computer systems. Re-evaluate employee security education, enforce multi-factor authentication, and most of all, increase your visibility of events happening on laptops, workstations and servers regardless of where in the world those computers are located.
KENNEDY: Focusing on the basics is important (basic doesn’t mean it’s easy!). As Randy has mentioned, your security architecture should be segmented and designed to protect systems even if an adversary is internal. Concepts like patch management, multi-factor authentication, network segmentation, and threat modeling all provide a strong level of defense against the issues we see today. These are more preventative in nature; we also have to highly focus on understanding whether, if an attacker is successful, we have the ability to identify them earlier in the stages of a breach and before serious damage occurs.