2020 was an unusual year where circumstances shifted at record pace. Amidst the scramble and confusion, security teams rose to the occasion. Perhaps most significantly, organisations had to rapidly protect and scale their remote access while facing new security risks.
The past year has shown us just how cyber threats can impact our lives, and the need for everyone to prepare for evolving attacks in the future. Let’s examine what happened last year in the world of security, celebrate those who were able to keep governments, businesses, and individuals cyber safe, and look to how we can prepare for 2021.
One thing that Cisco’s cyber threat intelligence team, Talos, knows for sure: 2020’s election security landscape was more complicated, and yet more secure, than it was in 2016. While many were focused on foreign election interference, domestic disinformation campaigns were quick to rise as well. Talos Director Matt Olney says that the commercialization of disinformation campaigns, or Disinformation-as-a-Service, is now more widespread but also easier to spot. State and local officials were able to take what they saw in 2016, build the right procedures, and come back better prepared four years on.
“As a result, a conversation with an election official in 2020 is fundamentally different than how it would be in 2016,” says Olney. “Gone are the times where I would say, ‘Let me tell you about this threat,’ because they’ve spent the last four years learning about those threats.”
In that time, the federal government created election security procedures and processes as well. The Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), created in 2018, makes network sensors and network flow monitors available at low cost to any state. The Cybersecurity and Infrastructure Security Agency (CISA), also created in 2018, works to secure the United States’ cyber and communications infrastructure.
Talos worked on the ground with the State of Mississippi, providing a tabletop exercise scenario that assumed some level of compromise had already occurred. The group worked with the state’s security office, as well as its communications and public relations teams. As Olney points out, it’s crucial to understand that security incidents are never purely technical: the most important moment of any potential security incident “…is the moment when the Secretary of State steps up to the podium and begins to talk about what happened.”
Healthcare also became a critical focus of 2020 with the coronavirus outbreak, and Edmond Kane, CISO of Steward Healthcare, says that some bad actors used this to their advantage. Threats rose sharply through the pandemic, both because of the rapid move to remote working and because attackers lured unsuspecting users with phishing, disinformation campaigns, and even COVID-related scams.
Kane says that this is insidious because healthcare IT is the essential backbone of modern patient care; individuals’ lives depend on whether this infrastructure is secure. A big challenge in the healthcare industry is legacy and outdated technology. Healthcare professionals and businesses are constantly balancing the risk of introducing new IoT devices that may be insecure against the risk of legacy technology that may not be up to date.
Ultimately, communicating the value of security is vital because every person in the industry needs to know how to be vigilant. In healthcare, the consequences move beyond just information.
“Healthcare is not about cybersecurity, it’s about patients,” says Kane. “And it’s our role to get in there and help them make sure that security doesn’t enter the bedside of the patients.”
The shift to remote working in 2020 meant two things: making sure all employees could safely work from home, and ensuring that they could still access company resources and assets. Because of this, many turned to remote desktops, the technology that allows users to connect to a computer from a remote location. Voilà, your office computer is now at your home desk. But RDP (Remote Desktop Protocol) often poses security concerns as well.
These include stolen credentials, man-in-the-middle attacks (where a bad actor places themselves in the communication path between two parties), and remote code execution (a vulnerability where an attacker can run their own code on a machine or server of their choosing). Any remote desktop solution, if compromised, grants an attacker entry into the organization. Organisations that use RDP must implement extra security measures to keep themselves and their employees safe. Cisco outlines a few key steps:
- Don’t expose RDP directly to the internet. Instead, require a VPN before RDP so employees get the access they need while staying secure
- Add MFA (multi-factor authentication), an extra security step that ensures users are legitimate by having them provide two pieces of evidence to prove their identity
- Lock out accounts after a reasonable number of failed login attempts
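The lockout advice above only helps if you can see the failures. The following added example (not Cisco’s code, and not from the original article) runs a sliding-window check over constructed Windows Security events: Event ID 4625 is a failed logon and logon type 10 is RemoteInteractive, i.e. RDP. The threshold, window and sample events are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. 4625 = failed logon,
# 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"ts": "2020-11-02T08:00:01", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"ts": "2020-11-02T08:00:09", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-11-02T08:00:15", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "root"},
    {"ts": "2020-11-02T08:00:22", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"},
    {"ts": "2020-11-02T08:00:30", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"ts": "2020-11-02T08:01:45", "id": 4625, "logon_type": 2, "ip": "-", "user": "jdoe"},  # console logon, ignored
    {"ts": "2020-11-02T09:10:00", "id": 4625, "logon_type": 10, "ip": "198.51.100.20", "user": "jdoe"},
    {"ts": "2020-11-02T09:10:40", "id": 4624, "logon_type": 10, "ip": "198.51.100.20", "user": "jdoe"},  # typo, then success
]


def find_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "users": [...]}} for every source that
    produced `threshold` or more failed RDP logons inside any `window`.
    Distinct user names per source are kept so password spraying (many
    accounts, few attempts each) stands out next to a single-account guess."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 10:
            failures[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))

    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0  # left edge of the sliding window
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"failures": len(attempts),
                            "users": sorted({u for _, u in attempts})}
                break  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for ip, info in find_rdp_brute_force(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failed RDP logons, accounts tried: {info['users']}")
```

In production the same logic would run against the event log or SIEM feed, and a hit would feed an account lockout or a firewall block rather than a print statement.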
Ransomware operators adopted new tactics, techniques and procedures (TTPs) on corporate networks in 2020. As ransomware gained traction, many actors refined their approaches and adopted new strategies like adding countdown timers to their ransom demands, threatening permanent deletion of data, and even big game hunting.
Big game hunting is when attackers use a compromised system as an initial access point to the network. From there, the attack moves on to additional systems while escalating privileges. The ransomware is only detonated once these systems are under control, so that the attacker causes maximum damage to the victim.
Online sales postings have also become more frequent, where attackers try to sell access to multiple networks to other threat actors. In addition, bad actors are now exfiltrating large amounts of company data before unleashing ransomware to conduct what is called “double extortion.” Double extortion creates massive disruption for businesses, which have to deal with compromised networks as well as the threat of the actors releasing their intellectual property, trade secrets, and other confidential information.
So, what can organizations do? Cisco recommends a comprehensive approach covering prevention, detection, and response, including:
- Email security
- Patch management
- Least functionality
- Least privilege
- Systems and network monitoring
- Network segmentation
- Backup and recovery
- Policies and procedures
- Security Awareness Training
According to Verizon’s 2020 Data Breach Investigations Report, the use of stolen credentials is the second most common action taken by attackers during a breach. This is crucial because logging in with valid, authorised credentials is one way bad actors can gain access to a network while staying under the radar.
Like the ransomware trends, credentials are being harvested for future attacks: “credential dumping” is a technique in which an attacker scours a compromised computer for further credentials to use in later intrusions. Because operating systems store credentials in many places, such as memory, databases, or files, attackers who have already infiltrated a machine can easily attempt to copy and dump those credentials.
To defend against credential dumping, organizations can:
- Monitor access to LSASS (Local Security Authority Subsystem Service) and the SAM (Security Account Manager) database
- Watch for command line arguments used in credential dumping attacks
- Monitor logs for unscheduled activity on domain controllers
- Look for unexpected and unassigned connections from IP addresses to known domain controllers
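The first two items above, LSASS access and suspicious command lines, are what endpoint telemetry such as Sysmon makes visible. This added example (not Cisco’s or the report’s code) evaluates both checks over constructed Sysmon-style events: Event ID 10 (ProcessAccess) records which process opened LSASS and with what access mask, and Event ID 1 records process creation with its command line. The allowlist of legitimate LSASS clients and the command-line hint words are assumptions; a real deployment would tune both to its own baseline.

```python
from pathlib import PureWindowsPath

# Assumed baseline of Windows components that legitimately open LSASS.
# Tune to the environment; anything else reading LSASS memory is suspect.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
DUMP_HINTS = ("dump", ".dmp", "minidump", "sekurlsa")  # assumed hint words

# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 10, "host": "DC01", "src": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1FFFFF},   # allowlisted
    {"id": 10, "host": "WS07", "src": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},     # unknown + VM_READ
    {"id": 10, "host": "WS07", "src": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1400},     # no VM_READ bit
    {"id": 1, "host": "WS07", "image": r"C:\Temp\dumper.exe",
     "cmdline": "dumper.exe --process lsass.exe --out creds.dmp"},
    {"id": 1, "host": "WS07", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def basename(path):
    """Case-folded file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def detect_credential_dumping(events):
    """Return (host, rule, process) tuples for events matching either rule:
    lsass-access  : a non-allowlisted process opened LSASS with PROCESS_VM_READ
    dump-cmdline  : a new process mentions lsass together with a dump hint word"""
    alerts = []
    for e in events:
        if e["id"] == 10 and basename(e["target"]) == "lsass.exe":
            src = basename(e["src"])
            if src not in LSASS_ACCESS_ALLOWLIST and e["access"] & PROCESS_VM_READ:
                alerts.append((e["host"], "lsass-access", src))
        elif e["id"] == 1:
            cmd = e["cmdline"].lower()
            if "lsass" in cmd and any(h in cmd for h in DUMP_HINTS):
                alerts.append((e["host"], "dump-cmdline", basename(e["image"])))
    return alerts


if __name__ == "__main__":
    for host, rule, proc in detect_credential_dumping(SAMPLE_EVENTS):
        print(f"{host}: {rule} by {proc}")
```

Both alerts land on the same host here, which is the pattern worth correlating: an unfamiliar binary reading LSASS memory shortly after a process creation that names it.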
If you want to learn more, read Cisco Secure’s Defending Against Critical Threats report.