- With high-profile breaches in the news across the world and increasingly sophisticated threats, cybersecurity professionals face more challenges than ever before.
- The threat landscape now requires security teams to ensure that robust frameworks and protocols are in place and to approach budgets and planning with pragmatism.
- HYAS CEO, David Ratner, Ripjar CTO, Joe Whitfield-Seed, and Jay Novak, U.S. Head of Threat Detection & Response at TikTok, discuss the cybersecurity trends to watch and how to meet today’s challenges — as well as those yet to come.
Cybersecurity and data security in general have never been so critical to enterprises — and everyday life. Everything we do is connected, and essentially everything is at risk.
High-profile security breaches dominate headlines just about everywhere. The U.K. Electoral Commission recently reported that hostile actors gained access to the electoral registers, which exposed an estimated 40 million people's personal details. In Northern Ireland, a cybersecurity incident exposed the personal information of 10,000 police officers and civilian staff.
This year, Kaspersky announced a three-year-long suspected supply chain attack targeting Linux Download Manager. This breach demonstrates that the software packages many of us use in our personal and business lives “can be susceptible to all sorts of security challenges,” says Joe Whitfield-Seed, U.K.-based security platform Ripjar’s Chief Technology Officer.
“We're working in an age where there's an increasing mass of security data, or maybe that's a mess of security data. I'm not sure all of the time,” he says with a grin.
David Ratner, CEO of proactive threat intelligence, cyber resiliency and protective DNS solutions company HYAS, says a supply chain attack like the Linux breach reminds us that “we haven't focused enough on how we get proactive — to actually start to understand how our organizations can at least level the playing field, if not get ahead of the bad actors.”
Countless crises compete for security teams’ attention every day, says Jay Novak, TikTok’s U.S. Head of Threat Detection and Response.
“What we really need is the proper frameworks and ways of prioritizing all of the different signals out there in the world,” he explains. “To figure out where we should spend our defensive dollar, what that means in terms of [employees’] time, or specifically around what products or tools we’re purchasing or developing.”
Read on for highlights of a panel discussion hosted by Ripjar in which David, Joe and Jay break down some of the biggest trends that hit hard in 2023 — and share their expert takes on the implications of these issues in 2024 and beyond.
David says one of the biggest industry-wide challenges he sees is attaining a proactive stance instead of merely reacting to security incidents. When an attack occurs, we need to both understand what happened and prepare for what likely will happen next. Without an understanding of cybercriminals’ infrastructure and tactics, threat intelligence can’t make the shift from a reactive understanding of “what happened” to proactive actions and readiness against “what will happen next.”
“So much of cybersecurity has been on the back foot and super reactive,” David explains. “We haven't focused enough on how we get proactive to actually start to understand how we get our organizations at least level to the playing field, if not get ahead of the bad actors.”
He notes that the latest buzz phrase at a recent BlackHat conference was “digital exhaust,” which refers to the telltale signs of a breach, like DNS text records. Those exhaust trails are a major boon to security efforts. David points out that HYAS’ flagship product, HYAS Protect, monitors outgoing DNS activity and detects anomalous patterns, so security teams can identify digital exhaust before cybercriminals have a chance to cause damage.
The Decentralized, Monetized Kill Chain
Malware, especially ransomware, has been a trend for years and it isn’t showing any signs of slowing down. The new wrinkle? There are many more varieties of malware attacks now.
The evolution of malware is the decentralization of every link in the kill chain, says Jay.
“We have the commoditization of initial access — people who are just trolling for access to industry,” he explains. “Then we have long-form, long-tail, almost espionage-like actors who are buying this initial access and trying to identify the parts of the business [where] somebody can make a real impact. And then they're handing off or selling the access to somebody who ultimately has an objective on target.”
This kind of decentralized, monetized kill chain is a hallmark of malware like Qakbot and Conti. The groups behind these attacks “know exactly what they want, they put the tools on the targets and they're getting really, really ... quick at deploying and encrypting and leaving and extorting,” Jay adds.
“The work of security teams now is less about how to defend against ransomware and more about defending against this decentralized kill chain, where we have different groups utilizing different tradecrafts along the way. It's a huge challenge. Commoditization of initial access is probably one of the things that keeps me up at night.”
It’s not hyperbole to say we are now living in the age of AI. But it’s “fair to say it hasn’t revolutionized anything,” says Joe. “It's hard to have a conversation with anybody who works in technology, or any kind of adjacent field, without Gen AI being one of the main topics. But what's that actually translated into so far? It’s fair to say Gen AI hasn't revolutionized anything in the field of cybersecurity. But it would be completely naive to look at it and say [it isn’t] something we should be thinking about pretty continually.”
If we think about the landscape of opportunities and threats, we “can certainly see a whole range of ways Gen AI can be an asset to both the attacker and the defender,” Joe points out.
Engineers try to build safeguards against criminal use of AI, but attackers are finding ways to manipulate these systems anyway.
“We're seeing a lot of indirect prompt injection attacks into LLMs,” David observes. “Instead of the user entering a malicious prompt, the instruction comes from a third party ... [But] regardless of how it happens, if someone can put data into an LLM, they can manipulate what it spits back out.”
The Value of Visibility
Supply chain attacks have been a popular cybercriminal tactic for years but have ramped up since the pandemic (they increased by over 300% compared to 2020). Joe notes that this particular kind of cybercrime exists at the nexus between various organizations, so protecting against them is “usually beyond the control of any one security team or even any one organization,” he says.
Jay thinks there's a lot of value in data fusion and domain information fusion. “We're never going to get to the point, nor would I ever want to get to the point where our supply chain is sharing alerting rules with my organization, or vice versa. But I do need to have a good awareness of all of the things that are happening in the world,” he says.
“I have to understand the blast radius of a publicly reported vulnerability exploit or adversary group and I need to be able to fuse that together with what's in my asset management inventory. What's in my data sources? How do I merge that with threat intel? That data fusion is crucial to be able to protect the supply chain.”
Mitigating supply chain attacks requires effective protection on a number of fronts, including information security postures, controls and tooling. But most importantly, security teams “need really good access to data, both from within your organization and outside of your organization,” Joe says.
David agrees wholeheartedly. “In this brave new world, you need to ensure that you have the visibility to detect anomalies,” he says.
Unintended Consequences of Hybrid and Remote Work
Thanks to the COVID pandemic, almost everyone is a hybrid or remote worker now. This new workplace model creates a number of challenges for security.
Jay thinks that there are always pros and cons to major changes in the way we work. But when it comes to security, he admits we’ve struggled the most with collaborating at the same level online as we do in person. Security ops teams in particular traditionally work together in a sort of battle-station culture.
“My CFC lead talks a lot about ‘SOC life,’” he says. “I describe it as 1 a.m. pizza ... with your battle buddies,” he adds. “You're trying to deal with a really hard issue in person with a whiteboard,” but virtual solutions haven’t quite replicated that collaborative energy. Plus, SOCs need the ability for their tech to seamlessly transition from physical offices to their individual homes.
Another issue is visibility. Of course, enterprises secure their offices and other physical spaces, like data centers. But when people take laptops home, security professionals need to secure their logins and web traffic. Leaving a secure environment provides all kinds of opportunities for adversaries to take advantage.
Finally, remote work creates new entry points for hackers. It “dramatically increases the attack surface,” says David, who notes that even if employees’ devices are secure, other people (or devices) in their homes may not have sufficient security or digital hygiene. Everything from the family printer to a child’s laptop could be a risk. “I firmly believe that you have to be looking at the network layer — what's happening on the network in real time,” he explains. “How is that traffic changing? What new anomalies are popping up? COVID-19 made that happen in spades.”
Resilience Is the Name of the Game
It’s no longer even plausible to think we can prevent breaches entirely. We have to think in terms of when, not if: mitigating risk and putting systems in place that drive operational and business resiliency in the face of a continuing onslaught of attacks and breaches.
“Our preparation is what’s going to save the day,” says Jay. “We have a leader in our organization [TikTok] who talks about measuring ourselves in the midst of a crisis based on whether we're walking or running. I am somebody who very much wants to walk in the middle of a crisis, and it has to do with our training, preparation, tooling and everything else.”
David adds that we need to pay attention to where traffic flows and understand what baseline activity looks like and what anomalous activities look like before we can respond to those anomalies.
“I think that's where systems like protective DNS come into play,” he says. “It's a reason why CISA and the NSA now recommend everyone have protective DNS as of the Shields Up initiative.”
The evolution of security now is “less and less about setting up my four walls,” he argues. “It's more about understanding what's going on in real time — and it's about making sure your systems can integrate into your stack so they work for you in your environment.”
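As an added illustration of the baseline-versus-anomaly idea above (example code written for this article, not HYAS, Ripjar or TikTok code), this script learns which registrable domains and record types a small fleet normally queries, then flags departures in a later window: never-seen domains, long high-entropy leftmost labels, and unseen record types. The log lines are constructed, and the thresholds and the two-label registrable-domain rule are assumptions.

```python
import math
from collections import Counter
# Constructed sample DNS query logs (not from the page): "epoch host qname qtype".
BASELINE_LOG = """\
1700000000 ws-01 www.example.com A
1700000001 ws-02 www.example.com A
1700000002 ws-02 mail.example.net MX
1700000003 ws-01 cdn.example.org A
""".strip().splitlines()
NEW_LOG = """\
1700003600 ws-01 www.example.com A
1700003601 ws-01 login.example-support.net A
1700003602 ws-02 4f9a3c7e1b2d6e8f0a1c3b5d7e9f2a4c.tunnel.example.org TXT
1700003603 ws-02 www.example.com A
""".strip().splitlines()

def parse(line):
    ts, host, qname, qtype = line.split()
    return int(ts), host, qname.lower().rstrip("."), qtype

def registrable(qname):
    # Assumption: the last two labels approximate the registrable domain (no PSL lookup).
    return ".".join(qname.split(".")[-2:])

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def build_baseline(lines):
    """Learn what 'normal' looks like: registrable domains and record types seen."""
    base = {"domains": set(), "qtypes": set()}
    for _, _, qname, qtype in map(parse, lines):
        base["domains"].add(registrable(qname))
        base["qtypes"].add(qtype)
    return base

def score_window(lines, base, max_label=30, min_entropy=3.5):
    """Return (ts, host, qname, reason) for each query that departs from the baseline."""
    findings = []
    for ts, host, qname, qtype in map(parse, lines):
        if registrable(qname) not in base["domains"]:
            findings.append((ts, host, qname, "new-domain"))
        label = qname.split(".")[0]  # long, high-entropy leftmost labels suggest tunneling/DGA
        if len(label) > max_label and shannon_entropy(label) > min_entropy:
            findings.append((ts, host, qname, "high-entropy-label"))
        if qtype not in base["qtypes"]:
            findings.append((ts, host, qname, "unseen-qtype"))
    return findings

def detect():
    return score_window(NEW_LOG, build_baseline(BASELINE_LOG))
```

In practice the baseline window would be days of resolver logs rather than four lines, and each finding would be enriched with asset-inventory context before it reaches an analyst.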
This discussion was taken from a recent webinar with HYAS, RipJar, and TikTok executives. Watch the webinar on-demand.
Ready to step up your defensive game? Learn how HYAS Protect can transform your cybersecurity strategy from reactive to proactive.