Skybox 2021 Vulnerability and Threat Trends Report reveals emerging security challenges and growing need for exposure analysis
By Ran Abramson, security analyst, Skybox Research Lab SEPT 14, 2021
Skybox’s recently published Mid-Year Vulnerability and Threat Trends Report 2021 found increased cybercrime activity.
Among the usual threat suspects, there is also a boom in cryptomining malware and ongoing growth of ransomware. There are now even malware-as-a-service offerings and off-the-shelf tools that package attacks ready-made for bad actors.
Being a smooth cybercriminal has never been easier. You don’t have to be a clever hacker to be a security danger — you just need a nefarious plot and gall to exploit a company or government’s vulnerabilities.
Our research analysts discovered that companies are increasingly vulnerable in sensitive areas, such as operational technology (OT) and network devices, which puts vital infrastructure at risk. Compounding security complexity is an international ecosystem and digital marketplace that allow attackers to move money and collect ransoms easily, making cybercrime a big business that’s hard to prosecute.
Despite the doom and gloom of a digital world becoming more dangerous and hybrid cloud networks becoming more complicated to secure, the report concludes on a positive note: the emergence of a modern Security Posture Management Platform, which performs real-world hybrid network exposure analysis, as a powerful defense against attacks. Security Posture Management provides comprehensive visibility across the entire network, allowing companies to precisely identify the most salient threats and facilitate timely, cost-effective remediation.
For CISOs, the evolution of exposure analysis — coupled with network policy and vulnerability management — is good news to an otherwise scary story.
Here is a cross-section of key findings presented in this report:
Overall vulnerabilities continue to climb.
There were 9,444 new vulnerabilities reported in H1 2021, not far off last year’s record-setting pace. These new vulnerabilities add to a huge cumulative total, making it harder than ever for security organizations to target remediation efforts on the most urgent threats.
OT vulnerabilities surge, putting critical infrastructure at risk.
New vulnerabilities in OT were up nearly 50% versus H1 2020. These vulnerabilities pose a growing threat to critical infrastructure and other vital systems; a fact made manifest in a series of high-profile attacks on facilities such as oil pipelines, water supplies and food processing facilities. To make matters worse, it can be difficult or impossible to eliminate OT vulnerabilities through scanning and patching.
Threat actors are taking increasing advantage of vulnerabilities.
More vulnerabilities mean more opportunities for exploits, and threat actors are definitely taking advantage. The number of different vulnerabilities exploited in the wild increased 30% relative to the same period last year.
Cryptojacking is the hot new malware trend.
While new malware samples increased in almost every category, cryptojacking topped the list. Instances of this type of malware, which hijacks computer systems for cryptocurrency mining, more than doubled. This is just the latest example of how dynamic an industry malware has become, quickly adapting its offerings and business models to serve emerging markets.
Network infrastructure is increasingly at risk.
Network device vulnerabilities rose by nearly 20% compared to H1 2020. Products such as routers, VPNs and firewalls – intended to power and protect networks – are in many cases providing new entry points for malicious actors. As with OT systems, network devices can be difficult to scan and patch.
To learn more proprietary insights about the state of security and cybercrime, click here to download the report.
What will President Biden’s Executive Order on improving the nation’s cybersecurity accomplish?
A proactive security posture strategy is needed.
By Skybox Security AUG 17, 2021
This blog is an excerpt of our deep dive perspective on the public and private sector implications stemming from this federal directive. Get the full report.
At first blush, President Biden’s executive order on national cybersecurity (1) may appear to be timely – a direct response to a series of crippling ransomware attacks on critical U.S. infrastructure. As the world attempted to recover from a devastating pandemic, hackers successfully targeted hospitals, then daily necessities such as food, water, and energy supplies, causing panic and disruptions. Immediate federal government action to address these and future threats is certainly necessary.
Unfortunately, the executive order is neither perfectly timed nor a comprehensive enough response to one of the most serious national security challenges of our time. The cybersecurity industry has been sounding the alarm bells on ransomware threats for years. Concerns were on the rise well before the pandemic, as organizations began accelerating latent digital transformations and expanding access to insecure operational technology (OT) assets. However, since the pandemic, this has been further compounded by the massive expansion of cloud migrations and meteoric rise in VPN deployments, opening up exponential numbers of new entry points for cyberattacks. There were consequences: Digitizing without adequate OT/IT security enabled hackers in Russia, North Korea, and Iran to seize control of key American businesses without even setting foot on U.S. soil – attacks that could have been prevented.
Read our perspective on Biden’s executive order and the implications for security transformation.
- Developing a long-term framework for preventative security posture management
- Creating a modern digital infrastructure based on principles of zero trust
- Identifying security weaknesses, rather than deploying patchwork solutions
- Supercharging intelligence sharing to fuel proactive and informed decisions
- Incentivizing proactive cybersecurity to make rapid, substantial progress
The first step toward a new future
We’re just several months past the Biden Administration’s Executive Order, and the future impacts and adoption of suggested measures are not yet clear. Nevertheless, the order signals a bold and critical first step in a long-term journey to improve the cybersecurity posture of both the United States and its industries. As one senior administration official put it, the executive order “makes a down payment towards modernizing our cyber defenses and safeguarding many of the services on which we rely…It reflects a fundamental shift in our mindset – from incident response to prevention, from talking about security to doing security.” (24)
The high-profile incidents of the past several months have belatedly crystallized cybersecurity’s central role in U.S. national security and economic prosperity. President Biden’s administration has taken a significant step in the right direction, but plenty of work still remains. From private sector incentives, to a holistic focus on risk exposure, to automated solutions and beyond, the public and private sectors must advance together following the executive order, then continue marching in tandem to ensure a robust and cohesive approach to cybersecurity preparedness.
The 90-day deadline has passed
The three-month deadline mandated in this executive order is not realistic. Many federal agencies are just beginning to grasp the magnitude of what is required to comply. Additionally, major gaps in the order must be addressed in order to manage cyber exposure at scale. Furthermore, private sector organizations were all but ignored. This is problematic due to the increasingly pervasive threats to critical infrastructure companies that are prime attack targets of nation state actors.
At Skybox Security, we believe that context and intelligence are crucial to fortifying our nation’s cybersecurity programs. Skybox works with public and private sector organizations alike to develop stronger security efficacy by creating mature, consistent security posture management programs. Skybox is the only platform that gives teams the ability to collectively visualize and analyze hybrid and multi-cloud networks, providing a full picture of their attack surface.
This allows public and private sector organizations to get ahead of security incidents by looking for vulnerabilities in the same way attackers do. They can zero in on the vulnerabilities with the highest risk score, walk the path of a potential breach and understand whether vulnerabilities are exploitable and exposed – all while determining the optimal remediation strategy.
Contact a Skybox Security expert to learn more about how our vulnerability and threat management and security policy management solutions can help you manage your cyber exposure at scale.
(24) Biden Orders Fed Cybersecurity Boost; Targets Prevention, Reporting, Breaking Defense, Brad D. Williams, May 12, 2021
CISA Alert – Top routinely exploited vulnerabilities
The board wants to know: Are we exposed to known vulnerabilities?
By Bill Rowan, technical director, Skybox Security AUG 11, 2021
Threat actors continue to exploit known software vulnerabilities. Many are years old. All have available patches from vendors.
Most in the cybersecurity world have seen the recent top 30 exploited vulnerabilities list, released in August 2021 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, along with their counterparts in the U.K. and Australia. The top four vulnerabilities listed were discovered between 2018 and 2020, underscoring that many organizations across the public and private sectors still aren’t patching known vulnerabilities fast enough.
To prevent ransomware attacks, we simply can’t keep leaving our defenders drowning in vulnerabilities.
A new approach to vulnerability and threat management
Skybox Research Lab found that traditional remediation tactics only address critical- and high-severity vulnerabilities – while leaving 40% of “low-risk” vulnerabilities unpatched for years. Cybercriminals are targeting these low-hanging fruit hiding in plain sight, turning them into backdoors to deploy complex attacks that are increasing at record rates.
With industry-leading prioritization capabilities, Skybox Security identifies the exposed vulnerabilities whose remediation will reduce our customers’ attack surface the most. To regain control over complexity, Skybox Security delivers the three most critical cybersecurity metrics for advanced Vulnerability and Threat Management:
- Total number of vulnerabilities across hybrid infrastructure
- Total number of vulnerabilities exploited in the wild
- Total number of exploits on critical assets
Skybox Security Vulnerability Control – identifying CISA alert exploits
If you don’t know where to start with Vulnerability Management, remediating these popular exploits is a good initial step. Using Skybox Security’s customizable dashboards, customers can easily and quickly build views to identify any risk associated with published alerts.
Here is a customizable dashboard created by Skybox Security for the CISA Alert (AA21-209A):
Skybox Security Vulnerability Control – Top routinely exploited vulnerabilities view
Now that Skybox has identified which vulnerabilities from the CISA list are present in this environment, the next step is to prioritize which vulnerability occurrence needs to be addressed first. For example, below is the drill-down into CVE-2020-1472, where Skybox identifies exploitability, exposure, and asset importance to produce a Vulnerability Risk Score.
Skybox Security Vulnerability Control – prioritization view
When looking at the risk of all vulnerabilities identified in this CISA Advisory, Skybox Security measures risk beyond CVSS. In fact, the riskiest vulnerability occurrence is based on a CVE with a lower CVSS score (7.8). However, this vulnerability was bubbled to the top of the list by Skybox automatically because it is on a “Very High” importance asset. This is an excellent example of why using just CVSS scores to prioritize remediation is not enough to prevent a ransomware attack.
Skybox Security Vulnerability Control – CISA list view
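The prioritization idea above (a CVSS 7.8 occurrence ranking first because it sits on a “Very High” importance asset, is exploited in the wild and is exposed) and the three headline metrics listed earlier can be illustrated with a small scorer. This is an added example, not Skybox code: the weights, the importance tiers, the definition of a “critical asset” as importance “Very High”, the placeholder CVE identifiers and the sample occurrences are all assumptions constructed for the demonstration.

```python
"""Illustrative risk prioritization that looks beyond the CVSS base score.

Added example, not vendor code. The weighting below is an assumption chosen
to show how asset importance, exploitability and exposure together can
outrank a higher CVSS score.
"""
from dataclasses import dataclass

# Assumed weighting of asset importance tiers (not a vendor formula).
IMPORTANCE_WEIGHT = {"Low": 0.25, "Medium": 0.5, "High": 0.75, "Very High": 1.0}


@dataclass(frozen=True)
class Occurrence:
    """One vulnerability found on one asset (a 'vulnerability occurrence')."""
    cve: str
    asset: str
    cvss: float              # CVSS base score, 0.0-10.0
    asset_importance: str    # key of IMPORTANCE_WEIGHT
    exploited_in_wild: bool  # threat intelligence reports active exploitation
    exposed: bool            # reachable from an untrusted zone in the network model


def risk_score(o: Occurrence) -> float:
    """Score 0-100: 40% CVSS, 30% asset importance, 15% each for exploited and exposed.

    The split is an assumption for illustration; the point is that the three
    non-CVSS factors together can outweigh a higher base score.
    """
    score = 0.40 * (o.cvss / 10.0)
    score += 0.30 * IMPORTANCE_WEIGHT[o.asset_importance]
    score += 0.15 if o.exploited_in_wild else 0.0
    score += 0.15 if o.exposed else 0.0
    return round(score * 100, 1)


def prioritize(occurrences):
    """Return occurrences ordered from most to least urgent."""
    return sorted(occurrences, key=risk_score, reverse=True)


def metrics(occurrences):
    """The three headline counts: total, exploited in the wild, exploits on critical assets.

    'Critical asset' is taken here to mean importance 'Very High' (an assumption).
    """
    return {
        "total_vulnerabilities": len(occurrences),
        "exploited_in_wild": sum(1 for o in occurrences if o.exploited_in_wild),
        "exploits_on_critical_assets": sum(
            1 for o in occurrences
            if o.exploited_in_wild and o.asset_importance == "Very High"
        ),
    }


# Constructed sample data; the CVE identifiers are placeholders, not real entries.
SAMPLE = [
    Occurrence("CVE-EXAMPLE-0001", "dc01", 7.8, "Very High", True, True),
    Occurrence("CVE-EXAMPLE-0002", "lab-vm-07", 9.8, "Low", True, False),
    Occurrence("CVE-EXAMPLE-0003", "web-edge-02", 9.8, "High", False, True),
    Occurrence("CVE-EXAMPLE-0004", "print-01", 5.3, "Medium", False, False),
    Occurrence("CVE-EXAMPLE-0005", "kiosk-03", 7.8, "Low", True, False),
]

if __name__ == "__main__":
    for o in prioritize(SAMPLE):
        print(f"{risk_score(o):5.1f}  CVSS {o.cvss:4.1f}  {o.asset_importance:9}  {o.cve}  on {o.asset}")
    print(metrics(SAMPLE))
```

Run as a script, the 7.8 occurrence on the “Very High” asset lands at the top of the list ahead of both 9.8 occurrences, which is the behaviour the dashboard discussion describes; sorting the same data by CVSS alone would put it third.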
Skybox Security Solutions View – identifies remediation options
Once exposed vulnerabilities are identified, Skybox Security automatically presents several remediation options – including available patches, IPS signatures, firewall rules, security tags, configuration changes, and software updates. Advancing beyond the traditional scan-and-patch tactics, Skybox automatically identifies possible remediation solutions that will fix the highest number of vulnerabilities and address exposed assets across hybrid infrastructure.
A Skybox Security customer commented that our platform is “the one tool to rule them all.” We understand that Fortune 1000s are utilizing a complex security toolkit and dealing with accelerated digital transformation. Armed with our advanced insights, customers can confidently show the board they remediated millions of malware exploits over the last quarter.
We have a verifiable, data-driven response to, “What are you doing about the latest ‘celebrity’ vulnerability?” No other strategy can enable organizations to confidently quantify their unique and complex attack surface, no matter the environment or industry.
3 trends shaping security posture management for 2021
Explore emerging vulnerability and threat trends. Learn how to prioritize critical vulnerabilities, close the remediation gap, and validate security posture.
By Skybox Research Lab JULY 19, 2021
With the flurry of new threats, it’s more important than ever to take a proactive approach and be aware of emerging cybersecurity trends. The Skybox Security threat intelligence team tracks more than 120,000 vulnerabilities on more than 14,000 products. In this post, our in-house research analysts look back at the first half of 2021 and explore emerging vulnerability and threat trends.
As hackers become more advanced, assume an attack is imminent.
As we’ve seen in recent headlines, no one is immune from cyberattacks. All organizations – large and small, from schools and hospitals to energy companies and meat suppliers – are fair game. The increased complexity and sophistication of attacks are here to stay. Additionally, organizations can’t manage the sheer volume of vulnerabilities and the explosive rate of change because of the cybersecurity skills crisis. To change the paradigm, security teams need to evolve how they manage their attack surface. Emerging security solutions are taking a new approach to measuring risk and automating remediation. By aggregating vulnerability severity, asset importance, exploitability, and exposure in a single view, it is now possible to wipe out the “perfect storm” threats that pose the greatest risk to the business and its reputation.
Cybersecurity insurance is no longer good enough, and banks are taking notice too.
With increasingly sophisticated ransomware attacks and skyrocketing multi-million-dollar demands, we may see the $7+ billion cybersecurity insurance industry begin to buckle. As cybersecurity insurance’s cost vs. risk model continues to be tested, we are likely to see more stringent requirements and a spike in denied cyber insurance claims. But insurance isn’t the only industry turning the screws. A recent report found banks are now imposing higher interest rates and requiring more collateral from companies that have breached customer data (e.g., financial information, SSNs). Moving forward, these industry giants will likely require enterprises to go beyond a “detect and respond” approach and take a more preventive stance. As a result, we may see a greater need for real-time threat intelligence and vulnerability prioritization capabilities, such as risk scoring and prescriptive remediation analysis. With these, organizations can better prioritize critical vulnerabilities, close the remediation gap and validate their overall security posture.
Critical infrastructure will continue to be a favorite target among bad actors.
Cybercriminals see critical infrastructure as low-hanging fruit, as seen with the Colonial Pipeline breach. And it’s very likely these will become even more attractive targets as we set our sights on recovery and economic activity increases post-pandemic. The rise of industrial IoT sensors coupled with outdated legacy IT systems makes critical infrastructure an easy target for cybercriminals. As a result, security and facility leaders in operational technology-dependent industries must evolve their thinking and take action to avoid ending up in the crosshairs of a hacker. Today, it is possible to walk the path of a potential breach with a multi-dimensional, hybrid network model. Through attack simulation and exposure analysis, cybersecurity teams can identify and proactively remediate attack vectors ahead of incidents.
About Skybox Research Lab
The force behind the intelligence used by Skybox Security’s solutions, the Skybox Research Lab is a team of security analysts who scour data daily from dozens of security feeds and sources. The Research Lab validates and enhances data through analysis based on their knowledge of attack trends, cyber events, and the TTPs of today’s attackers. Their ongoing investigations focus on vulnerabilities exploited in the wild to deliver distributed crimeware – including ransomware – and on other outstanding client- and server-side vulnerabilities. All vulnerabilities are analyzed taking into account the prevalence and importance of the affected products. This analysis is incorporated into the Skybox Vulnerability and Threat Management solution, which prioritizes the remediation of exposed and actively exploited vulnerabilities.
Skybox Q&A: CRO Rob Rosiello identifies today's and tomorrow's top cybersecurity issues as the world reopens
Rob Rosiello, Chief Revenue Officer July 12, 2021
Rob Rosiello joined Skybox Security in 2019 with a track record of developing high-performing sales teams and a customer-focused culture, building on his more than 25 years of IT infrastructure and networking expertise. Today, he's offering big-picture insights into how CISOs are managing the reopening of enterprises following the COVID-19 pandemic, especially during a time of unprecedented cyberattacks on critical infrastructure and supply chains.
What is top of mind during your recent conversations with CISOs?
Rob Rosiello: CISOs are facing the most sophisticated threat landscape ever. There is certainly no shortage of worries that are top of mind in my recent conversations with security leaders. They know threat actors do not take vacations and are constantly planning the next cyberattack. Some common themes that I have heard involve "the new normal" in the midst of Covid and a focus on protecting critical infrastructure.
As it relates to the "new normal," CISOs are focused on how to continue to tackle business continuity and remote access challenges caused by the pandemic, including the significant investment in VPN and endpoint security. Also, how best to scale environments with performance to support what has become our prolonged 'new normal.' In particular, customers have shared that the velocity of the remote access deployments inevitably had security compromises. As a result, choices had to be made to support moving business initiatives forward. The ongoing challenge is to continue to shut down those "compromises" and fortify their ability to address the ever-dynamic threat landscape.
Second, business leaders are becoming increasingly concerned about the preponderance of malware and ransomware attacks on critical infrastructure – something I think of as the latest flavor of nation-state warfare. For the past ten years, people have focused on financial, intellectual property, brand impact, and personal cybercrimes such as identity theft. However, recent ransomware attacks have aimed at fundamental infrastructure, targeting our food supply chains (meat giant JBS) and our largest fuel system (Colonial Pipeline). It's clear now that emerging infrastructure technologies, application-centric security focus, and operational technology (OT) can be a major point of weakness.
Beyond just securing OT assets, is there any bigger picture solution?
RR: Given the scope of the problem, it's critically important for every company to break down internal silos to address the entire threat landscape. At the most senior levels of companies, this needs to be a mandate that isn't sponsored solely by the CISO. Because the damage has moved beyond reputational and is now impacting the ability to execute business, it must also be top of mind beyond the CEOs and CFOs, and extend to executives across all functions: supply chain, marketing, sales, etc.
I would tell a C-suite executive that silos within an organization – particularly within the tech stack functions – are vulnerabilities that we should assume threat actors are already looking to attack and exploit. These silos create pathways for sophisticated attacks, and we need to eradicate the operational challenges that come with a siloed approach to tech delivery.
Given recent events, CISOs tell us that this is now their opportunity to look more holistically across their environments. Part of that involves removing legacy elements that are creating security issues. For example, in some cases, customers think they've decommissioned old applications only to find these applications are still connecting to the network via remote outposts – unintended side doors for threat actors. The Oldsmar, Florida water treatment plant cyber attack is an example of this.
Because CISOs are looking at their networks more comprehensively, they also realize the complexity and scope of their weak spots. OT vulnerabilities alone represent an exponential challenge, adding 10, 15, or 20 times more assets to the attack surface equation. This can be a shock to the system for organizations that have under-invested in cybersecurity or maintained 'don't-ask-don't-tell' OT cultures. Now, recent infrastructure attacks make this impossible to ignore.
The types of problems you're talking about vary dramatically from company to company, though?
RR: Skybox Security is unique in that we meet our customers where they are along their journey. We don't create a forcing function where customers have to consume our portfolio of solutions and services all at once. Our Security Posture Management portfolio has the best in breed elements in both policy and vulnerability management. For example, one of our customers started with security policy management and then easily added vulnerability threat management capabilities after a year. We can also begin with our VC essentials portfolio that helps customers obtain a foundational understanding of their vulnerability landscapes. Then, add other key capabilities such as firewall assurance or exposure analysis and advanced analytics when the time is right.
Customers aren't just looking for usability. Security leaders want incremental wins along the way as they build towards a fuller solution. Skybox Security provides that tangible, incremental value throughout the implementation process, working together to identify initially critical areas so customers can begin tightening their security postures immediately. These things include important foundations to security posture management like configuration compliance, rule usage analysis, rule recertification, and network assurance.
We understand customers deal with incredibly complex environments in increasingly regulated environments. This is why we integrate with more than 150 technology partners to address the many nuances of a network and the environments our customers operate across – whether that means dealing with hybrid clouds, private clouds, public clouds, OT/IT, policy management, and/or vulnerability threat management. In addition, we work with some of the best and brightest channel and integration partners in the industry to deliver comprehensive solutions to the complex environments our customers are accountable for.
Given the complexity of environments and that large number of technology partners, how can CIOs practically manage infrastructure at that scale?
RR: Our customers are generally a part of the Global 2000. As a result, they have some of the most complex environments – many of them deal with 30 cybersecurity tools or more at any given time. In recent conversations, they've made clear that they're not trying to cut cybersecurity costs but rather seek to achieve operational excellence and agility by reducing complexity. This comes in the form of tools consolidation but also in maximizing the talent in their organizations.
CISOs are strained for talent right now. One customer said their primary goal was to reduce their tools from 28 to 10, freeing their teams to do more proactive, thoughtful work instead of what I call keystroke work. They don't want their talent to be keystroke operators of tools.
Nobody buys technology for technology's sake. They buy technology so they can seize an opportunity or solve a problem. So, first, we help our customers analyze how each tool supports their business goals. Then, we streamline their systems while considering the implications from both threat landscape and posture management perspectives. I'm proud that the majority of our customers have been with us for multiple years. That's because we are their partner that supports them throughout their journey, not a vendor simply selling technology.
How do you see the cybersecurity industry evolving over the next couple of years?
RR: If I had a crystal ball, I'd say security will shift from a detect-and-respond modality to a more proactive, front-end business process. I believe the industry will eventually evolve to predicting where the next attack will be and shut down threats before they occur. This is why digital risk protection, application security, integrating OT in the visible network environment, and breaking down silos will be fundamental to fortifying a customer's security posture approach.
Beyond silos, we also need to think about how we tackle OT security. The Colonial Pipeline ransomware attack and other similar situations in recent months have demonstrated that we need to rethink how we think about our digital infrastructure. Services like Amazon are becoming modern critical infrastructure. Suppose somebody shut down Amazon for a day. Some people would be unhappy that they didn't receive their packages, but more importantly, they may also become sick because they didn't receive their medication.
This is where I believe the next phase of cyber warfare is taking place: the supply chains. When threat actors try to shut down food supply, agriculture, or energy again – targeting their trucking fleets or delivery infrastructure – the result will be no food on the shelves because the meat can't leave the plants. The B2B partner infrastructure is critical in a host of industries. These are areas that must be reinforced along with a company's own infrastructure.
For the cybersecurity industry, the next two or three years must be about reinforcing supply chains and ecosystems, securing the linkages between customers and their suppliers, and reducing vulnerabilities in mission-critical business applications. These are the big challenges, and we're ready to assist our customers in taking them on.
Post-pandemic cyber threats
A discussion with Skybox Security CEO & Founder
Originally published on TechStrongTV JUNE, 2021
As we move into a post-Covid world, there are sure to be new cyber threats.
TechStrong TV Journalist Charlene O’Hanlon sits down with Skybox Security Founder and CEO Gidi Cohen to discuss some of the security issues that organizations will have to deal with due to their quick pivot to remote work and digital transformation.
The threat landscape is constantly evolving, and there will always be the next wave of threats.
Skybox Security named 'Top 30: Key Private Company'
Equity analysts identify private companies best positioned as long-term winners
Gidi Cohen, CEO and Founder APRIL 9, 2021
"There are two types of companies: those that have been hacked and those that have been hacked but don't know it," says Dmitri Alperovitch, Executive Chairman at Silverado Policy Accelerator.
This quote introduces the latest security software sector update from Truist Securities, a leading global investment firm. Analysts examined the vendor landscape based on hundreds of conversations with public and private companies, experts, VARs, and, most importantly, customers. While the paper starts with a bleak statement, the research highlights companies that are illuminating a new path forward for cybersecurity.
Defending against a new age of cyberthreats
After nearly 20 years in the cybersecurity industry, I've seen network threats and vulnerabilities grow from local to a global scale – and modest to critical in impact. Due in part to digital transformation, cloud migration, and IT/OT convergence, today's security professionals face the most complex, sophisticated threats ever seen in the digital age.
With our Security Posture Management Platform, Skybox has become a trusted partner to over 500 of the world's most security-conscious companies. We provide visibility into threats that lie within their fragmented hybrid networks, security controls, and change management processes. And we deliver the insights they need to choose the most optimal remediation strategy. With Skybox, our customers can focus on the most strategic business initiatives while ensuring their business remains protected.
Many people in the industry said we couldn't achieve what we set out to do – that it wasn't possible. We have proven them wrong. In the same way Google Maps allows users to understand their terrain, location, and how to interpret traffic lights, we are helping large companies make sense of their complex, modern infrastructure.
Our mission is to provide CISOs, CIOs, and their teams with the intelligence and context to make informed security decisions. We are honored to be recognized as a near-term disruptor with the size and scale to become the market winner in our space.
Cyberattacks in the COVID-19 era
Vaccination and COVID testing programs are leaving the door open to cyberattacks. We look at how the healthcare sector can prevent this.
Healthcare is an attractive area for cyber attackers. Security teams in healthcare organizations are typically smaller and less well-funded than in other sectors, and vast quantities of patient data are generated and accessed. An increased reliance on applications and data during the pandemic is why cyberattacks have increased globally by 45% since November 2020.
"The largest motivation for cyber attackers is financial gain," says Alastair Williams, Director of Solutions Engineering for EMEA at Skybox Security. "Patient information is incredibly valuable on the dark web."
"Identity theft is another reason. The more information you have, the more chances you have of being successful with assuming an individual's identity to register for bank accounts, credit cards, or Amazon accounts."
Blackmail is another motivation. "There can be situations where people have information about their medical history or current medical condition they don't want in the public domain," Williams explains. "Maybe they're suffering from an illness that would jeopardize their opportunities or a celebrity is seeking medical assistance privately."
Another aspect that must be taken into consideration is espionage. "There may be individuals looking to get a competitive gain with the development of COVID vaccines or types of treatment," Williams says.
Terry Ray, Senior Vice President at Imperva, says there's a multibillion-dollar incentive for countries to manufacture their own vaccine. "People might think doctors and physicians are collaborating enough that everybody knows how everybody is doing, but there's still intellectual property at each one of their organizations, containing information on how they are getting mRNA results from their vaccines. If you're able to hack into one, and you have all of the intellectual property from these vendors, you can pick and choose and build it yourself, particularly in countries where there may be fewer trade laws and regulations."
National vaccination programs are presenting another opportunity for hackers. "Whenever a new iPhone gets released it's a major target for phishers, getting people to click on a link to see all the new features of the iPhone," Ray explains. Now think about COVID-19 vaccine testing sites, with information on where vaccines are available. People will click on these links.
"My 77-year-old mother-in-law just got her vaccination. To do it, she had to go to a website and sign up for a date and time. How is that website secured? What does it know about her? What's sitting behind her information that shows why she can't get the vaccine instead of somebody else? We've seen a major uptick in people trying to get in and be able to gather that information in the last 90 days," Ray says.
There are also attacks designed simply to sow chaos. "There are some hackers that just like to cause problems," Williams says. "The medical industry may be impacted by that. A good example was the WannaCry ransomware attack back in 2019." WannaCry was a worldwide attack that spread to more than 150 countries and became the biggest cyberattack the UK's National Health Service (NHS) had ever experienced. Malware encrypted data on computers belonging to 81 out of 236 NHS trusts across England; as a result, thousands of appointments and operations were canceled. A subsequent investigation found that this could have been prevented.
Ray says organizations should first address what he calls "low-hanging fruit." "The application side is the primary access point for everything that's going to happen anywhere in the organization," he says. "It doesn't matter what EMR or systems you're using, whether you've outsourced or bought things in-house, the majority of your users are going to access patient data through an application, so you've got to make sure those are secure. You can't go low budget – you need a solution that can tell you the difference between Terry in Texas and Ivan somewhere in Eastern Europe and tell you that if they both log in with the same credential at the same time, that's a problem."
Williams says visibility is the key, and for this, a data-driven approach needs to be adopted. "One way to do that is to take the configuration settings of how a device has been set up, like a network infrastructure component that's facilitating accessibility to the data that we're trying to protect and bring that together all like a jigsaw puzzle."
"Then, it's about being able to ask questions based on what you see, like whether your ingress and egress points are configured securely. Once you've gone through the process of getting that visibility, you can then analyze these to make sure that they are configured in accordance with an industry best practice, regulatory recommendations, or some sort of vendor recommendation around how that device should be securely configured."
Ray hopes that healthcare organizations can get to the point where data security is a mainstream concern. "The barrier to most people is that they perceive data security as being very complex," he says. "Not a lot of security people know anything about protecting databases or file servers; they'll fully admit it. I would say it's about education, and it doesn't have to be complex, but you can't do it manually. In the case of a large hospital system that may have hundreds to thousands of databases, and thousands of people accessing those databases, a small security team that's supposed to do something manually about all the people that have different roles over the database, will never manage it."
Instead, security systems should be modernized by implementing automated controls using machine learning and artificial intelligence. Ray adds: "Healthcare has to get its security teams over the hump to realize this is something they can do – they can solve this problem with technology."
Three critical flaws with today’s vulnerability management programs
More needs to be done to prevent vulnerability exploits
Peter Margaris APRIL 9, 2021
The recently published Vulnerability and Threat Trends report by Skybox Security dramatically highlights some of the fundamental root causes of increased cybersecurity attacks that consume most enterprise security teams’ containment efforts. Let’s take a look at just a few of the eye-opening realities we can learn from the report so we can better assess what is needed to establish more effective vulnerability management programs:
• 18,341 new vulnerabilities were discovered in 2020. Keep in mind that this is a cumulative number that has consistently grown each year. So, total vulnerabilities keep mounting and most will remain out there as an “exploitable threat vector” for many months and possibly even years. It’s like leaving one of the windows in the back of your house indefinitely open and assuming nobody will ever bother to access your house through that particular window simply because it hasn’t happened yet. The reality we must deal with is that 85% of exploited vulnerabilities are more than two years old, and the accumulation of these keeps growing each year.
• Attack vectors are broadening with new vulnerabilities being discovered across a greater number of different products, software, applications, and device types. This growing breadth of vulnerabilities now cuts across mobile devices, tablets, OT and IoT devices, different browsers, and e-business applications, giving threat actors more opportunities than ever to wage sophisticated attack campaigns. We saw this play out with the recent SolarWinds attack.
• Forty percent of new vulnerabilities are classified as “medium severity”. This may sound like it’s not a big deal because they aren’t “critical” or “high”, but the bad news is that threat actors are increasingly targeting these medium vulnerabilities because they know many organizations focus primarily on ones that are categorized as critical and high. While existing vulnerability management programs continue to focus on closing critical and high severities that they can find, threat actors are going around them and methodically looking for and finding the open window that allows them to get in or to move around laterally and advance an ongoing campaign once they are already in.
• There was a 128% increase in Trojans and a 106% increase in new ransomware samples. This close correlation in rate of increase is far from a coincidence. As highlighted in the report, threat actors are waging sophisticated cyberattack campaigns using combinations of different malware types to achieve their desired state - for example the combined use of Emotet and Trickbot to provide a back-door entry for Ryuk ransomware. The large number of medium severity vulnerabilities being bypassed by enterprise teams increases the likelihood that these types of multi-stage attacks will find a way to succeed.
There is additional evidence cited in the report that highlights the stark reality we face – that many vulnerability and threat management programs in place today are simply not good enough. They might be efficiently patching volumes of vulnerable assets, but with attack vectors continuing to grow and be exploited it’s obvious that an ongoing cadence of scanning and basic prioritization efforts followed by patch management is a losing strategy. If the goal is to reduce the greatest amount of business risk and tighten security efficacy as much as possible, then it’s obvious that more needs to be done.
Let’s examine three critical flaws that exist within vulnerability management programs that are in place across organizations today:
Flaw #1: Vulnerability analysis with incomplete data sets
This is a major problem since the efficacy of vulnerability prioritization and remediation efforts depends entirely on the data sets that you are working with. Vulnerability assessments need to be actionable, accurate, continuous and based on centralized, normalized, and complete sets of data. Having multiple disconnected discovery methods or relying on data from periodic scans is simply not good enough in today’s world, considering the rate at which new applications and endpoints are being added and with enterprise network configurations being in a state of constant change.
First, you need to ensure that you are merging and correlating all vulnerability scan data from various sources into one normalized source. That’s not enough, however. You need to then augment this data by passively collecting vulnerability asset data from configuration, patch, and asset management systems, from endpoint security systems (EDRs, EPPs), from network security devices (firewalls, IPS/IDS, etc.), from network infrastructure devices (routers, switches, load balancers, etc.), from various cloud assets, OT systems, and any other relevant parts of your hybrid network that may be considered “unscannable”. This provides a continuous and normalized “single source of truth” that is absolutely critical to ensure that vulnerability analysis and the ensuing prioritization and remediation efforts are effective.
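The merge-and-enrich step described above, as an added example that is not Skybox code: two scanners that export in different shapes (one keyed by IP with text severities, one keyed by hostname with CVSS scores) are correlated through a CMDB export, and an asset the CMDB marks as unscannable gets its findings derived passively from inventory plus advisory data. All records, hostnames, CVE ids and the advisory mapping are constructed sample data in made-up formats.

```python
"""Merge vulnerability findings from several sources into one normalized record set.

Added example, not Skybox code. Every scanner, CMDB and advisory record below is
constructed sample data in made-up export formats; real tools have their own schemas.
"""
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed sample: scanner A exports CSV keyed by IP address with a text severity.
SCANNER_A_CSV = """ip,cve,severity
10.0.1.5,CVE-2021-0001,critical
10.0.1.5,CVE-2021-0002,medium
10.0.2.9,CVE-2021-0002,medium
"""

# Constructed sample: scanner B exports JSON keyed by hostname with a CVSS score.
SCANNER_B_JSON = json.dumps([
    {"hostname": "web01.example.test", "cve": "CVE-2021-0001", "cvss": 9.8},
    {"hostname": "web01.example.test", "cve": "CVE-2021-0003", "cvss": 5.3},
])

# Constructed sample: CMDB export. It maps hostnames to IPs (so the two scanners can be
# correlated) and lists a PLC that no scanner is permitted to probe.
CMDB_JSON = json.dumps([
    {"hostname": "web01.example.test", "ip": "10.0.1.5", "scannable": True},
    {"hostname": "db01.example.test", "ip": "10.0.2.9", "scannable": True},
    {"hostname": "plc07.ot.example.test", "ip": "10.9.0.7", "scannable": False,
     "installed_software": {"vendor-firmware": "3.2.1"}},
])

# Constructed sample: advisory/patch-management data mapping a product version to the
# CVEs it is known to carry, used to derive findings for unscannable assets.
ADVISORY_DB = {("vendor-firmware", "3.2.1"): [("CVE-2021-0004", "high")]}

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score onto the qualitative scale scanner A uses."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "info"


@dataclass
class Finding:
    asset: str                 # canonical asset id: the CMDB hostname
    cve: str
    severity: str
    sources: set = field(default_factory=set)


def build_single_source_of_truth(scanner_a_csv, scanner_b_json, cmdb_json, advisories):
    """Correlate every source onto (asset, cve) and keep the highest severity seen."""
    cmdb = json.loads(cmdb_json)
    ip_to_host = {a["ip"]: a["hostname"] for a in cmdb}
    findings = {}

    def add(asset, cve, severity, source):
        f = findings.setdefault((asset, cve), Finding(asset, cve, severity))
        f.sources.add(source)
        if SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(f.severity):
            f.severity = severity      # sources disagree: err on the side of the worse rating

    for row in csv.DictReader(io.StringIO(scanner_a_csv)):
        # Resolve IP to hostname; fall back to the IP so unknown assets are not silently dropped.
        add(ip_to_host.get(row["ip"], row["ip"]), row["cve"], row["severity"].lower(), "scanner_a")
    for rec in json.loads(scanner_b_json):
        add(rec["hostname"], rec["cve"], severity_from_cvss(rec["cvss"]), "scanner_b")
    # Passive enrichment: unscannable assets get findings from inventory plus advisories.
    for a in cmdb:
        if not a.get("scannable", True):
            for product, version in a.get("installed_software", {}).items():
                for cve, sev in advisories.get((product, version), []):
                    add(a["hostname"], cve, sev, "cmdb+advisory")
    return sorted(findings.values(), key=lambda f: (f.asset, f.cve))


if __name__ == "__main__":
    for f in build_single_source_of_truth(SCANNER_A_CSV, SCANNER_B_JSON, CMDB_JSON, ADVISORY_DB):
        print(f.asset, f.cve, f.severity, sorted(f.sources))
```

Two design points carry over to real deployments: the asset key must be something every source can be mapped to (here the CMDB hostname, with IP as a fallback so an asset the CMDB has never heard of still surfaces as a gap), and when sources disagree on severity the merge keeps the worse rating rather than the most recent one.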
Flaw #2: Failure to properly calculate exposure risk in conjunction with Vulnerability Prioritization
This is probably the biggest problem. Many organizations are failing to calculate their true exposure risk because they are merely factoring the correlation between critical and high severity vulnerabilities with known exploits. This common and overly simplistic approach doesn’t take into account the many possible vectors and paths that today’s sophisticated cyberattack campaigns may take in finding a way to exploit vulnerable assets across your environments. Some of these attack paths may be via lateral movement within your networks. A complete and accurate exposure analysis can only be achieved by leveraging a network model that understands your unique hybrid network context, all security controls that are in place, and provides a multi-dimensional analysis and simulation of all potential attack paths.
In this explainer video you will learn how Skybox Security’s network model enables you to see and remediate vulnerabilities across disparate and highly complex hybrid environments.
With a significant volume of vulnerabilities that require analysis, having an accurate representation of exposure is by far the most critical factor for assuring your prioritization efforts enable your teams to successfully zero in on addressing what matters most – vulnerabilities that pose real business risk regardless of their classified severity level.
Flaw #3: Limited remediation – with an over-reliance on patch management
Many organizations still rely heavily on patching vulnerabilities by severity level, but what’s most important is to have multiple options for addressing these so you can eliminate exposure risk in the most effective and efficient way possible. Patching an asset or groups of assets may not be possible, and better ways to prevent vulnerability exploits can include reconfiguring security controls, applying IPS signatures, altering network topologies, and even determining where potential zero trust strategies and/or isolation technologies need to be applied.
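Flaws #2 and #3 are two sides of the same model, so one added example covers both (this is illustrative code, not Skybox's network model). A small constructed network of four hosts, zones and permitted flows is searched from the internet zone; a vulnerability counts as exposed if the attacker can reach its host directly or by laterally moving through a host already reached. Prioritization then puts a medium-severity finding on the internet-facing web server above a critical one on an isolated lab box, and the same model shows how removing one permitted flow eliminates exposure for two hosts without patching either. Hostnames, zones, rules and CVE ids are all constructed.

```python
"""Exposure analysis and compensating controls on a small network model.

Added example, not Skybox's network model. Hosts, zones, rules and vulnerabilities are
constructed sample data. A vulnerability is 'exposed' when an internet attacker can reach
its host, either directly or by lateral movement through a host already reached.
"""
from collections import deque

# Constructed network: each host sits in a zone and carries (cve, severity, listening port).
HOSTS = {
    "web01": {"zone": "dmz", "vulns": [("CVE-2021-0002", "medium", 443)]},
    "app01": {"zone": "app", "vulns": [("CVE-2021-0001", "critical", 8080)]},
    "db01":  {"zone": "db",  "vulns": [("CVE-2021-0005", "critical", 5432)]},
    "dev01": {"zone": "lab", "vulns": [("CVE-2021-0006", "critical", 22)]},
}

# Constructed firewall policy: (src_zone, dst_zone, dst_port) flows that are permitted.
BASE_RULES = {
    ("internet", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "db", 5432),
    ("corp", "lab", 22),   # lab is reachable only from corp, which no internet path touches
}

SEV_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def exposed_vulns(hosts, rules):
    """Return {(host, cve): hops}: every vulnerability reachable from the internet and how
    many compromised hosts the attacker passes through first (0 = directly reachable)."""
    reachable = {}
    frontier = deque([("internet", 0)])     # zones the attacker currently has a foothold in
    seen_zones = set()
    while frontier:
        zone, hops = frontier.popleft()
        if zone in seen_zones:
            continue
        seen_zones.add(zone)
        for name, h in hosts.items():
            for cve, _sev, port in h["vulns"]:
                if (zone, h["zone"], port) in rules and (name, cve) not in reachable:
                    reachable[(name, cve)] = hops
                    # Exploiting this host yields a foothold in its zone: lateral movement.
                    frontier.append((h["zone"], hops + 1))
    return reachable


def prioritize(hosts, rules):
    """Rank findings: exposed first (fewest hops first), then by severity.
    Severity alone would put dev01's critical finding at the top; exposure demotes it."""
    exposed = exposed_vulns(hosts, rules)
    rows = []
    for name, h in hosts.items():
        for cve, sev, _port in h["vulns"]:
            hops = exposed.get((name, cve))
            rows.append({"host": name, "cve": cve, "severity": sev,
                         "exposed": hops is not None, "hops": hops})
    rows.sort(key=lambda r: (not r["exposed"],
                             r["hops"] if r["exposed"] else 99,
                             -SEV_RANK[r["severity"]]))
    return rows


def with_compensating_control(rules, src_zone, dst_zone, port):
    """Flaw #3 style remediation: drop a permitted flow instead of (or before) patching."""
    return rules - {(src_zone, dst_zone, port)}


if __name__ == "__main__":
    for r in prioritize(HOSTS, BASE_RULES):
        print(r)
    hardened = with_compensating_control(BASE_RULES, "dmz", "app", 8080)
    print("still exposed after removing dmz->app:8080:", sorted(exposed_vulns(HOSTS, hardened)))
```

With the base policy, three of the four findings are exposed (web01 directly, app01 one hop behind it, db01 two hops), and dev01's critical finding ranks last because no internet-originated path reaches the lab zone. Removing the single dmz-to-app flow leaves only web01 exposed, which is the kind of reconfiguration, IPS signature or segmentation option the text suggests when a patch window is not available.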
Remember that reducing business risk is the goal
Achieving arbitrary volumetric patching goals may satisfy SLA requirements, but still leave your organization at significant risk of experiencing a major cyberattack. So, the only true measure of a successful vulnerability management program is whether you are eliminating exposure to these risks, and as a result, preventing potential business impacts from a breach.
There are too many vulnerabilities expanding across today’s rapidly evolving networks for security and network teams to maintain the status quo with their vulnerability assessment, prioritization and remediation efforts. Teams need a more comprehensive approach that starts by making sure complete sets of data are being analyzed, and that exposure risk is properly assessed with a network model that ensures resulting prioritization efforts are pointed at reducing business risk and optimizing the company’s overall security posture. The SolarWinds attack was a “game changing” event in the world of cybersecurity and it highlighted the criticality of having cyber hygiene best practices in place and an effective vulnerability management program that is centered around remediating exposure risk.
The business of cybercrime: malware-as-a-service gains pace
Ron Davidson March 29, 2021
The specter of another SolarWinds maintains a constant consideration across the industry. The truth is that the likelihood of another global, mass cybersecurity event only increases as time goes on. We know that threat actors are working hard to make this happen. Skybox Security’s latest research, the Vulnerability and Threat Trends Report, revealed that the creation of new malware samples nearly doubled over 2020 as attackers sought to take advantage of pandemic-related disruption.
Cybersecurity teams need to evolve their programs so they aren’t operating on a knife-edge. It’s possible to reduce the anxiety that dominates the modern security leader’s headspace through maturing their security posture management programs. For this transformation to be truly effective, organizations need to gain a deep understanding of the current threat landscape, including insight into how the malware cybercrime industry is likely to evolve.
The race to innovate
Consider how threat actors are developing their tools. It’s like holding a mirror to the corporate world. All innovations used by businesses have also been embraced by malware developers and distributors. There will always be relative technological parity between the two parties – this isn’t a race that organizations can hope to win. But they can work to increase their security programs' scalability in anticipation of further innovation and disruption.
Like the organizations that they target, threat actors are also continuously working to identify new revenue streams. In recent years, we have seen the development of malware-as-a-service (MaaS) models. These are malware packs that can be bought off-the-shelf on the dark web, just like normal IT software is purchased. Inevitably, MaaS is a model that will gain traction because it drastically lowers the technological bar to carry out attacks. And they work in a very similar way to widely-adopted software-as-a-service (SaaS) products. The malware is nicely packaged and is instantly ready for use. Although you would still need to know how to deploy the malware, you no longer need to possess the technical skills required to write the exploit itself.
MaaS wouldn’t exist if it weren’t profitable: Threat actors always chase the money. It’s widely accepted that cybercriminals mainly turn a profit with ransomware when it’s used in targeted attacks, whether they be on government agencies, critical infrastructure, or large enterprises. It is, therefore, possible to infer that confidence in the potential success of ransomware attacks is increasing. This is a testament to the sophistication of both the malware itself and the exploit tactics used by threat actors.
In practice, this means that it’s now easier than ever for bad actors to carry out attacks. It also means that we are likely to see an increase in attacks targeting businesses.
Zero in on what matters
So, what can be done? Among other things, cybercriminals take advantage of traditional security practices that rely on scanning. They count on overworked, overloaded security teams who can’t possibly patch every vulnerability. Organizations need to take a new approach to security posture management – one that is centered on exposure analysis.
Exposure analysis is only possible when disparate data repositories – such as patch and asset management systems, configuration data, threat intelligence feeds, and device data – are brought together with data normalized and modeled. This can be achieved with a network model that understands all devices, vulnerabilities, configurations, and security controls – delivering a dynamic representation of hybrid environments across corporate networks, private cloud, public cloud, and OT.
It also requires multi-factor risk prioritization that supplements scanning data with third-party data such as EDR, CMDB, network connectivity, OT security, threat intelligence, and more. This analysis must also consider whether a vulnerability has been exploited in the wild. In fact, our Skybox Research Lab tracks tens of thousands of new vulnerabilities yearly on more than 8,000 products to provide this data to customers.
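The multi-factor prioritization described above, as an added example that is not Skybox's scoring: each finding carries the scanner's CVSS score plus the third-party context the text lists (a threat-intelligence exploited-in-the-wild flag, network connectivity, EDR coverage, CMDB criticality and an OT marker), and a score with a per-factor explanation is computed so an analyst can see why a medium CVSS finding outranks a critical one. The weights, asset names and CVE ids are constructed and deliberately simple; the shape of the calculation is the point, not the numbers.

```python
"""Multi-factor vulnerability prioritization with an explanation per factor.

Added example, not Skybox's scoring. Weights and all records are constructed;
scanner severity is one input among several rather than the ranking itself.
"""
from dataclasses import dataclass


@dataclass
class Context:
    asset: str
    cve: str
    cvss: float                 # scanner data: CVSS base score 0..10
    exploited_in_wild: bool     # threat-intelligence feed
    internet_exposed: bool      # network connectivity / network model
    edr_present: bool           # EDR inventory
    asset_criticality: int      # CMDB, 1 (low) .. 5 (crown jewel)
    is_ot: bool = False         # OT security inventory


def risk_score(c: Context):
    """Return (score, reasons). Multiplicative factors keep the CVSS scale recognizable."""
    score = c.cvss
    reasons = [f"cvss {c.cvss}"]
    if c.exploited_in_wild:
        score *= 1.5
        reasons.append("exploited in the wild x1.5")
    if c.internet_exposed:
        score *= 1.5
        reasons.append("internet exposed x1.5")
    crit_factor = 0.6 + 0.1 * c.asset_criticality       # 0.7 (throwaway) .. 1.1 (crown jewel)
    score *= crit_factor
    reasons.append(f"asset criticality {c.asset_criticality} x{crit_factor:.1f}")
    if not c.edr_present:
        score *= 1.2                                       # nothing to catch post-exploitation
        reasons.append("no EDR coverage x1.2")
    if c.is_ot:
        score *= 1.2                                       # rare patch windows, compensating controls instead
        reasons.append("OT asset x1.2")
    return round(score, 2), reasons


def rank(contexts):
    """Highest score first."""
    return sorted(contexts, key=lambda c: risk_score(c)[0], reverse=True)


# Constructed sample findings.
SAMPLE = [
    Context("dev07", "CVE-2021-0006", 9.8, exploited_in_wild=False, internet_exposed=False,
            edr_present=True, asset_criticality=1),
    Context("web01", "CVE-2021-0003", 5.3, exploited_in_wild=True, internet_exposed=True,
            edr_present=True, asset_criticality=4),
    Context("plc07", "CVE-2021-0004", 7.5, exploited_in_wild=True, internet_exposed=False,
            edr_present=False, asset_criticality=5, is_ot=True),
]

if __name__ == "__main__":
    for c in rank(SAMPLE):
        score, reasons = risk_score(c)
        print(f"{c.asset} {c.cve} -> {score}: " + "; ".join(reasons))
```

Run on the sample, the lab box with the highest CVSS score lands at the bottom, while the medium-scored web server finding that is exploited and internet-facing, and the OT controller with no endpoint coverage, move to the top. Keeping the reasons alongside the score is what lets a team defend the ordering when it contradicts the scanner's own severity labels.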
Through taking a new approach to exposure analysis, it is possible for organizations to stay one step ahead of cybercriminals. By optimizing remediation strategies to focus on the highest exposure risk, they can address the rise in vulnerabilities, expanding attack surfaces, sophisticated threat actors, and talent shortages.