Building resilience in a persistently elevated threat climate
Recently, cyber security has posed quite a challenge for Australians, with high-profile cyber breaches exposing sensitive information to as many as 14 million people.
Aside from the media scrutiny, the scale of the damage caused by these attacks has seen the Australian government fast forward plans to overhaul cyber security laws in an effort to strengthen our security posture and better prepare our nation to withstand future attacks.
This measured response is necessary as, unfortunately, the threat landscape remains vast, and the perpetrators will continue to test our cyber resilience and our ability to thwart their efforts as they evolve and become more sophisticated.
A Shifting Threat Landscape
Each year, in order to identify their root causes, broaden our understanding of attacker behaviour and provide actionable intelligence that guides security professionals at critical moments, our Rapid7 research team analyses thousands of security vulnerabilities.
Our latest annual Vulnerability Intelligence Report examines notable vulnerabilities and high-impact attacks in 2022 to highlight trends that continue to drive significant risk for organisations of every size.
To illustrate how fast-moving the threat landscape is, today is radically different than it was even a few years ago. In the past three years, we've seen zero-day exploits and widespread attacks chart a meteoric rise that's put enormous pressure on already strained security teams.
While 2022 saw a modest decline in zero-day and widespread exploitation from the year prior, the multi-year trend of rising attack speed and scale remains strikingly consistent overall. Attackers are developing and deploying exploits faster than ever before. More than half of the vulnerabilities were exploited within seven days of public disclosure, which is a 12% increase from 2021 and an 87% increase over 2020.
Further, to illustrate the complexity of the threat landscape, we discovered that vulnerabilities mapped definitively to ransomware operations dropped by one-third year over year, which is a concerning trend that speaks more to evolving attacker behaviour and lower industry visibility than to any actual reprieve for security practitioners.
Strategies to protect your IT environment
With many more organisations making cybersecurity a priority, it is no longer acceptable for security teams to be forced into reactive positions, as doing so lowers security program efficacy and sustainability.
To manage risk from critical vulnerabilities, and considering today's threat landscape, security teams must have strong foundational security program components, including vulnerability and asset management processes. These are essential to building resilience in a persistently elevated threat climate.
The following strategies will help security teams protect their environments:
- Have emergency patching procedures and incident response playbooks in place so that in the event of a widespread threat or breach, you have a well-understood mechanism to drive immediate action.
- Maintain a defined, regular patch cycle that includes prioritisation of actively exploited CVEs, as well as network edge technologies like VPNs and firewalls, which continue to be popular attack vectors and should adhere to a zero-day patch cycle wherever possible. This means updates and/or downtime can be scheduled as soon as new critical advisories are released.
- Keep up with operating-system-level and cumulative updates. Falling behind on these regular updates can make it difficult to install out-of-band security patches at critical moments.
- Limit and monitor internet exposure of critical infrastructure and services, including domain controllers and management or administrative interfaces. The exploitation of many of the CVEs in our report could be slowed down or prevented by taking management interfaces off the public internet.
By adopting these strategies, security teams will be much better placed to address the attack surface of their IT environments as new threats emerge.
Advice for the C-Suite and Board
Boards and executives can benefit from gaining visibility into the challenges security programs face and the potential impact of their deterioration.
Whilst challenging macroeconomic conditions continue to put pressure on risk management teams, it's important that the integrity of sensitive data or business operations isn't sacrificed in the name of efficiency. In a volatile macroeconomic climate, ongoing resource constraints can lead to hidden risk accumulation and loss of the technical expertise required for effective security operations, including emergency incident response capabilities.
Business leaders should also recognise the increasingly widespread nature of security threats and the ubiquity of both sophisticated and commodity attacks on corporate networks. Security metrics and organisational risk models should be informed by business context and incorporated into broader strategic planning activities. Optimally, security should be considered a company-wide responsibility that is not owned solely by isolated functional areas.
It's also important for Boards and the C-Suite to have a full and communicable understanding of how security program resource constraints and the realities of the threat climate affect the continuity of business operations, including confidentiality of intellectual property and the integrity of sensitive data and supply chains. Whilst it is fundamentally reasonable to accept risk as part of business decision-making, it's necessary that risk is contextualised and explicit.
We've all witnessed that the flourishing cybercrime ecosystem is complex, diverse, and reliably profitable at the expense of corporate victims. That's why it's essential to resource foundational security activities now so that security teams can implement robust security program basics, like proactive asset and vulnerability management practices, so they can respond effectively to a crisis.