Cyber Risk Governance Insights | July 1, 2024
Netswitch, Inc.

WEEK IN HEADLINES

PHISHING - Nation-State Attackers Target Corporate Users

State-sponsored actors have launched novel credential-phishing campaigns, compromising over 40,000 corporate users, including top-level executives, within three months. These attacks infiltrate enterprise networks through browsers, demonstrating an evolution in evasive and adaptive tactics. Researchers urge security practitioners to address these sophisticated threats promptly.

APT - State-Sponsored Threat Actor Targets Multiple Sectors

OilRig (also known as APT34) is a likely state-sponsored Iranian adversary that has consistently targeted multiple sectors globally, including government, financial services, energy, manufacturing, and technology. Their attacks align with Iran’s national interests.

INFRASTRUCTURE - APT Group Targets Critical Infrastructure

ChamelGang, a suspected Chinese APT group, deployed the CatB ransomware against major Indian healthcare institutions AIIMS and the Brazilian Presidency in 2022. Their attacks also impacted an aviation organization in the Indian subcontinent and a government entity in East Asia. A separate cluster of intrusions involving off-the-shelf tools BestCrypt and BitLocker affected industries across North America, South America, and Europe.

WEBSITES - Supply Chain Attack Via Plugins

This supply chain attack compromised multiple WordPress plugins. Injected malicious code could create a new admin user and send credentials to attackers, while also injecting SEO spam throughout the website.

FINANCIAL SERVICES - Stability Threatened by Cyber Warfare Risks

The banking industry in Australia is facing relentless cyber-attacks, described as "asymmetrical warfare" by a National Australia Bank executive. These attacks target both banks and their customers, intending to steal information and money. The threats range from amateur hackers to sophisticated transnational crime groups and even nation-state actors. Banks are implementing defensive measures, but customers are urged to remain vigilant against scams that cost Australians billions annually.

SOFTWARE - Remote Access Giant Hacked in Sophisticated Cyber Attack

TeamViewer, a leading provider of remote desktop software, disclosed a breach of its corporate network by suspected state-sponsored hackers. The company detected the intrusion in early December 2023 and promptly isolated the affected systems. While customer data and systems remained uncompromised, the attack highlights the ongoing threat of advanced persistent threats (APTs) targeting tech companies.

FINANCIAL SERVICES - Fintech Partner Bank Hit by Ransomware Attack

Evolve Bank & Trust, a prominent fintech partner bank, confirms a ransomware attack on its systems. The breach, discovered on June 26, 2024, potentially exposed sensitive customer information. This incident adds to Evolve's existing challenges, including leadership changes and regulatory scrutiny. The attack underscores the increasing vulnerability of financial institutions to cyber threats.

INTERNET - Hidden Threats: Hijackable Hyperlinks and Phantom Domains

The web hosting and cybersecurity industry faces a significant challenge as researchers uncover a widespread vulnerability affecting millions of websites. Subdomain takeovers, where attackers can gain control of subdomains due to misconfigurations, pose a serious threat to online security. This issue affects organizations across various sectors, including government agencies, universities, and major corporations. The vulnerability can lead to phishing attacks, malware distribution, and reputational damage.
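The misconfiguration behind most subdomain takeovers is a CNAME that still points at a hosting or SaaS name the organization no longer controls. The following is an added example (not code from the newsletter or from the researchers it summarizes) of the hygiene check a defender runs against their own zone: walk each CNAME chain and flag records whose final target no longer resolves. It works over a constructed DNS snapshot (a dict standing in for live answers, using the reserved `.test` domain), so it runs offline; in practice the snapshot would be populated from the organization's zone file and a resolver.

```python
"""Dangling-CNAME check over a constructed DNS snapshot (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed snapshot standing in for DNS answers; no live queries are made.
# Key: owner name. Value: CNAME target, or None where the name has an A/AAAA record.
# Names absent from the dict are treated as NXDOMAIN (the name no longer exists).
SNAPSHOT: Dict[str, Optional[str]] = {
    "www.example.test": None,
    "blog.example.test": "old-site.hosting-provider.test",  # provider-side name was deleted
    "shop.example.test": "storefront.vendor.test",
    "storefront.vendor.test": None,
    "cdn.example.test": "edge.example.test",
    "edge.example.test": "origin.example.test",
    "origin.example.test": None,
    "loop.example.test": "loop2.example.test",
    "loop2.example.test": "loop.example.test",
}

# The names the organization itself publishes (constructed zone contents).
OUR_ZONE = ["www.example.test", "blog.example.test", "shop.example.test",
            "cdn.example.test", "loop.example.test"]


def resolve_chain(name: str, snapshot: Dict[str, Optional[str]],
                  max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow CNAMEs from `name`. Returns (chain, status) with status one of
    'ok' (chain ends at an address record), 'nxdomain' (a hop does not exist,
    i.e. the record is dangling) or 'loop' (CNAMEs refer back to each other)."""
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        if current not in snapshot:
            return chain, "nxdomain"
        target = snapshot[current]
        if target is None:
            return chain, "ok"
        if target in seen:
            return chain + [target], "loop"
        chain.append(target)
        seen.add(target)
        current = target
    return chain, "loop"  # exceeded max_hops: treat as misconfigured


def dangling_records(zone_names: List[str],
                     snapshot: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """(owner, unresolved target) for every zone name whose CNAME chain ends in
    NXDOMAIN. The unresolved target is the name an outsider might be able to
    claim with the provider, which is what makes the owner name hijackable."""
    findings = []
    for owner in zone_names:
        chain, status = resolve_chain(owner, snapshot)
        if status == "nxdomain":
            findings.append((owner, chain[-1]))
    return findings


def loops(zone_names: List[str], snapshot: Dict[str, Optional[str]]) -> List[str]:
    """Zone names whose CNAME chain never terminates; worth fixing but not a takeover risk."""
    return [n for n in zone_names if resolve_chain(n, snapshot)[1] == "loop"]


if __name__ == "__main__":
    for owner, target in dangling_records(OUR_ZONE, SNAPSHOT):
        print(f"DANGLING {owner} -> {target} (remove the record or reclaim the target)")
    for owner in loops(OUR_ZONE, SNAPSHOT):
        print(f"LOOP     {owner}")
```

Remediation for a flagged record is to delete the CNAME or re-create the target at the provider; the check is worth scheduling alongside vulnerability scans, since records go stale whenever a hosted service is decommissioned.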


INSIGHTS & EXPERT PERSPECTIVES

MITIGATION - Awareness Gaps = Urgent Need for Continuous Vuln Assessment Management

The 2024 Vulnerability and Threats Trends Report provides an overview of the surge in cybersecurity vulnerabilities in 2023, with the National Vulnerability Database (NVD) recording over 30,000 new Common Vulnerabilities and Exposures (CVEs). This represents a 17% year-over-year increase, with half of all CVEs discovered in just the past five years.

The rapid pace of vulnerability discovery, averaging one new CVE every 17 minutes, highlights the growing complexity of modern software and systems, as well as the sophistication of threat actors. The report delves into the alarming trends in vulnerability exploitation, with the mean time from CVE publication to exploit standing at just 44 days, and 25% of CVEs being exploited on the same day they are published. This tight timeline exacerbates the challenges organizations face in detecting and remediating vulnerabilities, as the Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR) remain over 100 days on average.

There is a heightened impact of cyber threats on specific industries - financial services and manufacturing - which have experienced significant data breaches and operational disruptions.

Additionally, the report highlights the growing legal accountability of Chief Information Security Officers (CISOs), as exemplified by the SEC's actions against SolarWinds and its CISO, underscoring the need for more transparent and proactive cybersecurity governance. This highlights the growing need for executive leadership - C-Suite and Boards - to have legally defensible evidence of their cyber risk governance controls and strategies when the regulators and attorneys general come calling.

The report emphasizes the importance of adopting a more dynamic and comprehensive approach to vulnerability management, including the use of advanced technologies like artificial intelligence and machine learning to enhance detection, response, and anticipation of cyber threats.


Highlights:

  • Exploitation Speed: The average time between CVE publication and exploit emergence is a mere 44 days. Shockingly, 25% of CVEs are exploited on the same day they’re published, and 75% within 19 days.
  • Scanning Awareness Gap: Most security teams rely on periodic vulnerability scans, leaving significant intervals during which threats can remain undetected. (We worked with a US company that had never scanned their network for vulnerabilities, and found 11,000+ vulns [25% were Critical or High]).
  • Compensating Controls: Organizations should augment patching strategies with additional security measures, e.g. implementing firewall rules and segmenting networks to limit lateral movement. (We helped a Financial Services firm establish a secure environment, and a pen test by a 3rd party had ZERO lateral movement where they would not have tripped an alarm.)
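The report's figures (a 44-day mean time to exploit against MTTD and MTTR above 100 days) only become actionable once a team measures its own detection and remediation lag per finding. The following is an added example, not code from the newsletter or the report, showing how those two metrics are computed from scan records, how a periodic scan schedule translates into a worst-case detection lag (the "scanning awareness gap" above), and which open findings have already outlived the cited mean time to exploit. The findings, dates and CVE identifiers are constructed placeholders; the 44-day figure is taken from the summary above and treated here as a planning constant.

```python
"""MTTD / MTTR and exposure-window metrics over constructed findings (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

# Figure quoted in the report summary above, used here as a planning threshold.
MEAN_DAYS_TO_EXPLOIT = 44


@dataclass
class Finding:
    cve: str                    # placeholder identifier, not a real CVE
    severity: str               # Critical / High / Medium / Low
    published: date             # CVE publication date
    detected: Optional[date]    # first scan that reported it on one of our assets
    remediated: Optional[date]  # when the fix was confirmed by a rescan


# Constructed sample records; the identifiers and dates are invented.
FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", "Critical", date(2024, 3, 1), date(2024, 3, 3), date(2024, 3, 10)),
    Finding("CVE-0000-0002", "High",     date(2024, 3, 5), date(2024, 4, 20), date(2024, 5, 30)),
    Finding("CVE-0000-0003", "Critical", date(2024, 4, 1), date(2024, 5, 16), None),
    Finding("CVE-0000-0004", "Medium",   date(2024, 5, 20), None, None),
]


def mean_time_to_detect(findings: List[Finding]) -> Optional[float]:
    """Mean days from CVE publication to first detection, over detected findings."""
    lags = [(f.detected - f.published).days for f in findings if f.detected]
    return mean(lags) if lags else None


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """Mean days from detection to confirmed remediation, over closed findings."""
    lags = [(f.remediated - f.detected).days
            for f in findings if f.detected and f.remediated]
    return mean(lags) if lags else None


def periodic_scan_lag(published: date, first_scan: date, interval_days: int) -> int:
    """Days a CVE published on `published` waits for the next run of a scan that
    repeats every `interval_days` starting on `first_scan`. With interval 1
    (continuous assessment) the lag is always 0; with a monthly scan it can
    approach the 44-day exploitation window on its own."""
    if published <= first_scan:
        return (first_scan - published).days
    remainder = (published - first_scan).days % interval_days
    return 0 if remainder == 0 else interval_days - remainder


def past_exploit_window(findings: List[Finding], today: date) -> List[str]:
    """Open findings (not yet remediated) older than the mean time to exploit."""
    return [f.cve for f in findings
            if f.remediated is None and (today - f.published).days > MEAN_DAYS_TO_EXPLOIT]


def undetected(findings: List[Finding]) -> List[str]:
    """Findings known from the CVE feed but never seen by a scan (the awareness gap)."""
    return [f.cve for f in findings if f.detected is None]


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed reporting date
    print("MTTD days:", mean_time_to_detect(FINDINGS))
    print("MTTR days:", mean_time_to_remediate(FINDINGS))
    print("lag, 30-day scan cycle:", periodic_scan_lag(date(2024, 3, 5), date(2024, 3, 1), 30))
    print("lag, daily scan:", periodic_scan_lag(date(2024, 3, 5), date(2024, 3, 1), 1))
    print("open past exploit window:", past_exploit_window(FINDINGS, today))
    print("never detected:", undetected(FINDINGS))
```

Feeding real scanner exports into `FINDINGS` turns the two means into the MTTD/MTTR figures the report benchmarks against, and `past_exploit_window` gives the list that should drive compensating controls (segmentation, firewall rules) for anything that cannot be patched inside the window.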

INSIGHTS: While some argue that traditional vulnerability scanning remains sufficient, the data clearly shows that modern approaches are necessary to keep pace with cyber threats.

The Financial Services and Manufacturing sectors are particularly vulnerable to cyber threats due to the nature of their operations, their position in supply chains, and the sensitivity of the data they handle.

We have helped organizations - on average - reduce their MTTD by ~90% and MTTR by ~80%. As the data in the report reflects, speed can save you headaches and potentially protect the existence of the organization.

Since 2017, Netswitch has promoted Continuous Vulnerability Assessment Management (CVAM) as a proactive measure, critical for effective cyber risk management.

Today, we advocate for organizations to adopt an adaptive strategy to maximize their cyber investments (understanding their cyber ROI) and ensure these investments align with business objectives and meet some level of compliance with relevant frameworks or regulatory requirements.

STRATEGY - Silent Threats: How a $100 Million Submarine Outwitted a $4.5 Billion Aircraft Carrier—And What It Teaches Us About Cybersecurity

In 2005, during a U.S. Navy exercise, the Swedish diesel-electric submarine HSwMS Gotland penetrated the defenses of the USS Ronald Reagan carrier battlegroup, landing simulated torpedo hits multiple times.

Just as the HSwMS Gotland, a relatively inexpensive submarine, outwitted the formidable USS Ronald Reagan aircraft carrier, cyber threats often exploit vulnerabilities in even the most sophisticated defenses.

Let's explore how the lessons from naval warfare can provide an analogy for an approach to safeguarding your critical digital assets.

From dynamic risk assessments to continuous monitoring, the strategies employed in both domains share common threads.

Let's dive into the depths of cybersecurity resilience...

The Scenario:

In 2005, during a U.S. Navy exercise, the Swedish diesel-electric submarine HSwMS Gotland managed to penetrate the defenses of the $4.5 billion USS Ronald Reagan aircraft carrier battlegroup. The Gotland, costing just $100 million, proved almost silent to enemy sonars, highlighting the vulnerability of carriers to cheaper, stealthier submarines.

Similarly, in the cyber world, organizations face threats from both sophisticated and less expensive adversaries.

Just as the Gotland exploited vulnerabilities, cyber attackers can find weak points in an organization’s defenses.

The Analogy:

Imagine the aircraft carrier as your organization’s critical assets (data, systems, networks). The Gotland submarine represents cyber threats (malware, hackers, insider attacks). The carrier’s defenses (firewalls, encryption, access controls) are analogous to cybersecurity measures.

Just as the Gotland bypassed layers of protection, cyber threats can exploit vulnerabilities.

Effective cybersecurity risk governance tailors defenses to an organization’s resources, industry, processes, and culture, similar to how healthcare treatment plans are personalized.

By understanding your risk landscape and implementing customized security layers, your organization can better protect its “carrier” against cyber threats.

Remember, like an aircraft carrier, your cybersecurity software should never operate alone. It needs a comprehensive and layered approach (Defense-in-Depth), including risk assessment, incident response, and ongoing adaptation to emerging threats.

We promote an adaptive strategy that can significantly reduce the opportunity for cyber-attacks. How?

  • Continuous Monitoring and Learning: a real-time monitoring of network traffic, system logs, and user behavior.
  • Dynamic Risk Assessment: adjusts risk levels based on changing threat landscapes - factors like business context, asset criticality, and threat intelligence.
  • Behavioral Analytics: employ AI to understand normal user behavior and know when deviations occur.
  • Automated Responses: deploy automated incident response.
  • User Training and Awareness: continuous Security Awareness and Education (SAE) helps employees recognize phishing attempts and avoid risky behavior.

An adaptive cyber risk approach evolves alongside threats, making it harder for attackers to find predictable vulnerabilities.


Sharpen Your Cyber Edge with Netswitch

Master Compliance & Minimize Risks:

  1. Independent Security Audit: Identify network risks with our automated Security And Risk Assessment (SARA). Get a clear picture, prioritize improvements, and optimize resource allocation. Contact Netswitch.
  2. Free "Quick Start" Program: Gain a free cyber risk and governance health check. Enroll now and start building resilience.

Deepen Your Knowledge:

  • Join Our LinkedIn Group: Collaborate with industry leaders in the CyberRisk Governance Group on LinkedIn. Share insights and stay ahead of the curve.
  • Live Events: Participate in interactive LinkedIn Live sessions. Explore cyber risk topics with executives, technologists, and governance professionals.

Don't wait.

Contact Netswitch today to take control of your cyber risk.


Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.

Judit Quintas Baez

On a mission to revolutionize how small and medium-sized businesses harness the power of Cloud and AI technology.

4 months

Great article Stanley Li. One crucial point that stands out, with 25% of CVEs being exploited on the same day they are published and 75% within the first 19 days, organizations are pushed towards continuous monitoring, continuous assessments, and automation.


Cyber threats are evolving rapidly, stay vigilant. Stanley Li


Stay informed and remain vigilant in the ever-evolving landscape of cybersecurity threats. Stanley Li

Rajesh Chauhan

Black Friday Sale Live @ YOUSTABLE.COM

4 months

Cyber threats are evolving rapidly, staying informed is key to staying safe online.
