General introduction to the threat landscape
In this section, we are going to dive into the threat landscape by looking at some notorious threat reports from cybersecurity vendors. Thus, we will understand what techniques are often leveraged to break into organizations. But, we will also try to develop a common understanding of what a threat is and why today's threat landscape forces us to tackle cyber risks with a 360° visibility approach.
Threat trends and reports
Each year, multiple organizations from different sectors are targeted by threat actors. Due to the diversity of the attackers' skills, published vulnerabilities, attack vectors, and inventiveness, it is vital to maintain awareness of these elements to better prepare our defense strategies. To help us with that, one of the most useful sources of information comes from worldwide cybersecurity firms that are continuously facing current threats in every region and industry sector. These firms also rely on their own products to collect telemetry information and extract insights from cyber threats.
Some firms' reports have proven to be valuable and demonstrated a good representation of the current threat landscape. Among those, we can mention the following (non-exhaustive) list of relevant reports:
- Microsoft Digital Defense Report
- CrowdStrike® 2021 Global Threat Report
- Mandiant M-Trends Insights into Today's Top Cyber Trends and Attacks
- Trellix Advanced Threat Research Report
- SANS 2021 Cyber Threat Intelligence Survey
- Palo Alto Networks 2021 Unit 42 Ransomware Threat Report
- Verizon 2021 Data Breach Investigations Report
If we try to extract some similarities between all these reports, we can rapidly identify common trends to help us understand the threat landscape. Surprisingly, we can observe that zero-day vulnerabilities are very rare, in contrast to what people commonly think.
A zero-day is a highly sensitive vulnerability unknown to the product developer and exploited before any available patch has been issued. It is very expensive to develop a zero-day exploit, and once used, the risk of public disclosure of the vulnerability and payload becomes high. Therefore, the return on investment for the attacker is not very attractive, except for in specific circumstances usually linked to nation-state-sponsored cyber operations. Furthermore, considerable skill is required to find the vulnerability, develop a working and stable exploit, and implement an actionable payload, and any failures in the attack could expose or give hints on the identity of the attacker, which could be leveraged by law enforcement agencies.
Without going into too much detail about its geopolitical context, we can mention one famous cyberattack that leveraged several zero-day exploits, and that was Stuxnet. This piece of malware required a highly skilled team of developers building and testing for five years, and it was jointly created by at least two nation-states to compromise and sabotage Iran's nuclear program.
Nowadays, the term zero-day is commonly used to refer to known vulnerabilities without publicly available exploit code. In reality, this kind of vulnerability would be better named a one-day vulnerability. Here are some of the recent main vulnerabilities of this kind that gained high visibility in the press:
- Microsoft Exchange Server Side Request Forgery (SSRF) and Remote Command Execution (RCE): Vulnerabilities
CVE-2021-26855
,CVE-2021-26857
,CVE-2021-26858
, andCVE-2021-27065
allow an attacker to take control of the mailboxes through the Messaging Application Programming Interface (MAPI) protocol and execute arbitrary code asSYSTEM
(high-privilege user). - Pulse Secure Connect VPN: Vulnerability
CVE-2021-22893
allows remote arbitrary code execution on the Pulse Secure gateway. - Fortigate SSL-VPN: Path traversal vulnerability
CVE-2018-13379
allows an unauthenticated attacker to leak currently connected users' credentials. - Citrix Netscaler Remote Command Execution (RCE): Vulnerability
CVE-2019-19781
allows an unauthenticated attacker to execute malicious code remotely.
These vulnerabilities were all related to internet-facing devices, some of them being security equipment, which all led to global attack campaigns. The obvious lesson learned from these exploited vulnerabilities is that patch management is key, especially for exposed services. In addition, organizations must keep watching and monitoring new vulnerabilities affecting their products.
This is a typical example of a complex process, because organizations usually lack an up-to-date inventory and resources to perform urgent patching, and have to maintain a heterogeneous information system composed of dozens if not hundreds of different products. The number of published vulnerabilities per day doesn't help in that process. In addition, common vulnerabilities and exposures (CVEs) usually lack context (the Common Vulnerability Scoring System (CVSS) score helps a bit, but it's not perfect). Therefore, actionable remediation plans are hard to define and realistically to follow. We will see later in the book how a purple teaming approach can dramatically reduce the exploitation opportunity window for the attacker.
We can see from the threat reports mentioned previously that zero-day vulnerabilities are rarely used to get initial access into an information system. However, vulnerable public-facing assets are a common "way in" for attackers. In particular, the adoption of cloud services and, recently, work-from-home architecture has dramatically increased our internet exposure, making it even harder for defenders.
Exploiting exposed vulnerable devices is not the only technique leveraged by threat actors to target organizations. Another very common way to get a foothold in a victim's machine is related to social engineering attacks, and more specifically, phishing attacks. Indeed, why would an attacker invest effort or money into potentially complex perimeter attacks when people are still one of the weakest links in an organization? In 2020, 36% of data breaches started with a phishing email, as stated by the Verizon 2021 Data Breach Investigations Report.
We can also mention another trendy technique in recent years, which is credential reuse. Leveraging public leaks from various websites and services could allow an attacker to collect and create a practical password dictionary. Humans make mistakes, we all do, and reusing a password is one of them. This classic vulnerability is exploited quite easily to gain access within an organization's system.
Another recent trend is the supply-chain attack. Although this attack technique could be quite expensive and time-consuming to prepare, it is as powerful as a zero-day attack. With this knowledge, we can safely make the assumption that, in most cases, this type of attack will be leveraged by nation-state attackers. We could also mention the SolarWinds hack. Indeed, this was a perfect example of a supply-chain attack, where the attackers were able to break into the SolarWinds network, one of the leaders in IT monitoring software. From there, they injected malicious code (Sunburst) into the official update pipeline of the software called Orion. This malicious update was then downloaded and installed by more than 18,000 customers.
To conclude this section, let's highlight the main strategies used by attackers for initial access: unpatched vulnerability exploitation, social engineering-based attacks, zero-day exploitation, and supply-chain attacks.
But really, what is a threat?
Threat is one of those words that is often used interchangeably with the word risk. Let's take a high-level view of the risk management concepts:
This is a hierarchical view of risk components to better understand how threats are situated in the overall risk picture. Risk is always represented with two dimensions – one is its likelihood (or probability) of occurrence, and the other is its impact on an asset. Therefore, we can read the given diagram at the third level of the figure: A risk is the likelihood (probability) of a threat exploiting a vulnerability in an asset.
Therefore, a threat is an agent or event that could exploit a weakness (vulnerability), where successful exploitation will result in an impact on the asset.
As our main focus is on threats, and, more specifically, adversarial threats (as opposed to environmental threats and accidental threats), in the above hierarchy, we redacted other types of threats, as well as the different components of vulnerabilities and assets.
In addition, we can divide a threat into three main components, which are its intent, opportunity, and capability. These three components must be met for a threat to exist and therefore, to be relevant to your threat profile. For example, if a child had the opportunity (by accessing their father's computer) and the capability (if they had learned how to hack) of exploiting a vulnerability, he would also need a trigger or a reason to perform that action. Only then can they become a threat relevant to your organization. On the other hand, many (if not all) organizations have people or groups of people with the intent and the opportunities to do harm but who are lacking capabilities.
This leads us to the observation that the capability component has been more and more accessible in recent years. The proliferation of free courses, hacking tools, and frameworks such as Metasploit, Powersploit, Empire, and others, has made offensive security skills easier to obtain for cyber threats. This is a recurring topic within the infosec community, as when a Proof of Concept (PoC) exploit code is made publicly available to anyone, does the benefit the community gets from this outweigh the benefit for threat actors?
Finally, the rise of cybercrime-as-a-service has removed barriers of entry to the cybercrime market, making advanced offensive capabilities available to threat actors who wouldn't be a fully formed threat if they only had the intent and opportunity components.
Knowing the composition of a threat – that is, its intent, opportunity, and capability – we will briefly look back at the history of cybersecurity and demonstrate why a new approach is needed to tackle today's threats.
What posture should be adopted regarding the current threat landscape?
Historically, the focus in cybersecurity has always been architecture and passive defense. An excellent paper from Robert M. Lee, The Sliding Scale of Cybersecurity, describes a model as follows:
It is true that if we look at past decades, people often tended to build large castles with big walls to combat cyber threats.
While it is mandatory to build resilient architecture and implement passive defense, history showed us that this is not sufficient to tackle evolving cyber threats. That is why an active defense approach is mandatory nowadays.
Another very important paper emphasizing the need for a broader approach is the NIST Framework for Improving Critical Infrastructure Cybersecurity. Without getting into too much detail, this paper highlights the need for prevention but also for detection and response capabilities. This key understanding changes our position to an assume-breach mindset.
In fact, this can be easily observed by describing the relationship between risk and controls. Several types of controls exist, but not all of them sit at the same place in the timeline of a risk event. As an example, an antivirus solution might help an organization to prevent, while a backup solution would help the same organization to respond to (or, more precisely, recover from) a risk event. Let's examine the bow-tie view of a risk event to understand this concept:
In Figure 1.2, we can read the graph from left to right – a threat exploits a vulnerability affecting an asset, therefore causing an impact on the organization. As you can see, three types of controls are in the way of the risk event occurring:
- Preventive controls, which would prevent a risk event from occurring
- Detective controls, which would help to detect the occurrence of a risk but not prevent it
- Reactive controls, which would help to mitigate the impact of a risk event but not prevent it
Again, this emphasizes the need for a proactive approach to cybersecurity. What is important to keep in mind is that when an adversary gets a foothold in our networks, it is not the end. They will need some more time to achieve their goal and that should allow us, the defenders, to detect and respond to the intrusion. Purple teaming will help us build and improve our security controls and, in particular, give us the 360° view necessary to survive in today's threat landscape.
Now that we have discussed the threat landscape in detail, let's get on to understanding the different types of threat actors.