Podcast transcript: Surveying today's threat landscape


This automatically-generated transcript is taken from the IT Pro Podcast episode ‘Surveying today’s threat landscape'. We apologise for any errors.

Rory Bathgate

Hi, I’m Rory Bathgate. And you’re listening to the IT Pro Podcast, where this week we’re assessing the current threat landscape. Cyber security is at the forefront of company strategy — if you go into a boardroom, you’re likely to find it ranks at the very top of C-suite concerns. In an ever-changing threat landscape, full of exploits, state-sponsored threat actors, and increasingly novel strains of malware, businesses must maintain oversight of endpoints and stay up to date with pressing risks. This week, we’re speaking to Bernard Montel, technical director EMEA at exposure management firm Tenable, to discuss how businesses can tackle their threat surface area, and the biggest risks. Bernard, thank you so much for being on the show.

Bernard Montel

Thank you very much for this invitation. I'm very proud to be part of your podcast today. We try to help our customers really to reduce the risk of cyber attacks.

Rory

Well, I really appreciate you being here. I'd like to start with quite a broad question. But just as a kind of a roundup of 2022, what would you say are some of the key security takeaways from the past year in terms of the threat landscape?

Bernard

What I would say is that 2022, unfortunately, was in the train of 2021. We have a lot of new threats and, I mean that the pressure is there. It's, you know, it didn't really stop. We had much more context in 2022. But the top one is still, you know, the cyber criminals, which are there, and ransomware, that we talked about for the past couple of years now, is still, you know, very here and number one in the threats that organisations globally have today. That's one of the takeaways: that, you know, there are still a lot of attacks every single day and still ransomware is the top one.

Rory

Yeah, ransomware always comes up in these conversations. It seems to be something that has had a lot of focus recently. I saw a recent report that indicated that the UK government's National Emergency or Cobra meetings have centred around ransomware quite often recently. Would you say that this intense focus on ransomware is warranted, is it representative of the real scale of the threat?

Bernard

I mean, yeah, I mean, definitely, yes. But what we've seen as well, in 2022, is the emergence of, you know, attacks we had in the past, like, for example, the DDoS attack, which means denial of service. And also phishing attacks are also rising in 2022. So that's a kind of new way, because now we have also the three dimensions of the three kinds of attacks, we will also have seen some, you know, attacks using the three of them in the meantime. So we call it triple extortion, which means that not only a company or an organisation was hit by a ransomware attack, but in the meantime, they were hit by a denial of service attack, which means shutting down their services. So we've seen that in 2022 DDoS attacks were quite old, but they are coming back in combination with ransomware.

Rory

So it sounds like it's a lot of the same old threats, a lot of classics, you might call them, the classic threats, they're here to stay. But have there been any big surprises in the year as well? I know that there's been some methodology change in ransomware, we've seen the programming languages and some strains change to languages like Rust, would you say that this is keeping threat management kind of on its toes?

Bernard

So one of the main changes we've seen two years ago was really the supply chain attacks, you know, for attackers, only targeting one software and then having that domino effect, or you're hitting one, but you are compromising many. That is something which is still very very new. For example, very recently, Python has been attacked and compromised. Now, if you are compromising that kind of technology, immediately a huge amount of developers are using Python and if you're using a compromised version of it, as you can imagine, you know, the drama around it worldwide because it has been spread everywhere. So that is really the supply chain attacks. We all remember SolarWinds, but we have many others coming out. And Log4Shell a year ago, roughly, you know, I think it would be the anniversary of Log4Shell right now, in a couple of days, I think it came out roughly around the 2 December or 3 December. You will be surprised that a year after, we've done a study at Tenable, a lot of companies are still vulnerable to Log4Shell. It's not that they've been lazy. We've seen one element, which is very important, is called reinfection: they've fixed the vulnerabilities partially or completely, but they install new software, and new technology, and now suddenly, those new technologies unfortunately, were using a very old library of Log4j. So those are the supply chain elements. But you asked me a question regarding what is new. And what is really new in 2022, is the wipers. Now ransomware groups are really inspiring themselves by some nation state groups, which were deleting data, in some parts of the world, and some of the conflicts of the world. But now, you know, such kinds of techniques have been reused by, you know, ransomware groups for not only just encrypting data, because it's quite long and difficult. 
They prefer breaching, putting the data out, and then completely deleting the data with what we call the wipers, which is wiping the data instead of encrypting it. And that is quite new. I mean, in 2022.

Rory

Yeah I mean, I mentioned it I think briefly in the intro, but this influx of state-sponsored groups, amidst or parallel to the rise of ransomware as a service groups and threat actors like that has seen a big increase in wiper activity. I mean, with Russia's invasion of Ukraine, obviously, we've seen a lot of attacks that aren't driven by profit, they're just driven with the intention of destroying systems, of causing chaos in systems, especially in critical national infrastructure. Would you say that this is kind of an accurate assessment that attacks on critical national infrastructure are increasing, are a growing threat, and these kinds of attacks that aren't so much driven by profit, that just are driven with chaos in mind, are maybe a growing concern?

Bernard

I would say that, you know, as I said, you know, those techniques are shared between those attacker groups, but the main motivation is still, you know, financial motivations. Top one is still very high on the fact that those attackers really want to get money. The fact that they are attacking critical infrastructures, and again, if you will linking the number of attacks against critical infrastructures using ransomware, this is very huge, which means that their main motivation is still financial motivations. So they are using techniques, which are very similar to what we've seen, as you said, in Ukraine. But I would say that the attacks against critical infrastructure are still very motivated by the money they can gain with that. But yes, I mean, we've seen anyway increases against critical infrastructures a lot. So, I leave you, you know, guessing if this is just, both together those nation state attacks and ransomware attacks together. But what is important for us is how they do operate, whatever the motivation, what is important is they do operate by using vulnerabilities, which are there sometimes for a while. You would be surprised if I would say to you that some attacks, whatever their motivations, are still using, for example, Log4Shell, we discussed about it, but also ProxyShell, which is a very old one right now, you know, more than roughly a year and a half, even two years. So, the way they do operate, you know, it's more important to compare why they do that, because what is important for organisations is really to be able to identify any attack path that attack groups will use. But to go back to your question, yes, critical infrastructures are attacked dramatically today, and the governments took that really seriously. We've seen for example, some governments shutting down some attacker groups, we've seen governments putting a lot of pressure against organisations. 
Like in Australia, one of the telcos has been attacked, not only have they lost a lot of customers, but they also have fines from the government, “hey guys, you know, we are there and we are forcing you to put some security policies”. And if you don't do that, and obviously you get fined by the government.

Rory

Yeah, I mean, Australia, there's been this terrible sequence of attacks in Australia, some links to SingTel, some not linked to SingTel whatsoever. But as you say, the government have stepped in, they've increased the, I think the fine increased from 2 million Australian dollars to 50 million Australian dollars for privacy breaches. And also, there's this open discussion around legislation banning companies from paying the demand, for paying threat actors in ransomware. Do you think this kind of action is effective? Is it warranted? Or does that need to be either more done by governments or more done really, in the private sector?

Bernard

I mean, this is the only way they have to force organisations to increase the level of security. If you go back, for example, to GDPR which came out from the EU. I mean, by applying GDPR everywhere, mechanically the level of security has increased. That doesn't mean that we have reduced the number of attacks, the number of attacks as well has increased, but if we all together try to upload the level or the greater level of security, then mechanically, you know, we are better prepared. But that's the only way they have; governments have two kinds of responsibility. Number one is really protecting the government agencies. So they have some security operation centres, they have national security agencies for looking after attacks that are targeting themselves directly. But for the private organisations, you know, they cannot control them. So they have to be able to force them by directives, regulations, local, or whatever they are, EU or UK based, they are already looking after the set of rules they're putting together, and the fines, in fact, are the only way of forcing them. You know, if you only put recommendations, soft recommendations, I wouldn't say that they will follow it. If you're already putting fines, okay they would take that seriously, because they will be between a rock and a hard place, because, on one hand they have the pressure from the attack groups, and on the other hand they have the pressure from the governments. So they do something. So there, that's for sure.

Rory

And on that point of companies doing something, just to circle back to what you were saying earlier about Log4Shell. I did see the Tenable research that was published, it's kind of a shocking statistic that 72% as of October of 2022, 72% of organisations remain vulnerable to Log4Shell. I know that you said earlier, this isn't necessarily negligence on the part of the companies and maybe to do with all the libraries that are difficult to strip out. But surely, there's got to be some sort of fire lit under the feet of these organisations to change this.

Bernard

Yeah, there is another study we've done last week, discovering external assets, which is, using very old protocols. This study has been done by Tenable against 22 major UK organisations, and we found that 100% of them were still using the old encryption protocols in some of the assets. But what is amazing with this very, very recent study is the number of assets we found — external facing assets, which is huge. An organisation itself has more than 500,000 assets. How can you manage that? So, I would not blame them to not fix Log4Shell, that they didn't fix it in January or February. You know, we knew when Log4Shell came out how deep it was embedded into some of the technologies. So, a year after, yes, the number is quite high, 72%. But that means that those organisations, they don't even know the assets they have. So that's the first takeaway. The second takeaway is, if they knew such kind of assets, they are fixing it. But in the meantime, you know, the attack surface is really growing and highly dynamic, that is the second takeaway. You cannot imagine if it was 15 years ago, when you had a set of assets, you knew what you needed to fix, you fixed it, and then for the next two years, you would be okay. Now, this is not the case anymore, developers are pushing code or committing code, once per week sometimes, for making new features on some applications. So as you can imagine, it's super fast. So a lot of assets, they don't know, a lot of assets, you know, that are moving and growing and changing roughly every week. So if you don't have a real time and continuous programme, then you are only doing screenshots, and then photographs, it doesn't give you any motion. So that's, I think, one of the takeaways, the third one if you want, which is if you don't do that all the time, or in a continuous way, then you're late. And then that's what's happened after a year.

Rory

So as much as possible, you should really have real-time security response to these threats, really be plugged into not just vulnerabilities, but oversight over your own footprint.

Bernard

Yeah, and another element, which is quite important is, you know, the majority of the organisations invested a lot in real time security event detection: “I want to be aware if there are any alerts or any incident right now”. But then they didn't really think about, hey, what about if you're aware, in real time, on any vulnerability? Because then in this case, it will put you in a much more preventive, predictive approach. Some CISO that I talked with a couple of years ago, they said, “I would dream to predict what will happen”. In this case, you have to change your mind, you know, spend more time in prevention, rather than only putting all your effort in detection, because if you do that it's like our health; if you don't do any sport, you are eating fat and sugar, and then you will get some stuff, that's for sure. But if you are making a lot of prevention, your life is… we used to use the term cyber hygiene. And I like this one, because it really reminds me of our daily hygiene, you know, as a human. So, if you really are looking to understand in real time what's happened in your attack surface, immediately, you can identify a door that was closed, and that certainly is open. And if you don't do that, believe me, you know, the hackers would do that, because they are trying to scan and identify those vulnerabilities every single day. I mentioned the attack paths, and we organisations, global organisations are working in silos, we have people in charge of IT, we have people in charge of security, we have innovation within the security space, we have, you know, a specialist on the cloud, specialist on identity and so on. 
Attackers don't do that, they have a small group of people, they try to find a way, they find one way and they — I'm used to using the spaghetti, you know, they are putting it and they find, “oh, yeah, well, I've got a meat now, you know, I'm very hungry, but I have everything I want, because I just pulled back at and then I found a way to get much more”. So that's one stuff, we need to understand the way they are behaving is smart and agile, so we have to change our mind and not work in silos with different people that never communicated before and together. So that's one stuff, I think we need to change if we really want to help our organisations to be more proactive.

Rory

So would you say that that should prompt maybe more of a unification of companies? I know that this is a topic that we've discussed recently, as well, but this push for hybrid cloud, as well as, as you've pointed out, leads to this kind of silo structure, where you can expand and expand and expand and just tack on more silos, but that's not necessarily conducive to having a full understanding of your attack surface.

Bernard

Yeah, I mean if you look at what the SOC has done, the threat detection and response. They've done that journey already, you know, they collected a lot of data with logs, for example, rail, or EDR, or with what we call a SOAR, which is an orchestration for incidents. They have tried to have that view around those security events. If we do exactly the same on the prevention part, then we have the full picture. Then, we can ensure that aggregating the data, the prevention data, the static data or the state data that we can have. I just want to go back to the analogy that I've done with doors open. Now that we have the attack surface, which is partially in the cloud, partially on-prem, IT, network, identity, and some organisations have also industrial system OT, we don't have a cloud specialist to understand what's happening and address your system, we still will have those people in charge of their own domain, that's for sure. But what we need to have to aggregate the data together, we need to have a governance where we see in a nutshell, at a glance, all those indicators, I'm calling that the key risk indicators for companies. A company needs to understand if for their business critical applications, they have all the lights, you know, green, orange, yellow, red, they know immediately, whatever the technology behind it, a business critical application could be hosted in the cloud, and partially also having some on-prem data, on-prem identity. What is important is to have that risk-based governance, on the preventing part. Which is, every morning I open my dashboard, and I say, “I'm good today, I'm fine today, I know that my business critical application doesn't have any doors open today”. Tomorrow could be another day.

Rory

It's interesting, because that does seem to be a point of contention within the industry. I've definitely spoken to some people who say, “Yeah, prevention is good, but you can't prevent everything, so, you know, occasionally, you've just got to, you've got to respond. It's all about the response when anything does happen”. But it sounds like, just to link it back to Log4Shell, correct me if I'm wrong, but it sounds like what you're saying is, we really have to prevent the next big vulnerability from taking place, because I guess, otherwise, you know, that could be catastrophic for our business, if you're not focused on prevention.

Bernard

When you are leaving your house, do you close the door?

Rory

Well, that's right, exactly.

Bernard

That's, you know, we have closing and locking the door, okay, and putting an alarm system. If you leave the door open, and you put just the alarm system, believe me, it will ring, that's for sure. Because someone who's out will say “that door is open, what's going on here and what's wrong?” you know, and then suddenly, you will get a notification because your alarm system has detected a movement or whatever. So, I think we need to apply the same analogy. People need to identify, before leaving, if your door or your window is open. You know, I'm living on a second floor here. So I'm very sensitive, in my flat, that I'm not leaving the windows open, because people can climb and enter into my apartment. So before leaving, and looking after the windows, if those windows are closed, I'm safer. That doesn't mean 100% safe, it could be that someone will, you know, find another way, but I'm doing what I need to do. My duty is closing the windows, closing and locking the door, then having an alarm system, it’s not the other way back. People are looking at their detection, saying, as you said, you know, “I cannot prevent, so I will detect”. Okay, now, if you want to detect an encryption for a ransomware attack it’s just too late, you know, you have to be able to prevent anyway. So focus on prevention, at least equally than the detection. Even in systems sometimes, if you are investing 80% on your prevention, then your detection complexity will reduce anyway, mechanically, it's easy to understand, I think.

Rory

On a strategic level that makes perfect sense. On a technical level, something I'm wondering is, you're talking about maintaining prevention hygiene, and bringing together teams that were siloed. So on a more specific technical level, what kind of systems can be implemented by businesses to achieve this increase in prevention?

Bernard

As I said, you know, a cloud security specialist won't be, will never be an OT security specialist. These are different worlds. We don't want that, we don't want to do everything, we want to do something. So they will still have their own tools and what we call sensors, they will need to collect the data. So for example, if you're collecting the data, regarding your cloud misconfiguration, you know, someone has just deployed an application in the cloud and they've left misconfiguration somewhere, leaving then again the door open. Now, we need to collect that data and attach that to a platform where we can see that data linked to the business application. And if we do that for identity data, if we do that for vulnerability, classical vulnerability on-prem data, if we do that for web application, OT, and cloud all together, then we have in one place, what I'm calling again, the key risk indicators coming from those tools, coming from those solutions. And even if we go further, we can even collect data from non-Tenable technology. Nothing is stopping us, you know, we need to be able to have those sensors covering those scopes. The scopes are technical, the scopes and the technology is what it is. Okay, so cloud technology is one, which is very different than Active Directory, which is very different than network or devices or OT, we won't change that. We will apply sensors on those different places within the attack surface. But if we stay there, and stop only there, each and single team will have their tools, or no one will be able to understand globally what's happened in the attack surface. So that is the answer. The answer is aggregating all those data into one place. That's exactly what we've done at Tenable. We have created a platform, which is aggregating the data, correlating the data, the same correlation we've seen in the, you know, in the security event detection part, we apply the same correlation on prevention data, which is something that never existed before. 
And we really wanted to be able to call that, you know, subject as well.

Rory

On this task of aggregating data, obviously, there's huge potential for automated systems. I know that there's a lot of, kind of naturally, a buzz around terms like artificial intelligence and machine learning. Obviously, it's not a silver bullet, you can't just plug in an AI and everything improves. But do you think that there's scope for maybe more intelligent aggregation, and providing context to security teams for this?

Bernard

So in this platform, called Tenable One, we have a group of people called the data scientists and they have developed such a kind of algorithm, when you calculate the risk, you are collecting data, you are collecting the assets, and we need to understand the posture of the assets. By doing that, you know, for doing that, we need to calculate the risk. And so that's exactly what we've done. Again, within this platform, the value is the data. But if we stay there it’s just the data, we need to be able to calculate some exposure score. And that we've done, for example, with some data scientists, and obviously some kind of artificial intelligence that they've developed to be able to understand the trends, understand the posture, understand the reason why, and the key risk indicators as have been put together.

Rory

While we’ve got you here, I would be remiss not to ask if you have any burning predictions for 2023, or beyond, for the threat landscape: what you think is likely to be a key concern going forward.

Bernard

So in the beginning of the year, we've seen attacks against remote workers, and critical infrastructures. And also cloud, because the cloud and remote workers are, you know, very linked together, we need it, we need to work from home. So we need to have much more cloud applications. Very recently, as I said, you know, we've seen ransomware attacks are very there, plus nation state attacks. Now using the tools, we see combinations of both. So again, I want to go back to the wipers, I want to go back to the supply chain. So my prediction, unfortunately, would be that we will see more and more attacks, you know, using not only double extortion, but now triple extortion — if you really want to target an organisation, you know, those attackers are now using one, two, three kinds of attacks in the meantime. So that is a trend that we've seen, and I think we will see that in 2023. The second part that will never, I think, stop is attacks against critical infrastructures. We've seen a rise of that. We've seen a lot of attacks against critical infrastructures. And again, the main motivation is most of the time, financial motivation, but we know we tend to deny as well that there have been nation state attackers as well. If you combine both together, the number of attacks against critical infrastructure has been very important. And the last one is obviously very related to the cloud. You mentioned hybrid cloud, and cloud will never stop, you know, some organisations will be slower than others. But definitely the cloud is here, and you know, we will see clearly attacks against cloud more and more.

Rory

Well, on that note, thank you so much for your time. It's been a pleasure speaking to you, and I'd love to check back in with you at some point in the future to discuss the threats, what's come true and the state of the threat landscape going forward again.

Bernard

Thank you very much.

Rory

As always, you can find links to all of the topics we've spoken about today in the show notes and even more on our website at itpro.co.uk. You can also follow us on social media, as well as subscribe to our daily newsletter. Don't forget to subscribe to the IT Pro Podcast wherever you find podcasts. And if you're enjoying the show, leave us a rating and a review. We'll be back next week with a special festive edition of the podcast, but until then, goodbye.
