“Another day, another vulnerability” is a common refrain among security groups around the world. One of the most interesting findings from our latest Fortinet Global Threat Landscape report is that attackers are exploiting vulnerabilities faster than ever. This average exploitation time, 4.76 days, is 43% faster than what our FortiGuard Labs team saw in the first half of the year.
Response time has always played an important role in cybersecurity operations. But with adversaries deploying their tactics so quickly, it’s easy to see why security teams, especially those that are under-resourced, are concerned about staying one step ahead. While there’s no one-size-fits-all solution to outsmarting today’s cybercriminals, there are a few steps you should take now to ensure your team is prepared to keep pace with the evolving methods of attackers.
Use ‘red zone’ information to prioritize responses to predictable patterns
Prioritizing remediation by risk is more important than ever as the rate of discovery and disclosure continues to accelerate. As of the writing of this piece, there are over 240,000 entries on the Common Vulnerabilities and Exposures (CVE) list. We saw a new record in 2023, with almost 30,000 new vulnerabilities published, representing a 17% increase from 2022.
With so many historical threats, defenders must focus on what’s attacking them in the wild. A few years ago, we introduced the concept of the “red zone,” which helps us all better understand how likely (or unlikely) it is for threat actors to exploit certain vulnerabilities. Using this red zone information, your team can focus on the vulnerabilities that present the most significant risks to your organization, prioritizing responses to predictable attacker patterns.
Revisit your patch management strategy
Failure to patch continues to enable unauthorized access. In 86% of the cases managed by FortiGuard incident response (IR) and managed detection and response (MDR) teams where unauthorized access occurred through vulnerability exploitation, the vulnerability was already known at the time and a patch was readily available.
Yes, security leaders are well aware of the importance of regular patching. In our experience, when organizations fail to respond to specific, targeted intelligence, it is often due to insufficient support. However, the data underscores the importance of reassessing your security investments and making the necessary changes, given how important regular patching is to protecting against breaches.
It’s also a good reminder to all security personnel to act quickly, with a consistent patching and updating program, when new exploitable vulnerabilities emerge. And don’t discount “old” vulnerabilities, as they remain popular with adversaries. In the second half of 2023, 98% of organizations reported detecting exploits that have been in existence for at least five years.
This reinforces the importance of staying vigilant about overall security hygiene, as attackers will continue to target both old and new vulnerabilities.
Clean up your cyber hygiene
Improving your organization’s cyber hygiene can take many forms, from updating your systems to implementing appropriate security controls. However, based on the events our IR and MDR team covered in the second half of the year, there are a few special cyber hygiene considerations that should be on every security team’s radar.
First, make sure your team has accurate, workable IR plans. Without them, teams often act hastily, leaving investigations and corrective actions incomplete. Our teams have seen many cases where poor remediation added more fuel to an attacker’s fire, and adversaries responded by deploying ransomware to cause extensive and unnecessary damage.
Additionally, consider the state of your backups and how easy (or difficult) it is for attackers to gain access. We’ve seen cases where organizations use backup solutions that authenticate to their core business environment. In these cases, threat actors are able to access, manipulate, and encrypt backup solutions during intrusions, rendering them useless. Backup solutions must be sufficiently isolated from the primary environment to be effective.
Finally, make sure your team is monitoring for suspicious use of valid accounts in your environment. We have noticed that malicious actors operating on the dark web often advertise access to organizations via VPN, Remote Desktop Protocol, and compromised accounts. Valid accounts continue to provide a fast track through the kill chain and are increasingly accessible to bad actors.
Public and private organizations must work together to disrupt cybercrime
Improving your organization’s risk management strategy is an important step in keeping attackers from hitting their stride. However, even the most skilled security teams cannot disrupt global cybercrime on their own.
Creating choke points on the attackers’ chessboard requires a concerted effort. That’s what makes collaboration and knowledge sharing so important. And as cybercriminals become more sophisticated, now is the time to work across the public and private sectors to improve cybersecurity around the world.