Video: 10 Minute IT Jams - BeyondTrust CTO discusses common attack vectors in 2021
The threat from malicious software is growing.
That is the stark warning in BeyondTrust's latest malware threat report, discussed this week by the company's Chief Technology Officer, Mark Mayfray. Speaking to IT Jam, Mayfray explained the growing complexity of attacks, including ransomware and phishing, and what organisations should be doing to protect themselves in a shifting landscape.
"A lot of the report was really to try to map out what's happening in the landscape of ransomware, phishing trends, things of that nature," Mayfray said. "Particularly on the end of ransomware - really trying to understand what are some of the underlying causes of how it's able to propagate, spread further within environments, and how that overlays with things like the MITRE ATT&CK framework."
Asked about the most common attack vectors highlighted in BeyondTrust's research, Mayfray said that privilege escalation remains at the very heart of most ransomware campaigns. "I think one of the things we consistently see is, as attackers are trying to gain a foothold within the company, what's required in almost every case for the spread of something like ransomware is the ability to gain increased privileges and move laterally through the environment through the increased privileges that are gained," he explained. "That eventually allows you to do the sort of ransomware techniques that we're all familiar with."
Mapping these techniques to frameworks that security professionals rely on, such as MITRE ATT&CK, is crucial for understanding and defending against threats, Mayfray said. "The MITRE framework itself covers a wide area of different techniques that are used by attackers - particularly on the end of ransomware," he stated. "When you look at the cross-section of lateral movement, for example, there's an emphasis around needing privileges to go from system to system, across SMB or whatever the protocols might be. In your traditional Windows Active Directory environment, you'll find things like SMB being a common way, and then there's really the variance on what are the different specific techniques that might be used - everything from piggybacking off of everyday administrative tools to more custom-tailored malware. It's really everything in between."
Mayfray stressed that, because attackers are adept at abusing legitimate tools and protocols, organisations must be able to detect not just malware, but also abuse of privileged access and suspicious lateral movement.
So what, practically, can organisations do to mitigate these risks? According to Mayfray, it starts with prevention. "A lot of it is, what are the upfront preventative measures that you can do to keep attackers out in the first place?" he said. "Looking at strong forms of authentication, looking at modern authentication mechanisms like FIDO2 and related, that really can help provide kind of phishing-proof forms of authentication."
However, Mayfray warned that a robust defence must assume attackers will, sooner or later, gain entry. "Having the understanding - the kind of assumed breach mentality - that somehow, some way, an attacker will get a foothold in your environment," he said. "What will allow them to spread further and move laterally really comes down to privileges. So good best practices that are tried and true in security, around making sure your users are not running as administrator, at least having some barrier to entry for an attacker to have to gain those increased privileges versus just being given them in the first place."
Mayfray also highlighted the importance of ongoing vigilance, stating, "What do you look at from a detection engineering perspective? Worst case scenario: you are compromised, there is a foothold, they are able to gain increased privileges in some way. What are you doing to try to monitor and detect the sort of abnormal behaviours, right? When you look across the different identities, machines within your environment, and how might they be behaving abnormally?"
That attention to detail, he said, is critical for identifying and responding to breaches before malware can spread.
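The "assumed breach" monitoring Mayfray describes, watching identities and machines for abnormal behaviour once an attacker already has a foothold, can be made concrete with a small detection routine. The following is an added illustration, not code from the report, from BeyondTrust or from the interview. It runs two rules over constructed Windows-style security events: one flags an account whose network logons fan out to several distinct hosts in a short window (the lateral-movement pattern the report ties to gained privileges), and one flags "special privileges assigned" events (event ID 4672) for accounts that are not on an assumed admin allow-list (the "users should not be running as administrator" point). The log layout, the sample lines, the `KNOWN_ADMINS` set and the window and threshold values are all assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not taken from the page or the report). Each line:
#   timestamp  event_id  logon_type  user  source_host  target_host
# 4624 = successful logon, logon type 3 = network logon (e.g. over SMB),
# 4672 = special privileges assigned to a new logon.
SAMPLE_LOGS = """\
2021-05-03T09:00:00 4624 2 alice WS-01 WS-01
2021-05-03T09:05:10 4624 3 alice WS-01 FS-01
2021-05-03T09:40:00 4672 2 svc-admin ADM-01 ADM-01
2021-05-03T10:00:00 4624 2 bob WS-02 WS-02
2021-05-03T10:01:00 4624 3 bob WS-02 WS-03
2021-05-03T10:01:30 4624 3 bob WS-02 WS-04
2021-05-03T10:02:00 4624 3 bob WS-02 WS-05
2021-05-03T10:02:30 4624 3 bob WS-02 FS-01
2021-05-03T10:03:00 4672 3 bob WS-02 FS-01
""".splitlines()

# Assumed allow-list of accounts that are expected to hold administrative rights.
KNOWN_ADMINS = {"svc-admin"}


def parse_event(line):
    """Parse one constructed log line into a dict with typed fields."""
    ts, event_id, logon_type, user, src, dst = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "src": src,
        "dst": dst,
    }


def detect_lateral_fanout(events, window=timedelta(minutes=5), threshold=3):
    """Flag an account whose network logons reach `threshold` or more distinct
    remote hosts inside `window`. Ordinary users rarely fan out this quickly;
    an attacker pushing ransomware with stolen privileges does."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, target host)
    alerts, flagged = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4624 or ev["logon_type"] != 3 or ev["src"] == ev["dst"]:
            continue  # only remote network logons count toward fan-out
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop logons that fell out of the sliding window
        hosts = {dst for _, dst in q}
        if len(hosts) >= threshold and ev["user"] not in flagged:
            flagged.add(ev["user"])  # one alert per account, not one per logon
            alerts.append({"rule": "lateral_fanout", "user": ev["user"],
                           "hosts": sorted(hosts), "ts": ev["ts"]})
    return alerts


def detect_unexpected_privilege(events, known_admins=KNOWN_ADMINS):
    """Flag 4672 (special privileges assigned) for accounts that are not
    expected to be administrators, i.e. a likely privilege escalation."""
    return [{"rule": "unexpected_privilege", "user": ev["user"],
             "host": ev["dst"], "ts": ev["ts"]}
            for ev in events
            if ev["event_id"] == 4672 and ev["user"] not in known_admins]


def run_detections(lines=SAMPLE_LOGS):
    """Run both rules over the log lines and return the combined alert list."""
    events = [parse_event(line) for line in lines if line.strip()]
    return detect_lateral_fanout(events) + detect_unexpected_privilege(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample data the routine raises two alerts, both for `bob`: a fan-out to three workstations within two minutes, followed by administrative privileges being assigned to that same account on a file server. Neither rule needs a malware signature; they key on the privilege and movement behaviour the interview highlights, which is why they also catch attackers who ride on legitimate administrative tools.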
BeyondTrust's report, which Mayfray encouraged viewers to read, draws on the company's in-house research and interaction with organisations tackling real-world cyber attacks. "There's obviously a lot that we do as a company with the products that we build, but what we do is very much informed by the research of where threats are going, how things are evolving. I think understanding not just simply what customers and companies might be worried about, but the sort of challenges that they're facing, is important," he said.
But it is not just about technology. Mayfray drew attention to what he called the "human toll" of ransomware and data breaches, especially on security professionals on the front line. "I think one of the things often not talked about from a ransomware perspective is the human toll - what it actually means to be an IT security engineer dealing and responding with something like ransomware. It's a stressful, kind of crazy ride," he reflected.
Mayfray believes that connecting with those dealing directly with cybersecurity incidents is just as vital as keeping ahead of the latest technical challenges. "I think, to us, being able to connect with people in that way is really important, and hopefully this research kind of furthers doing that," he said.