This breach, in which attackers were living in the system undetected for months, shows the critical importance of lateral movement detection and unnecessary credential remediation. These threat actors were using standard living off the land techniques – leveraging legitimate credentials and connectivity. This is some of the hardest movement to identify, as it appears natural. A more active approach is needed. It has to be assumed that attackers are getting in, and it’s what we do once they’ve breached that will make the most difference. Once companies understand and appreciate the importance of placing focus on paralyzing attackers inside the network, the greater the chance they have of assembling the necessary technology and tools to robustly secure that network. CISA is mandating that affected, or potentially affected systems be forensically imaged immediately. The importance of obtaining a full forensic picture, which is then delivered to security teams for remediation and further action, can’t be understated. Ideally security teams will see this as a learning opportunity to make sure their preferred active defense tools have this deterministic capability. Only then can they prepare more thoroughly for future attacks, which is paramount in the fight against cybercrime.  Read Less

The “spray and pay” method of scattering ransomware all over the internet and hoping to hit paydirt through the numbers game has given way to highly targeted strains pointed at specific victims. Despite all the myriad solutions deployed by organizations to defend against cyberthreats, ransomware is increasing at a rapid rate. The fundamental weakness underpinning the rise of ransomware as attackers’ chosen tactic in the aftermath of the remote work explosion is cybersecurity’s overreliance on behavioral-based threat detection. With the continued reliance on remote and hybrid work situations, the “old normal” isn’t likely to return. All the baselines created with years of user activity patterns factored in to detect and flag anomalies went haywire in the first few months of 2020. Without a baseline to compare anomalies with, threat detection based on activity monitoring will continue to generate even more false positives than usual, leading to more wasted investigation time.  Boundaries will continue to be pushed. For example, the recent news of the election security issue with Iran, while it's a big deal, it didn’t shake the country. I think it didn’t really shake the country because, because we saw similar things in 2016. The essence here is just human psychology – the boundaries keep getting pushed. And then the next time something occurs that seems unheard of, a country is going to accept it and then when it occurs again, it's not that it's overlooked, but that it doesn't seem all that awful. I think we're going to see the stakes dramatically continue to grow. There is a lot that nation-state attackers can do, but they're not doing today. And somebody at some point is going to make that first motion. I think we're going to see a shift in what is perceived as acceptable or reasonable. Security savvy board members. From a company governance perspective, I do think we're going to start to see a trend of more security and technology savvy board members being added to the board of directors. It will be crucial, as security continues to be a huge risk for all companies, to have someone on the board who can grasp this, understand it and work with the management team to resolve any issues and help manage the risk. Active Defense will be top of mind. Our customers are proactively bringing up MITRE’s Shield framework with us, which is phenomenal as it was only released in August. We've just scratched the surface now, but I think that this framework is going to play a significant role. It's going to transition customers’ thinking to the perspective Illusive Networks has long been focused on: the understanding that proactive versus reactive defense is key. How do you add an active layer to your defense? I believe that's going to play a significant role in security strategies in 2021.  Read Less

As we saw in the last election, spear phishing and other attacks on individuals affiliated with political campaigns can have broad ramifications beyond the specific breach. Well-funded nation-state attackers are getting past perimeter defenses, and defenders often struggle to gain visibility into their slow-and-low tactics as they lurk in the network. However, attackers rarely land on the machine with the valuable data they hope to steal as soon as they get in. If you can block their lateral movement towards that valuable data, you can limit the fallout that occurs from a breach. Many successful breaches are enabled by extraneous connectivity and credentials on machines throughout the network that allow attackers to gain a foothold without needing to leverage unpatched vulnerabilities or zero-day exploits. Some examples of this include remote desktop sessions left open, or cached admin credentials left on a browser. These pathways allow attackers to move laterally from their beachhead after they get past the perimeter and need to be found and removed. Simply closing off these pathways to critical assets makes successful breaches much less likely. Of course, there are steps the targeted individuals should take regarding password hygiene, but we are talking about sophisticated nation-state attackers here, and even users who know they are a target are only human and prone to mistakes. Campaigns should use security techniques that shift the onus away from the defenders’ actions and towards making attackers doubt each move they make. For example, if the campaigns can blanket a network with deceptive data that is indistinguishable from real data, telling the difference becomes impossible for an attacker. The deceptive data serves as a beacon highlighting an attacker’s presence upon engagement, and it is now the attacker who has to carefully consider each click. Again, the focus is on active defense, so that even if an attacker manages to get past static defenses, their access can’t bring them near critical assets.  Read Less