Incident Response Teams Fight Back With Virtual Patching
Based solely on the dire cybersecurity headlines of the past few years, it’d be easy to assume that cybersecurity teams and incident responders were on their heels. But a just-released survey from VMware found that not only are incident response teams trying different ways to protect their systems, but they also feel confident in their ability to disrupt attacks. Notably, 87% of respondents said they are able to disrupt cybercriminal activity at least some of the time: 50% said they can do so some of the time and 37% said they can do so very often. One of the most common ways they are doing so is through virtual patching, something 75% of respondents said they use as an emergency mechanism.
Virtual patching, or vulnerability shielding, is a safety measure against both known and zero-day threats, according to Trend Micro. The approach works by implementing layers of security policies and rules that prevent and intercept an exploit before it can travel the network to and from a vulnerability.
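To make the mechanism concrete, here is a small virtual-patch filter as an added example; it is not code from VMware, Trend Micro or the survey. It models the idea in the paragraph above: rules sit in front of an unpatched application and intercept requests that would reach a vulnerability, so the application code itself is untouched. The endpoint `/api/export`, its `format` parameter and the rule ids `VP-001`/`VP-002` are hypothetical, as are the requests fed through it.

```python
"""Illustrative virtual-patch (vulnerability-shielding) filter.

Added example, not vendor code. The shielded endpoint (/api/export) and its
`format` parameter are hypothetical: we assume the application passes
`format` to a back-end unsafely and cannot be patched right away, so a rule
in front of it enforces an allowlist instead.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    """Minimal model of an inbound HTTP request (constructed for the example)."""
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    rule_id: Optional[str] = None
    reason: Optional[str] = None


@dataclass
class Rule:
    """A virtual-patch rule: applies to paths matching `path_pattern`;
    `check` returns a block reason, or None to let the request through."""
    rule_id: str
    path_pattern: "re.Pattern[str]"
    check: Callable[[Request], Optional[str]]


ALLOWED_FORMATS = frozenset({"csv", "json"})  # the only values the app legitimately uses
MAX_PARAM_LEN = 256                            # generic hardening limit for the API surface


def check_export_format(req: Request) -> Optional[str]:
    """Positive validation: only known-good `format` values reach the app."""
    fmt = req.params.get("format")
    if fmt is not None and fmt not in ALLOWED_FORMATS:
        return f"format value {fmt!r} is not in the allowlist {sorted(ALLOWED_FORMATS)}"
    return None


def check_param_length(req: Request) -> Optional[str]:
    """Layered rule: reject oversized parameters anywhere under /api/."""
    for name, value in req.params.items():
        if len(value) > MAX_PARAM_LEN:
            return f"parameter {name!r} exceeds {MAX_PARAM_LEN} bytes ({len(value)})"
    return None


# Rules are evaluated in order; the most specific shield comes first.
RULES: List[Rule] = [
    Rule("VP-001", re.compile(r"^/api/export$"), check_export_format),
    Rule("VP-002", re.compile(r"^/api/"), check_param_length),
]

# Blocked requests are recorded so the SOC sees when the shielded
# weakness is being probed, not just that traffic was dropped.
AUDIT_LOG: List[str] = []


def apply_virtual_patches(req: Request, rules: List[Rule] = RULES) -> Decision:
    """Run every applicable rule; the first one that objects blocks the request."""
    for rule in rules:
        if not rule.path_pattern.search(req.path):
            continue
        reason = rule.check(req)
        if reason:
            AUDIT_LOG.append(f"BLOCK {rule.rule_id} {req.method} {req.path}: {reason}")
            return Decision(False, rule.rule_id, reason)
    return Decision(True)


if __name__ == "__main__":
    # Constructed sample traffic: one normal request, two that the rules shield.
    samples = [
        Request("GET", "/api/export", {"format": "csv"}),
        Request("GET", "/api/export", {"format": "xml"}),
        Request("POST", "/api/users", {"name": "x" * 300}),
        Request("GET", "/static/logo.png", {"v": "x" * 300}),
    ]
    for s in samples:
        print(s.method, s.path, apply_virtual_patches(s))
    print("\n".join(AUDIT_LOG))
```

In practice this logic lives in a WAF, reverse proxy or host agent rather than in the application, which is what lets it be deployed in minutes while the real fix is tested. The rule for the shielded endpoint is an allowlist rather than a list of bad inputs: the point of a virtual patch is to narrow what can reach the vulnerable code, and the audit entries it produces are the detection signal that the vulnerability is being targeted.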
The survey also found cyberattackers increasingly targeting APIs. Currently, APIs are part of 23% of attacks, with respondents citing the top API attacks they’ve experienced in the past year: Almost half said data exposure (42%), SQL (37%), API injection attacks (34%) and distributed denial-of-service attacks (33%).
The survey also found ransomware attacks are far from over, with 57% of respondents encountering a ransomware attack within the past 12 months. Additionally, 66% encountered affiliate programs and partnerships between ransomware groups. This pointed to the continued use of double extortion attacks, selling data on the dark web and even blackmail.
Lateral movement remains a core component of attacks, with lateral movement within organizations occurring in 25% of all attacks. How are cybercriminals moving internally once they gain a foothold? They are turning to script hosts (49%), file storage (46%), PowerShell (45%), business communications platforms (41%) and .NET (39%) to move about as they look for sensitive systems and data to compromise or leverage as part of a ransomware attack.
The report also showed that attackers aren’t resting on their laurels. “Cybercriminals are now incorporating deepfakes into their attack methods to evade security controls,” said Rick McElroy, principal cybersecurity strategist at VMware, in an interview with Security Boulevard. “Two out of three respondents in our report saw malicious deepfakes used as part of an attack, a 13% increase from last year, with email as the top delivery method. Cybercriminals have evolved beyond using synthetic video and audio simply for influence operations or disinformation campaigns. Their new goal is to use deepfake technology to compromise organizations and gain access to their environment,” he added.
How should organizations respond to the threat? It won’t be successful with the same old security awareness training, advised McElroy. “Programs have to look at new innovation and incorporate behavioral science. They have to get outside of computer science and get into human psychology and behavioral science and figure out how to better educate humans to take a smarter step right,” he added.
McElroy likened enterprise technology security to car safety, explaining that despite many safety mechanisms, the car can’t protect the driver without the driver taking responsibility for their own safety.
“The automobile has turn signals, airbags and so many things to protect the driver. But they still have to check their mirrors. They still have to put their seatbelt on. We need to hit the same tipping point with enterprise security as we do with consumer products.”
VMware conducted the survey online in June 2022, with 125 cybersecurity and incident response professionals responding.