VMware Carbon Black asked incident response experts about the biggest challenges they face when working with all-remote teams.

A survey of security professionals finds that hackers are getting more aggressive as IT and security teams continue their internal turf battles. The Global Incident Response Threat Report from VMware Carbon Black checked in with practice leaders at 49 security and consulting firms about the impact of the coronavirus, the current threat landscape, and how security teams are coping.

Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black and former cyber commissioner for President Barack Obama, wrote the fifth installment of the semi-annual Global Incident Response Threat Report along with Rick McElroy, a security strategist at VMware.


The increase in counter-incident response (IR), mostly destruction of logs (50%) and diversion (44%), signals attackers’ increasingly punitive nature and the rise of destructive attacks. Kellermann said that this shows attacks have shifted from being burglaries to home invasions.

“Your brand will be commandeered, your digital transform will be hijacked and used to attack customers and shareholders, and that’s why boards and shareholders need to wake up now,” he said. “There’s more value in taking over the infrastructure than stealing from a brand.”


Survey respondents named remote access inefficiencies (52%), VPN vulnerabilities (45%) and shortage of available or skilled staff (36%) as the biggest endpoint security challenges related to the pandemic.

Here is a recap of the report’s findings as well as advice on which security tactics are the most important during this extended phase of working from home.

New entry points for more destructive attacks

Hackers are taking advantage of all the Internet of Things (IoT) devices in home offices to island hop, or move from one point in a network to another. Usually this takes the form of attacks on third-party partners or the supply chain.

“Last Christmas, the number one consumer purchase was smart devices,” Kellermann said in the report. “Now they’re in homes that have fast become office spaces. Cybercriminals can use those family environments as a launchpad to compromise and conduct criminal conspiracies in professional organizations.”

Respondents said that 27% of incidents during the 90 days prior to the survey took advantage of IoT-related vulnerabilities.

Another growing problem is counter-incident response (IR). This tactic is on the rise, up 10% from the previous survey and present in a third of incidents. The Kryptik trojan is one example of counter IR. It can be persistent and difficult to detect, as it often deletes its executable file after running. It also can use trusted protocols to hollow out existing processes and penetrate the corporate environment even further via island hopping or lateral movement—also known as “lay of the land attacks.” Lateral movement and island hopping also are difficult to detect, and these attacks take on an increasingly destructive nature. Twenty-five percent of survey respondents reported destructive attacks in half of all encountered incidents.

When considering future threats, 42% of respondents said that cloud jacking would very likely become more common in the next 12 months, while 34% said access mining will become a bigger problem. Mobile rootkits, virtual home invasions of well-known public figures, and Bluetooth low-energy attacks were among the other attack types respondents predict over the next year.

Improving collaboration between security and IT

Outside attacks aren’t the only risk to a company’s security. Almost 80% of respondents described the relationship between the IT department and the security team as negative. An overwhelming majority of respondents agreed that more collaboration would improve security and lessen cyber risk.

Survey respondents listed these initiatives as the three top actions that will drive the most collaboration between IT and security teams:

  1. Establishing a consolidated strategy with unified metrics and goals (61%)
  2. Modifying reporting structures to streamline communications upstream (47%)
  3. Integrating platforms and solutions for seamless sharing of information between teams (47%)

Kellermann said that another element of the problem is org charts that have CISOs reporting to CIOs when the two leaders should be equals.

“The current threat landscape provides plenty of justification for increased authority and budget for CISOs,” he said.

How to strengthen the defenses

The VMware report has five suggestions about how to improve network security. Enhancing collaboration between IT and security teams is an obvious one. Security teams should help IT team members become experts on how to manage the security of their own systems, which provides an easy way to encourage the two groups to work together.

The other suggestions address how to think about security in light of the current state of remote work. Just as humans are trying to stay six feet apart, devices should practice digital social distancing:

“People working from home should have two routers, segmenting traffic from work and home devices. They should have a room free of smart devices for holding potentially sensitive conversations. And they should restrict sensitive file sharing across insecure applications, like video conferencing tools.”

“Otherwise, someone can hack your TV and then get to your VPN and ride that back to the corporate network,” Kellermann said.

The last three pieces of advice are established best practices that are even more important as working from home starts to become the new normal:

  • Gain better visibility into your system’s endpoints
  • Enable real-time updates, policies, and configurations across the network
  • Remember to communicate