Tipping the Scales in Our Favor
By Mariana Allende | Journalist & Industry Analyst - Thu, 04/25/2024 - 11:00
Cybercriminals are becoming increasingly strategic in their attacks, as noted by René Agüero, Director, Security Specialization, Splunk. They invest in understanding their targets, test their strategies before launching them, and innovate continuously, which makes them ever more formidable adversaries.
This strategic effort is underscored by the size of the ransomware market, estimated at US$25 billion annually according to statistics provided by Splunk. These funds are reinvested in developing new attack methods or making existing ones more effective, often in conjunction with other malicious activities. The primary incentive behind these attacks is valuable data, which sells on the dark web for as little as US$1 for a credit card record or as much as US$363 for a medical record.
“What attackers aim for is to seize a user with machine access and establish a foothold, moving laterally until they find something of value, at which point they deploy ransomware, systematically testing rules with the goal of circumvention,” said Agüero, noting that the ransomware industry generates approximately US$25 billion annually.
The proliferation of espionage, insider threats, and sophisticated attacks such as supply chain compromise poses formidable challenges, often exceeding the budget and capacity of Security Operations Centers (SOCs) and proactive monitoring systems, according to Agüero. “With approximately one new vulnerability introduced for every 1000 lines of code, the scale of potential exploitation is staggering, especially considering the disparity in size between malicious software and the vast infrastructure it aims to infiltrate.”
These statistics and trends highlight a shift in cybersecurity threats from static to dynamic, human-directed, and goal-oriented attacks. Cybercriminals employ multiple tools and activities, often accompanied by new evasion techniques, making them increasingly challenging to combat.
These attacks, known as Advanced Persistent Threats (APTs), aim to remain hidden and to overwhelm the capabilities of SOCs and proactive monitoring systems, which underscores the urgent need for more robust defense strategies. The response proposed is a comprehensive security approach that combines preventive measures, early detection, and rapid response capabilities.
This calls for a shift in how security operations work, with risk-based authentication (RBA) positioned as the linchpin of the transformation. RBA uses real-time risk scores to judge the legitimacy of user actions promptly: an action that accumulates enough risk can be stopped quickly, while legitimate users continue unhindered.
Yet integrating risk-based authentication presents its own challenges, requiring not only the adoption of risk management software but also its end-to-end integration with the rest of the security stack. “Attackers can anticipate the alerts they will trigger when launching their attacks. Therefore, we require a shift in perspective away from focusing solely on alerts, and instead adopt a risk-oriented approach,” noted Agüero.
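To make the risk-scoring idea concrete, here is an added example in Python; it is not Splunk's code and not something from Agüero's talk. Detection rules with hypothetical names and weights each contribute a small amount of risk to a per-user score over a sliding 24-hour window, and the accumulated score, rather than any single alert, decides whether the user's session is allowed, challenged with step-up authentication, or blocked. The sample events and thresholds are constructed for the illustration; the contrast function shows why an attacker who tunes each step to stay below the alert threshold still gets caught by the aggregate.

```python
"""Risk-based scoring of user actions (added illustration, not vendor code).

Each observed event carries a small risk contribution from the detection
rule that produced it. Individually none is alarming; aggregated per user
over a sliding window, the total decides allow / challenge / block.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    rule: str    # name of the detection rule that fired (hypothetical names)
    score: int   # risk contribution assigned to that rule


# Hypothetical rule weights: low-value signals an attacker expects to survive
# in isolation, plus a few that are somewhat more telling.
RULE_SCORES = {
    "login_new_geo": 20,
    "login_off_hours": 10,
    "mfa_fatigue_prompt": 15,
    "password_reset_self_service": 10,
    "new_admin_share_access": 25,
    "rare_process_on_host": 20,
}

WINDOW = timedelta(hours=24)  # how long accumulated risk stays relevant
CHALLENGE_AT = 40             # require step-up authentication
BLOCK_AT = 60                 # terminate the session and open an incident


def parse_events(lines):
    """Parse 'ISO8601,user,rule' lines into Events; unknown rules are skipped."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, rule = (p.strip() for p in line.split(","))
        if rule not in RULE_SCORES:
            continue
        events.append(Event(datetime.fromisoformat(ts), user, rule, RULE_SCORES[rule]))
    return sorted(events, key=lambda e: e.ts)


def risk_decisions(events, window=WINDOW):
    """Return {user: (peak_score, decision, rules)} over a sliding window.

    For each user, every event is tried as the start of a window and the
    highest windowed sum is the score that drives the decision.
    """
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)   # events are already in time order
    results = {}
    for user, evs in per_user.items():
        best_score, best_rules = 0, ()
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            score = sum(e.score for e in in_window)
            if score > best_score:
                best_score, best_rules = score, tuple(e.rule for e in in_window)
        if best_score >= BLOCK_AT:
            decision = "block"
        elif best_score >= CHALLENGE_AT:
            decision = "challenge"
        else:
            decision = "allow"
        results[user] = (best_score, decision, best_rules)
    return results


def per_alert_decisions(events):
    """Contrast: treat each event as a standalone alert that fires only if it
    alone reaches CHALLENGE_AT. Returns the set of users that would fire."""
    return {e.user for e in events if e.score >= CHALLENGE_AT}


# Constructed sample log: alice is a staged intrusion, bob two unrelated
# low-risk events two days apart, carol a borderline sequence.
SAMPLE_LOG = """
2024-04-20T22:10:00,alice,login_off_hours
2024-04-20T22:11:30,alice,login_new_geo
2024-04-20T22:14:00,alice,mfa_fatigue_prompt
2024-04-20T23:05:00,alice,new_admin_share_access
2024-04-21T09:00:00,bob,login_new_geo
2024-04-23T09:00:00,bob,login_off_hours
2024-04-21T08:30:00,carol,rare_process_on_host
2024-04-21T08:45:00,carol,password_reset_self_service
2024-04-21T09:10:00,carol,login_off_hours
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for user, (score, decision, rules) in sorted(risk_decisions(evs).items()):
        print(f"{user:6} risk={score:3} -> {decision:9} via {', '.join(rules)}")
    print("per-alert approach fired for:", per_alert_decisions(evs) or "nobody")
```

Run as-is, alice is blocked (70), carol is challenged (40) and bob is allowed (20) because his two events fall outside a shared window, while the per-alert view fires for nobody since no single rule reaches the threshold. Tuning the weights, the window and the thresholds to the environment is where the real work of an RBA deployment lies; a window that is too long turns ordinary users into false positives, one that is too short lets a patient attacker space out their steps.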
Equally vital is cultivating cybersecurity awareness among personnel, since staff training is key to making this strategy effective. The hurdles inherent in implementation should be anticipated and addressed proactively.
Security operations must therefore take a holistic approach that brings human expertise, streamlined processes, and up-to-date technology together in one strategy. With its emphasis on contextual and behavioral analysis, that strategy allows teams to learn and respond quickly.
“Not only do we need to focus on technology, but also on providing training to users to communicate the new methods necessary to prevent alert fatigue,” said Agüero.