
Not If, But When: Maintaining Resilience as Threat Actors Adapt

Jan 19, 2023 | 4 min read

Cisco Talos’ 2022 Year-in-Review shows threat actors adapting to external challenges, forcing defenders to remain agile and vigilant.

[Image: Year in Review. Credit: Cisco]

Talos recently published its inaugural 2022 Year-in-Review report. We gathered insight from dozens of subject matter experts from across Cisco to tell a data-driven story about the major security events Cisco responded to, trends in the threat landscape, and what it all means for 2023.

As we reviewed the major events from this year, one throughline seemed particularly clear: adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Organizations, IT leaders, and security professionals will need to track and address these shifts in behavior to maintain resilience.

Where adversaries once forced change in the threat landscape themselves, whether by updating tooling or infrastructure, creating new levers to pressure enterprises into meeting their demands, or developing new exploits, we now see a complex geopolitical environment forcing change upon the threat actors. For example:

  • The fallout from the war in Ukraine has not only resulted in Russia-based advanced persistent threats (APTs) being deployed to attack Ukrainian targets but has led to chaos in the Eastern European ransomware economy as groups splinter and take sides.
  • The former ransomware landscape, which saw monopolies composed of dominant groups, has transformed into a diverse group of threat actors, responding to increased attention from law enforcement as well as infighting and internal leaks.
  • Law enforcement actions have severely disrupted former mainstay commodity malware leaders such as Emotet and Trickbot. Other families, like Qakbot, have expanded their operations, staying ahead of security researchers’ detection methods and updating their tactics, techniques, and procedures (TTPs) as needed.
  • As the security community refines its detection and tracking of Cobalt Strike, 2022 saw an explosion of new offensive frameworks, which may present further challenges for defenders.
  • Highly sophisticated and well-resourced, state-sponsored groups continue to launch attacks that support the shifting geopolitical goals of their affiliated governments.

What does this shift mean for IT and security leaders? First, the flexibility and adaptability of threat actors means that context matters more than ever. Defenders must grasp the trends driving threat activity and have thorough actor-tracking methodologies and threat intelligence processes in place to document the evolving behavior of these mercurial adversaries. Furthermore, given the number of threats facing enterprises, security alerts must be designed to provide essential context, including severity assessments and remediation recommendations, to avoid alert fatigue.

Second, as adversaries adapt their behavior and tooling in response to detections, defenders need to think about building a robust security ecosystem that implements “defense in depth,” or having multiple layers of security, rather than relying on a single point of defense. Furthermore, based on other observations, organizations should ensure security products are difficult to uninstall and fully deployed.

Finally, as threat actors become more sophisticated, organizations should focus on resilience and adopt a “not if, but when” mindset with regard to compromise, concentrating on ways to make life harder for an adversary once they are inside a victim network. This can include network segmentation, implementing multi-factor authentication, locking down powerful native tools like PowerShell, improving logging, developing incident response plans, and gaming out different threat scenarios.

Although the story of 2022 reveals many significant challenges, it also shows the resolve and capability of defenders. For instance, the work Talos has done in Ukraine demonstrates how defenders can use adaptation and innovation of their own to thwart the aims of sophisticated threat actors. Threat actors will continue to find new and innovative ways into victim networks, but by increasing resilience we can ensure that their ultimate objectives still end in failure.

For more information, please download Cisco Talos’ full Year in Review report.