The growth in cybercrime during the COVID era has been well documented, but the true scale of this growth was nicely encapsulated in a recent report by the technology analysis firm Canalys, which revealed that in 2020, there were over 100 billion data records breached.
To put that into perspective, that represents more data breaches than we have seen in the previous 15 years combined. What’s more, this is despite increases in cybersecurity expenditure of roughly 10% to over $53 billion during 2020.
Despite this increase in investment, Canalys believes that it is still insufficient to adequately tackle the threat we're facing. Indeed, they argue that the extraordinary levels of digital transformation seen during the pandemic resulted in budgets in other IT-related areas growing faster than for cybersecurity, even as the very same digital transformation also expanded the threat surface.
For instance, the 10% growth in cybersecurity spending pales in comparison to the 33% increase in spending on cloud infrastructure or the 17% growth in spending on notebook PCs.
This disparity is especially problematic when the transformations undertaken by companies so seldom had cybersecurity at their core, and so would so often proceed in ways that made organizations vulnerable to attack.
Apart from a lack of prioritization for cybersecurity across industries, there are also a number of key factors that have undermined the ability of organizations to keep their data and their systems safe, whether in terms of properly configuring security controls, better provision of security training for staff and other stakeholders, or ensuring that one’s security controls have the appropriate visibility.
A good place to start is an analysis of the cyber kill chain, which describes the steps taken by attackers all the way from their earliest reconnaissance to the ultimate exfiltration of your data. By documenting the kill chain it helps organizations understand, and therefore combat, cybercriminals.
It's an approach that was first proposed by defense giant Lockheed Martin to help identify, prepare, engage, and ultimately destroy a military target. It's become commonly used in cybersecurity to understand everything from insider threats to social engineering.
The cyber kill chain
The journey cybercriminals take often begins with the identification of a suitable target, with this target often a server workload that contains software with a vulnerability of some kind (usually an unsecured password or inadequately applied software patching). The workload in this instance describes any application running on the server and typically involves software of strategic importance to the organization. The exposed vulnerability provides an open door for attackers to target.
Cybercriminals will often look to utilize malware to allow them to gain a sufficient level of remote connectivity into the victim’s system. Through this, they will strive to gain execution control that will allow them to execute malicious code that is buried inside the payload. This, in turn, will allow more malware to be inserted into the server workload, which, once executed, will allow the cybercriminal to achieve their end goal.
One of the most effective ways to limit this risk is to ensure you have adequate security controls to provide robust runtime protection. This kind of protection almost instantaneously checks to see if any code being run is legitimate and from the host organization or whether it’s from a potential attacker.
Endpoint threat detection and response is often deployed to try and provide this real-time monitoring and response to cyber threats, with this often used alongside a host-based intrusion detection system, which monitors network traffic as well as the host computer system.
Unfortunately, these approaches provide limited defense against an attacker that is fully aware of where the vulnerabilities in a system are and can target an unpatched vulnerability specifically. These network-based security methods are also likely to struggle to detect when hackers are executing malicious code as they’re reasonably far removed from the execution pipeline operating in the server workload. As such, they usually lack sufficient contextual awareness to understand when the malicious code has been executed.
Cybercriminals are aware of these shortcomings, not least that so many security systems utilize approaches such as detecting threat feeds, static signatures, or behavioral anomalies via an AI-based detection system. An expert attacker doesn’t require much to bypass such systems. As such, they can only truly be deterred by true runtime protection that capitalizes on the knowledge base within the application itself and therefore restricts the attacker’s ability to bypass any security controls you have in place.
With cybercrime not only on the rise but also evolving at an ever-increasing pace, the ability to provide real-time protection is likely to be essential to stemming the tide and ensuring systems remain safe from attack.