The Home Threat Vector

The prediction of security threats is an incredibly broad topic and can range from statements covering a single enterprise in a short time frame to those covering the global threat landscape for the year ahead. This is of course not to say that the different levels of fidelity at play here are wholly unconnected. On the contrary, global trends can be seen as the larger context within which individual incidents play out, with occurrences at each level informing analysis at the other.

Looking at the year ahead and considering recent high-profile hacks and the large number of people working from home, McAfee’s annual threat prediction report contains few surprises. Their top six threats for 2021 are as follows:

  1. Increased supply chain backdoor attacks
  2. Home office attacks for accessing corporate networks
  3. Cloud infrastructure attacks of varying sophistication to proliferate
  4. New mobile payment scams
  5. New QR code scams
  6. Social networks used to launch attacks against companies

The core thread running through all of these threats, other than the first one, is that the proliferation of work-from-home setups has opened up a new and more readily exploitable avenue of attack against corporate targets. Since employees are working from home and, more often than not, also using their personal computers for work, there is a significant new weakness in corporate defences: a variety of less secure devices located off-site now connect into corporate networks in a number of different ways.

This attack vector might not be entirely new, but its level of prominence, due to lockdowns and work-from-home rules, definitely is. However, once an attacker moves past a home network (or possibly even earlier, depending on the setup), their actions become detectable and monitorable by security teams. Patterns will form and analysis will be possible.

Security Analysts and information overload

In the hyperconnected information society, everybody is busy, everybody is linked in, and everybody is overloaded with information of every type imaginable. This effect is amplified for those working directly with data in a data-driven economy, and when that data concerns the actions and interactions of computing systems and networks, the effect is more pronounced still. Consequently, it is no surprise that some of the most discussed topics on forums and blogs concerning security analysis are information overload and fatigue.

Terms such as “alert fatigue”, “burnout”, and “threat overload” are the labels often attached to these issues, but they are, on closer inspection, all manifestations of the inevitable exponential increase in the data analysts are expected to attend to. The all too predictable outcomes of this situation include low morale and high staff turnover. On this count, a study from 2019 found that SOC personnel turnover ranged from 10% to as high as 50%. Clearly, such a situation is not only untenable but will inevitably have a negative impact on the skills retained within the company. The same study also found that not only is the number of daily alerts increasing at an exponential rate, but that false positives remain a persistent problem. At the same time, on-the-job training remained low, with about half of respondents reporting 20 or fewer hours of training per year.

CyberHelper can help in addressing the root cause of these issues, namely the need to correctly identify known patterns in an ever-increasing pool of data. In other words, CyberHelper can directly reduce analyst workload by streamlining the process of threat identification and focusing analyst attention where it is needed, armed with additional knowledge of how such an attack might progress. This advantage can be leveraged further by using CyberHelper for on-the-job training with real-world test cases, even ones captured directly by the company itself.

More SolarWinds fallout

The repercussions of the SolarWinds hack will be with us for a long time to come, hopefully with significant lessons learnt. At the moment, though, we are still very much at the stage of trying to map out the true scope of the hack. With these efforts ongoing, both the Wall Street Journal and the New York Times published stories stating that JetBrains, a Czech software developer, is under investigation in connection with the hack.

This is significant since JetBrains produces a number of popular IDEs and other development products. Compromising these would give an attacker unbelievably broad access to targets the world over. In particular, though, the allegation is that the JetBrains product TeamCity was compromised. TeamCity is a CI and build management server which has been on the market for more than a decade and is used by, amongst others, SolarWinds.

JetBrains, however, has issued a statement denying any knowledge of a breach and stating that it has not been contacted by investigators. This does not mean that there isn’t a link, since JetBrains itself raised the possibility of otherwise secure, but incorrectly configured, instances of TeamCity being targeted.

We are live!

It is our great pleasure to announce that CyberHelper.net is live. Over the coming months, we will be sharing our progress and some pertinent issues in cybersecurity right here on our site. For now, though, let’s start with what CyberHelper is and what it will do.

CyberHelper represents a new approach to analysing, contextualising, and understanding the cybersecurity threats faced by organisations both large and small. This is accomplished by using advanced analytical techniques to assess client network traffic in order to locate and describe intrusions and other actions taken by threat actors. CyberHelper is, however, not a replacement for the human analyst, but rather a capability multiplier which aids the human analyst.

Such aid is needed since the network traffic containing the tell-tale signs of intrusion, both attempted and achieved, is growing at an exponential rate due to the continued increase in connectivity across the board. This challenge is exacerbated by both the low barrier to entry for some attacks, leading to their proliferation, and, at the other extreme, the increased sophistication of so-called advanced persistent threats (APTs). In other words, increased network traffic is accompanied by an upsurge in general attacks and by increased sophistication at the highest threat levels. Consequently, a tool which can spot and correctly interpret the hidden ripples in an ocean of data offers the opportunity not only to locate and identify a significant threat, but to do so much earlier than might otherwise be the case.

This is the value proposition of CyberHelper, and the goal towards which we are working. Over the coming months we will share more on how we make this a reality, so please check back for more, or use our contact form if you want to reach out to us.

-The CyberHelper Team-