In an era of accelerating digital change, understanding the tactics employed by modern attackers is crucial for organisations doing everything in their power to protect their sensitive information. In this episode of the Security Strategist podcast, host Richard Stiennon and Chester Wisniewski, Director, Global Field CISO of Sophos, examine the findings of the Active Adversary Report, compiled by Wisniewski and his team, shedding light on how cyber threats are changing and what security leaders can do to adapt their strategies.
Understanding the Active Adversary Report
The Active Adversary Report, compiled by Wisniewski’s team at Sophos, provides invaluable insights into the common pitfalls organisations face when responding to cyber incidents. With Chester's extensive experience in cybersecurity and incident response, the report aims to analyse real-world data from hundreds of incident responses across 50 countries. The report categorises incidents into two main groups: those who seek immediate help during a crisis and those who utilise managed detection and response services. By examining these cases, the report identifies key indicators that contribute to security breaches, offering organisations a roadmap to enhance their security posture.
The Focus on Identity Theft
One of the most startling revelations from the report is that nearly 70 per cent of incidents last year were linked to identity-related issues such as stolen passwords, session tokens, or phishing attacks. Chester explains that attackers are increasingly leveraging identity theft because it is often easier to log in as an authorised user than to break into a system. This trend underscores how important it is for security teams to prioritise identity management as part of their overall strategy.
Wisniewski also emphasises that the ease of access through stolen credentials presents fewer telltale signs of unauthorised activity, making it harder for organisations to detect breaches. In the past, cybercriminals often exploited vulnerabilities in software like Flash and Java, but as security measures have improved, they have shifted their tactics toward the more vulnerable area of user identity. This shift indicates a pressing need for organisations to bolster their identity security protocols.
Balancing Vulnerability Management with Identity Security
As organisations work to strengthen their security measures, Wisniewski addresses the challenge of balancing patch management with a focus on identity security. He points out that while patching vulnerabilities remains essential, many organisations face difficulties, particularly those with hybrid workforces. Unpatched VPN gateways and firewalls have become common entry points for attackers, making it critical for organisations to prioritise their patch management efforts based on exposure and the sensitivity of the data involved.
Wisniewski advocates for a more strategic approach to identity management, highlighting that the adoption of multifactor authentication (MFA) is still lacking across many organisations. He notes that many systems still rely on basic MFA methods, such as six-digit codes or push notifications, which do not provide adequate protection against sophisticated attacks. To truly enhance security, organisations must consider more robust identity verification methods and address the complexities introduced by non-human identities as well.
The Challenge of Non-Human Identities
In the current technological climate, non-human identities such as API keys present significant challenges for security teams. Wisniewski cites recent incidents in which API keys were exploited to gain unauthorised access to sensitive systems, and notes that organisations must be vigilant in managing these non-human identities. As organisations adopt technologies like passkeys for human users, understanding and securing non-human identities is becoming increasingly important.
With cyber risks becoming more complex, organisations must adapt their security strategies to address these challenges effectively. Here are a few things businesses can do to protect themselves:
- Prioritise identity security by implementing robust protocols and strategies to combat identity theft.
- Balance patch management with a focus on securing critical assets and data.
- Enhance multifactor authentication practices to ensure stronger protection against unauthorised access.
- Develop a comprehensive understanding of non-human identities and implement measures to secure them.
By staying informed about the latest trends and insights in cybersecurity, organisations can better equip themselves to fend off the growing tide of cyber threats. For more information, visit https://www.sophos.com/
Takeaways
- Nearly 70 per cent of incidents last year involved identity-related issues.
- Attackers find it easier to log in as authorised users.
- Patching and vulnerability management are challenging for organisations.
- MFA adoption remains low despite its importance.
- Most attacks occur outside of normal business hours.
- Median incident response time is significantly reduced with MDR services.
- Employees can act as early warning systems for security threats.
- Focusing on basic cybersecurity practices is essential.
- AI can help streamline data analysis in incident response.
- AI is also being used to enhance phishing attacks.
Chapters
00:00 Introduction to Cybersecurity Challenges
02:57 Understanding the Active Adversary Report
05:55 The Shift Towards Identity-Based Attacks
08:48 Balancing Patching and Identity Management
12:04 Operational Challenges for CISOs
15:09 Leveraging Employee Awareness for Security
18:12 Practical Steps for CISOs to Strengthen Resilience
20:56 The Role of AI in Cybersecurity