Navigating the Complex Threat Landscape — Key Takeaways for CISOs

Well, it looks like we cybersecurity defenders won’t be getting a break any time soon. Unit 42 consultants and intelligence analysts have been busy, and a few trends have jumped out at us in the last few months. So, we decided to write them up. In our latest executive advisory, Navigating the Evolving Threat Landscape: Resilient Cybersecurity Tactics for CISOs, we highlight a couple attacker trends, what they mean, and what you can do about them.

The bottom line: attackers are becoming more tenacious and resilient to defense. Defenders can take a few steps to match those changes and improve their own organization’s resilience.

Criminals Are Committing Crime More Efficiently

One trend is improved efficiency. More attackers now use automation, organization, playbooks and repeatable operations. Certain actors have developed key expertise in modern IT infrastructure. And, they use it to move efficiently through the target environment – faster and more quietly than before.

Muddled Libra is a threat group that’s exhibited these skills. The Unit 42 Threat Assessment on Muddled Libra has an in-depth written analysis, and you can also listen to the Unit 42 Threat Vector podcast for expert insights and strategies to counter this threat actor group.

States Are Sponsoring Attacks on Non-State Targets

Nation-state attackers don’t just conduct espionage. Lately, they have also been acting to destabilize other components of the states they target. One example is Trident Ursa, an APT group with a history of creating access to its targets and gathering information from them. Their targets include most business sectors: financial institutions and government entities, communications, manufacturing, information technology, education and more.

If you run operational technology (OT), you might also be interested in some of the insights in this OT Security Insights white paper from our OT colleagues. It looks at the IT-OT interface and how attackers are crossing it.

What Unit 42 Recommends

A comprehensive defense strategy helps you frustrate attackers. And, they deserve to be. The advisory goes into more detail. Here are some quick takes to consider.

1. Change How You Measure Success: Define success as how effectively you respond to active threats, not how you prevented everything bad – nobody does that.
2. Constrain the Attacker: Deny them time and space, and give it to your defenders instead.
3. Lather, Rinse, Repeat: Run your response playbooks efficiently and repeatedly.
4. Increase the Pressure: Everyone makes more mistakes when they’re rushed.
5. Measure and Reduce Your External Attack Surface: Almost half the organizations we surveyed had a Microsoft Remote Desktop server open to the internet.
6. Work Toward Being a Zero Trust Enterprise: Asset inventories and user identity are some of the first questions incident responders ask.

Being Thoughtful About Defense

These changes in attacker behavior aren’t all bad news. On the contrary, it means a comprehensive defense strategy is more valuable against more threat actors. Attackers are innovating, accelerating and becoming more tenacious. Your team should be, too.

Unit 42 and other Palo Alto Networks products and services can help. We provide Cyber Risk Management and Incident Response consulting services – from attack surface assessment to full-scope reactive incident response. We’re familiar and experienced with responding to threat actors – from APT to ransomware – in environments that include the largest Global 2000 firms.

This is just the beginning of what you need to know. Read the executive advisory, Navigating the Evolving Threat Landscape: Resilient Cybersecurity Tactics for CISOs to learn more about key attacker trends and tactical steps you can take to improve your security defense.