By Jonathan Lee, Senior Product Manager, Menlo Security
2022 has unfortunately failed to live up to hopes for calmer waters.
While it seems as though the worst effects of the COVID-19 pandemic are now behind us, the past year has been riddled with other difficulties. From the Russian invasion of Ukraine to the growing cost of living crisis, it’s been another incredibly tough year for all – and the situation hasn’t been eased by any softening of the threat landscape.
Indeed, threat actors have continued to expand and evolve their attack methods, leveraging new techniques and exploiting a series of emerging vulnerabilities.
Here, we look at four key emerging trends that we have observed this year and expect to grow throughout 2023.
- HEAT attacks
Threat actors' efforts to understand the common technologies across the security stack, and to tailor their attacks to bypass those tools, are a pressing problem for enterprises. Modern threats are becoming increasingly advanced and evasive as adversaries find ways around defences that are all too often inadequate or outdated.
Throughout the last year, the Menlo Labs team has been tracking a distinct and notable rise in Highly Evasive Adaptive Threat (HEAT) techniques: a class of cyber threats tailored to evade protective tools such as firewalls, secure web gateways, malware analysis including sandboxing, URL reputation and phishing detection technologies.
Menlo Labs identified a 224% increase in HEAT attacks in 2021, and we expect a similarly alarming increase this year as attackers further evolve their methods. If firms continue to lean heavily on traditional detect-and-respond security techniques, attackers will continue to find success with HEAT-based campaigns.
- Basic security failures
Unfortunately, basic security failures at even some of the most renowned organisations in the world continue to offer open doors for attackers to step through and begin to wreak havoc.
Take the attack on Uber in September 2022. A lone threat actor gained administrative control over the ride-hailing giant's IT systems and security tools thanks to an exposed PowerShell script that contained admin credentials for the firm's privileged access management (PAM) platform.
It is a telling example. It doesn't matter how extensive an organisation's security investments are, or how sophisticated its technologies: threat actors can often use simple, proven methods such as social engineering to find ways around them.
The incident did more than reiterate that there is no silver bullet for stopping attacks. The Uber breach also showed push-based multi-factor authentication (MFA) to be exploitable: the attacker gained a foothold through MFA push fatigue, repeatedly triggering login-approval prompts to a contractor until one was accepted. That caused widespread concern and a demand for phishing-resistant FIDO2 passkeys and hardware tokens in place of passwords and push prompts, something we might see gather momentum in 2023. However, widespread implementation will take a lot of work, and even then we foresee attackers simply finding the next weakest link in the chain.
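As an added example (not part of the original article or of Menlo Security's own tooling), here is the detection logic a security operations team would want for the push-fatigue pattern described above, run over a constructed sample of push-MFA authentication events. The log line format, field names and thresholds are assumptions made for this example; each identity provider has its own schema and the parser would need adjusting. The key signal is not the burst of denied prompts by itself but an approval that arrives while the burst is still inside the window, which most likely means the user gave in.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of push-MFA authentication events. The line format is an
# assumption for this example; real identity-provider logs (Okta, Duo, Entra ID)
# use their own schemas, so LINE_RE would need adjusting for them.
SAMPLE_LOG = """\
2022-09-15T22:00:01Z user=alice src=203.0.113.7 event=push result=denied
2022-09-15T22:00:31Z user=alice src=203.0.113.7 event=push result=denied
2022-09-15T22:01:02Z user=alice src=203.0.113.7 event=push result=timeout
2022-09-15T22:01:40Z user=alice src=203.0.113.7 event=push result=denied
2022-09-15T22:02:15Z user=alice src=203.0.113.7 event=push result=denied
2022-09-15T22:03:05Z user=alice src=203.0.113.7 event=push result=approved
2022-09-15T22:05:00Z user=bob src=198.51.100.9 event=push result=approved
2022-09-15T22:06:00Z user=carol src=198.51.100.12 event=push result=denied
2022-09-15T22:40:00Z user=carol src=198.51.100.12 event=push result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=push result=(?P<result>approved|denied|timeout)$"
)

UNAPPROVED = {"denied", "timeout"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=4):
    """Flag users who received `threshold` or more unapproved push prompts within
    `window`. An approval arriving while that burst is still inside the window
    escalates the alert: the account should then be treated as compromised,
    not merely harassed."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    alerts = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if ev["result"] in UNAPPROVED:
            q.append(ev["ts"])
            if len(q) >= threshold:
                a = alerts.setdefault(ev["user"], {"unapproved": 0, "sources": set(),
                                                   "approved_after_burst": False,
                                                   "severity": "medium"})
                a["unapproved"] = len(q)
                a["sources"].add(ev["src"])
        elif ev["result"] == "approved" and ev["user"] in alerts and q:
            # The burst was still within the window when the user finally approved.
            alerts[ev["user"]]["approved_after_burst"] = True
            alerts[ev["user"]]["severity"] = "high"
            alerts[ev["user"]]["sources"].add(ev["src"])
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return the alerts."""
    return detect_push_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for user, alert in run_sample().items():
        print(user, alert)
```

On the sample, only alice is flagged: five unapproved prompts in three minutes followed by an approval, so the alert is raised to high severity. Carol's single denial followed by an approval 34 minutes later falls outside the window and is not an alert. In production the high-severity case should trigger session revocation and a password and MFA-device reset for the user, since a push-fatigue approval is an attacker login, not a user mistake.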
- Browser-based attacks
The third trend we see accelerating through 2023 is browser-based attacks. The browser is undoubtedly the biggest attack surface available to threat actors today, and it is critical that the security sector takes greater steps to protect it.
Several vendors are already looking at ways to add security controls directly inside the browser, moving away from the traditional approach of a separate endpoint agent or of controls at the network edge, where firewalls and secure web gateways sit.
It’s pleasing to see major names such as Google and Microsoft making headway in this domain. Both organisations are developing and implementing built-in controls inside their respective Chrome and Edge browsers to secure at the browser level, rather than the network edge.
However, threat actors seem determined to remain one step ahead. Browser attacks are increasing, with attackers exploiting new and old vulnerabilities and developing techniques such as HTTP smuggling.
As a result, remote browser isolation (RBI) is increasingly treated as a core control of Zero Trust security, which stipulates that no device or user, not even the browser, is trusted by default.
- One size doesn’t fit all
Fourthly, organisations must remember that one size doesn't fit all when it comes to security; bespoke technology combinations and strategies remain the way to go.
Recent reports from Gartner have suggested that many organisations are pursuing strategies focused on security vendor consolidation, cutting the number of providers they are working with for their security needs. This has been particularly prevalent in more complicated arenas such as secure access service edge (SASE) and extended detection and response (XDR).
The motivation is less about cost and more about reducing complexity and improving risk management. While continuous improvement is always to be encouraged in security, organisations should not discard best-of-breed solutions in the process.
About the Author
Jonathan Lee is a Senior Product Manager at Menlo Security. In this role, he serves as a trusted advisor to enterprise customers, and works closely with analysts and industry experts to identify market needs and requirements and establish Menlo Security as a thought leader in the Secure Web Gateway (SWG) and Secure Access Service Edge (SASE) space. Experienced in leading the ideation, technical development, launch and adoption of innovative security products, including email security, data loss prevention and endpoint security, Jonathan previously worked for Proofpoint and Websense.