Are You Prepared to Better Protect Against SANS’ Top Attacks and Threats?
ANDY GEPERT
The SANS 2021 Top New Attacks and Threat Report is now available for download, covering the security trends and top threats to watch for as the world emerges from the pandemic. Presented at the SANS threat expert panel discussion held during the RSAConference 2021 Virtual Experience, the report highlights supply chain attacks as the top attack category – and with good reason.
Supply chain attacks that infect legitimate applications to distribute malware to users are on the rise. Although the first major example of this type of attack was the NotPetya campaign back in 2017, the SolarWinds breach, which made headline news in December 2020, elevated supply chain attacks to the top of the list for SANS experts. Since then, companies including Accellion, Codecov and Kaseya have all been victims of such attacks, which went on to impact thousands of downstream businesses around the globe.
SANS experts consider supply chain attacks a subset of a broader category they dub “Undermining Software Integrity”. Such attacks prey on the fact that most enterprises trust the software solutions they purchase from vendors. The report points out that this can happen because, while operating system updates are often tested, application updates are rarely checked to see whether they have been compromised or have had hidden malicious capabilities inserted. The problem can be particularly hard to root out because commercial software packages are sometimes built using open-source tools that have themselves been compromised.
Other types of attacks the panelists warn against include:
- Improper session handling – when applications or protocols fail to properly secure the tokens that let a user stay authenticated without re-entering credentials, or when attackers compromise approaches that had been considered secure.
- Corrupting and reverse engineering machine learning (ML) – when ML capabilities intended to detect dangerous or unknown behavior are not properly implemented in a product, or when attackers target ML algorithms with data attacks to corrupt the algorithms and cause their attack techniques to be classified as safe.
- Evolving ransomware techniques and motivations – the shift from disrupting service to gaining access to and control of data is moving ransomware attacks into the category of breach or disclosure, subjecting organizations to tight regulatory requirements and steep penalties.
The report includes specific advice to mitigate each of these types of attacks, and also suggests some common security controls that can reduce the likelihood of damage from all the threats described. These include integrating intelligence information and adding threat hunting capabilities into your security operations. The ThreatQ Platform helps with both. Here’s how:
Integrating intelligence information across tools, teams and workflows is a foundational capability of the ThreatQ Platform. The process begins by allowing you to ingest, normalize and correlate data to identify relationships and enrich the data with context. From there, you can automatically score and prioritize internal and external threat intelligence based on your parameters and translate data back into a usable format and language for consumption by the tools and teams that need to utilize it. Additionally, ThreatQ Data Exchange makes it simple to set up bidirectional sharing of any and all intelligence data within the ThreatQ Platform and scale sharing across multiple teams and organizations of all sizes.
Threat hunting must start with data. Because the ThreatQ Platform includes the ability to ingest and understand vast amounts of threat data from external and internal sources, analysts can automatically determine the most important items to hunt for within the environment. ThreatQ Investigations allows analysts to conduct investigations collaboratively to search for and compare indicators across infrastructure and find matches between high-risk indicators of compromise (IoCs) and internal log data that indicate possible connections. Once a match is discovered, analysts can cast the net wider to identify second-tier indicators and attributes. With a deep understanding of the threat and of the organization’s level of exposure, they can mitigate risk faster and proactively block similar attacks in the future to strengthen security posture.
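The hunting workflow just described (score and prioritize indicators on your own parameters, match the high-risk ones against internal log data, then pivot to second-tier indicators related to whatever matched) as an added Python illustration; this is not ThreatQ’s code, and the indicator feed, scoring weights and log lines are constructed for the example using documentation IP ranges and .invalid domains.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Indicator:
    value: str          # the IoC itself (IP address, domain, ...)
    confidence: float   # source confidence, 0.0-1.0
    sightings: int      # how many independent feeds reported it
    related: list = field(default_factory=list)  # second-tier indicators tied to it

# Constructed intelligence feed (documentation IP ranges, .invalid domains).
FEED = [
    Indicator("203.0.113.10", 0.9, 4, ["updates.example.invalid", "198.51.100.20"]),
    Indicator("198.51.100.20", 0.4, 1, []),
    Indicator("staging.example.invalid", 0.7, 3, ["203.0.113.77"]),
    Indicator("192.0.2.5", 0.2, 1, []),
]

# Constructed internal log lines (proxy and DNS events).
LOGS = [
    "2021-06-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.10 host=updates.example.invalid",
    "2021-06-01T10:00:05Z dns client=10.0.0.5 query=cdn.example.invalid",
    "2021-06-01T10:01:00Z proxy src=10.0.0.7 dst=198.51.100.20 host=cdn.example.invalid",
    "2021-06-01T10:02:30Z dns client=10.0.0.9 query=staging.example.invalid",
]

# Scoring parameters the analyst tunes; values are assumptions for this example.
WEIGHTS = {"confidence": 70, "per_sighting": 6, "max_sightings": 5}
HIGH_RISK = 80

def score(ind, weights=WEIGHTS):
    """Combine source confidence and corroborating sightings into a 0-100 score."""
    s = ind.confidence * weights["confidence"]
    s += min(ind.sightings, weights["max_sightings"]) * weights["per_sighting"]
    return round(s, 1)

def prioritize(feed=FEED, threshold=HIGH_RISK):
    """Return only indicators at or above the high-risk threshold, highest first."""
    ranked = sorted(feed, key=score, reverse=True)
    return [i for i in ranked if score(i) >= threshold]

def hunt(values, logs=LOGS):
    """Map each indicator value to the log line numbers where it appears as a whole token."""
    hits = {}
    for v in values:
        pat = re.compile(r"(?<![\w.])" + re.escape(v) + r"(?![\w.])")
        lines = [n for n, line in enumerate(logs, 1) if pat.search(line)]
        if lines:
            hits[v] = lines
    return hits

def pivot(first_hits, feed=FEED, logs=LOGS):
    """Second-tier hunt: search the logs for indicators related to anything that matched."""
    by_value = {i.value: i for i in feed}
    second = {r for v in first_hits for r in by_value[v].related}
    return hunt(sorted(second), logs)
```

Note that 198.51.100.20 scores too low to be hunted on its own, but the pivot from the high-risk match surfaces it anyway, which is the point of casting the net wider after a first hit.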
To learn more about the most dangerous new attack techniques in use today and how to mitigate your risk, download your copy of the SANS 2021 Top New Attacks and Threat Report now.