A Midsummer Night’s Security Thought

Charles Henderson

EVP, Cyber Security Services, Coalfire

July 2, 2024

Cybercriminals have been busy this year, but June was especially busy for many organizations. Of note, earlier in the year a financially motivated threat actor targeted Snowflake implementations to conduct data theft and extortion, which came to a head in June with notable victims including Advance Auto Parts, Ticketmaster, and Santander Bank. There is no evidence that Snowflake itself was compromised; rather, threat actors compromised individual devices and reused stolen credentials to log in to Snowflake customer instances. Outside of the Snowflake campaign, Evolve Bank and Trust was the target of a cyberattack that affected financial companies across the country.

Having run teams of hackers for over two decades, I can safely say that how these threats are operating really hasn’t changed. The fact of the matter is that financially motivated threat actors aren’t using novel techniques to get in – they’re either phishing, using valid credentials, or exploiting known vulnerabilities or misconfigurations. It’s been this way for years, and they will continue to target victims who do not employ the fundamentals of cybersecurity. 

So what can organizations do to prepare for and defend against these threats? First, you must adopt an ‘assumed breach’ defensive posture. This means implementing technical controls like proactive threat hunting, holistic exposure management programs, and multi-factor authentication, and validating those controls with penetration testing and adversary emulation.

It also means fixing the incentive structure within your organization to include security objectives. Boards and C-level executives must review the compensation plans for directors and higher in their organization to reward behaviors that drive security objectives forward – and punish behaviors that don’t. Finally, organizations should be proactively monitoring the Internet at large for signs that they’ve been compromised. In instances where credentials are compromised, IT teams should force a reset of those passwords as quickly as possible.
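The last two recommendations above, monitoring for exposed credentials and forcing a reset as quickly as possible, can be automated once a breach-monitoring feed is in hand. The following is an added example, not code from the original post or from Coalfire: it takes constructed leaked-credential reports of the kind a monitoring feed returns, checks each against a constructed internal directory of salted password verifiers, and decides per account whether the leaked password is still in effect (force a reset, and enroll MFA where it is missing), has already been rotated, or belongs to no known account. All email addresses, passwords, and the `triage` function are assumptions made for the example.

```python
"""Triage exposed-credential reports against an internal user directory.

Everything here is constructed for illustration: the directory, the leaked
reports, and the decision labels. A real deployment would read the feed from
a monitoring provider and push resets to the identity provider.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class UserRecord:
    salt: bytes
    verifier: bytes      # PBKDF2 output; the password itself is never stored
    mfa_enabled: bool


def derive(password: str, salt: bytes) -> bytes:
    # Slow KDF so that a stolen directory cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str, mfa_enabled: bool) -> UserRecord:
    salt = secrets.token_bytes(16)
    return UserRecord(salt, derive(password, salt), mfa_enabled)


# Constructed directory: alice still uses the leaked password and has no MFA,
# bob rotated his password after the leak and has MFA.
DIRECTORY = {
    "alice@example.com": make_user("Winter2023!", mfa_enabled=False),
    "bob@example.com": make_user("rotated-since-the-leak", mfa_enabled=True),
}

# Constructed feed records, shaped like stealer-log and combo-list hits.
LEAKED_REPORTS = [
    {"email": "Alice@Example.com", "password": "Winter2023!", "source": "stealer-log-dump"},
    {"email": "bob@example.com", "password": "OldPassw0rd", "source": "combo-list"},
    {"email": "nobody@example.com", "password": "x", "source": "combo-list"},
]

# Higher rank wins when one account appears in several reports.
_SEVERITY = {"no_account": 0, "already_rotated": 1,
             "force_reset": 2, "force_reset_and_enroll_mfa": 3}


def triage(reports, directory):
    """Map each reported email to the action a credential-response process should take."""
    decisions = {}
    for report in reports:
        email = report["email"].strip().lower()   # normalise before lookup
        user = directory.get(email)
        if user is None:
            decision = "no_account"
        else:
            # Constant-time compare of the leaked password against the current verifier.
            still_valid = hmac.compare_digest(derive(report["password"], user.salt), user.verifier)
            if not still_valid:
                decision = "already_rotated"
            elif user.mfa_enabled:
                decision = "force_reset"
            else:
                decision = "force_reset_and_enroll_mfa"
        if _SEVERITY[decision] >= _SEVERITY.get(decisions.get(email, "no_account"), 0):
            decisions[email] = decision
    return decisions


if __name__ == "__main__":
    for email, action in triage(LEAKED_REPORTS, DIRECTORY).items():
        print(f"{email}: {action}")
```

The check that matters is whether the leaked password still verifies against the current directory entry: a hit that has already been rotated can be logged and closed, while a hit that still verifies should trigger an immediate reset, and the absence of MFA on that account is the second finding the same report surfaces.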

None of the previous guidance is going to be a surprise to those with any amount of time in the cybersecurity industry; however, there is a crisis looming on the horizon that CISOs need to be aware of, and that’s how attackers will be leveraging large language models (LLMs). As the already enormous mountain of data from previous breaches continues to get larger, global enterprises are unwittingly creating their next problem. As LLMs continue to grow in sophistication, we will see threat actors use these models to target their next wave of victims, drawing on the vast amount of unstructured data collected from previous breaches. To that point, in June we saw researchers at the University of Illinois demonstrate the feasibility of using LLMs to exploit vulnerabilities. Like everything else in our industry, it’s not a matter of “if,” but a matter of “when.” CISOs and security stakeholders need to prepare now.

If you’re reading this and thinking there surely must be more that can be done, I agree. A few weeks ago, I wrote down some thoughts on the need for stronger security and privacy regulation in the US. As we move closer to Black Hat and DEFCON, my team and I will share more guidance on how to meaningfully drive security in an increasingly challenging threat landscape.

Statements in this blog reflect the author’s personal opinions and do not represent the views or policies of Coalfire Systems, Inc.