Recently, NSFOCUS SOC team summarized the findings from attack and defense drills in the first half of 2023. In these smokeless battles, the attackers advanced with aggressive strategies, while the defenders relied on comprehensive defense systems, taking measures from protecting, monitoring to tracing, and resisting every attempt to breach their defenses.
Vulnerability and Asset Impact Analysis
During these exercises, NSFOCUS SOC team detected and confirmed hundreds of actively exploited vulnerabilities. Zero-day and one-day vulnerabilities increased compared to previous years, but N-day remained dominant.
The Office Automation software and boundary network products were primary targets for vulnerability discovery, accounting for 56%.
Many vulnerabilities exposed this year were already known, and vendors had released patches. However, customers who didn’t update were significantly affected.
Defense Strategy in Practice
Certain tactical characteristics were observed for both attackers and defenders, indicating areas of focus for both parties in the near future:
- Organizational knowledge and code repositories remain the main channels for password leaks.
- The rise of everything being “cloud-based” introduced new attack vectors.
- The software supply chain has increasingly become a weak link in organizational security.
“If you know your enemies and know yourself, you will not be imperiled in battles.” In light of the attack and defense confrontation situation, NSFOCUS provides the following security recommendations:
Optimizing Organizational Security Strategy
- Third-party Product Audit: Organizations should continuously manage and update third-party products, ensuring known security issues are addressed.
- Security Awareness Among Personnel: Regularly enhance security awareness and conduct periodic security training and evaluations.
- Password Security Optimization: Strengthen the management of weak and repeated passwords to prevent potential security issues.
- Manage External Attack Surface: While not impacting the business systems, maintain strict control over external resources to minimize potential attack surfaces.
Security Recommendations for Software Manufacturers
- Real-time Intelligence Sharing: Organizations need to use third-party products during digital construction. Security risks in these products can impact organizational security. Hence, manufacturers should notify customers to promptly patch when updating software security.
- Upgrade Management Strategy: Enhance software upgrade management, ensuring issues in older versions are promptly addressed.
- Shift-left Security Strategy: Manufacturers should identify vulnerabilities in their products, addressing high-risk issues early to reduce overall threats.
- Promotion of Interactive Application Security Testing (IAST): For deep vulnerability checks, IAST products outshine DAST and SAST products. It’s recommended that developers use IAST tools for in-depth vulnerability inspection, ensuring product security.
Recommendations for Remote Terminal Security Operations
- Regular Review and Update: Regularly verify and ensure deployed agents or tools come from trustworthy, official sources and are updated.
- Network Isolation: Try to isolate operational tools from the primary business systems or use dedicated, separate networks for communication to lower potential risks.
- Strong Identity Authentication: Ensure only administrators or operators with verified identities can access and use these tools, reducing the risk of malicious exploitation.
- Security for operational tools and systems is equally important. Comprehensive and in-depth security reviews and management of all components are vital for an effective organizational security strategy.
Building a secure operation is a critical and ongoing task for organizations. According to “Liebig’s law of the minimum,” the strength of an organization’s security defense depends on its weakest component. NSFOCUS offers the following recommendations from the perspective of identifying and addressing potential security risks:
1. Strengthen Access Control and Behavior Audits
Implement strict access control policies, ensuring only authorized personnel can access sensitive data and systems. Implement multi-factor authentication, the principle of least privilege, and access log auditing.
2. Risk Assessment and Audits
Regularly conduct comprehensive security risk assessments and launch a full security check for newly released systems to identify and strengthen potential weak spots.
3. Emergency Response Plan
Have a structured response plan to calmly address major security incidents.
4. Employee Training and Education
Continuously provide security training to raise employee awareness about the latest threats and attack techniques. Educate them on identifying and avoiding potential risks, like phishing emails and malicious software downloads.
5. Stay Updated on Security Intelligence
Build partnerships with security industry leaders to receive the latest security intelligence, techniques, and solutions.
6. Establish Hybrid Security (Cloud and On-Premises) Mechanisms
Focus on the security status and risk identification of cloud-based business operations. Develop a mechanism for collaboration between the cloud and the on-premises to have a more comprehensive grasp of the organization’s cybersecurity status.