The Essence of the Threat Landscape - It’s Not So Complicated

Posted on 2022-08-31 by Pedram Amini

The threat landscape is said to be changing all the time. But is it really? In some ways yes, in some ways no. Let’s peel this back a bit, because it is easy to get lost in all the factoids packed into each year’s Verizon DBIR, let alone the cacophony of vendor messages bombarding your eyes and ears at major cybersecurity venues like RSA or Black Hat. Before I start, let me say that we obviously realize cyberspace is inordinately complex - universal attack surface, human error, motivated and skilled adversaries - we all know the tropes. At the same time, the problem set is quite simple. The vast majority of breaches today can be traced back to tactics that have been in use for over a decade. What continues to evolve is the sheer volume of attacks, their automation and sophistication, and their lucrativeness, given that virtually every organization - business, educational, government, etc. - has blood to give. The popularity of ransomware aimed at even the smallest of businesses shows that no one is immune. No one can comfortably escape the crosshairs. Unless you are truly air gapped (and Stuxnet taught us that not even that is a failsafe), you are connected. And if you are connected, you are a target. To believe otherwise is to place your faith in an extraordinary level of luck.

But back to our story, let’s simplify the problem set. At a high level, attacks fall into one of two buckets: they either target systems or they target users. This simple distinction matters because here at InQuest we focus entirely on what we call the ‘end-user security gap’ - attacks that exploit human vulnerability (not system vulnerability) as the entry vector.

So let’s explain this. System-level exploitation requires no end-user participation. An example would be a misconfigured firewall rule that lets an adversary onto the network, where they can scan for servers running specific applications that are improperly patched. Using crafted malware that exploits one of those unpatched vulnerabilities, the attacker is in and able to do their bidding. No action on the part of anyone inside the targeted network is required. There is no shortage of system-level vulnerabilities available to attack, for all the reasons we know: you can’t patch everything instantly, and even if you could, “there be 0day dragons…”.

That said, it has been far more common in the last few years to find attackers highly focused on exploiting users - and more specifically, end-user interaction with your everyday garden-variety spreadsheet, document, image, video, and PDF files. Why? Because if you look at the numbers, it is ‘shooting-fish-in-a-barrel’ easy. There are roughly 333 million companies in the world, and about 50% of the world’s population carries a smartphone. Add that most companies (not every one, but certainly most) have one or more networks connected to the internet through email and web, and it is no marvel that malware, ransomware, phishing, scams and fraud enjoy nearly unlimited opportunity.

In a very significant percentage of those billions of daily email and web-browsing events lies - guess what - a file. A file that is probably benign - innocent, pure, and with the most wholesome of intentions. But not all files are innocuous, and it is certain that not all humans are aware, 24x7, of the risks associated with opening a seemingly benign file. So we are left with the end-user security gap, responsible for the file-borne breaches and incidents that happen daily.

Is there an answer? Of course. It is rooted in one easily stated principle: take the decision-making out of users’ hands wherever possible. Here at InQuest, we achieve this through File Detection and Response (FDR). Our firm belief is that while traditional detection and response solutions - EDR, NDR and XDR - have the attention of the entire industry, they simply do not cover the end-user security gap. Something else is necessary. And that is exactly why we built InQuest FDR.
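To make the principle concrete, here is a small added example of automated file triage at the email/web boundary. It is illustrative code written for this page, not InQuest FDR or any InQuest product, and it checks three things a busy person is unlikely to notice before double-clicking: whether the declared extension matches the container type identified from magic bytes, whether an Office (OOXML) document carries a VBA macro project, and whether a deceptive double extension such as `invoice.pdf.exe` hides an executable. The magic-byte table, the extension map, the sample files and the allow/block verdict are all assumptions constructed for the example.

```python
"""
Added example (not InQuest code): automatic triage of files arriving by
email or web download, so the user never has to judge them.

All sample inputs below are constructed inline; the type table, the
extension map and the verdict rule are assumptions for illustration.
"""
import io
import zipfile

# Magic-byte prefixes for the container types this triage understands.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",                          # OOXML (docx/xlsx/pptx) and plain zip
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls/.ppt
    b"MZ": "exe",                                  # PE executable
}

# Which container type each extension may legitimately use.
EXT_TO_TYPES = {
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "docm": {"zip"}, "xlsm": {"zip"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
    "zip": {"zip"}, "exe": {"exe"},
}

EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "ps1"}


def sniff_type(data: bytes) -> str:
    """Identify the container type from leading bytes, ignoring the file name."""
    for prefix, name in MAGIC.items():
        if data.startswith(prefix):
            return name
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML/zip payload embeds a VBA macro project (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> dict:
    """Return a verdict and the findings that drove it for one file."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    real = sniff_type(data)
    findings = []
    if ext in EXT_TO_TYPES and real not in EXT_TO_TYPES[ext]:
        findings.append(f"extension .{ext} does not match content type {real}")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in EXT_TO_TYPES:
            findings.append(f"double extension .{parts[-2]}.{ext} disguises an executable")
    if real == "zip" and has_vba_project(data):
        findings.append("Office document carries a VBA macro project")
    verdict = "block" if findings else "allow"
    return {"filename": filename, "type": real, "verdict": verdict, "findings": findings}


def build_macro_docx() -> bytes:
    """Constructed sample: a minimal OOXML zip that includes a macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (names and contents are made up for the example).
SAMPLES = {
    "quarterly.pdf": b"%PDF-1.7\n%constructed sample\n",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "invoice.pdf.exe": b"MZ" + b"\x00" * 62,   # PE stub behind a PDF-looking name
    "report.pdf": b"MZ" + b"\x00" * 62,        # executable renamed to .pdf
    "budget.docx": build_macro_docx(),         # .docx that carries a macro project
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in triage_all().values():
        print(f'{r["verdict"]:5} {r["filename"]:16} {r["type"]:8} {"; ".join(r["findings"])}')
```

The point of the example is the decision flow, not the specific rules: the user never sees the file until an automated check has rendered a verdict, and the checks look at what the bytes actually are rather than what the name claims. A real deployment would extend the type table, inspect archives recursively, and pair this with a sandbox or a signature engine.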

There is more to this story. You can get a good overview here. But if you prefer a few simple takeaways, consider this:

  • End-users are beloved by adversaries
  • They touch files every day - files that can carry extremely well-cloaked malware, ransomware, phishing, scam and fraud tricks - which continues to fuel the end-user security gap
  • Traditional detection and response approaches are simply not covering this gap
  • InQuest FDR is the answer to closing the end-user security gap

Have coworkers or compatriots who might prefer a quick minute and a half video on the topic? Check out this video.

Thanks for your interest in InQuest!


Tags
file-detection-and-response threat-intel
