Organizations Face a ‘Losing Battle’ Against Vulnerabilities

Companies must take more ‘innovative and proactive’ approaches to security in 2022 to combat threats that emerged last year, researchers said.

After a banner year for vulnerabilities and cyberattacks in 2021, organizations believe they are fighting a “losing battle” against security vulnerabilities and threats, “despite the billions of dollars spent collectively on cybersecurity technology,” according to an annual security report from Bugcrowd.

This perception comes after 2021 found organizations grappling with the complexities of hybrid environments (with many corporate workers still at home due to the pandemic), plus an explosion of ransomware and the emergence of the supply chain as a major attack surface, according to the Priority One Report 2022.


The collective feeling of defeat among security professionals, as well as a continued cybersecurity skills gap with 2.7 million cybersecurity roles still to be filled, will “fuel an interest in more innovative and proactive approaches to security in 2022,” predicted the report. This will include turning to the global research community and its programs for bug bounties and vulnerability disclosure for help in uncovering and combating threats, researchers said.

Bugcrowd provides a crowdsourced approach to managing organizations’ pen-testing, bug bounty, vulnerability disclosure and attack-surface management programs. The 2022 report, which compiles data from the company’s activity over the year, highlights some of the top trends in the vulnerabilities that organizations reported in 2021 as well as the types of attacks that occurred most prevalently.

Vulnerability Notes

Cross-site scripting (XSS), an exploit in which the attacker injects script into a legitimate website so that it executes in the victim’s browser when the victim loads the page, was the most commonly identified vulnerability type last year, according to the report.
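To make the XSS mechanism concrete, here is an added example (not code from the Bugcrowd report or from Threatpost) contrasting a template that concatenates untrusted input into HTML with one that escapes it first; the render and check functions are hypothetical helpers and the sample query is constructed.

```javascript
// Added example: reflected XSS happens when untrusted input is written into
// HTML without escaping, so markup the attacker supplies becomes part of the
// page and runs in the victim's browser. Function names are hypothetical.

// Vulnerable: the query string is concatenated straight into the markup.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: escape the five characters that carry meaning in an HTML text
// context, so the input is displayed as text instead of parsed as markup.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Detection helper for template tests: report true if the rendered HTML
// contains any tag other than the ones the template author wrote.
function containsInjectedTag(html, allowedTags = ["p"]) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample input containing script markup.
const sample = '<script>alert("xss")</script>';
console.log(renderSearchUnsafe(sample)); // script tag survives: vulnerable
console.log(renderSearchSafe(sample));   // rendered as &lt;script&gt;...: inert
```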

Attackers often use XSS in attacks that steal people’s credentials, which could be a reason sensitive data exposure also had a higher profile last year. The threat moved up to No. 3 from No. 9 on the list of the Top 10 most commonly identified vulnerability types in 2021, according to the report. Indeed, stealing credentials is a key way that threat actors breach corporate networks and go on to steal data through ransomware or other attacks.

Among the industries most affected by vulnerabilities in 2021 was the financial-services sector, with these companies on Bugcrowd’s platform experiencing a sizeable 185 percent increase in the last 12 months for “priority 1,” or P1, submissions, which refer to the most critical vulnerabilities, according to the report. Valid bug submissions also were up 82 percent in this sector, as were payouts for identifying flaws, which rose 106 percent last year.

The government sector also saw a massive uptick in valid vulnerability submissions in 2021, according to the report. Bug submissions rose a staggering 1,000 percent in this space, which also made this sector “the main beneficiary of continuous engagement with the crowd,” according to the report.

“The vast majority of these submissions occurred in the third quarter, when government buyers turned on the taps for crowdsourced security in response to new federal civilian agency directives that, for example, make vulnerability disclosure a key requirement,” according to the report.

2021 Security Trends

Among the high-level security trends that were in the spotlight last year, ransomware “went mainstream” in 2021, overtaking personal data breaches and eliciting a broad government response to disruptive attacks like the one on Colonial Pipeline last May, according to the report.

Indeed, Russia’s Federal Security Service (FSB) just last week reported that it raided 25 locations to seize assets worth more than $5.6 million from the REvil ransomware gang, effectively liquidating the group.

The Biden administration also took a hard line against ransomware actors last year, widening the government’s cyber-defenses and strategies to combat attacks.

Though notable ransomware groups closed up shop last year, others have risen to take their place, and Bugcrowd noted the evolution of ransomware attacks that is currently occurring.

“We are now seeing ransomware gangs applying lean startup principles to their operations,” researchers wrote in the report. “They begin with skeleton teams making scattergun, speculative attacks and crudely requesting their rewards in crypto. Following one or two successful attacks, these teams treat the ransoms paid as seed capital, using it to grow their operations and invest in better software, talent, and exploits.”

The most elite ransomware groups now run processes that include detailed recon/research to identify targets, advanced communications, and media relations to stoke fear and increase the likelihood of a payout occurring, researchers noted. These processes also include tracking critical vulnerabilities to find gaps for exploitation that have remained undetected by organizations, heightening the need for a proactive security approach by organizations, they said.

The supply chain also emerged as a “primary attack surface” in 2021, which will have an impact on how organizations deal with vulnerabilities and security in 2022, according to the report.

Though this trend already has created “a thriving industry of scanners and automated tools,” organizations will still need to start thinking like threat actors and enlist the help of ethical hackers and other crowdsourced security solutions to protect the supply chain this year, researchers said.

“Only an approach that turns that weakness into a strength—by adopting the same tools, techniques and mindset as attackers to uncover vulnerabilities before they do—leads to success,” they wrote.
