2020 review from the RIOT SOC

4 December 2020
Published by Rob Merkwitza, Managing Director

Year in Review

2020 has been an unprecedented year on many fronts. The uprooting of what was once a full-time office workforce, and the rapid shift to working from home, introduced issues of cyber risk, network architecture and network links in a very short time. This has stretched internal IT teams to the breaking point and, from our observations, well past it.

Many organisations and businesses undertook rapid architecture and policy changes, which may have increased or decreased their attack surface depending on the changes made. On the other hand, isolation gave security researchers on both sides of the fence (ethical and non-ethical) time to identify and disclose more zero days.

Our National Security Operations Manager, Jon Robertson, made a prediction back in February based on his background in offensive security, stating that “there will be a noticeable uptick in zero days / CVE’s dropping in coming months with the beginning of mandatory isolation globally”.

A recent saying in our team is “without data, we are just another group with an opinion”. Keeping true to this statement, the graphic below shows the CVEs allocated over the 2020 period.

As we can see, the hard work of security researchers is paying off. Taking into account responsible-disclosure countdown timers and the like, assigned CVEs spiked in March and June, which correlates fairly well with the global mandatory isolation periods and resulted in a mad dash from vendors like Microsoft and VMware to provide mitigations for these vulnerabilities. The knock-on effect is that internal IT operations teams, who are already stretched, cannot focus on patching, resulting in a drop in security posture across many businesses and organisations.

The graphic below shows the Microsoft patches released during 2020 for CVEs that may have needed additional manual effort to implement the remediation steps addressing the vulnerability.

To put it simply, not all Windows patches remediate risk auto-magically; as shown below, the effort required of internal IT teams continues to grow. Interestingly, this graphic tracks the previous one fairly closely!

Reflection of Incidents in 2020

As all onboarded clients will be aware, RIOT MSS provides Incident Response services. Throughout 2020 we responded to 9 incidents, all of which were profoundly serious in nature; the common theme was crypto-malware / ransomware. The majority of this malware was introduced via phishing, after which it was able to find and exploit domain administrative permissions to assist its propagation.

No clients who experienced ransomware paid the ransom, and most were able to restore from backups within the first 3 days of the incident. The average outage / business impact time for these incidents was 4 days, with remediation and clean-up activities continuing for weeks after the initial incident.