Whilst it feels like only a few months ago that I wrote the 2020 year in review, I am sure I am not the only one who feels that 2021 was a blur. Another unprecedented year of displaced workforces, pushing systems and teams to the limit – albeit slightly better prepared off the back of 2020.
From our side of the fence (the Security Operations Centre), 2021 was the busiest year to date – for all the wrong reasons. We responded to 16 separate P1 incidents requiring incident response protocols to be enacted. We also undertook our longest IR to date – 15 days of continuous eyes on glass, 24×7 in 8-hour shift rotations. It was amazing to be part of the team in those rotations. We are trained for these incidents, which made us ask: what about those who don't have an IR / MDR partner, the teams of three system administrators? How would they survive this? It certainly pushed us to new levels of fatigue management awareness!
Many new clients joined us across the various Managed Security services we offer, and new services have been architected, tested and deployed based on the gaps we are seeing in client security posture and in the market.
More clients will mean more headcount in the SOC. Those clients who have been with us from the start will recall that we started with a small team of four subject matter experts; as of February 2022, I can reveal that the RIOT Managed Services team now has a total of 23 team members, with many more seats to fill.
By the end of 2022, I expect us to be a team of nearly 30. We are now ingesting over 1.2 terabytes of security log data daily across our client base. That figure covers only production clients and does not include clients in the pilot phase.
Predictions for 2022
Two words: ransom and politics.
Ransom operations are going to reach a new level. They have been the flavour of the last two years, and I personally believe it is going to get worse. We are observing an evolution from "drop and detonate" ransomware to more personalised ransom operations: data exfiltration, double extortion and active communication from the malicious operators. Rest assured we as an MDR partner are evolving as well, both internally within Security Operations and in scale and reach with localised threat intelligence. However, consider the recent vulnerabilities being disclosed in Linux-based systems. I feel ransomware will increasingly target Linux-based operating systems, which presents a problem. Depending on how you look at it, it could be worse than the ransomware techniques employed today, because Linux systems are often not covered by the enterprise AV / EDR suites that organisations deploy on their Windows fleets. If ransomware targets these systems, the ability to detect and contain the spread may be limited.
On to the second word, politics. Most of the nation has little control over which direction this will go, but with the Australian government throwing its support behind Ukraine in the Russia v Ukraine theatre, there is a high likelihood that Australia will be the target of sophisticated attacks from Russian operatives. Russian-based attacks are also starting to trend against critical infrastructure. It will be near impossible to tell whether these are state-sponsored guns for hire or vigilante groups until after the attacks have been executed. Regardless of who is launching them, I expect a new wave of attack methodologies to emerge using recently disclosed vulnerabilities. Make no mistake, these groups are motivated, organised and agile, which puts increasing pressure on already struggling security teams to patch their systems quickly.
Final Words & Recommendations
It's going to be a big year for us here at RIOT. The strategic direction, training and general efforts of the SOC team are being aligned to the predictions above, to whatever emerges over the coming year, and to the challenges our clients face.
I am often asked "What are the things I should focus on NOW, coming from a minimal security posture?" And my answer is always that we need to go back to basics:
- Next Generation Firewalling – enable automatic definition updates, turn on the security features you are already licensed for, and enable geo-blocking
- Office 365 – enforce MFA on everything, review conditional access policies and enforce them, and investigate and enable email filtering
- MFA – on VPNs and anything externally facing, but also look into the server fleet: enforce MFA for remote desktop access
- Azure AD / Active Directory – clean up the admin accounts and over-permissive groups, then monitor them closely for changes
- Endpoint Security – have a reputable, centrally managed endpoint security suite deployed on every endpoint, and monitor the fleet for compliance
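The Active Directory point above is where most small teams do not know where to start, because privileged access hides in nested groups. The script below is an added example written for this page, not RIOT's tooling: it expands the built-in privileged groups recursively and flags the accounts a reviewer would want to look at first (disabled accounts still holding rights, passwords set to never expire, accounts with no logon in 90 days, and service accounts sitting in admin groups). It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed; the group list and the 90-day threshold are assumptions you should tune to your environment.

```powershell
# Added example: report on who effectively holds privileged rights in AD.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Built-in groups that grant domain- or forest-wide administrative rights.
# Assumed list; add any custom "tier 0" groups your environment uses.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins'
)

# Accounts with no logon inside this window are treated as stale (assumed value).
$StaleDays = 90
$StaleBefore = (Get-Date).AddDays(-$StaleDays)

$Report = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    try {
        $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not read group '$Group': $($_.Exception.Message)"
        continue
    }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName -Properties `
                    Enabled, PasswordNeverExpires, PasswordLastSet, `
                    LastLogonDate, ServicePrincipalName

        # Collect the reasons this account deserves a second look.
        $Findings = @()
        if (-not $User.Enabled) { $Findings += 'disabled-but-privileged' }
        if ($User.PasswordNeverExpires) { $Findings += 'password-never-expires' }
        if ($User.LastLogonDate -and $User.LastLogonDate -lt $StaleBefore) {
            $Findings += "no-logon-in-${StaleDays}d"
        }
        if ($User.ServicePrincipalName) { $Findings += 'service-account-in-admin-group' }

        [PSCustomObject]@{
            Group           = $Group
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            PasswordLastSet = $User.PasswordLastSet
            LastLogonDate   = $User.LastLogonDate
            Findings        = ($Findings -join ', ')
        }
    }
}

# Accounts with findings first, then everything else, so the clean-up list is obvious.
$Report | Sort-Object Findings -Descending | Format-Table -AutoSize

# Keep a dated snapshot; diffing it against the previous run is the cheapest
# "monitor closely" you can do before proper alerting is in place.
$Report | Export-Csv -Path ".\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it weekly and compare the CSV with the previous week's; any new SamAccountName in a privileged group that nobody can explain is an incident, not a housekeeping item. Once the baseline is clean, the same visibility belongs in your SIEM: the domain controller security log records additions to security-enabled groups as event IDs 4728 (global), 4732 (domain local) and 4756 (universal), and an alert on those events for the groups listed above is the "monitor closely" part of the recommendation.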
Do these things, and you will be in a much better position from an active defence perspective.
All the best.
Jon Robertson – GM | Managed Security Services