The State of Security in 2024: The Fortra Experts Take a Look

At Fortra, we like to encourage a collaborative environment. One of the ways we bring our community together is through our Transformer meetups which aim to provide a positive, energizing, and fun hub for all Fortra employees to learn how to be innovative, get inspired by others, and reach their creative potential.

Our most recent meetup was moderated by myself and our panelists were Tyler Reguly, John Wilson, Bob Erdman, and Nathan Ramaker. The conversation was so insightful, that we wanted to share some of the discussion with others in this blog.

Joe Pettit: October was National Cybersecurity Awareness Month. What is a tip that you would recommend to help people better protect themselves?

Tyler Reguly: Just remember that when you get a phone call and someone is trying to scare you, they’re introducing fear, trying to entice you to do something you shouldn’t do, such as giving them a credit card number, click a link, or open a remote desktop session on your computer.

Also, be very wary when people reach out to you and want you to follow their guidance. It’s not tech support from Microsoft. Microsoft does not reach out to customers to alert them about viruses. If you receive an unsolicited call like that, it is a scam.

Nathan Ramaker: Since we are all in the cybersecurity profession, if you have family members who are susceptible to these types of scams, let them know that you have time to help them and that you can take their phone call. Reach out to your people and let them know that you’re available to be their tech support for them.

Bob Erdman: If you receive an unsolicited tech support call, just hang up. Then go find the number of whoever it is that called you on their actual website and call them and find out if the call was legitimate. Another tip since we are all working from home, just like you check your smoke detectors, this is a great time to check your home Wi-Fi, your router, and all of your other equipment and make sure you are patched up with all the latest updates.

John Wilson: If you look at various scams in the past, the email would start with something like, dear customer; it would be very impersonal. Well, thanks to many, many years of breach data going out there and the fact that they’ve compiled these and linked them all together, now the scammers have your email connected to your name, connected to your home address, connected to your phone number.

We’ve seen lures that are far more personalized today. There was one recently that claimed they had taken over the person’s computer, demanding Bitcoins or they were going to give all the contacts a compromising video that they had taken of the victim. What made the attack convincing is that the attackers included a Google Street View picture of the victim’s house and implied that failure to pay would result in a visit by the criminals.

The thing to impress upon people is that if the message is very impersonalized and just says, dear customer, ignore it. But even if it addresses you directly, you should not be worried about it either. The criminals are not going to come knocking on your door. That’s just not part of their business model.

Joe: Thinking about this year, I see there have been lots of different attacks. I would love to hear your thoughts on what really stood out from the main threats this year. What sort of attacks have taken place that have really caught your eye? 

John: The big one was the personalization of the social engineering attack. That is definitely a new trend. I had not seen that prior to September of this year. That’s how new it is. Beyond that, the other thing to keep an eye out for, and the other trend that we very much see, is an attack on the supply chain. Rather than trying to compromise a thousand websites to find a few credit card numbers, the new attack method alters a website plugin with bad code that manages to steal credit card information.

By attacking that supply chain, the criminals suddenly had thousands of websites that effectively had a digital skimmer installed. I fully expect to see more of these coming in the future where they’re going to attack the supply chain, whether it’s the software supply chain or the physical supply chain, rather than go directly after their target.

Bob: There used to be some honor among thieves, where they stayed away from hospitals and healthcare sites. That’s no longer the case, as some of these larger groups have been broken up. Some people have been arrested, and they’ve splintered. They have reformed into lots of smaller groups, and everything’s fair game now, and we have these problems everywhere.

Nathan: The event that jumps to mind is the Crowdstrike incident. It wasn’t due to an attacker bringing down infrastructure, but it was more due to the software that’s supposed to prevent attacks bringing down that same infrastructure. It highlights the responsibility we have being on the critical path and customers allowing us to take over their infrastructure for them on their behalf, and it highlights the responsibility we have.

Tyler: There are a few that stand out to me. The Cups vulnerability was a great example of something that was over-hyped – which is another problem that we have in our industry – vulnerabilities get hyped so much. Also, the new Midnight Blizzard attack that Microsoft has been tracking, where attackers are sending signed RDP files, and people are clicking on them, establishing an RDP connection to a malicious server, and it’s mapping all of their network drives as part of it. Then the attackers just take all the files off of their network drives. It’s a really interesting and innovative attack, but it’s a pretty serious one that just popped up this past week.

Joe: We see how attackers are getting smarter all the time. One of the tools they have now that they didn’t have a few years ago is Artificial Intelligence. What do you all see as the pros and cons of it for cybersecurity professionals?

Nathan: From the perspective of a cybersecurity company, the biggest benefit to us would be to generate assistance that helps our Security Operations Center. Generative AI doesn’t present any unique threats to us. They’re mimicking the same entry points that a human actor would attack with, so we would fight it the same way.

We would secure the entries, detect intrusions where possible, and try to shut down the kill chain. It doesn’t really matter to us whether or not it’s a human or a generative AI mechanism performing that intrusion, but it is something to watch and consider in the future.

Tyler: I hate generative AI. It has led to a real deficit in basic knowledge, which is concerning. This is particularly troubling in the education of those coming into cybersecurity.

I worry about the next generation of cybersecurity practitioners more than I worry about the threats that Generative AI is producing right now. If you’re producing all of your answers and essays and everything in all your courses using generative AI, how much are you really learning?

John: I deal a lot with social engineering attacks, and one of the things that generative AI does is it eliminates that sort of clumsy language that a non-English speaker, for example, might use in a lure. Not only does it allow a person to smoothen their English and make it sound more naturally flowing, but it can also translate the attack into multiple languages. AI has effectively opened up countries that traditionally have not been the victims of social engineering to those very same actors.

Joe: Is there still value in honeypots or honeynets?

John: I absolutely believe so. Honeynets are a great example. If you can get the attacker to waste all their energy hacking into a fake mirror of your network, but you’re watching everything they do and then protecting against those when they come after your real network, there’s a huge value in that. However, doing it properly is costly, and you have to be really, really careful not to expose your infrastructure, tip off the attacker, and give them more intel through your actions.

Bob: Definitely, yes, there is a lot of information to be gained by just watching and seeing what the latest tactics and techniques the attackers use against the honeynet or honeypot

Tyler: There is huge value in honeypots and honeynets. When you start talking about cyber deception and the idea that if you can trick people with fake infrastructure, running honeypots that spool up dozens of different services and emulators across multiple domains and IP addresses is a great way to really distract from where your real infrastructure is.

Joe: When it comes to threat research, is there a skill shortage? And if there is, how are organizations overcoming those challenges?

Nathan: I can’t speak to threat research, but I can speak to the data science skill shortage. One thing that I favor when interviewing candidates is people that have started from a solid engineering background and they’ve changed their career or specialized in machine learning and data science.

There are a lot of new programs available for data science degrees as an undergraduate degree, and this is more of a late-stage career choice than something you can do right out of college. I would love to see the industry focus more on converting seasoned people into cybersecurity rather than having that be an entry-level position.

John: You fully are going to have to expect to do some on-the-job training. Even if you hire somebody who claims to have a great deal of experience, there’s going to be stuff they still don’t know that they’re going to have to learn that’s specific to your environment and specific to your products. We just have to accept that.

Joe: Often, there are new tools that come out, and people are marketing them saying that this is the silver bullet and various different things, but I would love to hear the insights in terms of what new technologies are CISOs or security analysts, whoever it may be looking at investing in right now. Can you shed some insight into what new technologies are being leveraged and being fostered in the industry?

Bob: One of the biggest ones that really took off with the work-from-home mandates that came out during the pandemic is agent-based technologies on the desktops. Prior to this, a lot of our infrastructure was on the network, so as long as you were connected to the network, we could see and protect things. Now, people are mostly not on the network.

Everyone is connecting through service channels, detached from the backend infrastructure. Without that capability of being actually on the physical device or the virtual device, depending on what they’re running, but being the device level, the office can’t see what’s going on. So, a lot of these things have moved to agents.

John: If you look at most successful breaches or ransomware events, the commonality is the human element. Social engineering is the main vector. One of the methods to combat this is anomaly detection for authenticated users. Even though a person is properly authenticated, are they behaving in a way that makes sense?

You might identify a malicious insider, or you might identify that compromised insider by looking at those anomalies. For example, we refer to “Impossible Travel.” It’s one thing if I book a trip to Singapore for a conference; it’s another entirely if I’m in Mountain View, California, and an hour later, I’m in Singapore. That’s a bit of a problem. I don’t own a rocket, so there’s no way for me to get there in an hour.

Tyler: If I was giving advice to a CISO, I would say, forget about the shiny. Get your core technology under control, get your vulnerability management in place, and get your security configuration management in place. Get your file integrity monitoring in place. Those are your keys and your base layer. And then build on top of that once you have that well-established.

This meetup was another lively discussion, with our panelists also offering some insights and recommendations about their favorite security conferences, as well as some specific product recommendations.

To learn more about Tripwire’s industry-leading cybersecurity and compliance tools built to defend your whole organization, take a look here.