2023-09-29

Over the last eighteen months or so, a motley group of teenagers operating under the banner of Lapsus$ managed to hack into “unbreachable” fortresses at tech giants such as Okta, T-Mobile, Nvidia, Microsoft, and Globant using unsophisticated but creative and persistent techniques.

While the group’s goals were unclear and shifted over time, fluctuating between amusement, monetary gain, and notoriety, its success again brought to the fore the persistent gaps in security at even the biggest and best-informed companies.

“Organizations must act now to protect themselves, and the Board identified tangible ways to do so, with the help of the U.S. government and the companies that are best prepared to provide safe-by-default solutions to uplift the whole ecosystem,” says a report published by the Homeland Security Department’s Cyber Safety Review Board.

The lesson here for companies is that attackers don’t need to discover new threats or sophisticated methods of penetrating your networks. Using the “same old” low-skill tactics, common tools, and a bit of social engineering, hackers can get around controls such as multi-factor authentication (MFA) and identity and access management (IAM) systems.

Let’s revisit the most prevalent security threats and see how they’re evolving in 2023.

Initial access

Initial access consists of the various techniques attackers use to gain a first foothold in your network. The process starts with identifying vulnerable or exposed hardware, software, and human assets, both internal and external, by way of scanning and reconnaissance.
The attacker then chooses the target and method of entry and leverages those assets to gain a foothold on the victim’s servers or network.

The MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques, maintains an updated list of initial access techniques. In 2023, these include:

Detection:

Patterns, and changes to them, are key to detecting fraudulent access. Smart admins will continuously monitor login successes and failures, multi-factor authentication prompts (how many are sent, how many are rejected, and who finally approves), input validation failures in applications, file access, creation and deletion, as well as the connection and removal of removable media. Every out-of-place event needs to be investigated.

Prevention:

As we’ve seen, there are a multitude of paths attackers can take into your network. User awareness training, strong login credentials with phishing-resistant multi-factor authentication (push-based MFA can be worn down by repeated prompts, which is exactly what Lapsus$ exploited), promptly patched software that shrinks the window of exploitable vulnerabilities, and regular testing will help companies deny adversaries that all-important initial access to their systems.

Website spoofing

Spoofing is similar in principle to phishing but deserves special mention due to the scale on which it is carried out and its continued impact on individuals as well as organizations.

In website spoofing, the attacker imitates a legitimate website or domain name, lures its audience to the fake using various methods (phishing emails and texts, malicious ads, typosquatted links), and lies in wait until an unsuspecting user lands on it. Once the victim is on the site, the possibilities are endless, from harvesting credentials and session tokens to delivering malware.

Imitating popular websites, or domain spoofing to be precise, is more common than related attacks such as IP spoofing, email spoofing, MAC spoofing, DNS spoofing, and ARP spoofing because the user experiences visual similarity to a recognized entity and has no easy way to tell the difference.

“Website spoofing takes advantage of naïveté, fooling everyday users who think they are interacting with brands they know and trust.
Because of this trust, users are less likely to take a second look at the website’s URL,” says Israel Mazin, CEO of Memcyco, a real-time website spoofing protection platform.

The most recent data available indicates that 62% of all identity attacks leveraged display name deception to impersonate a trusted organization, individual, or brand, typically a vendor or partner. Brands and businesses need to monitor for lookalike domains and take proactive steps to prevent domain spoofing.

Detection:

One of the first signs of a website spoofing attack is an unusual or too-good-to-be-true request, such as a special Amazon sale offering a 25% discount on the latest iPhone. You know very well it’s not going to happen. Scammers will often add a sense of urgency, saying the offer expires in 2 hours, for example. On closer inspection, you’ll typically find a shortened URL or a hostname whose spelling differs slightly from the company’s primary domain: a swapped or missing letter, a digit standing in for a letter, an extra hyphenated word, a different top-level domain, or the brand name placed in a subdomain of an unrelated domain. A quick search for the real site should settle it.

Website spoofing puts a bigger onus on the user or individual than on the organization for detection, though organizations can shift part of that burden by watching newly registered domains and certificate transparency logs for their brand names.

Prevention:

Nearly 75% of Forbes Global 2000 companies haven’t implemented vital domain security measures, indicating continued widespread susceptibility to domain and website spoofing.

It’s a common misconception that only enterprise domains are spoofed. SMBs and startups are equally at risk. Use a reputable registrar and hosting provider, and enable registrar lock on your domains. Regularly monitor your domain and DNS settings, as well as your website logs for signs of abnormal traffic with unusual referrers or URL modifiers (a spoofed site that proxies or hotlinks your real pages often shows up as a stream of requests from a single unfamiliar referrer). Implement a Web Application Firewall (WAF) in front of your web server, and publish Domain-based Message Authentication, Reporting & Conformance (DMARC) records for email, backed by SPF and DKIM, with an enforcing policy (quarantine or reject) rather than p=none, so that mail forged from your domain is blocked rather than merely reported.

Data exfiltration

Exfiltration is an umbrella term for the methods attackers use to steal data from the victim’s systems.
Once they’ve identified and copied the data they want, adversaries use packaging, compression, encryption, and hiding techniques to avoid detection at the time of transferring it out.

One of the most prevalent and damaging types of attack, ransomware, increasingly relies on data exfiltration. In a double-extortion scheme the attacker identifies file servers on which sensitive information is stored, copies the data out of the network (by email, through a remote-management or file-transfer tool, or by uploading it to external cloud storage) and only then encrypts it, so that even a victim with good backups can be blackmailed with the threat of publication. Some shocking ransomware stats:

Detection:

Intrusion Detection Systems (IDS) that actively monitor the network for suspicious traffic are the first line of defense against data exfiltration. Traffic to and from previously unseen IP address ranges, file access at unusual times, major spikes in outbound traffic, and outbound connections to external servers over a generic or unencrypted protocol (FTP, plain HTTP, or DNS abused as a tunnel) are typical indications of exfiltration. Because attackers also exfiltrate over HTTPS to legitimate cloud storage, per-host baselines of outbound volume and known destinations matter more than the protocol alone.

Prevention:

In the age of Bring Your Own Device (BYOD) and remote work, preventing data exfiltration needs a comprehensive, well-rounded data security and governance strategy. A Security Information and Event Management (SIEM) system lets you collect and correlate data from disparate IT environments and touchpoints for real-time monitoring and analysis.

Further, a next-generation firewall (NGFW) provides an additional layer of defense against newer, advanced attacks by inspecting traffic at the application layer, enforcing egress filtering, and blocking unauthorized channels. Finally, apply Zero Trust Architecture (ZTA) principles: authenticate and authorize every data access and transfer, and treat bulk compression or encryption of sensitive data by an unexpected process or account as a signal to investigate.

Proactive detection and prevention

In 2023, it is impossible for you to know all the threats and vulnerabilities out there. It is impossible to know all your adversaries. It is impossible to know all their approaches.
“With the increasing availability of sophisticated technological and social engineering tools, attackers have a higher chance of succeeding – and gaining big – with little risk,” Mazin warns.

A proactive threat detection and response program with user behavior analytics (UBA), regular threat hunting and penetration testing, and pre-emptive honeypot traps will soon be standard components of a typical security strategy, if not the norm.
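The login and MFA monitoring recommended in the initial access section above, as an added example (this is not code from the original article). It flags the two patterns Lapsus$ made famous: MFA push fatigue (a burst of rejected or expired push prompts followed by an approval) and a run of login failures followed by a success. The key=value log format and the sample lines are constructed for illustration; a real deployment would parse the identity provider's own export.

```python
"""Flag MFA push-fatigue and brute-force-then-success patterns in auth logs.

Added example, not code from the original article. The log format below is a
constructed, hypothetical one (key=value fields); adapt parse_log() to your
IdP's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is push-bombed at 02:xx and finally approves;
# bob is brute-forced and the attacker then logs in; carol's activity is normal.
SAMPLE_LOG = """\
2023-09-28T02:11:05Z user=alice event=mfa_push result=denied src=203.0.113.7
2023-09-28T02:11:40Z user=alice event=mfa_push result=expired src=203.0.113.7
2023-09-28T02:12:15Z user=alice event=mfa_push result=denied src=203.0.113.7
2023-09-28T02:12:50Z user=alice event=mfa_push result=expired src=203.0.113.7
2023-09-28T02:13:30Z user=alice event=mfa_push result=approved src=203.0.113.7
2023-09-28T09:00:01Z user=carol event=login result=success src=198.51.100.4
2023-09-28T09:00:20Z user=carol event=mfa_push result=approved src=198.51.100.4
2023-09-28T11:30:00Z user=bob event=login result=failure src=192.0.2.66
2023-09-28T11:30:03Z user=bob event=login result=failure src=192.0.2.66
2023-09-28T11:30:06Z user=bob event=login result=failure src=192.0.2.66
2023-09-28T11:30:09Z user=bob event=login result=failure src=192.0.2.66
2023-09-28T11:30:12Z user=bob event=login result=failure src=192.0.2.66
2023-09-28T11:30:15Z user=bob event=login result=failure src=192.0.2.66
2023-09-28T11:30:40Z user=bob event=login result=success src=192.0.2.66
"""


def parse_log(text):
    """Parse key=value lines into dicts carrying a datetime under 'ts'.

    Malformed lines are skipped rather than aborting the run: a detection
    job must not be derailed by one bad record.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        fields["ts"] = ts
        events.append(fields)
    return events


def detect(events, window=timedelta(minutes=10), push_threshold=3, fail_threshold=5):
    """Return a list of (user, rule, timestamp) findings.

    push_fatigue:        >= push_threshold denied/expired pushes within `window`
                         before an approved push.
    brute_force_success: >= fail_threshold login failures within `window`
                         before a successful login.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.get("user", "?")].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            earlier = [p for p in evs[:i] if e["ts"] - p["ts"] <= window]
            if e.get("event") == "mfa_push" and e.get("result") == "approved":
                rejects = [p for p in earlier
                           if p.get("event") == "mfa_push"
                           and p.get("result") in ("denied", "expired")]
                if len(rejects) >= push_threshold:
                    findings.append((user, "push_fatigue", e["ts"]))
            if e.get("event") == "login" and e.get("result") == "success":
                fails = [p for p in earlier
                         if p.get("event") == "login" and p.get("result") == "failure"]
                if len(fails) >= fail_threshold:
                    findings.append((user, "brute_force_success", e["ts"]))
    return findings


if __name__ == "__main__":
    for user, rule, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {rule}")
```

The thresholds are deliberately parameters: a tolerable number of rejected pushes depends on how often your users mis-tap, and a single legitimate approval after three rejections at 2 a.m. is still worth a call to the user.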
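The lookalike-domain monitoring that the website spoofing section above asks brands to do, as an added example (not code from the original article or from Memcyco). It classifies candidate hostnames against a list of protected brand domains into the variants the detection paragraph describes: typosquats, homoglyph and IDN lookalikes, hyphenated "combosquats", the brand name buried in a subdomain, and a swapped top-level domain. The brand list, sample hostnames, the tiny public-suffix table and the confusable-character table are all constructed for illustration; a production version would use the Public Suffix List and the full Unicode confusables data.

```python
"""Classify hostnames as legitimate or lookalike against protected brand domains.

Added example, not code from the original article. Tables and samples are a
constructed, illustrative subset.
"""
import unicodedata

# Second-level public suffixes treated as part of the TLD (illustrative subset).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Confusable characters/sequences -> the ASCII they are meant to look like (subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0455": "s", "\u0456": "i", "\u04bb": "h", "\u0501": "d",
    "0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d",
}

BRANDS = ["amazon.com", "okta.com"]  # constructed list of domains you protect

SAMPLE_HOSTS = [  # constructed candidates, e.g. from new-domain or CT-log feeds
    "www.amazon.com", "amazon.shop", "amaz0n.com", "\u0430mazon.com",
    "amazom.com", "amazon-secure-login.com", "amazon.com.verify-acct.net",
    "okta.login.example.net", "example.org",
]


def split_host(host):
    """Return (subdomain, registrable_label, suffix) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    n = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    suffix = ".".join(labels[-n:])
    sld = labels[-n - 1] if len(labels) > n else ""
    sub = ".".join(labels[:-n - 1])
    return sub, sld, suffix


def skeleton(label):
    """Map an IDN or homoglyph label to the ASCII string it visually imitates."""
    try:
        label = label.encode("ascii").decode("idna")  # expands xn-- punycode
    except UnicodeError:
        pass  # already Unicode (or not valid punycode): use as given
    label = unicodedata.normalize("NFKC", label)
    for seq in sorted(CONFUSABLES, key=len, reverse=True):  # multi-char first
        label = label.replace(seq, CONFUSABLES[seq])
    return label


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, brands):
    """Return (verdict, matched_brand_or_None); verdicts are ordered most-specific first."""
    sub, sld, suffix = split_host(host)
    for brand in brands:
        _, bsld, bsuffix = split_host(brand)
        if sld == bsld and suffix == bsuffix:
            return "legit", brand                    # the real site or its subdomain
        if sld == bsld and suffix != bsuffix:
            return "tld_swap", brand                 # amazon.shop
        if skeleton(sld) == bsld:
            return "homoglyph", brand                # amaz0n, rnicrosoft, Cyrillic а
        if len(bsld) >= 5 and levenshtein(sld, bsld) <= 1:
            return "typosquat", brand                # amazom (short brands excluded)
        if bsld in sld.split("-") or (bsld in sld and sld != bsld):
            return "combosquat", brand               # amazon-secure-login
        if bsld in sub.split("."):
            return "subdomain_impersonation", brand  # amazon.com.verify-acct.net
    return "unrelated", None


def scan(hosts, brands):
    """Map each candidate host to its verdict."""
    return {h: classify(h, brands)[0] for h in hosts}


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_HOSTS, BRANDS).items():
        print(f"{verdict:24s} {host}")
```

Feed it the domains that appear in your DMARC aggregate reports, new-registration feeds and certificate transparency logs; anything other than "legit" or "unrelated" is a candidate for a takedown request or a block on your mail and web gateways. The "combosquat" rule errs on the side of false positives by design, since a human reviews the output.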
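The exfiltration indicators listed in the data exfiltration detection paragraph above, run over sample flow records, as an added example (not code from the original article). It scores one day of outbound flows per host against a constructed baseline: a new external destination, bulk transfer over a plaintext protocol such as FTP, anomalously large DNS volume to one resolver (a tunnelling sign), and total egress far above the host's historical median. The hosts, baseline, flows and the RFC 1918 internal ranges are all assumptions for illustration; the destination addresses are documentation-range placeholders.

```python
"""Score outbound flow records for data exfiltration indicators.

Added example, not code from the original article. Flow records, baseline
and thresholds are constructed; in practice the baseline would be built from
weeks of NetFlow/IPFIX or firewall logs.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Your own address space; everything else is treated as external (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed 7-day baseline: per-host daily outbound bytes to external hosts.
BASELINE_DAILY_BYTES = {
    "fileserver01": [1.2e8, 1.1e8, 1.3e8, 0.9e8, 1.0e8, 1.2e8, 1.1e8],
    "laptop-23":    [4.0e7, 3.5e7, 5.0e7, 4.2e7, 3.8e7, 4.4e7, 4.1e7],
}
# Constructed set of external destinations each host has talked to before.
KNOWN_DESTINATIONS = {
    "fileserver01": {"198.51.100.10"},
    "laptop-23": {"198.51.100.10", "203.0.113.80"},
}
# Ports that move files in the clear or are rarely legitimate for bulk egress.
PLAINTEXT_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet", 80: "http"}

# Constructed flows for one day: (src_host, dst_ip, dst_port, proto, bytes_out)
SAMPLE_FLOWS = [
    ("fileserver01", "198.51.100.10", 443, "tcp", 9.0e7),  # normal backup traffic
    ("fileserver01", "192.0.2.77", 21, "tcp", 6.5e8),      # huge FTP upload to a new host
    ("laptop-23", "203.0.113.80", 443, "tcp", 3.9e7),      # normal
    ("laptop-23", "10.0.0.5", 445, "tcp", 2.0e9),          # internal copy: not egress
    ("laptop-23", "198.51.100.10", 53, "udp", 2.2e7),      # 22 MB of DNS to one host
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(flows, baseline, known, spike_factor=3.0, dns_bytes_limit=5e6):
    """Return {host: [alert strings]} for hosts showing exfiltration indicators."""
    egress = defaultdict(float)
    alerts = defaultdict(list)
    for host, dst, port, proto, nbytes in flows:
        if not is_external(dst):
            continue  # lateral traffic is a different detection problem
        egress[host] += nbytes
        if dst not in known.get(host, set()):
            alerts[host].append(f"new external destination {dst}:{port}")
        if port in PLAINTEXT_PORTS:
            alerts[host].append(f"{PLAINTEXT_PORTS[port]} egress to {dst} ({nbytes:.0f} bytes)")
        if proto == "udp" and port == 53 and nbytes > dns_bytes_limit:
            alerts[host].append(f"DNS volume {nbytes:.0f} bytes to {dst} (possible tunnel)")
    # Volume check: compare the day's total egress with the host's historical median.
    for host, total in egress.items():
        history = baseline.get(host)
        if history:
            typical = median(history)
            if total > spike_factor * typical:
                alerts[host].append(
                    f"outbound volume {total:.0f} bytes, {total / typical:.1f}x baseline")
        else:
            alerts[host].append(f"no baseline for host, sent {total:.0f} bytes")
    return dict(alerts)


if __name__ == "__main__":
    for host, found in analyze(SAMPLE_FLOWS, BASELINE_DAILY_BYTES, KNOWN_DESTINATIONS).items():
        print(host)
        for a in found:
            print("  -", a)
```

Using the median rather than the mean keeps one earlier incident from inflating the baseline, and a host with no baseline at all is reported rather than silently passed, since a freshly built machine that immediately starts pushing data out is exactly the case an attacker's staging host produces.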