By: Brad MacKenzie, vCISO to Secured Managed Services at Cerberus Sentinel
In Part II of this series, Brad MacKenzie offers three more cybersecurity truths gained from his years of working with the Cerberus Incident Response team. MacKenzie advises organizations to follow these best practices so they can reduce the impact of a cyber attack and significantly improve their security and risk management programs.
4. Geofencing Actually Works
Geofencing allows access to a system to be controlled based on the user’s location. In this case, the source IP address is mapped to its country of origin through a database. This allows you to block communications with countries you don’t do business with, which can help thwart an attack. I used to think that geofencing was a lost cause because an attacker could bypass country-based restrictions using a VPN, thus appearing to come from the victim’s country or city. However, my thinking has changed; I’ve seen more and more instances of geofencing working as designed and blocking attackers successfully. It’s possible that this is due to attackers using international servers to automate initial ingress. A user falls prey to a phishing attack that compromises credentials or session tokens, and the attacker has every piece of information they need to log in as the victim. When the attacker tries to access the system, the login fails and the logs show a rejected login attempt from Russia, China, or another country, blocked solely on the IP location of the attacking system. It’s not perfect, but it’s another layer of defense.
If you are a company that doesn’t do business internationally, limit access to your local country, or countries that you do business with. Ensure both inbound and outbound traffic is geo-fenced. If you have staff who travel internationally, allow them to access your systems by creating a rule that allows the specific user and the specific country they are visiting. Ideally, have them use a corporate VPN solution for remote access.
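The allow-list policy described above, with a per-user travel exception, as an added example (not code from the original post or from Cerberus Sentinel). The IP-to-country table is a constructed stand-in for a real GeoIP database, using documentation address ranges with made-up country attributions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Tuple

# Constructed stand-in for a GeoIP database: documentation ranges (RFC 5737)
# mapped to sample country codes. Real deployments look these up in a GeoIP DB.
GEO_DB = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "RU",
    "192.0.2.0/24": "CN",
}


def country_for(ip: str) -> str:
    """Map an IP address to a country code; unmapped addresses return '??'."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO_DB.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"  # unknown origin is treated as not allowed, never as a pass


@dataclass
class GeofencePolicy:
    allowed_countries: set                               # countries you do business in
    travel_exceptions: dict = field(default_factory=dict)  # user -> country being visited

    def evaluate(self, user: str, ip: str, direction: str) -> Tuple[bool, str]:
        """Decide inbound or outbound traffic purely on IP location, as the post describes.
        The travel exception is scoped to one user AND one country, and only for inbound access."""
        cc = country_for(ip)
        if cc in self.allowed_countries:
            return True, f"{direction} {user} from {ip} ({cc}): allowed"
        if direction == "inbound" and self.travel_exceptions.get(user) == cc:
            return True, f"inbound {user} from {ip} ({cc}): allowed by travel exception"
        # This is the log line the IR team ends up reading after a phished login is replayed.
        return False, f"{direction} {user} from {ip} ({cc}): rejected, country not in allow list"


if __name__ == "__main__":
    policy = GeofencePolicy({"US"}, travel_exceptions={"alice": "RU"})
    for user, ip, direction in [("bob", "198.51.100.7", "inbound"),
                                ("alice", "198.51.100.7", "inbound"),
                                ("bob", "192.0.2.9", "outbound")]:
        print(policy.evaluate(user, ip, direction)[1])
```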
5. Send all Logs into a SIEM for Analysis
A Security Information and Event Management (SIEM) system is a way to collect event information from a diverse range of sources across your IT infrastructure, analyze the data, and alert if an attack is found. If you haven’t implemented a SIEM and aren’t sending logs to a central location for analysis, you will be missing important signals and lack visibility that attacks are happening. Many organizations believe that simply turning on logging at the device is “good enough,” but this just collects events on the device, and they never really get analyzed as part of the “big picture.” Similarly, if that device is compromised, the logs can be tampered with or erased. If there is an incident, analysis is slowed because the IR engineer needs to go to every device individually to collect or analyze the logs; this is time-consuming work, and time is money. Isolated logs can’t be aggregated, nor can events be analyzed as a whole.
Using a SIEM to collect and analyze events is key to knowing that something is awry in your network and is a proactive measure to detect malicious activity as well as assist in analysis if there is an incident.
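An added example (not code from the original post or from Cerberus Sentinel) of the kind of correlation only a central collector can do: the same account failing to log in on several different hosts within a few minutes. Each device sees a single failure in its own log; the aggregated view shows the pattern. Log lines, hosts, users and addresses are constructed for this example, and the line format is an assumed simplified syslog style.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as a central collector would receive them from several hosts.
RAW_LOGS = """\
2024-03-01T09:00:01Z vpn-gw01 auth: FAILED login user=jdoe src=198.51.100.7
2024-03-01T09:00:14Z mail01 auth: FAILED login user=jdoe src=198.51.100.7
2024-03-01T09:01:02Z fileserver auth: FAILED login user=jdoe src=198.51.100.7
2024-03-01T09:01:40Z vpn-gw01 auth: OK login user=asmith src=203.0.113.22
2024-03-01T11:30:00Z mail01 auth: FAILED login user=asmith src=203.0.113.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(raw: str) -> list:
    """Normalize raw lines from every source into one event schema."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsed lines as a health signal
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def cross_host_failures(events: list, window: timedelta = timedelta(minutes=5),
                        min_hosts: int = 2) -> list:
    """Alert when one account fails to log in on at least `min_hosts` distinct hosts within `window`."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAILED":
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, fails in by_user.items():
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "hosts": sorted(hosts),
                               "src": sorted({e["src"] for e in in_window}), "start": first["ts"]})
                break  # one alert per account is enough for this example
    return alerts
```

Run as `python3 siem_correlate.py` after adding a `print(cross_host_failures(parse_events(RAW_LOGS)))` line; the single-failure account `asmith` produces no alert, while `jdoe` does.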
6. Multi-Factor Authentication (MFA) is a Necessity
It is no exaggeration to say that almost every organization has some type of cloud presence, whether email or Azure Active Directory. Moving any type of internal IT function to the cloud changes the security boundaries; what was previously protected by corporate security infrastructure is now accessible to, and attackable by, every hacker in the world. This places extra onus on authentication security, since it will be stressed and tested almost continually. A fundamental requirement in this new world is Multi-Factor Authentication (MFA), also referred to as Two-Factor Authentication (2FA).
Many companies resist a move to MFA because it’s seen as an inconvenience to users, but there is no doubt that delaying implementation is a risky proposition. We have seen companies that have had domain administrator accounts overtaken and, in one month, had an attacker consume tens of thousands of dollars of cloud compute resources to mine cryptocurrencies. Enabling MFA would have almost assuredly prevented this loss.
At minimum, every privileged role MUST have MFA enabled, and MFA should be enforced for every user on any cloud-based service like Microsoft 365 (or any locally hosted service) where authentication is exposed to the Internet. Given the ubiquitous nature of MFA, there is no real reason why every user should not be using it. While experts might pontificate about the best type of MFA mechanism, the reality is that every single solution is 1,000 times better than having no MFA at all.
As these truths show, tools exist that organizations can use to block network traffic from specific geographical areas, monitor and detect potential threats by aggregating and analyzing logs, and control access to their systems. In Part III of this series, we examine network segmentation and isolation.
Brad MacKenzie is a highly experienced cybersecurity practitioner who serves as vCISO to Secured Managed Services at Cerberus Sentinel, a rapidly growing, global cybersecurity and compliance provider.