By: Brad MacKenzie, vCISO to Secured Managed Services at CISO Global
In our last installment, Brad MacKenzie described three proactive measures organizations can implement to protect their environment from cyberattacks: analyzing their systems for indicators of compromise and cataloging all the legitimate software on their network, providing security awareness training to all staff, and creating an incident response plan. This week, Brad focuses on three key areas that will help you prevent attacks: proactive threat hunting, managing internal users, and the importance of a solid, tested incident response plan.
8. Proactively run threat “hunts”
Proactive analysis of an environment can find issues before they become a fully-fledged emergency. Searching for known “Indicators of Compromise” (IoCs) also allows you to tune security products to catch them in the future, and to understand the possible gaps or limitations in the controls you have implemented.
Knowing the legitimate software in use in your environment is very valuable. Attackers now routinely leverage legitimate remote access software like TeamViewer and GoToMyPC for Command and Control. They know it’s very unlikely that any anti-malware software will flag these tools as malicious, since they are often used for legitimate business purposes, yet the tools still give them complete control over the compromised system. Proactively hunting for new installs of remote-control software can both alert you to an external attacker’s presence and identify policy violations by internal users.
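As an added example (not code from the article or from CISO Global), the hunt described above as a script: it diffs a current software inventory against the catalog of known-legitimate software, reports new installs per host, and marks those that match the remote-access tools named in the text. The inventories, host names and the 7-Zip entry are constructed sample data.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample inventories (as exported from an endpoint agent): host, product, version.
BASELINE_CSV = """host,product,version
ws01,Microsoft Office,16.0
ws01,Google Chrome,120.0
ws02,Microsoft Office,16.0
ws02,TeamViewer,15.4
"""

CURRENT_CSV = """host,product,version
ws01,Microsoft Office,16.0
ws01,Google Chrome,121.0
ws01,TeamViewer,15.4
ws02,Microsoft Office,16.0
ws02,TeamViewer,15.4
ws02,GoToMyPC,9.1
ws02,7-Zip,23.01
"""

# Remote-access products named in the article; substring match catches variants like "TeamViewer Host".
REMOTE_ACCESS_WATCHLIST = ("teamviewer", "gotomypc")

@dataclass(frozen=True)
class Finding:
    host: str
    product: str      # normalized (lower-cased) product name
    version: str
    remote_access: bool

def load_inventory(text):
    """Return {(host, normalized_product): version} from CSV text."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["host"], r["product"].strip().lower()): r["version"] for r in rows}

def hunt_new_installs(baseline_csv, current_csv, watchlist=REMOTE_ACCESS_WATCHLIST):
    """Diff the current inventory against the known-good catalog and report new products.
    A version change of an already-cataloged product is not a new install."""
    baseline = load_inventory(baseline_csv)
    current = load_inventory(current_csv)
    findings = []
    for (host, product), version in sorted(current.items()):
        if (host, product) in baseline:
            continue
        is_remote = any(name in product for name in watchlist)
        findings.append(Finding(host, product, version, is_remote))
    return findings

def remote_access_alerts(findings):
    """The subset of new installs that warrant immediate investigation."""
    return [f for f in findings if f.remote_access]

if __name__ == "__main__":
    for f in hunt_new_installs(BASELINE_CSV, CURRENT_CSV):
        print(("ALERT " if f.remote_access else "new   ") + f"{f.host}: {f.product} {f.version}")
```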
9. Users are now the most common cause of a successful malware attack
Statistically, a user performing an action like opening a poisoned attachment, clicking on a bad link, or getting phished is going to be the way an attacker enters your environment. How well you educate, protect, and compartmentalize users dictates your resilience to attack:
- Educate users on how to recognize potentially bad emails, websites, and attachments. This should be an annual exercise. I’ve seen compromises where a user literally opened and clicked every email they received regarding fake Amazon gift cards, theatre tickets, everything. These emails are the easiest to detect; imagine if the user was sent a targeted attack that looked like an IT email asking them to change their password on the new application portal. Use a security awareness training program to teach users to be diligent and question everything they receive in email or download.
- Protect users from receiving malicious emails or attachments. Implement and configure aggressive email filters, with explicit warnings inserted into inbound email originating outside the organization. Implement endpoint protection and anti-virus as a last line of defense. Use a high-quality web filter that can use advanced methods to detect sites used to push phishing payloads.
- Restrict each user to the infrastructure and systems needed for their job role. In the event of a successful attack, this will hopefully limit the damage that can be done.
10. Create an Incident Response Plan
Every organization should have an Incident Response Plan that details what constitutes an incident, who gets contacted internally (from Executives to Legal Counsel), who handles any PR issues if needed, how an incident is initiated with vendors, etc. Too often there is confusion around who has what role and how to engage external teams, causing unnecessary delay. The IR plan should be exercised as a table-top exercise annually.
Hopefully these insights, gleaned from real Incident Response projects, will help you reflect on how your environment might cope with an attack. When you understand how hackers and malware operate, you will better understand which refinements support quick recovery and better outcomes. It helps to adopt the mindset that a successful attack “will happen”, and when it does, you will be prepared with a step-by-step plan that helps to minimize the damage. If the detonation of malware is a spark from a fire, will it burn your environment down by landing on kindling and starting a wildfire, or will it be like a spark that lands on a lake and is quenched in an instant?
Brad MacKenzie is a highly experienced cybersecurity practitioner who serves as vCISO to Secured Management Services at CISO Global, a rapidly growing, global cybersecurity and compliance provider.