By: Brad MacKenzie, vCISO to Secured Managed Services at Cerberus Sentinel
As we look back on Cybersecurity Awareness messaging over the last year, many of us who are seasoned practitioners are excited to see security becoming more top of mind for end users. That said, many of the best practices highlighted during these campaigns – while true and valuable – miss the heart of what experts see on a daily basis when mitigating real-world attacks. There are some practical life lessons that will make a major impact on how organizations approach their security programs – ten, to be exact. Cerberus is in the fortunate position of having insight into the security practices of many diverse organizations. Many of them, including internal IT teams and leaders, don’t realize how quickly an attacker can gain access to their networks, or how fast they can navigate quietly into more sensitive systems. IT security has always been seen as a game of cat-and-mouse between attackers and defenders – an electronic arms race. Attackers have the same tools at their disposal as the defenders do, meaning attacks can be refined until they bypass defenses. For example, if an attacker wants to bypass antivirus, they can simply install all the common antivirus products and test their code against them to see which variations go undetected.
Working on the front lines with the Cerberus Incident Response (IR) Team, I have the benefit of having gained a great deal of insight into how attackers operate. Here is some real-world advice that can help reduce the impact of an attack.
First let’s address the biggest elephant in the room:
1. The Hacked Company on the News Could Have Been You.
A company that gets hacked isn’t necessarily doing anything worse than other typical companies. In this day and age, do you think it was because the hacked company was doing something like not running antivirus? Of course not; they were probably doing much the same things you are. Companies need to defend against every security vulnerability, while attackers only need to find one to get initial access. The larger the organization, the more complex the IT environment and the larger the attack surface, and the harder it is for the organization to manage and control.
It’s time to adopt the mindset of:
2. It’s a question of “when”, not “if”, an attacker gets initial access.
Though it does happen, the majority of cyberattacks today don’t begin with attackers hacking through an external firewall. The most common attacks today target users through phishing emails. There are many great anti-phishing technologies and end-user training programs, but no solution is 100% effective. Sooner or later, an attacker is going to craft an email that is successfully delivered to an unsuspecting user’s mailbox. Eventually a user will fall for the lure and take an action that gives the intruder initial access, whether by disclosing their account credentials or by running the attacker’s malware. There is a misconception that endpoint anti-malware solutions are impossible to bypass. Sophisticated cybercriminals can often sidestep protections, and their success certainly varies from vendor to vendor, but again, no product is a silver bullet that will catch all threats and malware all the time.
Companies need to prepare for a successful cyberattack by implementing layered defenses that limit and mitigate threats. The old comparison is that of a submarine: not one big hollow tube, but many compartments that can be sealed off in a breach or failure.
3. File Encryption and Ransom Demands are the LAST Steps in an Attack, not the FIRST.
Many people believe that malware payload detonation immediately triggers file encryption. In fact, the attacker uses the initial malware payload to get a toehold in the environment, then expands across it and attempts to escalate privileges. The attackers then exfiltrate as much of your data as they can. Their goal is to stay in the environment until it serves no further purpose. If they are caught, or have no further use for the access, they detonate the ransomware and leave. This means it is unlikely that a ransomware attack will be isolated to a single system. By the time your files are encrypted and a ransom note appears, you are in the final phase of the attack, not the initial one. The attacker could have been in your environment for 3-6 months.
Diligence must be paid to logging, auditing, and active alerting, with particular attention to dubious network connections, DNS name resolutions, and anomalous user activity.
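The monitoring areas named above are concrete enough to script. The following is an added example, not code from this article or from Cerberus Sentinel: it runs two small detectors over constructed DNS resolver and connection log lines, flagging random-looking DNS labels and a host burning through many unique subdomains (the shape that DNS tunnelling and domain-generation malware leave in resolver logs), plus unusually large outbound volume and clockwork-regular connections to one destination (the shape of exfiltration and command-and-control beaconing). The log lines, host names and thresholds are all assumptions constructed for illustration, and `registered_domain` is a deliberate simplification that a real deployment would replace with a public-suffix-list lookup.

```python
import math
import statistics
from collections import defaultdict

# Constructed DNS resolver log: "<epoch seconds> <client host> <queried name>"
DNS_LOG = """\
1700000000 ws-101 mail.example.org
1700000005 ws-101 cdn.example.net
1700000009 ws-101 www.example.org
1700000010 ws-117 a3f9c2e1b7d4.upd.badexample.test
1700000012 ws-117 9e1d4c7a2b5f.upd.badexample.test
1700000014 ws-117 c7b2e9a41d06.upd.badexample.test
1700000016 ws-117 2f8a6d3e9c1b.upd.badexample.test
1700000018 ws-117 d4e1a7c3b9f2.upd.badexample.test
"""

# Constructed connection log: "<epoch seconds> <client host> <dst ip>:<dst port> <bytes out>"
CONN_LOG = """\
1700000000 ws-101 203.0.113.10:443 4200
1700000047 ws-101 203.0.113.10:443 9800
1700000130 ws-101 198.51.100.7:443 1500
1700000300 ws-101 203.0.113.10:443 3100
1700000000 ws-117 192.0.2.55:8443 900
1700000060 ws-117 192.0.2.55:8443 880
1700000120 ws-117 192.0.2.55:8443 910
1700000180 ws-117 192.0.2.55:8443 64000000
"""

# Thresholds are assumptions for this example; tune them against your own baseline.
MIN_LABEL_LEN = 12                # only labels at least this long get an entropy check
MIN_ENTROPY = 3.0                 # bits per character; random hex or base32 labels exceed this
MAX_UNIQUE_SUBDOMAINS = 5         # distinct names under one registered domain, per host
MAX_BYTES_OUT = 50 * 1024 * 1024  # total bytes from one host to one destination
MIN_BEACON_COUNT = 4              # connections needed before judging interval regularity
MAX_BEACON_JITTER = 0.05          # stdev / mean of the gaps between connections


def shannon_entropy(text):
    """Bits of entropy per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Split each non-empty log line into its whitespace-separated fields."""
    return [line.split() for line in text.splitlines() if line.strip()]


def registered_domain(name):
    """Crude apex (last two labels); production code would use the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def dns_findings(rows):
    """Flag random-looking labels and hosts resolving many unique names under one apex."""
    findings, seen = [], defaultdict(set)
    for _ts, host, name in rows:
        seen[(host, registered_domain(name))].add(name)
        for label in name.split(".")[:-2]:   # labels below the registered domain
            if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY:
                findings.append(("high-entropy-label", host, name))
                break
    for (host, apex), names in seen.items():
        if len(names) >= MAX_UNIQUE_SUBDOMAINS:
            findings.append(("many-unique-subdomains", host, apex))
    return findings


def conn_findings(rows):
    """Flag unusually large outbound volume and clockwork-regular connections."""
    findings, by_pair = [], defaultdict(list)
    for ts, host, dst, nbytes in rows:
        by_pair[(host, dst)].append((int(ts), int(nbytes)))
    for (host, dst), events in by_pair.items():
        events.sort()
        if sum(b for _, b in events) >= MAX_BYTES_OUT:
            findings.append(("large-outbound-volume", host, dst))
        if len(events) >= MIN_BEACON_COUNT:
            times = [t for t, _ in events]
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_BEACON_JITTER:
                findings.append(("regular-beaconing", host, dst))
    return findings


def triage():
    """Run both detectors over the constructed logs and return every finding."""
    return dns_findings(parse_log(DNS_LOG)) + conn_findings(parse_log(CONN_LOG))


if __name__ == "__main__":
    for kind, host, target in triage():
        print(f"{kind:24} {host:8} {target}")
```

Run as a script, it reports only ws-117: five high-entropy labels, one host with five unique subdomains under `badexample.test`, one large outbound transfer and one regular 60-second beacon, while ws-101's ordinary browsing traffic produces no findings. Each rule is a first-pass filter rather than a verdict; the point is that these signals are visible in logs you already have, long before the ransom note, provided someone is collecting them and alerting on them.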
In short, it helps not just to take prescribed actions, but to understand why you are taking them, how attacks work, and what the combination of all mitigating techniques is doing to protect your environment. It’s easy to focus on the day-to-day and forget that small decisions can have significant consequences. For our next installment in this series, we will look more closely at the practices of Geo-Fencing, Log Management, and MFA.
Brad MacKenzie is a highly experienced cybersecurity practitioner who serves as vCISO to Secured Managed Services at Cerberus Sentinel, a rapidly growing, global cybersecurity and compliance provider.