Attackers are always refining the tools they use to improve the chances they can break through your defenses.
Even small gaps can become a leverage point.
And it doesn’t take much effort for the attackers to find the gaps — most of the attack tools these days are automatically scanning for changes, vulnerabilities, or other information the attackers may find useful.
Left undetected or unmanaged by your team, these gaps in your cyber defenses may allow attackers to gain a foothold.
Once an attacker has a foothold, if they remain unseen even for an hour, they have gained time to scan your infrastructure, find opportunities to pivot, and compromise more valuable targets.
According to The Ponemon Institute’s 2019 breach report, the average time to acknowledge a threat was 197 days; attackers can remain in their target networks undetected for months, not hours.
If your team is responsible for securing your company, it can seem overwhelming to know where to start, or even how to think about the problem when massive change happens, such as the shift to remote working due to Covid-19.
- Have new gaps opened in your defenses?
- How will you manage the new risks?
- If something weird does happen, would you know about it before it became a bigger problem?
The good news is that the very act of starting to look for these gaps and improve them is the best thing you can do.
Assuming the mindset of continuous improvement, identifying gaps, and correcting them is a much better way to approach the problem than accepting the status quo.
Here are 5 ways cyber-attacks happen and how you can avoid them.
1. When Teams Don’t Manage Privileged Accounts
If you don’t have an inventory of privileged accounts, coupled with strong access and authentication controls, chances are a privileged account will be compromised.
To Avoid This:
- Inventory all privileged accounts and enforce controls around their access.
- These days, multi-factor authentication (MFA) is a minimum requirement.
- Privileged accounts should not be permanently provisioned; grant privilege only for the time it is needed.
- All privileged accounts should be reviewed at least monthly; any privileged accounts that are not approved should expire by default.
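The bullets above describe a review policy (inventory, MFA, no standing privilege, monthly review, expire by default) but not how to apply it. The following is an added example, not code from the original post, that runs that policy over a constructed inventory of privileged accounts. The record layout, field names and the sample accounts are this example's own assumptions; in practice the inventory would be exported from the directory or PAM system.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


# Hypothetical inventory record; the field names are this example's own, not any product's schema.
@dataclass
class PrivilegedAccount:
    name: str
    owner: str
    mfa_enabled: bool
    permanent: bool                 # True = standing privilege, False = time-bound grant
    approved_until: Optional[date]  # None = no approval on record
    last_reviewed: Optional[date]   # None = never reviewed


REVIEW_INTERVAL = timedelta(days=30)   # "reviewed at least monthly"
AS_OF = date(2020, 6, 1)               # constructed review date for the sample run


def review_account(acct: PrivilegedAccount, today: date) -> List[str]:
    """Return the policy findings for one account (an empty list means compliant)."""
    findings: List[str] = []
    if not acct.mfa_enabled:
        findings.append("mfa_missing")
    if acct.permanent:
        findings.append("standing_privilege")
    if acct.approved_until is None:
        findings.append("no_approval")
    elif acct.approved_until < today:
        findings.append("approval_expired")
    if acct.last_reviewed is None or today - acct.last_reviewed > REVIEW_INTERVAL:
        findings.append("review_overdue")
    return findings


def should_disable(findings: List[str]) -> bool:
    """Expire by default: an account with no current approval is disabled, not merely reported."""
    return "no_approval" in findings or "approval_expired" in findings


def review_inventory(accounts: List[PrivilegedAccount], today: date) -> Dict[str, dict]:
    """Review every account and return only the ones with findings, keyed by account name."""
    report: Dict[str, dict] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.name] = {
                "owner": acct.owner,
                "findings": findings,
                "disable": should_disable(findings),
            }
    return report


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("da-alice", "alice", True, False, date(2020, 6, 30), date(2020, 5, 15)),
    PrivilegedAccount("svc-backup-admin", "unknown", False, True, None, None),
    PrivilegedAccount("da-bob", "bob", True, False, date(2020, 5, 20), date(2020, 5, 15)),
    PrivilegedAccount("da-carol", "carol", True, True, date(2020, 12, 31), date(2020, 4, 1)),
]


def run_sample_review() -> Dict[str, dict]:
    """Run the review against the constructed inventory as of AS_OF."""
    return review_inventory(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for name, entry in run_sample_review().items():
        action = "DISABLE" if entry["disable"] else "report"
        print(f"{name:18} {action:8} {', '.join(entry['findings'])}")
```

The split between findings that are merely reported (a standing privilege or an overdue review goes to the owner) and findings that disable the account (no current approval) is the "expire by default" rule from the list: an approval that lapses removes access without anyone having to act.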
2. When Network-based Access Controls Allow Movement Through Your Network
Network-based controls can be basic (sometimes as basic as internal vs. external segmentation) or complex (hundreds of VLANs adding complexity and administrative overhead).
But in all cases they imply some level of trust in the network.
Once a machine or account is compromised, attackers rely on this trust to find other vulnerable systems and pivot within your network, often undetected.
If they are detected, there is usually a time lag, so your team will be chasing a reflection of where the attacker has been rather than capturing their actions in real time.
To Avoid This:
- Begin by isolating administrative-level devices from the rest of your users.
- Collect data from any network devices that can provide telemetry; this is vital for detection.
- Supplement your network access controls with a micro-segmentation approach to limit an adversary’s ability to pivot across your network undetected.
3. Reactive Security Teams
The all-too-common mindset that the system is operating normally until there is an issue may help explain the long dwell times noted above.
That is 197 days for an attacker to move about the network, gather intelligence, compromise systems, exfiltrate data, and then plant malware or ransomware to generate revenue.
In this scenario, the security team reacts only when systems stop performing or exhibit strange behavior. If your team is good at firefighting, that may itself be a sign that it is reactive.
To Avoid This:
- Adopt the mindset that the system is already compromised; you just can’t see it yet.
- Get a handle on outbound traffic by doing egress filtering and baseline your current traffic flows.
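Sections 2 and 3 both come down to the same defensive loop: collect flow telemetry, baseline what normal outbound traffic looks like, and alert on what departs from it. The following is an added example, not code from the original post, that does this over constructed flow records. The record format (source, destination, destination port, protocol, bytes), the allowed egress ports and the large-transfer threshold are this example's own assumptions; real deployments would read NetFlow or firewall logs and tune the thresholds to their environment.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records (not real traffic): "src dst dport proto bytes".
# BASELINE_FLOWS stands in for a learning window of known-good outbound traffic.
BASELINE_FLOWS = """\
10.0.1.12 203.0.113.10 443 tcp 5120
10.0.1.12 203.0.113.10 443 tcp 4096
10.0.1.20 198.51.100.5 53 udp 120
10.0.1.20 203.0.113.10 443 tcp 8000
10.0.1.30 198.51.100.5 53 udp 110
"""

# NEW_FLOWS stands in for the current collection interval being evaluated.
NEW_FLOWS = """\
10.0.1.12 203.0.113.10 443 tcp 6000
10.0.1.20 198.51.100.5 53 udp 130
10.0.1.30 192.0.2.77 443 tcp 48000000
10.0.1.12 192.0.2.9 2222 tcp 900
"""

# Egress filtering policy (assumed): only these destination ports may leave the network.
ALLOWED_EGRESS_PORTS = {53, 80, 443}
# Single-flow volume above which an unexpected transfer is worth a look (assumed threshold).
LARGE_TRANSFER_BYTES = 10_000_000

FlowKey = Tuple[str, str, int]


def parse_flows(text: str) -> List[dict]:
    """Parse whitespace-separated flow records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def build_baseline(flows: List[dict]) -> Dict[FlowKey, int]:
    """Summarise the learning window as total bytes per (src, dst, dport)."""
    baseline: Dict[FlowKey, int] = defaultdict(int)
    for f in flows:
        baseline[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return dict(baseline)


def evaluate(flows: List[dict], baseline: Dict[FlowKey, int]) -> List[Tuple[FlowKey, List[str]]]:
    """Return (flow key, reasons) for every flow that violates policy or departs from the baseline."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        reasons = []
        if f["dport"] not in ALLOWED_EGRESS_PORTS:
            reasons.append("port_not_allowed")      # egress filter should have blocked this
        if key not in baseline:
            reasons.append("new_flow")              # destination never seen from this host
        if f["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large_transfer")        # possible bulk exfiltration
        if reasons:
            alerts.append((key, reasons))
    return alerts


def run_sample() -> List[Tuple[FlowKey, List[str]]]:
    """Baseline the learning window, then evaluate the current interval."""
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return evaluate(parse_flows(NEW_FLOWS), baseline)


if __name__ == "__main__":
    for (src, dst, dport), reasons in run_sample():
        print(f"{src} -> {dst}:{dport}  {', '.join(reasons)}")
```

Two of the four current flows repeat the baseline and stay silent; the other two surface exactly the cases the text warns about: a never-before-seen destination receiving a large transfer, and a flow on a port the egress filter should never have let out. Without the learning window there is nothing to compare against, which is why collecting telemetry comes first.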
4. Open-source Intelligence
Maltego. Shodan. TheHarvester.
These are excellent tools that attackers (and defenders) can use to gather information about your company, and the amount of information available on many companies is staggering.
These tools make that information easily accessible and actionable for an adversary.
To Avoid This:
- Download these tools and see what information is visible about your company.
- Take pragmatic steps to reduce or minimize that information.
5. When Systems Aren’t Managed Well
In December 2019, Facebook exposed 267M user records via an unsecured web page.
An additional 419M records were exposed in September of 2019 when an attacker accessed another unsecured server.
According to IBM's 2018 Cost of a Data Breach study, over half the organizations surveyed said they had been hit with one or more data breaches in the prior two years, and 34% said they knew their systems were vulnerable before the attack (2018).
To Avoid This:
- Start with all externally-visible systems and maintain an accurate inventory along with their vulnerabilities. These are soft targets and potential pivot points for an attacker.
- Regularly patch vulnerabilities on these high-risk systems.
- Scan inbound traffic for malicious indicators.
- Have tested plans in place to rapidly quarantine compromised systems.
Attackers are always trying to make their tools better, leveraging automation, machine learning, and artificial intelligence to give them an advantage.
It used to be the case that if they ‘twisted the handle and found it locked,’ they might move on to other targets.
These days, the tools automate complex scanning, assessment, and initial attacks, so that the attacker is presented with only those opportunities that have a higher likelihood of paying off.
To defend against these adversaries, security leaders should develop a more proactive approach.
The suggestions in this list are meant to be a starting point. The main message is that building great security requires having the right mindset and the willingness to continuously improve.
Adopt an Agile approach: start small; prioritize; implement changes quickly; measure the results; start again.
After doing this for several months, your security program will show measurable improvements.
We’ve performed hundreds of assessments like these, and helped our customers strengthen programs just like yours. Our mission is to help leaders build great security.
References:
Cost of a Data Breach Study. (2018). IBM. Retrieved May 21, 2020.