Cybercrime is smart, innovative, and agile. Cybercriminals are well rewarded for novel attack vectors and have no incentive to stop finding inventive ways of penetrating systems and slipping past defences at their weakest point.
According to Paul Grapendaal, Head of Managed Security Services at Nclose, there is no standard playbook for breaking into a system, but there are solid security steps that mitigate risk and help the business manage the fallout: steps that bolster your defences and ensure that one phish does not cost your business millions.
“There are obvious routes of attack, such as spear phishing, that are designed to focus on a target with the sole mandate of releasing malicious software into the system,” he adds.
“Others are more subtle, using increasingly sophisticated methods to gain access. Either way, once the malicious software is in, the attackers will wait for the right moment – one where they can do the most damage by achieving the greatest levels of impact before they attack.”
Ultimately, the goal is to infect as many systems as possible. From the cybercriminal's point of view it is worth waiting until as much of the company as possible has been compromised, because a widely spread infection commands a far larger payout than one or two encrypted machines.
Some ransomware is staged inside an environment for months, until the operators are sure it has spread far enough. Backups taken during that window capture the dormant malware, and the attackers often go after the backups directly, so that the organisation cannot restore from them when the encryption finally runs. This prolonged dwell time lets attackers learn the environment in depth and time the attack for maximum impact, which means a heftier pay-out and, frequently, further avenues of compromise for later.
The same applies to phishing. If a phished user does not reset their password and invalidate existing sessions, the attackers can dwell inside that account for a long time, reading email and other communications and building a picture of how the company works, both its systems and its processes.
Over time they use that access to collect credentials for other systems, since whatever is mailed to the compromised user is theirs as well: anything from system passwords to updated supplier payment details. Much of this theft happens completely under the radar, because neither the user nor the company is aware of the attacker's presence.
“This is why it’s become increasingly important to put security at the forefront of every conversation, engagement and interaction,” says Grapendaal. “The malicious software will only work if it’s been downloaded, so people need to know that they shouldn’t click on links in emails they don’t trust or download files that are from people they don’t know. The same goes for credential theft. Make sure that employees know how easy it is for them to hand their credentials over to malicious actors and keep reinforcing the message. This is the first layer of defence.”
And if that first layer fails? The next layer is the organisation's own attack surface. Many companies fall short on vulnerability management programmes and on keeping endpoint security current: they have no controls that stop malicious software from taking hold, and rely on outdated, traditional signature-based anti-virus. If someone does click a link or download a threat, there should be controls in place that immediately contain the malware on that machine and stop it spreading to others.
“We recently dealt with an attack where the entire critical environment went down because of a ransomware download,” says Grapendaal.
“The hackers were subtle but effective; once they gained control of systems, they could then poke around at their leisure. This really does underscore the importance of having multiple security controls in place so that there is protection that stops the malicious software from proceeding beyond that point. Most of the really large compromises were because of multiple security control failures.”
The next step in the process is the simple stuff: patching and multi-factor authentication (MFA). Companies are often so focused on new and emerging security solutions that they lose sight of the foundational elements that those solutions sit on.
To protect the business comprehensively, make patching rigorous and routine, and enforce MFA for every user rather than merely making it available. This layer can make all the difference after a successful phish: a stolen password on its own should not be enough to log in.
The final layer of defence is technology or services such as managed detection and response (MDR) or a security operations centre (SOC). These give the organisation visibility across all elements of the business and increase the likelihood that a compromise is detected quickly, cutting the time criminals can operate inside the company undetected.
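The two dwell-time scenarios above, an attacker sitting in a phished mailbox and a SOC trying to spot the intrusion early, can be made concrete with a small triage pass over audit events. The following is an added example written for this page; it is not code from Nclose or from the article. It assumes an invented event layout, an assumed corporate egress range (TEST-NET addresses, so nothing here is real), an assumed internal mail domain, and the common but here assumed attacker habit of adding an inbox rule that forwards mail to an external address so the mailbox can be watched without logging in. The sample events are constructed. Exposure is measured from the first suspicious event until the user's credentials are reset, or until "now" if no reset has happened, which is the point the article makes about users who never change their password.

```python
"""Toy triage over constructed sign-in and mailbox audit events.

Flags sign-ins from outside the assumed corporate egress range and inbox rules
that forward mail to an external domain, then measures how long each flagged
account has been exposed (until a credential reset, or until "now").
"""
from datetime import datetime
import ipaddress

# Assumptions for this example (not from the article): the corporate egress
# range and the internal mail domain. TEST-NET ranges keep the data fictional.
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_DOMAIN = "example.com"

# Constructed sample events; the field layout is invented for this example.
EVENTS = [
    {"ts": "2024-03-01T08:02:11", "user": "alice", "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2024-03-02T22:47:03", "user": "alice", "type": "signin", "ip": "198.51.100.77"},
    {"ts": "2024-03-02T22:49:30", "user": "alice", "type": "inbox_rule",
     "action": "forward", "target": "a.backup@example.net"},
    {"ts": "2024-03-05T10:00:00", "user": "alice", "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2024-03-03T07:30:00", "user": "bob", "type": "signin", "ip": "203.0.113.11"},
    {"ts": "2024-03-03T07:31:00", "user": "bob", "type": "inbox_rule",
     "action": "move", "target": "Archive"},
    {"ts": "2024-03-04T01:15:00", "user": "carol", "type": "signin", "ip": "192.0.2.9"},
    {"ts": "2024-03-04T04:15:00", "user": "carol", "type": "credential_reset"},
]


def parse_ts(s):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(s)


def is_corporate(ip):
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def flag_event(ev):
    """Return a reason string if the event looks like attacker activity, else None."""
    if ev["type"] == "signin" and not is_corporate(ev["ip"]):
        return f"sign-in from non-corporate address {ev['ip']}"
    if ev["type"] == "inbox_rule" and ev.get("action") == "forward":
        domain = ev["target"].rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN:
            return f"inbox rule forwards mail to external domain {domain}"
    return None


def triage(events, now):
    """Group findings per user and compute each user's exposure window.

    The window opens at the first suspicious event and closes at the next
    credential_reset for that user, or at `now` if no reset has happened.
    """
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort chronologically
        entry = by_user.setdefault(ev["user"], {"reasons": [], "first": None, "closed": None})
        reason = flag_event(ev)
        if reason:
            entry["reasons"].append(reason)
            if entry["first"] is None:
                entry["first"] = parse_ts(ev["ts"])
        elif ev["type"] == "credential_reset" and entry["first"] and entry["closed"] is None:
            entry["closed"] = parse_ts(ev["ts"])

    findings = {}
    for user, e in by_user.items():
        if not e["reasons"]:
            continue  # nothing suspicious for this user (e.g. bob's rule only moves mail)
        end = e["closed"] or now
        findings[user] = {
            "reasons": e["reasons"],
            "exposure": end - e["first"],
            "contained": e["closed"] is not None,
        }
    return findings


if __name__ == "__main__":
    NOW = parse_ts("2024-03-05T12:00:00")  # pretend "now" for the constructed data
    for user, f in triage(EVENTS, NOW).items():
        state = "contained" if f["contained"] else "STILL OPEN"
        print(f"{user}: exposed for {f['exposure']} ({state})")
        for r in f["reasons"]:
            print(f"  - {r}")
```

Run as-is, alice shows an open exposure window of more than two days with two findings (an off-network sign-in followed by an external forwarding rule), carol shows a three-hour window that was closed by a credential reset, and bob is not reported at all. In a real deployment the corporate ranges, the domain list and the event source would come from the organisation's own inventory and log pipeline; the structure of the check, first suspicious event to containment, is what the MDR/SOC layer is meant to shorten.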
“Looking ahead, build a defence that’s capable of withstanding breakage at any point along the way,” concludes Grapendaal.
“Leverage the value of your security investments by identifying the holes, patching the vulnerabilities, training your people, and digging into your overall security practices. With a comprehensive understanding of your technology security maturity, you will have the information you need to reduce your risks and manage your environment more effectively and ensure that there are no weak spots in your security substratum.”