Taking action in 10 key areas can prevent cyber security attacks and protect your organisation against the risk of breaches.
A classic example of this is that attackers are relying less on malware and using administrative tools built into operating systems such as Microsoft Windows instead.
Similarly, fewer attackers are using round the clock communications with their command and control servers to avoid detection by security tools that monitor for such communications.
Attackers are also developing anti-forensics techniques: they work out which artefacts forensic tools rely on and then either avoid creating them or wipe them as part of the attack.
Increasingly common ways of getting into organisations include phishing attacks sent through the compromised email accounts of the target's friends, partners, clients and colleagues, and through subscribed mailing lists that recipients tend to trust.
We are also seeing the use of publicly available information from a variety of sources to be able to reset account passwords to take control or to create subdomains of legitimate organisations to trick people into sharing their usernames and passwords.
Cyber defenders should also be aware that attackers are increasingly breaching branch or overseas office networks so they can use various techniques to hop over to the main network, and that they exploit undisclosed vulnerabilities in publicly available portals, such as password reset portals.
We are seeing attackers using a webshell on web servers to issue commands, using tools such as Mimikatz and Mimikittenz to extract passwords from computer memory, using task scheduler to execute commands, using tunnelling tools such as Tunna Webshell on a compromised webserver to hop around networks, and using signed binaries to run malicious code in dynamic link libraries (DLLs).
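Several of the techniques listed above (a web server process issuing commands, task scheduler used for execution, a signed Windows binary loading a DLL from an unusual location) leave traces in process-creation logs. The following is an added example, not code from the article: a small rule set run over constructed sample events. The log format (pipe-delimited fields), the field names and the sample lines are all constructed for the example, and the lists of web server and shell process names are assumptions a defender would tune to their own environment.

```python
"""Detection rules over constructed Windows process-creation events.

Added example, not code from the article: flags three of the patterns the
text lists (a web server process spawning a shell, task scheduler used to
run commands, a signed Windows binary loading a DLL from a user-writable
path). The log format, field names and sample lines are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    host: str
    parent: str   # full path of the parent process
    image: str    # full path of the created process
    cmdline: str


# Constructed sample log: one event per line, ts|host|parent|image|cmdline.
SAMPLE_LOG = """\
2024-05-01T10:00:01|WEB01|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2024-05-01T10:02:13|WEB01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2024-05-01T10:03:40|WEB01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /create /tn Updater /sc minute /tr C:\\Users\\Public\\u.exe
2024-05-01T10:05:02|WS17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll,Start
2024-05-01T10:06:00|WS17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2024-05-01T10:07:30|WS17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe
"""

# Assumed process-name lists; tune to the environment being monitored.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# A DLL path under a directory that ordinary users can write to.
USER_PATH_DLL = re.compile(r"(?i)[a-z]:\\(users|programdata|windows\\temp)\\\S*\.dll")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(ts, host, parent, image, cmdline))
    return events


def detect(events):
    """Return (rule_name, event) pairs in log order; one rule per event."""
    alerts = []
    for ev in events:
        img, par, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
        if par in WEB_SERVER_PROCS and img in SHELLS:
            alerts.append(("web_server_shell", ev))        # webshell-style execution
        elif img == "schtasks.exe" and "/create" in cmd:
            alerts.append(("scheduled_task_create", ev))   # task scheduler used to run code
        elif img in DLL_HOSTS and USER_PATH_DLL.search(ev.cmdline):
            alerts.append(("signed_binary_dll_user_path", ev))  # trusted host, untrusted DLL
    return alerts


def summarize(alerts):
    counts = {}
    for rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, ev in detect(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts} {ev.host} {rule}: {ev.cmdline}")
```

The third rule deliberately ignores rundll32 calls that name a system DLL without a path (the shell32.dll line), which is routine on a workstation; it is the combination of a signed, trusted host binary with a DLL in a user-writable directory that is worth an analyst's time.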
Steps to improve your cyber security protection
1) There needs to be a mindset shift. Organisations need to understand that if they have any data of value, attackers will come after them. Having a protection plan of highest risk assets is one thing, but organisations need to ask if they can detect unauthorised access to the assets.
2) Know where there is a security risk. We often hear that organisations are unaware of the existence of a server or that it contained sensitive data.
3) Organisations need to understand that it is not enough to secure the data on servers, because there is a lot of sensitive data on endpoints. Organisations often overlook data in emails, spreadsheets, browser passwords and session cookies.
4) Avoid single factor authentication, not just for the main VPN access, but whatever other public portals an organisation has, such as Outlook Web Access (OWA).
5) Consider advanced threat detection systems to get more context on threats. Remember, real attacks start when attackers get inside the environment and pose like insiders.
6) Avoid burnout for cyber security administrators. When you hire top talent for security innovations, don't give them the day-to-day work that consumes most of their time. Continuity in a security team is a good thing, because it ensures defenders know as much as or more than attackers about their IT environment, instead of the other way around.
7) Pay attention to systems that have propagation capabilities. This includes security tools like antivirus servers, Microsoft SCCM and file integrity management servers because attackers like to use a victim’s security tools against them.
8) Whitelisting security systems are not enough. Defenders need to understand what built-in Windows applications could cause them harm. Monitor logs like you mean it, not just for compliance. Network metadata should be retained for monitoring and investigations.
9) Invest in a threat hunting programme to scan proactively for attackers' techniques, tactics and procedures. The goal should be to stop attackers before they complete the full attack.
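One use of retained network metadata (point 8) is to look for the regular command-and-control check-ins that, as noted earlier, attackers are increasingly trying to avoid. The following is an added example rather than code from the article: it groups constructed connection records by source and destination and scores how regular the gaps between connections are. The flow records, the IP addresses (from documentation ranges) and the thresholds are all constructed assumptions.

```python
"""Periodicity check over constructed connection metadata.

Added example, not code from the article: scores each (source, destination)
pair in retained network metadata for regular check-in intervals. Flow
records, addresses and thresholds are constructed for the example."""
from collections import defaultdict
from statistics import mean, pstdev


def _constructed_flows():
    """Build sample (timestamp_seconds, src_ip, dst_ip) records.

    10.0.0.5 -> 203.0.113.7 connects roughly every 60 s (beacon-like);
    10.0.0.9 -> 198.51.100.4 connects at irregular gaps (user-like)."""
    flows = []
    for i in range(24):
        jitter = (i % 3) - 1            # -1, 0, +1 seconds, deterministic
        flows.append((1000 + 60 * i + jitter, "10.0.0.5", "203.0.113.7"))
    t = 1000
    for gap in [5, 120, 7, 300, 2, 45, 900, 12, 60, 33, 480]:
        t += gap
        flows.append((t, "10.0.0.9", "198.51.100.4"))
    return sorted(flows)


SAMPLE_FLOWS = _constructed_flows()


def periodicity(timestamps):
    """Return (mean gap, coefficient of variation) for sorted timestamps.

    A low coefficient of variation (stdev / mean) means the gaps are
    nearly constant, i.e. a timer-driven pattern rather than human use."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(flows, min_conns=10, max_cv=0.1):
    """Flag pairs with at least min_conns connections whose gaps vary by
    no more than max_cv. Pairs with fewer samples are skipped, which is
    why infrequent check-ins need a longer retention window to be seen."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue   # too few samples to judge regularity
        stamps.sort()
        m, cv = periodicity(stamps)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "mean_interval": round(m, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every ~{hit['mean_interval']}s (cv {hit['cv']})")
```

Raising `min_conns` to more than the number of connections a pair has made silences the check, which is the practical limit of this approach: a server contacted once a day is invisible in a week of metadata, so the retention period decides which check-in rates can be seen at all.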