Attackers are always refining the tools they use to improve the chances they can break through your defenses. Even small gaps can become a leverage point. And it doesn’t take much effort for the attackers to find the gaps — most of the attack tools these days are automatically scanning for changes, vulnerabilities, or other information the attackers may find useful.
Left undetected or unmanaged by your team, these gaps in your cyber defenses may allow attackers to gain a foothold. Once an attacker has a foothold, if they remain unseen even for an hour, they have gained time to scan your infrastructure, find opportunities to pivot, and compromise more valuable targets. According to The Ponemon Institute’s 2019 breach report, the average time to acknowledge a threat was 197 days; attackers can remain in their target networks undetected for months, not hours.
If your team is responsible for securing your company, it can seem overwhelming to know where to start. It is even harder to know how to think about the problem when massive change happens, such as the recent shift to remote working due to Covid-19. Have new gaps opened in your defenses? How will you manage new risks? If something weird does happen, would you know it before it became a bigger problem?
The good news is that the very act of starting to look for these gaps and closing them is the best thing you can do. Adopting a mindset of continuous improvement, identifying gaps, and correcting them is a much better way to approach the problem than accepting the status quo.
With that in mind, here are 5 Things Attackers Love, and how you can begin to deny them the opportunity to gain that initial foothold:
- Attackers love: when teams don’t manage privileged accounts. If you don’t have an inventory of privileged accounts, coupled with strong access and authentication controls, chances are more than good that a privileged account will be compromised. To deny attackers any joy: inventory all privileged accounts and enforce controls around their access. These days, multi-factor authentication (MFA) is a minimum requirement. Privileged accounts should also not be permanently provisioned. All privileged accounts should be reviewed at least monthly; any privileged accounts that are not approved should expire by default.
- Attackers love: when network-based access controls allow movement through your network. Network-based controls can be basic (sometimes as basic as internal vs. external segmentation) or complex (hundreds of VLANs adding complexity and administrative overhead); but, in all cases, they imply some level of trust in the network. Once a machine or account is compromised, attackers rely on this trust to find other vulnerable systems and pivot within your network, often undetected. If they are detected, there is usually a time lapse, so your team will be chasing a reflection of where the attacker has been rather than capturing their actions in real time. To deny attackers any joy: begin by isolating administrative-level devices from the rest of your users. Collect data from any network devices that can provide telemetry; this is vital for detection. Better yet, supplement your network access controls with a micro-segmentation approach to limit an adversary’s ability to pivot across your network undetected.
- Attackers love: reactive security teams. The all-too-common mindset that the system is operating normally until there is an issue may help explain the long dwell times noted above: 197 days to move about the network, gather intelligence, compromise systems, exfiltrate data, and then plant malware or ransomware to generate revenue for the attacker. In this scenario, the security team reacts only when systems stop performing or exhibit strange behavior. If your team is good at firefighting, it may also be reactive. To deny attackers any joy: adopt the mindset that the system is already compromised; you just can’t see it yet. Get a handle on outbound traffic by implementing egress filtering, and baseline your current traffic flows.
- Attackers love: open source intelligence. Maltego, Shodan, and TheHarvester are excellent tools that attackers (and defenders) can use to gather information about your company, and the amount of information available on many companies is staggering. These tools make that information easily accessible and actionable for an adversary. To deny attackers any joy: download these tools and see what information is visible about your company. Take pragmatic steps to reduce or minimize that information.
- Attackers love: when systems aren’t managed well. In December 2019, Facebook exposed 267M user records via an unsecured web page. An additional 419M records were exposed in September of 2019 when an attacker accessed another unsecured server. According to a study by IBM in 2018, over half the organizations surveyed said they were hit with one or more data breaches in the prior two years, and 34% said they knew their systems were vulnerable before the attack (2018). To deny attackers any joy: start with all externally-visible systems and maintain an accurate inventory along with their vulnerabilities. These are soft targets and potential pivot points for an attacker. Regularly patch vulnerabilities on these high-risk systems, scan inbound traffic for malicious indicators, and have tested plans in place to rapidly quarantine compromised systems.
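As an added illustration of the privileged-account controls in the first item (this is example code, not from the original post), the following Python review script checks a constructed inventory for missing MFA, permanent provisioning, overdue review, and unapproved accounts that should expire by default; the account records and the 30-day review interval are assumptions.

```python
"""Review a privileged-account inventory against the controls in the text.

Flags accounts that lack MFA, are permanently provisioned (no expiry), have not
been reviewed within 30 days, or are not approved and so expire by default.
All account records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=30)  # "reviewed at least monthly"

@dataclass
class PrivilegedAccount:
    name: str
    approved: bool                 # on the approved privileged-account inventory?
    mfa_enabled: bool
    expires_on: Optional[date]     # None means permanently provisioned
    last_reviewed: Optional[date]  # None means never reviewed

def review_privileged_accounts(accounts, today):
    """Return {finding: sorted account names} for every control violated."""
    findings = {"expire_by_default": [], "no_mfa": [],
                "permanent": [], "review_overdue": []}
    for acct in accounts:
        if not acct.approved:  # unapproved privileged access expires by default
            findings["expire_by_default"].append(acct.name)
        if not acct.mfa_enabled:
            findings["no_mfa"].append(acct.name)
        if acct.expires_on is None:  # permanent provisioning
            findings["permanent"].append(acct.name)
        if acct.last_reviewed is None or today - acct.last_reviewed > REVIEW_INTERVAL:
            findings["review_overdue"].append(acct.name)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample inventory; names and dates are illustrative only.
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("svc-backup", True, True, date(2020, 6, 30), date(2020, 5, 1)),
    PrivilegedAccount("da-legacy", False, False, None, None),
    PrivilegedAccount("ops-admin", True, True, None, date(2020, 3, 1)),
]

def review_sample():
    """Run the review against the constructed inventory as of 2020-05-21."""
    return review_privileged_accounts(SAMPLE_ACCOUNTS, date(2020, 5, 21))

if __name__ == "__main__":
    for finding, names in review_sample().items():
        print(f"{finding}: {names}")
```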
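For the egress filtering and traffic baselining advice in the third item, here is an added Python example (not the author's code) that builds a per-host baseline of outbound (protocol, port) pairs from constructed flow records and then flags later flows that either violate an assumed egress-filter policy or are new for that host; the flow tuples, address ranges, and allow-list are all assumptions.

```python
"""Baseline egress flows per internal host and flag deviations.

Flow records are constructed (src_ip, dst_ip, dst_port, proto) tuples; only
flows leaving RFC 1918 space count as egress. EGRESS_ALLOW is an assumed policy.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_ALLOW = {("tcp", 443), ("udp", 53)}  # assumed egress-filter policy

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def is_egress(src, dst):
    """True when an internal source talks to a non-internal destination."""
    return is_internal(src) and not is_internal(dst)

def build_baseline(flows):
    """Map each internal source to the (proto, dst_port) pairs it has used."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        if is_egress(src, dst):
            baseline[src].add((proto, port))
    return dict(baseline)

def find_anomalies(baseline, flows):
    """Return egress flows that break policy or are new for their source."""
    anomalies = []
    for src, dst, port, proto in flows:
        if not is_egress(src, dst):
            continue  # east-west traffic is out of scope for egress filtering
        key = (proto, port)
        if key not in EGRESS_ALLOW:
            anomalies.append(("policy_violation", src, dst, port, proto))
        elif key not in baseline.get(src, set()):
            anomalies.append(("new_for_host", src, dst, port, proto))
    return anomalies

# Constructed flows; external hosts use RFC 5737 documentation addresses.
BASELINE_FLOWS = [("10.1.2.3", "203.0.113.10", 443, "tcp"),
                  ("10.1.2.3", "10.1.0.53", 53, "udp"),  # internal DNS, not egress
                  ("10.1.2.9", "203.0.113.10", 443, "tcp")]
NEW_FLOWS = [("10.1.2.3", "203.0.113.10", 443, "tcp"),  # seen before
             ("10.1.2.3", "198.51.100.7", 4444, "tcp"),  # port not allowed
             ("10.1.2.9", "198.51.100.7", 53, "udp")]  # allowed, but new for host

if __name__ == "__main__":
    print(find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS))
```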
Attackers are always trying to make their tools better, leveraging automation, machine learning, and artificial intelligence to give them an advantage. It used to be the case that if they ‘twisted the handle and found it locked,’ they might move on to other targets. These days, the tools automate complex scanning, assessment, and initial attacks, so that the attacker is presented with only those opportunities that have a higher likelihood of paying off.
To defend against these adversaries, security leaders should develop a more proactive approach. The suggestions in this list are meant to be a starting point. The main message is that building great security requires having the right mindset and the willingness to continuously improve. Adopt an Agile approach: start small; prioritize; implement changes quickly; measure the results; start again. After doing this for several months, your security program will show measurable improvements.
The practitioners at Arbala Security have performed hundreds of assessments like these, and helped our customers strengthen programs just like yours. Our mission is to help leaders build great security. If you’d like more information or a free high-level assessment of your current security program, please contact us: firstname.lastname@example.org.
Cost of a data breach study. (2018). Retrieved May 21, 2020, from https://www.ibm.com/security/data-breach