The reality of cybersecurity today is that everyone is constantly bombarded with automated attacks of various types, each looking for network vulnerabilities. It seems to be only a matter of time until an organization is compromised. The challenge is no longer stopping the compromise but rather how quickly and how capably an organization can notice the compromise and then respond effectively.
Threat actors or hackers are focusing on three primary methods of getting a foothold in an enterprise:
Of those three, the vast majority of the breach causes are human error. Once the threat actor gains a foothold in an organization, they have two goals: gain access to as much data as possible and to go unnoticed for as long as possible.
A repeatable model for assessing and addressing important areas of security risk. We have a security assessment scorecard that can be used with most common industry frameworks. Outputs include a security operations remediation roadmap (or plan) that covers breach prevention, detection, treatment and response.
The Anatomy of an Attack
To protect themselves, enterprises need to develop capabilities that detect when a system has been compromised and then respond accordingly with a treatment plan. In order to do this, a high-level understanding of the techniques that adversaries are using to gain and escalate access to your organization is needed.
A hacker’s first step is to gain initial access to the organization. This is commonly done through phishing and other social engineering techniques that trick users into giving the hacker basic access to a system. The hacker will typically attempt to remain unnoticed by keeping the compromise only in the memory of the system, so that Antivirus (AV) and Endpoint Detection and Response (EDR) systems will not notice it. The hacker may use further social engineering to determine the specific AV and EDR products your organization is using, and then customize their payloads and techniques to avoid detection.
The next step for the hacker is to establish local persistence of the compromise, usually by escalating local privileges on the compromised system and deploying a Remote Access Trojan (RAT) onto it. They now have a solid foothold in your organization from which to escalate access to the organization’s data. The threat actor will look to move laterally within the organization, looking for data and information to further escalate their access to systems and files. They’ll continue to use social engineering, take advantage of unpatched systems, and exploit trust-chain issues within systems. A chain of trust is a mechanism for ensuring that system components cannot be modified easily; if a component in that chain contains a bug, hackers can exploit it to cause the execution of untrusted code or scripts.
While They Are There
As the threat actor moves laterally within the organization and gains escalated privileges and access to data, they begin to exfiltrate data offsite for further analysis, keeping their backdoor open so they can go back for more. Data is often encrypted and compressed (zipped) before being sent offsite to avoid detection.
They will analyze the data looking to further escalate their privileges, often by finding passwords embedded in code, files, databases, and even offsite systems. Hackers will often find reused usernames and passwords in test systems or cloud-based systems that allow them to gain even more access. Ordinary on-premises users are often administrators of cloud-based systems.
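The embedded and reused passwords described above are something a defender can look for before an intruder does. The following is an added example, not code from the original article or from the firm behind it: a small scanner that runs a few credential patterns over file contents and then reports any secret value that appears in more than one file. The file names, their contents and the secret values are all constructed for the example, and the patterns are deliberately simple illustrations rather than a complete secret-detection ruleset.

```python
"""Find embedded credentials in text files and flag values reused across files (added example)."""
import re
from collections import defaultdict

# Constructed sample files; none of these paths or values are real secrets.
FILES = {
    "app/settings.py": 'DB_PASSWORD = "Winter2024!"\nDEBUG = False\n',
    "test/seed_db.sh": (
        'mysql -u app -p"Winter2024!" -h test-db.internal < seed.sql\n'
        "export DATABASE_URL=postgres://app:Winter2024!@test-db.internal/app\n"
    ),
    "deploy/cloud.env": "CLOUD_API_TOKEN=tok_example_0000000001\nadmin_password: Winter2024!\n",
    "README.md": "Set DB_PASSWORD via the secret manager; never commit it.\n",
}

# Each pattern captures the candidate secret in group 1. Values shorter than six
# characters are ignored to cut down on noise from placeholders such as "xxx".
PATTERNS = {
    # NAME = "value" / name: value, where NAME contains password/secret/token
    "assignment": re.compile(
        r"\w*(?:password|passwd|pwd|secret|token)\w*\s*[:=]\s*[\"']?([^\"'\s]{6,})", re.I
    ),
    # command-line flags such as -pSECRET or --password SECRET
    "cli-flag": re.compile(r"(?:-p|--password[= ])[\"']?([^\"'\s]{6,})"),
    # user:password@host inside a connection URL
    "url-userinfo": re.compile(r"://[^/\s:@]+:([^@\s]+)@"),
}


def scan(files):
    """Return one (path, line_no, kind, secret) tuple per embedded credential found."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append((path, line_no, kind, match.group(1)))
    return findings


def reuse_report(findings):
    """Map each secret value seen in more than one file to the sorted list of those files."""
    files_by_secret = defaultdict(set)
    for path, _, _, secret in findings:
        files_by_secret[secret].add(path)
    return {s: sorted(p) for s, p in files_by_secret.items() if len(p) > 1}


if __name__ == "__main__":
    found = scan(FILES)
    for path, line_no, kind, secret in found:
        # Print only a hint of the value so the report itself does not leak the secret.
        print(f"{path}:{line_no} [{kind}] {secret[:2]}***")
    for secret, paths in reuse_report(found).items():
        print(f"reused across {len(paths)} files: {secret[:2]}*** -> {', '.join(paths)}")
```

The reuse report is the part that matters for the lateral-movement scenario in the text: a password that appears in a production config, a test script and a cloud deployment file is one credential guarding three systems, and finding that overlap yourself is cheaper than having it found for you.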
Threat actors don’t necessarily have a plan or a specific target. They’re opportunistic and take advantage of the information that they glean from the “low-hanging fruit” available and use it to exploit an organization for profit.
How to Respond?
The challenge for organizations is to first notice that there is something unusual happening, discern if it’s a compromise, and then find a way to stop it as soon as possible. This requires a layered approach to security that is overlapping, holistic and uses both tools and processes.
There are no silver bullets!
However, there are some common capabilities that organizations can develop to enable detection and treatment, including:
Security awareness training for users enables early reporting when a mistake has been made.
Enable log monitoring on systems and software (especially cloud systems) and develop alerts and reports to identify atypical behavior. Have someone responsible for reviewing them regularly.
Reduce the attack surface of internal and external systems by patching systems and disabling unnecessary services. This makes the hacker’s job harder.
Enable multi-factor authentication on all externally facing and cloud systems to make escalating privileges and lateral movement more difficult.
Develop response and treatment plans for common security issues such as corporate workstation and laptop compromises.
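The log monitoring capability above is easiest to picture with a concrete rule set. This is an added example, not code from the original article or from the firm behind it: it parses a handful of constructed authentication and proxy log lines (the hosts, users, addresses and timestamps are all made up) and runs three small rules that correspond to behaviour described earlier in the article, namely repeated failed logins followed by a success, a large compressed archive leaving the network, and a successful login outside business hours. The log format, the internal address ranges and the thresholds are assumptions chosen for the example; a real deployment would use the organization’s own log schema and tune the numbers.

```python
"""Three log-monitoring rules over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs in an assumed "timestamp kind key=value ..." format; not real data.
AUTH_LOG = """\
2024-03-05T02:14:01 auth host=fs01 user=jsmith src=203.0.113.7 result=FAIL
2024-03-05T02:14:03 auth host=fs01 user=jsmith src=203.0.113.7 result=FAIL
2024-03-05T02:14:05 auth host=fs01 user=jsmith src=203.0.113.7 result=FAIL
2024-03-05T02:14:06 auth host=fs01 user=jsmith src=203.0.113.7 result=FAIL
2024-03-05T02:14:09 auth host=fs01 user=jsmith src=203.0.113.7 result=OK
2024-03-05T09:01:00 auth host=fs01 user=akhan src=10.0.4.22 result=OK
"""
PROXY_LOG = """\
2024-03-05T02:31:40 proxy src=10.0.4.22 dst=198.51.100.9 bytes_out=734003200 file=q1-reports.zip
2024-03-05T09:05:12 proxy src=10.0.4.22 dst=10.0.9.5 bytes_out=512000000 file=backup.tar.gz
2024-03-05T09:07:30 proxy src=10.0.4.31 dst=198.51.100.20 bytes_out=40960 file=index.html
"""

# Assumed internal address space; anything outside it counts as "offsite".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar.gz")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|proxy) (?P<rest>.*)$")


def parse(text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
        ev.update(kv.split("=", 1) for kv in m["rest"].split())
        events.append(ev)
    return events


def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a (src, user) pair logs in after at least `threshold` failures within `window`."""
    alerts, recent_failures = [], defaultdict(list)
    for ev in events:  # events must be in time order
        if ev["kind"] != "auth":
            continue
        key = (ev["src"], ev["user"])
        fails = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
        elif len(fails) >= threshold:
            alerts.append(f"password guessing then success: user={ev['user']} src={ev['src']} failures={len(fails)}")
        recent_failures[key] = fails
    return alerts


def bulk_archive_egress(events, min_bytes=100 * 1024 * 1024):
    """Alert on large outbound transfers of compressed archives to addresses outside INTERNAL_NETS."""
    alerts = []
    for ev in events:
        if ev["kind"] != "proxy":
            continue
        dst = ip_address(ev["dst"])
        external = not any(dst in net for net in INTERNAL_NETS)
        if external and int(ev["bytes_out"]) >= min_bytes and ev["file"].endswith(ARCHIVE_SUFFIXES):
            alerts.append(f"bulk archive egress: src={ev['src']} dst={ev['dst']} file={ev['file']} bytes={ev['bytes_out']}")
    return alerts


def off_hours_login(events, start_hour=7, end_hour=19):
    """Alert on successful logins outside the assumed business hours [start_hour, end_hour)."""
    return [
        f"off-hours login: user={ev['user']} src={ev['src']} at {ev['ts'].isoformat()}"
        for ev in events
        if ev["kind"] == "auth" and ev["result"] == "OK" and not start_hour <= ev["ts"].hour < end_hour
    ]


def run_rules(*logs):
    """Merge all logs into one time-ordered stream and run every rule over it."""
    events = sorted((ev for log in logs for ev in parse(log)), key=lambda e: e["ts"])
    return failed_then_success(events) + bulk_archive_egress(events) + off_hours_login(events)


if __name__ == "__main__":
    for alert in run_rules(AUTH_LOG, PROXY_LOG):
        print("ALERT", alert)
```

Each rule is a plain function over the event stream, so adding a rule or changing a threshold does not touch the parser, and the same rules can be run as a scheduled report for the person the article says should be reviewing these logs regularly.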
Having a static defensive security posture is deficient – breach prevention by itself isn’t enough. Organizations of all sizes must have the capabilities to detect compromises, react, and treat them effectively.
Cybercriminals use your employees as the weak link to gain access to your systems. Well-developed security awareness training can reduce an organization’s vulnerability to cybercrime by 75% in the short term, with further improvement within the first year.
Information Security and Operations Scorecard
This security assessment is an in-depth review of 198 security controls. The assessment can be adapted to align with the most common security frameworks (ISO 27001/2, GDPR, NIST 800-53, NIST 800-171, PCI DSS, COBIT, PIPEDA, HIPAA, or the Canadian Baseline Cyber Security Controls).