Are British businesses able to respond to a growing threat of cyberattacks?
Cyber-attacks against businesses have been on the rise for years, and geo-political events can heavily influence and accelerate this trend. As this article from the BBC has highlighted, both state actors and criminals use cyber-attacks to disrupt and destabilize their targets, and that includes businesses. Increasingly, business-critical systems are the target of these attacks.
So, knowing that the threat is growing, what should you be doing to protect yourself and your business? It helps to think like the attacker: if you understand the stages an attack moves through, you can prepare your organization to defend, detect and respond at each of them…
Defend the perimeter
The first part of any attack pattern is discovery: the attacker must identify a target and find weaknesses that can be exploited. This may be a technical vulnerability, such as we saw recently with the Log4j vulnerability (Log4Shell), or the attacker may choose to direct attacks against an organization’s people to distribute malware, commit fraud, exfiltrate data or gain access to systems.
Vulnerability management is key to defending against this first part of the problem. Many organizations still treat vulnerability management as patch management: making sure anti-malware protections are current and endpoints are patched against known exploits. This is a good start, but a vulnerability is not only a missing patch; misconfigurations, unnecessarily exposed services, default or weak credentials and excessive permissions are just as attractive to an attacker. So attention should be paid to several facets. First, do you know your estate: which endpoints or networks are most critical, and which are most exposed to the internet? Is hardware and software up to date and still supported by the vendor? Are you allow-listing applications and network access appropriately? Do you manage access appropriately, including privileged access? Are the users of key systems trained to defend the organization against an attack? Knowing yourself is the first part of the battle.
Once you know your estate, test your protection with penetration testing of business-critical systems (including controlled exploitation of identified vulnerabilities where it is safe to do so), or by testing the people and processes around those key systems. If you have them, involve your XDR and SIEM/SOAR capabilities and processes in the exercise rather than testing in isolation. This gives you two things: some assurance that a compromise is less likely, and evidence of whether your ability to detect attacks is where it should be. If your XDR and SIEM/SOAR teams flag your simulated attacks as suspicious, that is a very good sign, as they will likely spot genuine ones too. If they do not, that is a finding in its own right and should be fed back into detection tuning.
Combine this internal knowledge of your estate with an understanding of the techniques attackers use. Conduct threat intelligence to understand not only your weak spots, but also the people who are likely to target you and the mechanisms they employ to deliver their attacks.
Enable your People as Defenders
In conjunction with managing the technical vulnerabilities, you must make sure your people are educated in the tools and techniques used to gain access to the organization. A strong security awareness culture reduces the success rate of the most common initial-access method, phishing and other social engineering, and so provides much greater protection for your critical systems.
Again, test this protection with internal phishing simulations or attempted fraud scenarios, and don’t ignore the social engineering factors at play, such as pressure, urgency and impersonation of senior staff. Your people must know how to protect themselves online and how to report something suspicious without fear of blame. Don’t ignore your third-party suppliers either: make sure they have similar protections in place and enrol them into your operational security, since an attacker will happily come in through a trusted supplier’s access.
Reduce the Attack Surface – protect yourself
Having identified a vulnerability, the next step for an attacker is to exploit it.
While network-level defences such as firewalling and allow-listing of key systems play an important part in protecting your critical business systems, privileged access is often overlooked. If an administrative or super-user account is compromised, you’ve handed over the keys to the safe. Make sure you understand who has privileged access to your systems and data, including access inherited through nested groups and held by service accounts, secure those privileged accounts, and ensure that your users are strongly identified and authenticated.
Enforce MFA, especially on privileged and remote access, and have protections in place that alert on suspicious behaviour such as logons at unusual times, from unusual locations or to systems a user never normally touches. Limit what users can do within your key systems, so that a stolen credential on its own yields little, and segment your networks to limit lateral movement and reduce the attack surface.
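The point about understanding who really holds privileged access is worth making concrete, because group nesting hides it: a helpdesk lead who sits in a group that sits in a group that is a member of the domain administrators has effective domain-admin rights, whether or not anyone intended it. The following is an added example, not code from the original article or from Turnkey; it walks a constructed group graph to resolve effective membership of a privileged group and then applies simple hygiene checks (no MFA, dormant, service account holding interactive privilege). The directory export, its field names and the 90-day dormancy threshold are all assumptions made for illustration.

```python
# Added example: resolve nested group membership to find who effectively
# holds privileged access, then flag accounts that lack MFA or are dormant.
# The directory data below is constructed for illustration; the field names
# ("mfa_enrolled", "last_logon_days", "is_service") are assumptions, not any
# vendor's schema.
from collections import deque

# Constructed group graph: group -> direct members (users or other groups).
GROUPS = {
    "Domain Admins":   {"alice", "Tier0 Operators"},
    "Tier0 Operators": {"bob", "svc-backup", "Helpdesk Leads"},
    "Helpdesk Leads":  {"carol"},
    "Helpdesk":        {"dave", "Helpdesk Leads"},
    "Finance":         {"erin"},
}
PRIVILEGED_GROUPS = {"Domain Admins"}

# Constructed user attributes as a directory export might provide them.
USERS = {
    "alice":      {"mfa_enrolled": True,  "last_logon_days": 2,   "is_service": False},
    "bob":        {"mfa_enrolled": False, "last_logon_days": 5,   "is_service": False},
    "carol":      {"mfa_enrolled": True,  "last_logon_days": 140, "is_service": False},
    "dave":       {"mfa_enrolled": False, "last_logon_days": 1,   "is_service": False},
    "erin":       {"mfa_enrolled": True,  "last_logon_days": 3,   "is_service": False},
    "svc-backup": {"mfa_enrolled": False, "last_logon_days": 0,   "is_service": True},
}


def effective_members(group, groups=GROUPS):
    """Return every user who is a member of `group` directly or through any
    chain of nested groups (breadth-first walk; membership cycles are tolerated)."""
    users, seen, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, ()):
            if member in groups:      # nested group: keep walking
                queue.append(member)
            else:                     # leaf: a user account
                users.add(member)
    return users


def review_privileged_access(groups=GROUPS, users=USERS,
                             privileged=PRIVILEGED_GROUPS, dormant_days=90):
    """Map each effectively privileged user to the findings a reviewer should act on.
    An empty list means the account passed every check."""
    findings = {}
    for grp in privileged:
        for user in effective_members(grp, groups):
            attrs = users[user]
            issues = []
            if not attrs["mfa_enrolled"]:
                issues.append("no MFA")
            if attrs["last_logon_days"] > dormant_days:
                issues.append("dormant")
            if attrs["is_service"]:
                issues.append("service account in privileged group")
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in sorted(review_privileged_access().items()):
        print(f"{user:12} {', '.join(issues) or 'ok'}")
```

Note that "carol" never appears in the privileged group's direct member list and would be missed by a review that only reads that list; "dave" is not flagged because Helpdesk is not itself nested under Domain Admins. In a real directory the same walk applies, but you would also resolve foreign-domain and local-group memberships, which this constructed data omits.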
Detect and respond to the attack
Attacks will still occur, and once inside, attackers spend time in the penetrated networks and systems working out what else they can reach; that dwell time is your opportunity to catch them. Detecting an attack may be as simple as seeing who’s bouncing off the network perimeter, or it may be indicated by suspicious patterns of behaviour within applications themselves: a burst of failed logons followed by a success, or one account logging on to many hosts in a few minutes.
Ensure you have robust mechanisms in place to detect these attack patterns and, importantly, have the processes and technology in place to respond to them in a timely fashion. Use your incident management processes to ensure defenders can respond to attacks, and enable them with SIEM/SOAR tooling so they are looking in the right place and can act on what they find.
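To show what "suspicious patterns of behaviour" looks like once it is written down as a rule, here is an added example (not from the original article, not Turnkey’s tooling) that runs two simple detections over constructed authentication events: a brute-force or password-guessing pattern (many failures from one source followed by a success) and a lateral-movement pattern (one account logging on to several distinct hosts in a short window). The log format, the thresholds and the windows are assumptions chosen for the example; real SIEM rules parse the vendor’s own schema and are tuned with far more context.

```python
# Added example: two simple detections over constructed authentication events.
# The log format below is invented for this example; thresholds and windows
# are assumptions and would be tuned per environment.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, host, outcome, user, source IP.
LOG = """\
2024-03-01T09:00:01 fs01 FAIL  user=jsmith src=203.0.113.7
2024-03-01T09:00:03 fs01 FAIL  user=jsmith src=203.0.113.7
2024-03-01T09:00:05 fs01 FAIL  user=jsmith src=203.0.113.7
2024-03-01T09:00:06 fs01 FAIL  user=jsmith src=203.0.113.7
2024-03-01T09:00:09 fs01 FAIL  user=jsmith src=203.0.113.7
2024-03-01T09:00:12 fs01 OK    user=jsmith src=203.0.113.7
2024-03-01T09:05:00 ws17 OK    user=mjones src=10.0.4.21
2024-03-01T09:05:40 ws22 OK    user=mjones src=10.0.4.21
2024-03-01T09:06:10 db01 OK    user=mjones src=10.0.4.21
2024-03-01T09:06:55 dc01 OK    user=mjones src=10.0.4.21
2024-03-01T10:30:00 ws03 FAIL  user=erin src=10.0.4.30
2024-03-01T10:30:20 ws03 OK    user=erin src=10.0.4.30
"""

LINE = re.compile(r"^(\S+) (\S+) (OK|FAIL)\s+user=(\S+) src=(\S+)$")


def parse(text):
    """Yield (timestamp, host, ok, user, src) tuples, skipping unparseable lines."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, host, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), host, outcome == "OK", user, src


def detect_brute_force(events, min_failures=5, window=timedelta(minutes=5)):
    """Flag a source IP that fails at least `min_failures` times within `window`
    and then logs on successfully: the classic guess-then-win pattern."""
    failures = defaultdict(list)      # src -> timestamps of recent failures
    alerts = []
    for ts, host, ok, user, src in events:
        recent = [t for t in failures[src] if ts - t <= window]
        if ok:
            if len(recent) >= min_failures:
                alerts.append(("brute_force_success", src, user, host))
            failures[src] = []        # a success resets the counter
        else:
            recent.append(ts)
            failures[src] = recent
    return alerts


def detect_lateral_movement(events, min_hosts=4, window=timedelta(minutes=10)):
    """Flag an account that logs on successfully to `min_hosts` distinct hosts
    within `window`; an attacker touring the network after a foothold looks like this."""
    logons = defaultdict(list)        # user -> [(ts, host)] within the window
    alerts, already = [], set()
    for ts, host, ok, user, src in events:
        if not ok:
            continue
        logons[user] = [(t, h) for t, h in logons[user] if ts - t <= window] + [(ts, host)]
        hosts = {h for _, h in logons[user]}
        if len(hosts) >= min_hosts and user not in already:
            already.add(user)         # one alert per user, not one per extra host
            alerts.append(("lateral_movement", user, tuple(sorted(hosts))))
    return alerts


def run_detections(text=LOG):
    """Parse the log once and return the alerts from both rules, in order."""
    events = list(parse(text))
    return detect_brute_force(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

In the constructed data, "erin" fails once and then succeeds, which is normal user behaviour and is correctly not flagged; the value of the rule is the combination of a failure burst with a subsequent success, not failures alone. This is also exactly the kind of rule a simulated attack from the penetration test described earlier should trigger, so the two activities validate each other.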
Ensure you can recover
Once they’re in, the attacker is looking to disrupt the business by several means: for example, deploying ransomware, convincing internal people to commit fraud, stealing your data, or shutting down key systems.
If the worst happens and the attacker does succeed in their objectives, you must have strong procedures in place to minimize the disruption this causes. Do you have disaster recovery (DR) plans in place, and mitigation strategies to limit the damage that can be done? Have those plans actually been exercised, and are your backups kept where a ransomware operator with administrative access cannot encrypt or delete them?
This can feel like a very large problem to solve. There are many different tactics and techniques to balance in an effective defensive strategy, particularly when the urgency increases and senior leadership demands to see action being taken.
Turnkey is very experienced in providing pragmatic yet robust responses to these types of challenges, so please do get in touch and talk to us to understand how we might be an extra option to improve your cyber defenses.