Page 25 - Security Today, August 2017

employees to spot phishing emails when they hit their inboxes. Often, there are telltale signs—misspellings, requests for the recipient to do something out of the norm, etc.—but sometimes there are not. In targeted attacks, spear-phishing emails can be even more sneaky than most. It is common for advanced threat groups to perform extensive reconnaissance on their targets before launching an attack, allowing them to create convincing emails that take into account details such as the recipient’s job duties and what IT assets and data they have access to. With that kind of information at an attacker’s disposal, it is likely that someone in the organization will fall victim, making anti-phishing technologies like email filtering critical.
Phishing can often lead to credential theft. Once a phisher has a victim’s username, password or authentication information, they can abuse it to gain access to an account, service or network and take other actions—including data theft. In one incident noted in the report, a threat actor compromised a third-party organization providing help desk services to its true target. After compromising the third-party environment, the threat actor accessed their actual target. Once inside, the adversary gained access to administrator accounts, used them to access Citrix servers, and stole credentials from those servers for other systems. Protecting user credentials and enforcing best practices in regards to passwords/passphrases is a critical part of security. Another critical part is controlling user access and privileges. To prevent potential abuse by attackers or insider threats, user privileges should be limited to the lowest level necessary—a strategy that could cause culture clashes between the organization and users accustomed to not being limited, but also one that could impair an attack from spreading if a machine is compromised.
Strategic web compromises involve attackers infecting legitimate websites their targets are likely to visit in hopes of infecting their computers when they do. These types of drive-by download attacks are particularly sneaky because they take advantage of the trust the visitor has in the site. Although they sometimes use zero-days, the vulnerabilities are likely known issues the attacker is hoping the target has not yet patched. As a result, protecting against these types of attacks starts with an effective patch management strategy that identifies the vulnerabilities affecting your IT environment and rolls out the appropriate updates as promptly as possible.
Organizations should scan their networks and develop an inventory of their software and devices, then prioritize their patching according to the risk of an attack and the damage it could do if successful. In addition, vulnerability management extends to weaving security into the app development process and ensuring the safety of non-commodity code developed internally or by a third-party partner.
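As an added illustration of the risk-based prioritization described above (this is example code written for this page, not code from the article or from the SecureWorks report), the following Python ranks a constructed software inventory by a simple score: the worst known CVSS base score for the installed software, raised for Internet exposure and for vulnerabilities known to be exploited, multiplied by an asset criticality rating. Assets with a known vulnerability but no vendor patch are separated out so they can receive compensating controls instead of waiting in the patch queue. The weights, the 1-to-5 criticality scale, and all hostnames and scores in the sample inventory are assumptions made for the example.

```python
"""Risk-based patch prioritization over a constructed asset inventory.

Added example for illustration only. The scoring weights, criticality scale,
and sample inventory below are assumptions, not values from any report.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    hostname: str
    software: str
    internet_facing: bool
    criticality: int            # assumed scale: 1 (low) to 5 (business-critical)
    cvss: Optional[float]       # worst known CVSS base score for the installed version, None if none known
    exploited_in_wild: bool = False
    patch_available: bool = False


# Constructed sample inventory: hostnames, software and scores are made up.
INVENTORY: List[Asset] = [
    Asset("web-01", "Web server", True, 3, 9.8, exploited_in_wild=True, patch_available=True),
    Asset("db-01", "Database", False, 5, 7.5, patch_available=True),
    Asset("hr-laptop-17", "Office suite", False, 2, 8.8, exploited_in_wild=True, patch_available=True),
    Asset("kiosk-03", "Kiosk browser", True, 1, 6.0, patch_available=False),
    Asset("build-01", "CI agent", False, 4, None),
]


def risk_score(asset: Asset) -> float:
    """Likelihood (severity, exposure, active exploitation) times impact (criticality).

    Assets with no known vulnerability score 0 and drop out of the queue.
    The multipliers are assumed weights chosen for the example.
    """
    if asset.cvss is None:
        return 0.0
    likelihood = asset.cvss
    if asset.internet_facing:
        likelihood *= 1.5       # reachable by the Internet-wide scanning the article describes
    if asset.exploited_in_wild:
        likelihood *= 2.0       # attackers are already using it; patch window is effectively closed
    return round(likelihood * asset.criticality, 1)


def prioritize(inventory: List[Asset]) -> Tuple[List[Tuple[str, float]], List[Tuple[str, float]]]:
    """Return (patch_now, mitigate): both ordered by descending risk score.

    patch_now holds vulnerable assets with a vendor fix available.
    mitigate holds vulnerable assets with no fix yet, which need compensating
    controls (network restriction, monitoring) rather than a patch ticket.
    """
    scored = [(asset, risk_score(asset)) for asset in inventory]
    vulnerable = [(asset, score) for asset, score in scored if score > 0]
    vulnerable.sort(key=lambda pair: pair[1], reverse=True)
    patch_now = [(asset.hostname, score) for asset, score in vulnerable if asset.patch_available]
    mitigate = [(asset.hostname, score) for asset, score in vulnerable if not asset.patch_available]
    return patch_now, mitigate


if __name__ == "__main__":
    queue, holds = prioritize(INVENTORY)
    print("Patch in this order:")
    for host, score in queue:
        print(f"  {host:<14} risk={score}")
    print("No patch available, apply compensating controls:")
    for host, score in holds:
        print(f"  {host:<14} risk={score}")
```

The ordering matters more than the absolute numbers: an Internet-facing server with an actively exploited flaw outranks a more critical but internal database, which matches the article's point that high-volume scanning of Internet-facing systems is how attackers commonly find their way in.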
Of course, corporate security teams are hardly the only ones doing vulnerability scans. In the case of the recent WannaCry ransomware attacks for example, the threat actors scanned Internet IP addresses for machines vulnerable to a Microsoft Windows vulnerability. This type of high-volume scanning of Internet-facing systems is a common way for threat actors to find systems they can exploit, and as noted above, was observed in nearly a quarter of the incidents examined in the report. One of the reasons the ransomware spread so quickly was that many organizations did not promptly apply Microsoft’s update despite it having been available since March. Buying the latest technology will not solve the problem posed by an unsecure Web server left accessible via the Internet.
Building a Solid Base
The bottom line is that organizations need to take a risk-based approach to security that goes beyond regulatory compliance. Our Threat Insights Report outlines a number of recommendations.
Understand the extended enterprise.
Take a data-centric approach. Define your key assets, know where they reside and who has access to them, including third parties.
Increase visibility. By collecting and monitoring security events, you will be able to reduce the time it takes to detect and respond to incidents as well as identify trends within the infrastructure. At a minimum, maintain logs on the following systems for 13 months: firewall, IDS/IPS, DNS, VPN, Active Directory, Web Services and critical servers and systems.
Build a culture of security. Everyone within the organization must take responsibility for protecting information. This involves getting buy-in from C-level leaders as well as other parts of the business outside IT in order to sell the importance of smart security behaviors.
Train your users. Employees unfortunately remain the weakest link. Phishing and social engineering remain popular for attackers seeking to infect enterprises and SMBs alike. Training employees to spot suspicious behavior can significantly improve your ability to block malicious activity.
Too often, the answer for these challenges is to buy the latest technology. However, to truly improve their security, chief information security officers need to focus more on people and processes. One of the mistakes many CISOs make is to take a compliance-first approach to security. Taking that type of checkbox approach does not best serve the organization. When it comes to cybersecurity, compliance should be thought of as a floor as opposed to a ceiling. For example, SecureWorks has talked to security teams at financial institutions who spent as much as 40 percent of their time on compliance initiatives rather than security initiatives that matter to their organizations. Ironically, putting a strong emphasis on security will address most compliance requirements.
Cybersecurity is not a problem that can be solved with technology alone. Developing an effective security strategy means understanding your needs, where your critical data and assets are, and what the risk levels are to that information and those devices. It means training employees, building an effective patch management program, and operationalizing threat intelligence to harden your defenses. It means implementing strategies like strong passwords and multi-factor authentication to control access to critical systems. Whether sophisticated attackers are at your doorstep or not, it won’t take any sophistication to break in if the door is unlocked.
Jeffrey Carpenter is the senior director of threat intelligence and incident response consulting at SecureWorks.