Neil Wyler at RSA Security argues that organisations need to take a proactive approach to understand their attackers, assuming they have been breached and dedicating time to hunting for threats.
Remote working has turned IT landscapes into the wild west. As IT infrastructure is continuously being adjusted to meet changing requirements, every new VPN connection, cloud-based platform and virtual conferencing tool is widening the attack surface.
Just as in the old west, a battle for this unsecured ground is taking place. While organisations try to secure new infrastructure and manage risk in process changes, hackers are trying to take advantage, targeting organisations while employees and security teams are adjusting. Currently, attackers seem to have gained the upper hand. Interpol noted a dramatic rise in cyber-attacks since the pandemic, yet more than 48 per cent of UK companies still do not have adequate cybersecurity to protect users working from home.
As the fight to secure the new remote working landscape continues, organisations need to take a more proactive approach to security. This means spending less time relying on alerts to highlight suspicious activity and more time actively hunting for threats to protect new infrastructure and gain the upper hand.
Tactics of the new battlefield
Cyber criminals have been using the same techniques as before, such as ransomware and phishing attacks, but have seen increased success from targeting employees who are adjusting to new processes. The attackers know new services are being implemented, and that Kevin can’t walk down the hall to ask if accounting really did send him that email. This means techniques like directing employees to spoofed sites and asking them to enter their login details are more likely to succeed, giving hackers the perfect entry point to hijack their devices and lock them out of their files.
Arguably, some of the high-profile phishing attacks of this year succeeded due to this uncertainty. This includes the Twitter breach, in which a targeted social engineering campaign tricked employees and used their stolen credentials to gain access to internal systems. The real change is found in where the attacks are happening, as many employees are using personal phones and computers at home, connecting into the business via a VPN.
This has opened the floodgates for security teams, who face a huge number of new ingress and egress points to the network. These entry points are not owned by the company, have unknown software installed on them, and sit outside of the organisation’s perimeter, away from its firewalls and on-site protections. This creates all the security risks of a Bring Your Own Device (BYOD) setup – such as data leakage, malicious applications, and risky user behaviour – but on a scale that organisations have never dealt with before.
What’s more, breaches are harder to detect if they do happen. When everything is out of the ordinary, it makes it very difficult to realise when an attacker has been successful. In the past, a common sign of an attack could have been a user logging in from a new location, or attempting to access files remotely, but now this activity is simply business as usual.
The influx of unknown devices and the rising success rate of phishing scams has fundamentally disrupted the way security teams can detect threats. In the past, teams would often discover indicators of compromise by focusing on single pieces of high-fidelity data, such as a file hash, IP address or hostname. However, this information has lost a lot of its value, as solutions trained to flag suspicious activity are lighting up, overloading security teams with false alerts because every user is acting unusually. The baseline for “normal” behaviour used to spot anomalies is no longer relevant in a landscape where remote workers don’t follow these patterns, leaving security teams walking blind.
Become a bounty hunter
To take out the most dangerous bad guys in the chaotic wild west, you needed a specialist who understood them – a bounty hunter who would track them down by studying their known behaviours. Security teams should take note and shift their tactics, focusing on going out and actively hunting for threats. This means looking at the wider picture and analysing the Tactics, Techniques and Procedures (TTPs) used by attackers, as well as their motivations for targeting the organisation. You must assess what data is valuable, and to whom.
If you have a lot of financial data, it is likely to be a target for cybercriminal groups, whereas IP may be more appealing for nation state attackers. You should also examine the tools these groups use, how they conduct a campaign, and their typical attack methods. This is where the real intelligence comes in, and you can take steps to defend directly against their efforts. It’s not about unusual behaviour anymore; it’s about seeking out behaviour that you have never seen before and framing this against what is known about your pursuers.
By identifying relevant red flags in the places you would expect attackers to target, instead of just reviewing countless alerts without context, you will be more likely to spot something small – such as a misconfiguration in an at-risk area. By taking this approach, organisations can find potential weak spots in their infrastructure more quickly and start to limit the attack surface, reducing the dwell time of attacks and the amount of data that attackers will be able to exfiltrate.
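The contrast the article draws, between single-indicator matching, a location baseline that every remote worker now breaks, and a hunt framed around an attacker's known TTPs, can be made concrete over a handful of log events. The example below is added here and is not the article's or RSA Security's code; the telemetry, the baseline, the enrolled-device list and the IoC feed are all constructed, and the three detector functions are hypothetical illustrations of the three approaches, not any product's API. The TTP hunt encodes the credential-phishing playbook the article describes: a login from a device IT never enrolled, followed shortly by an external mail-forwarding rule or a bulk download.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Every user now works remotely,
# so logging in from a "new" country is the norm rather than the exception.
# Fields: timestamp, user, event, src_ip, country, device_id, detail
EVENTS = [
    ("2020-09-01T08:02:00", "alice", "login",     "203.0.113.10", "UK", "dev-a1", ""),
    ("2020-09-01T08:05:00", "alice", "download",  "203.0.113.10", "UK", "dev-a1", "3"),
    ("2020-09-01T08:10:00", "bob",   "login",     "198.51.100.7", "ES", "dev-b1", ""),
    ("2020-09-01T08:12:00", "bob",   "download",  "198.51.100.7", "ES", "dev-b1", "2"),
    ("2020-09-01T09:00:00", "kevin", "login",     "192.0.2.44",   "UK", "dev-k1", ""),
    ("2020-09-01T09:20:00", "kevin", "login",     "192.0.2.99",   "NL", "dev-x9", ""),
    ("2020-09-01T09:25:00", "kevin", "mail_rule", "192.0.2.99",   "NL", "dev-x9", "forward-to-external"),
    ("2020-09-01T09:40:00", "kevin", "download",  "192.0.2.99",   "NL", "dev-x9", "250"),
    ("2020-09-01T10:00:00", "dana",  "login",     "203.0.113.55", "FR", "dev-d1", ""),
]

# Pre-pandemic baseline (constructed): everyone used to log in from the UK office.
OFFICE_BASELINE = {"alice": {"UK"}, "bob": {"UK"}, "kevin": {"UK"}, "dana": {"UK"}}
# Devices enrolled by IT (constructed); dev-x9 is not one of them.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "kevin": {"dev-k1"}, "dana": {"dev-d1"}}
# An IoC feed (constructed): the IP the same group used in an earlier campaign.
KNOWN_BAD_IPS = {"192.0.2.200"}


def ioc_hits(events, bad_ips):
    """Classic single-indicator matching: flag any event from a known-bad IP.
    Misses the intrusion entirely once the attacker rotates infrastructure."""
    return [(user, ip) for _, user, _, ip, _, _, _ in events if ip in bad_ips]


def new_location_alerts(events, baseline):
    """Baseline anomaly detection: flag users logging in from a country outside
    their baseline. With everyone remote, this fires on most of the workforce."""
    flagged = set()
    for _, user, event, _, country, _, _ in events:
        if event == "login" and country not in baseline.get(user, set()):
            flagged.add(user)
    return sorted(flagged)


def hunt_ttp(events, known_devices, window_minutes=60, download_threshold=100):
    """TTP-driven hunt: a login from a device IT never enrolled, followed within
    `window_minutes` by a mailbox rule forwarding mail externally or a bulk
    download. Returns {user: [reasons]} for users matching the chain."""
    findings = defaultdict(list)
    anchor = {}  # user -> time of the most recent login from an unknown device
    for ts, user, event, _, _, device, detail in sorted(events):
        now = datetime.fromisoformat(ts)
        if event == "login" and device not in known_devices.get(user, set()):
            anchor[user] = now
            continue
        start = anchor.get(user)
        if start is None or now - start > timedelta(minutes=window_minutes):
            continue
        if event == "mail_rule" and "external" in detail:
            findings[user].append(f"mail_rule:{detail}")
        elif event == "download" and int(detail) >= download_threshold:
            findings[user].append(f"download:{detail}")
    return dict(findings)


if __name__ == "__main__":
    print("IoC hits:", ioc_hits(EVENTS, KNOWN_BAD_IPS))                        # []
    print("New-location alerts:", new_location_alerts(EVENTS, OFFICE_BASELINE))  # ['bob', 'dana', 'kevin']
    print("TTP hunt:", hunt_ttp(EVENTS, KNOWN_DEVICES))                        # only kevin
```

Run on the constructed data, the IoC feed returns nothing because the attacker's IP is new, the location baseline flags three of four users and tells the analyst nothing, and the TTP hunt surfaces only the one account whose activity follows the phishing playbook. The hunt's inputs (the enrolled-device list, the window, the download threshold) are exactly the kind of organisation-specific knowledge the article says a hunter should bring, and they do not change when the attacker swaps an IP or hash.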
Attack is the best form of defence
In the wake of mass remote working, organisations have made drastic changes to their IT policies, procedures and products, creating a wild west that needs to be secured. The battle for territory is not over yet, as new devices will continue to be added, new processes will create uncertainty and the traditional enterprise perimeter won’t be able to give users the protection they need.
Instead of relying on alerts to point to potential attacks, organisations need to take a proactive approach to understand their attackers, assuming they have been breached and dedicating time to hunting for threats. By thinking about how you are likely to be targeted and looking there for signs of a breach, organisations stand a better chance of managing digital risk at a time when they will continue to turn the dials on their IT infrastructure for the rest of the year, and the “new normal” is nowhere to be found.