Feb 10, 2022

3 Tips for Facing the Harsh Truths of Cybersecurity in 2022, Part I

Sonya Duffin, ransomware and data-protection expert at Veritas Technologies, shares three steps organizations can take today to reduce cyberattack fallout.
Be forewarned—I’m about to lay down some harsh truths here.
First, ransomware is prevalent, and there is no way to completely eliminate the threat.
Second, at this point, you should operate under the assumption that hackers are already in your systems or could easily access them at any moment. It should come as no surprise when I tell you that the sophisticated cybercriminals behind today’s ransomware threats have been consistently getting past even the best frontline security — and for a while now.

Third, cybercriminals may know your systems and infrastructure better than you do. Once in, their strategy is to lay low and remain hidden while they learn as much as they can. Then they strike at the optimal time to inflict as much damage as possible to ensure a hefty payday.
So now what?
The good news is that there are practices and technologies that can help you detect threats before the bad actors can take action. There are also strategies that you can use to reduce your attack surface while preventing large-scale disruption and disablement once they are inside your environment.
With that in mind, this two-part series will outline the top six steps you should take right away to ensure resiliency in the face of this ever-present threat. Let’s begin with the first three.
Attackers look for your weakest links and for the dark corners of your environment where security and oversight are limited. So it is vital to implement tools that provide full infrastructure awareness by shining a light on your dark data: the data you store but have not classified, indexed or even inventoried. According to the recently published Veritas Vulnerability Lag research, 35 percent of data is still dark. That is alarmingly high. Get to work on knowing what data you have and where it is, ASAP.
Important reminder: In addition to full visibility of everything in your environment, it is also vital to keep clear hard-copy documentation of the details of your environment, such as procedures and configurations, including IP addresses, credentials and the like, to aid recovery. Missing these details can keep you and your team from recovering quickly in the chaos of an attack, especially when the systems that normally hold them (wikis, password managers, ticketing tools) are themselves encrypted or offline. Store the documentation offline in a physically secured safe with controlled, logged access, and check and update it regularly so it matches what is actually deployed.
Implement tools that can provide you with detection of anomalous behaviors or activities associated with both data and user activity across your entire environment. It’s important that the detection capabilities can run autonomously, without the need for manual steps.
Alerting your teams to anything anomalous or out of the ordinary gives you the upper hand: a chance to act before the cybercriminals do, or before malicious code executes. Signals worth alerting on include unusual file-write activity (a burst of files being rewritten or renamed can indicate encryption in progress), known ransomware file extensions, abnormal file-access or network-traffic patterns, unexpected code downloads, unusual access requests, sudden storage-capacity surges, new paths for outbound traffic, or a jump in activity compared with an individual's typical pattern.
For example, in the infamous SolarWinds supply-chain compromise, the attackers inserted malicious code into a legitimate software update of SolarWinds' Orion platform, so that customers installing a routine update pulled a backdoor into a multitude of networks.
For more than nine months they roamed around high-profile and sensitive organizations, hiding in plain sight while learning their systems and gathering intelligence. Their mistake came when they started roaming around the cybersecurity company FireEye.
The security team at FireEye noticed suspicious activity: a second device had been registered for an employee's two-factor authentication. Finding it odd that an employee would enroll a second phone, they jumped into action and called the user. Surprise! That user had not registered the device and had no idea who did. Thanks to FireEye's vigilance in investigating out-of-the-ordinary activity, the broader intrusion came to light.
Important reminder: Conduct cyber-threat hunts regularly. Take it seriously and implement protocols for investigating anomalous behaviors. Hire a third-party agency to audit your strategy, check your work and find vulnerabilities.
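To make the detection advice above concrete, here is an added example (not code from the original article, nor a Veritas product feature) that runs several of the listed checks over a constructed activity log: renames to a known ransomware extension, a burst of file operations inside a sliding window, a user's daily volume far above their own baseline, and the FireEye-style signal of a second MFA device being enrolled for a user who already has one. The log format, the extension list, the user names and the thresholds are all assumptions chosen for the example.

```python
"""Toy anomaly detector over a constructed activity log (example code)."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative extensions associated with ransomware families; an assumption,
# not an authoritative list. A real deployment would use a maintained feed.
RANSOMWARE_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".lockbit", ".ryk"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str    # "write", "rename" or "mfa_enroll"
    target: str  # file path, or device identifier for mfa_enroll


def parse_line(line: str) -> Event:
    """Parse one 'timestamp|user|kind|target' line (a constructed format)."""
    ts, user, kind, target = line.strip().split("|", 3)
    return Event(datetime.fromisoformat(ts), user, kind, target)


def detect(events, baseline, known_mfa_devices,
           burst_window=timedelta(minutes=5), burst_threshold=20, jump_factor=5):
    """Return a list of (rule, user, detail) alerts, each rule at most once per user.

    baseline:          user -> typical number of file events per day
    known_mfa_devices: user -> set of device ids already enrolled for MFA
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps inside the burst window
    daily = defaultdict(int)     # user -> file events seen so far today
    flagged = set()              # (rule, user) pairs already alerted
    devices = {u: set(d) for u, d in known_mfa_devices.items()}

    def alert(rule, user, detail):
        if (rule, user) not in flagged:
            flagged.add((rule, user))
            alerts.append((rule, user, detail))

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_enroll":
            enrolled = devices.setdefault(ev.user, set())
            # A device the user did not already have: the FireEye signal
            if enrolled and ev.target not in enrolled:
                alert("mfa_second_device", ev.user, ev.target)
            enrolled.add(ev.target)
            continue

        # 1. Known ransomware extension on a written or renamed file
        if os.path.splitext(ev.target)[1].lower() in RANSOMWARE_EXTENSIONS:
            alert("ransomware_extension", ev.user, ev.target)

        # 2. Burst of file operations inside a sliding time window
        window = recent[ev.user]
        window.append(ev.ts)
        while window and ev.ts - window[0] > burst_window:
            window.popleft()
        if len(window) >= burst_threshold:
            alert("write_burst", ev.user, f"{len(window)} events within {burst_window}")

        # 3. Daily volume far above this user's own historical baseline
        daily[ev.user] += 1
        typical = baseline.get(ev.user)
        if typical and daily[ev.user] > jump_factor * typical:
            alert("activity_jump", ev.user, f"{daily[ev.user]} events vs baseline {typical}")

    return alerts


def sample_log():
    """Constructed log: alice works normally, bob mass-renames files to .locked,
    and someone enrols a second MFA device under carol's account."""
    t0 = datetime(2022, 2, 10, 9, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=15 * i)).isoformat()}|alice|write|/share/finance/q1-{i}.xlsx"
             for i in range(8)]
    lines += [f"{(t0 + timedelta(seconds=5 * i)).isoformat()}|bob|rename|/share/hr/doc{i}.docx.locked"
              for i in range(25)]
    lines.append(f"{(t0 + timedelta(hours=1)).isoformat()}|carol|mfa_enroll|phone-7f3a")
    return lines


def run_sample():
    """Run the detector over the constructed log with assumed baselines."""
    events = [parse_line(line) for line in sample_log()]
    baseline = {"alice": 30, "bob": 4}                         # events per day
    known = {"alice": {"phone-a1"}, "carol": {"phone-0c12"}}   # enrolled MFA devices
    return detect(events, baseline, known)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:22} {user:8} {detail}")
```

On the constructed log, bob trips three rules in order (ransomware extension, write burst, activity jump) and carol's account trips the second-device rule; alice trips nothing. In practice the baselines would be learned per user from weeks of history, and the thresholds tuned to the false-positive rate your responders can absorb.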
After sneaking into your environment, cybercriminals often search for confidential information or login credentials that will allow them to move laterally across your environment. This means that they can also gain access to your backup systems and will attempt to eliminate recovery options.
There are a few things you can do to mitigate this, and segmentation is chief among them.
By building a variety of barriers between systems, networks and privilege levels, you contain bad actors and prevent them from moving around your environment; they are essentially stopped in their tracks. So get creative, meaning set up a scheme unique to your needs and security requirements rather than a flat network with one set of administrator credentials that works everywhere.
When the Metropolitan Transportation Authority of New York was hacked in April 2021, the attackers gained no access to the systems that control train cars, and no customer information was compromised. Why? Because the MTA runs a multilayered, segmented network of more than 18 different systems, only three of which were compromised. Thanks to that design, the threat actors were prevented from moving throughout the network, the event was isolated and the affected systems were restored quickly.
Important reminder: Create a walled-off network that looks exactly like your production network but with different management credentials. Share nothing with your production network except access to immutable storage, and make sure it is truly immutable: write-once storage with a retention lock that no administrator credential, including your own, can shorten or delete, since an attacker who has harvested backup credentials will otherwise simply purge the copies. You can use this space to recover your data and services and to scrub recovered data for malware. It is also a great place to test recovery.
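As an added example of checking the segmentation and isolated-recovery design described above (example code, not from the original article or from the MTA or Veritas), the block below models a network allow-list as directed flows between zones and computes the blast radius of each zone: the set of zones an intruder could pivot to by chaining permitted flows. It then checks the two properties the reminder asks for: nothing in production can reach the recovery environment, and the recovery environment shares nothing with production except the immutable store. The zone names and the policy are constructed assumptions; in practice the pairs would be generated from a firewall or cloud security-group export.

```python
"""Blast-radius and isolation checks over a zone allow-list (example code)."""
from collections import deque

# Constructed policy: allowed (source zone, destination zone) flows. Anything not
# listed is denied. Zone names are illustrative, not from any real network.
ALLOWED_FLOWS = {
    ("corp-workstations", "corp-apps"),
    ("corp-apps", "corp-db"),
    ("corp-apps", "backup-server"),
    ("backup-server", "immutable-store"),  # backups are pushed to WORM storage
    ("recovery-env", "immutable-store"),   # recovery environment pulls from it
    ("admin-jump", "corp-apps"),
    ("admin-jump", "corp-db"),
    ("admin-jump", "backup-server"),
}


def zones(flows):
    """Every zone named anywhere in the policy."""
    return {z for pair in flows for z in pair}


def reachable(start, flows):
    """Zones an intruder in `start` can pivot to by chaining allowed flows.

    This is a transitive closure over the allow-list; it deliberately ignores
    credentials, because the point of segmentation is to hold even when
    credentials have been harvested.
    """
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for a, b in flows:
            if a == src and b not in seen:
                seen.add(b)
                queue.append(b)
    seen.discard(start)
    return seen


def blast_radius(flows):
    """For every zone, the set of other zones that fall if it is compromised."""
    return {z: reachable(z, flows) for z in sorted(zones(flows))}


def inbound_to(zone, flows):
    """Zones with a direct allowed flow into `zone`."""
    return {a for a, b in flows if b == zone}


def check_isolation(flows, recovery_zone="recovery-env", shared_zone="immutable-store"):
    """Findings (empty list means the policy holds):
    - no zone may have a flow into the recovery environment;
    - the recovery environment may reach nothing except the immutable store."""
    findings = []
    for src in sorted(inbound_to(recovery_zone, flows)):
        findings.append(f"{src} can reach {recovery_zone}: recovery environment is not walled off")
    for dst in sorted(reachable(recovery_zone, flows)):
        if dst != shared_zone:
            findings.append(f"{recovery_zone} can reach {dst}: shares more than the immutable store")
    return findings


if __name__ == "__main__":
    for zone, hit in blast_radius(ALLOWED_FLOWS).items():
        print(f"{zone:18} -> {sorted(hit)}")
    print("findings:", check_isolation(ALLOWED_FLOWS))
    # A common mistake: letting the backup admin's host into the recovery environment
    weakened = ALLOWED_FLOWS | {("backup-server", "recovery-env")}
    print("after weakening:", check_isolation(weakened))
```

With the constructed policy, a compromised workstation can pivot to the application, database and backup zones and can push data into the immutable store, but it cannot reach the recovery environment. Note that reaching the immutable store from production is expected, since that is where backups land; what protects those copies is the retention lock, not network reachability. Adding a single flow from the backup server into the recovery environment is enough to make the isolation check fail.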
Stay tuned for part two in this series, where I’ll cover the remaining three of the top six steps you should take today to ensure ransomware resiliency in today’s rapidly evolving cybersecurity landscape.
Sonya Duffin is a ransomware and data protection expert at Veritas Technologies.