Systems Security

In today’s rapidly evolving digital landscape, businesses face a myriad of threats, with financially motivated attacks posing a significant risk to corporate systems. Such malevolent acts, including the increasingly prevalent ransomware and the somewhat rarer instance of business email compromise (BEC), follow a series of steps. While some of these steps are common across various attack types, others are unique. Fortunately, every step is an opportunity to mitigate these invasions.

Target Selection and Initial Breach

The selection of targets is predominantly automated, with bots tirelessly scouring for accessible and vulnerable systems. This indiscriminate approach means that we all are potential victims, as attackers incur no cost in their digital sweeps.

On the other hand, advanced persistent threats (APT) involve substantial investment from attackers, both in terms of financial resources and skilled manpower, hence only a select few organizations are typically at risk.

Following target selection, initial system breach attempts are chiefly automated and include:

• Phishing: The dissemination of phishing emails, armed with malicious links or attachments, is the most widespread method, preying on unsuspecting employees.

• Vulnerabilities: A range of systemic and human susceptibilities, encompassing software bugs, design flaws, misconfigurations, outdated equipment, and weak passwords.

Phishing Protection

Phishing attempts are becoming increasingly sophisticated, making it challenging to distinguish them from legitimate correspondence, even for well-trained IT personnel. However, most phishing attempts can be mitigated through:

• Reputable Email Services: Solutions like Exchange Online offer fundamental spam and phishing filters, curbing the tide of common attacks.

• Advanced Security Services: Platforms such as Microsoft 365 Defender enhance protection with features like Safe Links and Safe Attachments, which help neutralize threats even if a phishing attempt bypasses initial defenses.

• DNS Filtering Services: Systems like Cisco Umbrella and Web Titan prevent users from accessing known phishing sites, redirecting traffic to a secure page.

Nonetheless, technology is no substitute for informed and vigilant employees. Security Awareness Training platforms like KnowBe4 are invaluable for educating staff on recognizing and handling cyber fraud and attack attempts. To effectively adapt and improve your cybersecurity posture, it is vital to implement a blend of sophisticated defense mechanisms and foster a culture of awareness and vigilance among your workforce. These measures will not only protect your business assets but also empower your employees to act as the first line of defense against cyber threats.

Vulnerability Identification

Vulnerabilities are a multifactorial issue that usually exceeds the capabilities of any analyst to check. Perhaps the biggest problem is to locate them. The best solution in this case is the regular analysis by a vulnerability scanning tool such as Fortra’s Frontline Vulnerability Manager, which looks for:

• Lack of software patches and system updates.
• Configuration errors such as excessive user rights and open ports.
• Weak or default passwords.
• Problematic or outdated communication protocols such as FTP and Telnet.
• Known vulnerabilities by comparing with databases such as CVE and NVD.
• Compliance with security standards such as PCI, HIPAA, etc.

Vulnerability Protection

Unfortunately, processes such as vulnerability scanning and penetration testing run on a quarterly or annual basis and their purpose is not the protection but the identification of problems. A series of other solutions come to take over the continuous protection of the systems:

• Upgrading & Updating: As annoying as it is, it is also a necessary process for system security. A good practice is the automation of the process and its monitoring by patch management software. Microsoft Endpoint Manager includes among many other functions, patch management.

• Secure Access: Who can enter, where they can enter, and what they can do is determined by an Identity & Access Management (IAM) system such as JumpCloud and Azure AD. In any case, access, however imposed, ends up concerning passwords:
  • Password Management: A good password is a really complex end uniquely used password. The use of such a scheme is impossible to impose on anyone without first having an appropriate enterprise password management tool like Keeper to facilitate its implementation.
  • Multi-Factor Authentication (MFA): If a password has been compromised then only a second can save the day. This can take the form of a (hardware) token such as YubiKey or more often a One-Time Password (OTP). MFA solutions exist both within the framework of an IAM as well as standalone such as Cisco Duo.

• Intrusion Prevention Systems (IPS): Implemented either in a next-generation firewall (network-based IPS) such as those of Huawei, Sophos, and Cisco, or in the anti-malware software of the systems (host-based IPS). The IPS continuously analyzes the traffic it receives for known vulnerabilities and attacks and stops them by rejecting the traffic.

Payload Transfer and Triggering

Once the breach has been executed, the delivery and execution of the malicious software follows. The software, beyond the main attack, often includes mechanisms for bypassing and disabling security systems and discovering other potential targets within our network.

The primary tool for handling an attack once it has entered the system is antivirus / anti-malware / endpoint protection (EPP) software. If the malicious software, e.g., ransomware, is “known,” even a classic signature-based antivirus can stop the attack. Unfortunately, this mode of operation cannot stop very recent attacks and variations.

Unknown threats, referred to as zero-day attacks, require a wide variety of techniques and collaboration with external platforms, even teams, for a system to recognize and address them. Such EPP solutions are known as Advanced Threat Protection Platforms and include functions such as:

• Security Operations Center (SOC): It consists of an entire team of specialized analysts who have at their disposal the best tools to analyze the vast amount of data and logs that systems such as XDR produce. Sophos’s Managed Detection and Response (MDR) includes a state-of-the-art SOC-as-a-Service combined with EDR, XDR and EPP products.

• Endpoint Detection and Response (EDR): EDR is a cloud service that communicates with the EPP and provides a collection of tools such as heuristics and behavior analysis using machine learning and artificial intelligence to promptly detect and address unknown threats within the systems.

• Extended Detection and Response (XDR): XDR extends the capabilities of EDR outside the system. It communicates and gathers data from multiple sources such as firewalls, email protection systems, servers, etc. Products such as Sophos Intercept-X with XDR and Microsoft Defender for Endpoint include EDR and XDR functionality.

There are many aspects of security and correspondingly many solutions that cannot be analyzed within the framework of a text. IP Partners is a certified partner of all the manufacturers mentioned above and can provide you with the solutions and support you need. Contact us to design an effective and most importantly sustainable security strategy for your business.

Unfortunately, the attack succeeded. Now what?

 
Now, isolate the systems that have been exposed and communicate with our Technical Support Department. There are several things that need to be done mainly to prevent the problem from spreading to other systems and to be legally and administratively covered (e.g., destruction of tax documents).

 
As far as the data that was destroyed is concerned, there is only one solution: a reliable backup process that produces up-to-date and recoverable copies of data.