How many tools do you use to protect your network from cyberattacks? That’s a puzzling question to answer.

A typical enterprise Security Operations Center (SOC) employs a diverse array of security tools to safeguard against cyber threats. This includes Security Information and Event Management (SIEM) for log analysis, firewalls for network traffic control, and Intrusion Detection and Prevention Systems (IDS/IPS). Antivirus solutions, Endpoint Detection and Response (EDR), and Vulnerability Scanners address malware and system vulnerabilities. Identity and Access Management (IAM) controls user permissions, while tools like Security Orchestration, Automation, and Response (SOAR) streamline incident response. Encryption, deception technology, and threat intelligence platforms bolster defense.

If you were to consider only the enterprise vulnerability management program, it could include asset discovery, a vulnerability scanner, an assessment tool, vulnerability prioritization software, patch management, configuration management, incident response integration, collaboration tools that let security and IT work together, automation, reporting, integration with log management tools, and more.

Even with the growing number of tools, the number of security risks your vulnerability scans detect is not falling at all. But why?

What are the Culprits for Ineffective IT Security and the Rising Number of Security Risks?

Cyber attackers are continuously becoming more sophisticated, employing innovative and lethal methods to breach infrastructure. A broken countermeasure will not stop them. It is crucial for us to respond with equally, if not more, innovative and bulletproof cybersecurity tools and measures. Most important is a continuous approach to cyber-attack prevention.

So, what are the biggest culprits limiting our IT security? Why is the number of security risks not falling? Our security tools themselves!

  • Ineffective Disjoint Security Solutions:
    Vulnerability and Exposure Management play the most significant role in having a powerful base for effective IT security. But why are they split?
    A common occurrence in the industry is creating new and redundant tools that are micro-solutions to micro-problems instead of addressing the mother problem: cyberattacks! With most security solutions being just multiple tools wrapped together with janky integrations, their security effectiveness in detecting and remediating security risks is mediocre at best.
  • Lengthy Detection and Response Cycle:
    Did you know that the average time taken to detect and remediate a vulnerability is 65 days? With detection and response cycles this lengthy, the chance of a threat actor exploiting that security risk rises with every passing day.
    Unfortunately, this is a byproduct of the lengthy duration of security scans and the time consumed by remediation tools to mitigate the risks.
  • Missing Integration & Automation Capabilities:
    As previously mentioned, security tools already take enough time to detect and mitigate risks. But with the rising number of vulnerabilities, the entire process increases in duration even more. With multiple tools developed by different vendors, integrating them and then automating the entire process becomes a Herculean task. The lack of proper integration and automation of the process reduces the effectiveness of your IT security.

So, how do we overcome these challenges and ensure a strong security posture for your organization?

The Weakness Angle to Overcome IT Security

A change in the way we perform vulnerability & exposure management, a change in the ineffective tools, and a change in the fundamental IT security framework can be a game-changer. The weakness angle is the change we need.

Every attack is the exploitation of a weakness. This is the fundamental fact we must keep in mind to prevent cyberattacks and protect your IT infrastructure effectively.

The weakness perspective, simply put, is the study of your devices, your network, your data, your software, your users and their privileges, your security controls, your attack surface, your threats, and your potential attackers in order to find potential weaknesses. It encompasses all the devices, applications, users, data, and security controls of the network.

Actively look for these weaknesses, or security risks, which are the actual root cause of cyberattacks, and you will see a drastic change in your organization’s security posture.

But how do we do it?

Continuous Vulnerability and Exposure Management: A Necessity!

Continuous Vulnerability and Exposure Management (CVEM) is the new way of performing vulnerability management. By incorporating the weakness perspective and making incremental yet significant improvements to the vulnerability and exposure management process, CVEM is the shot in the arm all modern IT security teams need to improve their IT security.

With the weakness perspective at the crux, CVEM introduces a broader scope in the detection of security risks. Be it software vulnerabilities or CVEs, misconfigurations, posture anomalies, asset exposures, or missing configurations, all potential risks are looked at and mitigated.

Integration and automation play a critical role in CVEM. Integration of the different steps of the mitigation process, from detection and assessment to prioritization and remediation, leads to a streamlined and smooth security risk management process.

Integrating the process is what allows unified solutions to become effective. Automation also becomes easier, which in turn reduces the laborious work of detection and remediation.

This makes the entire process faster, leading to speedy response and reduced duration of the vulnerability mitigation cycle as well!

Conclusion

While it is difficult to digest, the ineffectiveness of modern vulnerability and exposure management solutions is the hard truth we must accept. Adding to the issue is the ever-expanding attack surface, making the life of IT security teams difficult. But there’s light at the end of the tunnel.

Better tools, automation, and integration are the key game changers that can take your IT security to the next level. Continuous Vulnerability and Exposure Management is the glue that ties it all together.


The post Continuous Vulnerability and Exposure Management: Unifying Detection Assessment and Remediation for Elevated IT Security appeared first on Cybersecurity Insiders.

By Mike Wilkinson

Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.” That applies to the world of boxing—and to the world of cyberattacks. Many companies have an Incident Response (IR) plan in place. But those plans don’t always hold up when an actual cyberattack occurs.

At Avertium, we carry out hundreds of IR engagements a year, so I’m highly familiar with what makes IR plans useful—and what doesn’t. Strong IR plans can help eliminate headaches and wasted time and help your organization more effectively respond in what is typically a very stressful situation. Here are six things you need to do to craft an effective incident response plan.

  1. Establish your escalation points. One of the most useful parts of an IR plan is guidance on your escalation points. That is, “If we reach this point, these are the people we need to contact and these will be the next steps.” It provides the triggers that will cause the next level of action.
  2. Include contact information. It’s a common scenario: A company suffers a breach and needs outside help. Someone in IT places a phone call and gets asked whether the company has cyber insurance. They know it does … but the finance team purchased it, and the IT department knows nothing about it. That’s an avoidable situation. Your IR plan should contain the contact information for everyone who might be needed, from your service providers to key employees to outside counsel to, yes, the insurance provider.

    The list of contacts should appear in an appendix at the back of the plan, which makes it simple to consult in the heat of the moment, as well as easy to update. Elsewhere in the document, use generic titles rather than names so that you don’t have to refresh the entire document any time an employee or vendor changes.

  3. Define the communication parameters. One incident sticks in my mind. A client detected a ransomware outbreak on a Friday night and called us by Sunday afternoon. They had been working on the issue for 40 hours straight, or so I thought. It turned out that senior management’s understandable concern about the situation had caused them to hold hourly update calls, meaning the tech team was unable to focus and work on investigating and resolving the incident for more than about 30 minutes at a time.

    Define how information and updates will be shared, to whom, and how often. Set the cadence up front so that expectations can be managed: For instance, a daily update call unless something critical is uncovered that requires action on the part of a larger group.

  4. Word choice, and word count, matter. Avoid too much legalese or language that’s tough to parse. Keep it readable. Consider using bullet points. Look for the happy medium between an IR plan that’s overly brief and sparse and one that’s too lengthy, where you have to read through 10 pages of instructions before you can get anything done.

    Keep it as simple and precise as possible: for X type of incident, Y is the response group and their responsibilities, and Z are the steps they take. Consider having a one- to two-page high-level policy that sets out your organization’s principles—the things the business is most concerned with.

  5. Get broad input. When you’re writing the IR plan, get input from all the stakeholders. That sounds basic, but I’ve often seen plans where it’s obvious the legal or risk team put it together without consulting others. It needs to contain more than just the technical or legal response.
  6. Give it a test run. Practice makes perfect. Once you think you’ve got it, practice your plan. Pick some scenarios and work through them using the plan to figure out whether it works or not. You may run across systems that maybe haven’t been identified or people whose contact details you didn’t include.

These exercises can also be valuable ways of unearthing issues unrelated to the IR plan. For instance, in working through a ransomware scenario your IT team may realize there is sensitive information being stored on a system where it shouldn’t be, or that the data retention time isn’t adequate considering the amount of time that can pass between compromise and detection. It may highlight an opportunity to make a fix or fixes that will actually make you less vulnerable.

Being hit with a cyberattack can be a scary and confusing time; coming up with an IR plan shouldn’t be. If you let the above tips shape your process of creating or updating one, you’ll be in good shape.

Mike Wilkinson leads Avertium’s Cyber Response Unit, which is dedicated to helping clients investigate and recover from IT security incidents on a daily basis. He has been conducting digital investigations since joining Australia’s NSW Police Force, State Electronic Evidence Branch in 2003, where he led a team of civilians in one of the world’s largest digital forensic labs, and has led Incident Response teams in Asia, Europe, and the Americas.

The post 6 Ways to Create an Incident Response Plan That’s Actually Effective appeared first on Cybersecurity Insiders.

The education sector is increasingly vulnerable to simple and sophisticated cyber threats, and higher learning is especially vulnerable. No matter how airtight a university’s cybersecurity system is when operating in a vacuum, the best-laid plans begin to crumble as soon as third parties less concerned with maintaining that security get involved.

And, increasingly, students are either unaware of or indifferent to their school’s security infrastructure and compliance, and are direct causes of these breaches, according to a mid-year 2022 report from Check Point: “Students are not employees; they use their own devices, work from shared flats, and connect to free WiFi without necessarily thinking about the security risks. This combination of a lack of understanding and ignorance has contributed to the perfect storm, giving hackers a free run.”

These attacks also tend to be more successful, both in gaining access and in extracting a payout when a ransom is demanded, with 74% of attacks ending successfully for the hackers. Here are a few prime examples of cyber-attacks in the education sector.

Albuquerque, New Mexico hit with a one-two punch

From December 2021 through January of the following year, Bernalillo County was slammed by a ransomware attack that targeted government services. Hot on the heels of this cyber security nightmare, the Albuquerque school system was breached.

Specifically, the school attack targeted critical systems and “compromised the student information system used to take attendance, contact families in emergencies, and assure that students are picked up from school by authorized adults.” This type of personally identifiable information, and the verification processes built on it, are vital to student safety, and the school was closed while officials dealt with the issue.

Amongst other things, the Albuquerque attack illustrates the importance of dispersing critical services amongst multiple systems, providers, or software, even if doing so disparately is inconvenient. From banking to personal data collection, schools must ensure that their systems come with security features and that their employees comply with those security features.

Whitworth University compromised

In July, poor password hygiene led to another ransomware attack. In this incident, nearly a terabyte of student data was stolen, and systems were taken offline for over a month while frustrated staff and faculty were kept in the dark by the administration. Many found out what was happening from a third-party cybersecurity firm via Twitter.

The group known as LockBit is notorious for sending email attachments that trick unwary workers into handing over access or passwords to systems, after which the group captures data and holds it hostage.

From Microsoft’s report: “LockBit is typically deployed during human-operated ransomware campaigns. Attackers distribute this ransomware as an email attachment or try to exploit vulnerabilities in web browsers and other services exposed to the internet. Once in the network, attackers steal credentials, move laterally to other devices, and obtain privileged credentials before installing this ransomware on multiple target devices.”

This type of increasingly common attack shows that, no matter how secure a system, human error and lack of security protocol knowledge can still bring a firm or school to its knees.

The University of California at San Francisco pays over $1M to hackers

While the department was researching COVID-19, hackers shut down UCSF’s epidemiology and biostatistics department, demanding $3 million to return the system and its data. The cause, again, was poor protocol implementation by people, as “the researchers hadn’t taken the time to duly back up their data.”

This was a breach of on-premises servers rather than of third-party cloud security, and it also shows how typical security protocols are sometimes less effective than, say, blockchain-based systems.

Publishing portions of the data on the dark web as proof, the hackers’ representative, known as Operator, negotiated with university administrators through secure digital chat and demanded the payout: “You need to understand, for you as a big university, our price is shit. […] You can collect that money in a couple of hours. You need to take us seriously. If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.”

After back-and-forth negotiations, the university managed to agree on a payout of 116 Bitcoin, worth $1.14M at the time, to get its data back. Again, this incident demonstrates the importance of maintaining backups of data (especially sensitive and critical data) and of managing how people behave when they access the systems. It also shows how inexpensive even costly up-front spending can be compared with the aftermath of not spending it: paying at least $60 an hour is still far less expensive than a multi-million-dollar payoff to hackers.

Lessons Learned

While these are just a few high-profile examples, these types of attacks and demands happen to schools often and sometimes stay under the radar as officials try to avoid embarrassment. One report from Sophos shows the full spectrum of what’s happening in the education sector’s cybersecurity systems. The report is comprehensive, drawing on responses from IT professionals at 320 lower-education and 410 higher-education institutions across 31 countries, so it is particularly applicable to interested professionals:

Attacked by ransomware

  • 56% of lower education respondents were hit by ransomware in 2022
  • 64% of higher education respondents were hit by ransomware in 2022

This is a sizable increase from a 2021 average of just 44% across education. And, compared to global norms, these statistics are higher than average, indicating that education is a ripe target: “the education sector is poorly prepared to defend against a ransomware attack, and likely lacks the layered defenses needed to prevent encryption if an adversary does succeed in penetrating the organization.” That layered approach to security is critical, as creating additional barriers can frustrate and repel lower-level hacking groups looking for easy money.

Cyber insurance

Often, educational institutions see cyber insurance as a needless expense. Until they need it. Unlike professional organizations and companies, education has a much lower cyber insurance policy protection rate. This predominantly appears to be a cost-based issue and is driven by a lack of understanding on the administrations’ parts:

  • 39% in lower education and 44% in higher education say fewer providers are offering cyber insurance
  • 50% in lower education and 49% in higher education say the level of cybersecurity they need to qualify for cyber insurance is now higher
  • 46% in lower education and 40% in higher education say policies are now more complex
  • 35% in lower education and 41% in higher education say the process takes longer
  • 34% in lower education and 31% in higher education say it is more expensive

All of this shows that, of course, schools need to take these policies seriously. But it is also a failure of cyber insurance providers to adequately message the threat level and importance of having a policy.

Conclusion

Overall, smaller and less well-known schools are more vulnerable. These schools often have less sophisticated security systems and are more likely to pay out. But no matter the size, a common trend is that employees and students not following simple cybersecurity protocols is a primary driver of hacker access to school data systems. This isn’t the final stop for security, though, and Sophos offers some additional tips based on their research trends:

  • Ensure high-quality defenses at all points in your environment. Review your security controls and make sure they continue to meet your needs.
  • Proactively hunt for threats so you can stop adversaries before they can execute their attack – if you don’t have the time or skills in-house, work with a specialist MDR (managed detection and response) cybersecurity service.
  • Harden your environment by searching for and closing down security gaps: unpatched devices, unprotected machines, open RDP ports, etc. Extended Detection and Response (XDR) is ideal for this purpose.
  • Prepare for the worst. Know what to do if a cyber incident occurs and who you need to contact.
  • Make backups, and practice restoring from them. Your goal is to get back up and running quickly, with minimal disruption.

The post Education Sector has Seen a 44% Rise in Cyber Attacks Since 2021 appeared first on Cybersecurity Insiders.

By Jason Dover, VP of Product Strategy at Progress

With the growing complexity and sophistication of modern security threats, organizations must make suitable investments and develop comprehensive strategies to keep their digital assets secure. This is not a new challenge, but the frequency of attacks is certainly on the rise.

The 2022 IBM Cost of a Data Breach Report showed that 83% of the groups studied have had more than one data breach. The report also estimates the average cost of data breaches to have risen to $4.35M. Interestingly, compromised credentials still are the most common factor, making up about 19% of all breaches based on the study.

With an increased remote workforce, BYOD has become the norm, and the ever-growing use of cloud-based services has increased the attack surface that SecOps must guard. The aforementioned report also noted that remote work-sourced breaches cost more than $600K, with an average of around $5M per occurrence.

Considering this, most businesses do have a level of investment allocated to security mechanisms for their ecosystem. This may include VPNs, firewalls, endpoint protection and other similar technologies. However, an often-underused tool is the network itself.

Anatomy of an Attack

For threat actors to successfully pull off a breach, they must carry out reconnaissance to identify exploitable vectors. They must gain persistent access to the environment where target assets and data exist, followed by some sort of privilege escalation to enable malicious behavior to be executed along with lateral movement from the initial entry point.

Sophisticated attacks may also have a level of defense evasion built in that allows true intent to be obfuscated. If all goes well (from the attackers’ perspective), the payload or program that they’ve brought into the environment can be executed to destroy information, achieve command and control of systems or hold critical data hostage.

For security operations teams responsible for protecting their organization’s environments, staying ahead of threat actors comes down to early detection. Successful breaches are built upon a series of small wins over days, weeks or sometimes months. While investment is required to instrument a framework that can identify these leading indicators, organizations that automate preemptive protective action can save millions in losses in the long run.

A Multi-Layered Security Approach

One specific technology that is gaining traction in the fight against cyber-attacks is network detection and response (NDR). NDR solutions extract data, metadata and insights from the network using methods such as flow analysis and packet capture. The solution then analyzes the network traffic using a number of mechanisms, including machine learning, baseline comparison, signatures and a variety of other methods, to detect suspicious activity.

While in the past, these solutions were predominantly deployed by the most mature security operations teams, several vendors in the industry have made NDR more accessible for organizations of all sizes. They’ve done this by focusing on ease of use and using innovative methods to drive down total cost of ownership.

The concept behind NDR is that it closes off the last battleground of threat detection for operations teams. Security solutions such as firewalls and IPS are powerful tools in addressing threats that can be detected in vertical traffic (i.e., north-south) that traverses the perimeter. Endpoint protection provides another layer of protection by protecting devices in the environment, identifying compromise and automating quarantine. NDR completes the security stack by adding in analysis of network communications.

The reason why this approach is such an important part of a well-architected security model is that the network is the ultimate source of truth. NDR can detect the anomalous behavior that takes place when attackers carry out reconnaissance and scan a network to find and identify its weak points. Additionally, even if methods are used to hide the intent of an attack, such as scrubbing logs on a compromised endpoint before they can be shipped to a log analysis system, there is no way to hide actual communications over the network.
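The flow analysis and baseline comparison described above, as an added example that is not Progress's or any vendor's code: it runs a horizontal-scan detector and a first-seen-flow check over constructed NetFlow-like records, with the addresses, baseline and thresholds all assumed for illustration.

```python
"""Flow-based reconnaissance detection in the style of an NDR sensor.

Added illustration, not Progress or any vendor's code. The NetFlow-like CSV,
the baseline of known flows and the thresholds are constructed for this
example; all addresses are RFC 1918 placeholders.
"""
import csv
import io
from collections import defaultdict

# Constructed east-west flow records: ts,src,dst,dport,proto,bytes.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
1700000000,10.1.1.20,10.1.2.10,445,tcp,48213
1700000005,10.1.1.20,10.1.2.10,445,tcp,51200
1700000010,10.1.1.21,10.1.2.11,443,tcp,9020
1700000020,10.1.1.20,10.1.3.5,3389,tcp,12800
"""
# Constructed scan: one host touching twelve neighbours on 445 within 24 seconds.
SAMPLE_FLOWS += "".join(
    f"{1700000100 + 2 * i},10.1.1.50,10.1.2.{i + 1},445,tcp,60\n" for i in range(12)
)

# Constructed baseline of (src, dst, dport) tuples observed during a learning period.
BASELINE_FLOWS = {("10.1.1.20", "10.1.2.10", 445), ("10.1.1.21", "10.1.2.11", 443)}


def parse_flows(text):
    """Parse the CSV into dicts with numeric ts, dport and bytes."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({"ts": int(row["ts"]), "src": row["src"], "dst": row["dst"],
                      "dport": int(row["dport"]), "proto": row["proto"],
                      "bytes": int(row["bytes"])})
    return flows


def detect_horizontal_scans(flows, window_s=60, min_hosts=10):
    """Flag a source that reaches >= min_hosts distinct hosts on one port in a window."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["dport"])].append((f["ts"], f["dst"]))
    findings = []
    for (src, dport), events in by_key.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> flows inside the sliding window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window_s:  # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            findings.append({"src": src, "dport": dport, "distinct_hosts": peak})
    return findings


def triage_flows(flows, baseline=BASELINE_FLOWS):
    """Combine scan detection with baseline comparison for first-seen lateral flows."""
    scans = detect_horizontal_scans(flows)
    scanning = {s["src"] for s in scans}
    # A scanning source is already reported; the baseline check covers everyone else.
    new_flows = sorted({(f["src"], f["dst"], f["dport"]) for f in flows
                        if (f["src"], f["dst"], f["dport"]) not in baseline
                        and f["src"] not in scanning})
    return {"scans": scans, "new_flows": new_flows}


if __name__ == "__main__":
    result = triage_flows(parse_flows(SAMPLE_FLOWS))
    for s in result["scans"]:
        print(f"scan: {s['src']} -> {s['distinct_hosts']} hosts on tcp/{s['dport']}")
    for src, dst, dport in result["new_flows"]:
        print(f"new flow vs baseline: {src} -> {dst}:{dport}")
```

The scan is visible in flow metadata alone, with no packet payload and regardless of what the scanning host's own logs say; the new-flow finding is the kind of lead that a baseline comparison surfaces for analyst review.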

Key Security Principles

In addition to the right tools and technologies, organizations should establish a consistent set of principles that guide the architecture and security posture. Broadly speaking, these can be summarized in four key areas:

  1. Focus on what matters – Data

Threat actors are typically trying to gain access to information that exists in the environment in order to cause damage. While this requires compromising systems, stealing credentials and many other mechanisms, they’re often a means to an end, as opposed to the prize. When architecting a security model, security teams should do this from the vantage point of the data that these vehicles can eventually compromise. Since every operations budget has limitations, security posture improvement initiatives should start with areas of the environment that can be a springboard to the organization’s most critical data.

  2. Ensure resilience

There is no single security technology or solution that is infallible. Because of this, organizations should adopt a multi-layer security model that allows for failure of one component without compromising the entire environment. As an example, the use of VPN doesn’t negate the need for having additional pre-authentication methods for key applications, just as having a next-gen firewall at the network perimeter doesn’t make it any less important to also apply firewalls within the data center to prevent unauthorized lateral movement.

  3. Assume Threat Actor Access

Approaching network security from the perspective that threat actors WILL gain access gives security operators an edge by focusing them on ensuring any mechanism used can be detected, contained and remediated. The number of external entities that employees engage with and external services that are logically co-located with internal infrastructure means that there is a very high likelihood that at some point, an exploit (even if minor) will occur. Incorporating this thinking into the operations of the security team puts them onto the offensive against adversaries as opposed to strictly playing defense.

  4. Prevent, Detect, Respond

Most organizations get a passing grade for having standard security threat prevention mechanisms in place in their environment. Both detection and response capabilities often show room for improvement. By going beyond the capture and analysis of logs from network devices to analyzing network traffic enriched with metadata, organizations that look for anomalies can identify many security threats earlier in their lifecycle. Investing in integration across the security stack – so that detection is directly linked to automated remediation – will further enable organizations to shorten their average time to resolution for security incidents and reduce their risk profile.

Early Detection – The Key to Winning Against Threat Actors

Early detection is critical in the battle against threat actors, and the network should not be underestimated in its ability to provide early indicators that can help security operators stay one step ahead. To do this, organizations need the right tools, and NDR should be considered by anyone looking to improve their approach to security.

Remember that, as a cyber threat progresses through its journey and takes the various steps it needs to successfully carry out an exploit, a single defensive win at any one of those steps sets the attackers back to zero. Security teams equipped with the right tools will go a long way toward ensuring their success in the ongoing effort required to protect critical data and assets.

The post Early detection is the key to tackling security breaches appeared first on Cybersecurity Insiders.

A foundational approach to cybersecurity empowers CISOs to see abnormalities and block threats before they do damage.

by David Ratner, CEO, HYAS (www.hyas.com)

Constantly playing catch-up seems to have become the unfortunate norm in the cybersecurity industry. In the aftermath of a new emerging threat, CISOs rush to protect their assets from whatever vulnerability is being exploited and hope that they won’t be one of the first targets when a fresh exploit is discovered and the next inevitable round of attacks occur.

This reactive approach simply isn’t sufficient. New major exploits are being revealed with almost clockwork regularity. In 2020, the SolarWinds supply chain attack opened backdoors into thousands of organizations (including government agencies) that used its services, while late last year, the far-reaching Log4J exploit exploded onto the scene. However, even with these sophisticated new methods available to bad actors, sometimes the simplest approaches remain the most fruitful. Not long ago, it was revealed that T-Mobile had been breached by bad actors who convinced employees to switch their SIM cards to let them bypass two-factor authentication — reminding us how effective social engineering can still be.

Add to this the mounting international tensions following the invasion of Ukraine, and you have a cybersecurity perfect storm. You know things are dire when the President of the United States uses his bully pulpit to warn American organizations they are likely to be the target of increased cyber threat activity and therefore have a responsibility to protect their infrastructure.

But what are your options for proactive protection when the notion of a walled-in network has been shattered by the proliferation of new IoT devices, growth of cloud services, and new hybrid work from home models? These developments have made the perimeter so porous that the old approach of simply hiding behind a firewall and keeping the rest of the world at bay is no longer feasible. So where do we go from here? As networks become less centralized and include more devices, we need to take a step back and start approaching security from a more foundational approach if we’re going to be able to actively adapt to new threats.

Bad actors are well aware of how to cover their tracks, but ultimately, they need to communicate back to the outside world once they are inside. By increasing visibility into DNS traffic, CISOs can detect, block, and respond to incidents more quickly, as well as use this data to institute new controls and increase overall resiliency. This also meshes well with zero-trust policies by extending the concept of “who do I trust” to domains and infrastructure, both outside the enterprise and within it. Abnormal communication patterns can indicate a breach while it is still in its reconnaissance phase — before it has done any damage. When malware first breaches a network, it doesn’t make its presence known right away. Instead, it gathers information about the network and attempts to infect key locations — current malware can even target backup data to hamper recovery after the attack. In fact, according to Microsoft, 99 days is the median amount of time between when a breach occurs and when it is detected.

However, this reconnaissance or dwell period also presents an opportunity to stop the malware before it has activated. In order to execute any commands or extract any data, malware needs to be able to communicate with its command & control (C2) architecture, which almost always involves DNS transactions at some point. Once this communication is blocked, the malicious software essentially becomes inert. It’s important to keep in mind, however, that average dwell time for ransomware is actually decreasing, making it even more imperative for organizations to notice and neutralize threats as early as possible.
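The DNS-visibility idea above, as an added example that is not HYAS's code: a small protective-DNS style triage over constructed resolver logs that blocks denylisted domains and the high-entropy subdomain churn typical of tunnelling or DGA-based C2, and queues first-seen domains for review. The log format, denylist, baseline and thresholds are all assumptions for illustration.

```python
"""Protective-DNS style triage over resolver query logs.

Added illustration, not HYAS code. The log format, the denylist entries, the
baseline and the thresholds are constructed for this example. Registrable
domains are approximated as the last two labels (a real resolver would use
the public suffix list).
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
# 10.0.0.9 issues many random-looking TXT lookups under one domain, the shape
# of DNS tunnelling or a DGA talking to C2; .invalid names are placeholders.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 cdn.example.com A
1700000002 10.0.0.7 evil-c2.invalid A
1700000003 10.0.0.9 a8f3k2q9z.tunnel.invalid TXT
1700000004 10.0.0.9 q7m1x0c4v.tunnel.invalid TXT
1700000005 10.0.0.9 z2p9w5r8t.tunnel.invalid TXT
1700000006 10.0.0.9 b6n4j1h7y.tunnel.invalid TXT
1700000007 10.0.0.9 k3t8d5s2g.tunnel.invalid TXT
1700000008 10.0.0.5 mail.example.com MX
1700000009 10.0.0.11 updates.newvendor.invalid A
"""

# Constructed placeholder denylist; a real deployment consumes threat-intel feeds.
DENYLIST = {"evil-c2.invalid"}
# Constructed baseline of domains the organisation already trusts ("who do I trust").
BASELINE = {"example.com"}


def parse_dns_log(text):
    """Parse the constructed log lines, skipping anything malformed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(label):
    """Bits of entropy per character; random-looking labels score near log2(len)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(records, denylist=DENYLIST, baseline=BASELINE,
           min_subdomains=5, min_entropy=3.0):
    """Return {(client, registered_domain): [reasons]} for queries worth acting on."""
    reasons = defaultdict(set)
    labels_seen = defaultdict(set)  # (client, domain) -> distinct leftmost labels
    for r in records:
        reg = registered_domain(r["qname"])
        key = (r["client"], reg)
        if reg in denylist:
            reasons[key].add("denylisted")  # known C2 infrastructure
            continue
        if reg not in baseline:
            reasons[key].add("not-in-baseline")  # first contact with an untrusted domain
        sub = r["qname"][: -len(reg)].rstrip(".")
        if sub:
            labels_seen[key].add(sub.split(".")[0])
    # Many distinct, high-entropy subdomains under one domain is the pattern left by
    # tunnelling or DGA-style C2 beacons, whatever the endpoint's own logs say.
    for key, labels in labels_seen.items():
        if len(labels) >= min_subdomains:
            avg = sum(shannon_entropy(l) for l in labels) / len(labels)
            if avg >= min_entropy:
                reasons[key].add("high-entropy-subdomains")
    return {k: sorted(v) for k, v in reasons.items()}


def action_for(reasons):
    """Resolver policy: block C2-like traffic so the implant goes inert, review the unknown."""
    if "denylisted" in reasons or "high-entropy-subdomains" in reasons:
        return "block"
    if "not-in-baseline" in reasons:
        return "review"
    return "allow"


if __name__ == "__main__":
    for key, why in sorted(triage(parse_dns_log(SAMPLE_LOG)).items()):
        print(key, action_for(why), why)
```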

So why aren’t more organizations taking advantage of protective DNS? After all, the common seven-layer model for cybersecurity ranks endpoint protection (layer three), where protective DNS makes its contribution, closer to the assets being defended, and therefore higher in priority, than perimeter protection (layer six) and network security (layer five). The issue likely comes down to awareness. DNS is often thought of as an internet utility, something that just works, rather than an opportunity to enhance security posture. There is also sometimes confusion about the difference between protective DNS and IP filtering, with customers assuming they fulfill interchangeable roles; in fact protective DNS decides whether a name is allowed to resolve at all, based on what is known about the domain, whereas IP filtering acts later, on the addresses a host actually tries to reach, so the two overlap but are not substitutes. Security vendors have not helped the situation either, offering complicated, esoteric solutions (often focused on specific processes) that promise to be a security panacea while distracting buyers from foundational security and the value of visibility.

However, given the current threat landscape, protective DNS is getting vastly more attention, especially with the United States government being so vocal about the need to enhance our cybersecurity posture. In fact, the NSA and CISA have released joint guidance on selecting a protective DNS service and on its value in fighting modern cybercrime.

CISOs will be glad to hear that these solutions layer into a company’s existing security infrastructure quickly, enhancing the value of previous security investments. More importantly, they provide visibility into every name the network resolves, giving you the ability to notice abnormalities and address them, which improves risk management and keeps the business moving forward at full speed.

The post A Reactive Cybersecurity Strategy Is No Strategy at All appeared first on Cybersecurity Insiders.

By Steve Moore, Chief Security Strategist, Exabeam

When you take a step back and consider the statistics below, you will quickly realize the gravity of what is at stake for organizations when it comes to effectively securing their confidential information, and that there is still a lot more to be done to combat this growing trend.

According to cybercrime prosecution statistics, 2022 is expected to see a worldwide annual spend of nearly $134 billion to both prevent cybercrime and deal with its aftermath, and that figure is estimated to rise even higher.

Nearly 70% of business leaders feel their cybersecurity risks are increasing, and a recent CISA alert has validated these concerns. The alert, issued jointly by the U.S., U.K. and Australian governments, is a detailed and well-thought-out document of technical and architectural advice for cybersecurity teams as high-impact ransomware incidents trend upward.

As noted in the alert, “Cybersecurity authorities in the United States, Australia, and the United Kingdom assess that if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model. Additionally, cybersecurity authorities in the United States, Australia, and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates, and freelancers; it is often difficult to identify conclusively which actors are behind a ransomware incident.”

Now more than ever it is critical for cybersecurity managers and their teams to drill the top causes of these incidents into their brains: phishing attacks, stolen credentials, brute-force attacks and the exploitation of existing vulnerabilities.

You may be thinking, ‘these tactics are nothing new,’ but what’s different today is the sophistication of the cybercriminals’ services and networks. On what seems to be a disturbingly regular basis, there are underground criminal networks emerging, dedicated to helping one another with payments, data restoration and technical support – mirroring even the best IT support organizations. Sophisticated criminal groups are even exchanging stolen credentials from breaches and sharing code with one another – putting organizations in multiple groups’ lines of fire.

When building out their security stacks and security operations center (SOC) teams, leaders should always keep the tactics of these adversaries and their advanced criminal networks at the forefront of their minds. CISA’s alert is an excellent starting point for determining the correct tools needed to counter those attack methods. They truly get it. In particular, the importance of limiting adversaries’ ability to move laterally across a network is a strong point they raise.

To minimize the impact when they do strike, security teams need the ability to detect this type of behavior in real time. The CISA ransomware alert also advises readers to ‘Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool.’ In this section, the agency emphasizes endpoint detection and response as the solution, but this is just one piece of the puzzle.

There is room for improvement here. Many organizations do not understand what user behavior is considered normal within their environment, and do not have the capabilities to illustrate it. Spotting abnormal activity is essential in the ransomware fight, and legacy tools that have been available for decades need to be supplemented. Our emphasis would be on credential-centric security: using data science to build baselines of normal user behavior and, when that behavior deviates, to assemble attack timelines from it.
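An added example of the baseline-and-timeline idea described above (this is not Exabeam’s product or the post’s own code): constructed logon events are used to learn, per user, the hosts they normally authenticate from and to and the hours they work; a later window of events is then scored against that baseline, and the ones that deviate (off-hours use, a credential used from a server it never came from, a fan-out to several never-seen hosts inside ten minutes, which is the lateral movement the CISA alert warns about) are assembled into a scored timeline. The weights, windows and sample data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events for this example (not real data).
# Format: "timestamp user source_host destination_host result".
BASELINE_LOG = """\
2024-04-01T08:55:00 alice wks-alice fs-01 success
2024-04-01T09:10:00 alice wks-alice mail-01 success
2024-04-02T08:50:00 alice wks-alice fs-01 success
2024-04-02T17:30:00 alice wks-alice mail-01 success
2024-04-01T09:00:00 bob wks-bob fs-01 success
2024-04-02T09:05:00 bob wks-bob erp-01 success
"""
NEW_LOG = """\
2024-04-10T09:02:00 alice wks-alice fs-01 success
2024-04-10T02:13:00 alice wks-alice fs-01 success
2024-04-10T02:14:00 alice fs-01 dc-01 failure
2024-04-10T02:14:30 alice fs-01 dc-01 success
2024-04-10T02:16:00 alice fs-01 backup-01 success
2024-04-10T02:18:00 alice fs-01 erp-01 success
2024-04-10T03:00:00 svc-backup backup-01 dc-01 success
2024-04-10T09:30:00 bob wks-bob erp-01 success
"""

# Weights and windows are assumptions for this example; tune them per environment.
WEIGHTS = {"off_hours": 2, "new_source": 3, "new_destination": 2,
           "failed_logon": 1, "lateral_movement": 5, "unknown_user": 4}
FANOUT_WINDOW = timedelta(minutes=10)   # distinct new hosts reached inside this window...
FANOUT_HOSTS = 3                        # ...before the pattern is called lateral movement


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per user: the hosts they normally log on from and to, and their working hours."""
    base = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["src"].add(e["src"])
        b["dst"].add(e["dst"])
        b["hours"].add(e["ts"].hour)
    return base


def off_hours(hour, hours):
    """One hour of slack either side of the observed working window."""
    return not (min(hours) - 1 <= hour <= max(hours) + 1)


def score_events(events, baseline):
    """Return {user: {"score": int, "timeline": [(iso_ts, reasons, points), ...]}}."""
    out = defaultdict(lambda: {"score": 0, "timeline": []})
    new_dst_seen = defaultdict(list)   # user -> [(ts, dst)] of first-time destinations
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("unknown_user")   # no baseline at all: nothing to compare against
        else:
            if off_hours(e["ts"].hour, b["hours"]):
                reasons.append("off_hours")
            if e["src"] not in b["src"]:
                reasons.append("new_source")  # credential used from a host it never used
            if e["dst"] not in b["dst"]:
                reasons.append("new_destination")
                seen = new_dst_seen[e["user"]]
                seen.append((e["ts"], e["dst"]))
                recent = {d for t, d in seen if e["ts"] - t <= FANOUT_WINDOW}
                if len(recent) >= FANOUT_HOSTS:
                    reasons.append("lateral_movement")
        if not e["ok"]:
            reasons.append("failed_logon")
        if reasons:
            pts = sum(WEIGHTS[r] for r in reasons)
            out[e["user"]]["score"] += pts
            out[e["user"]]["timeline"].append((e["ts"].isoformat(), reasons, pts))
    return dict(out)


def investigate(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    """Learn normal from the baseline window, then score the new window against it."""
    return score_events(parse(new_text), build_baseline(parse(baseline_text)))


if __name__ == "__main__":
    for user, r in sorted(investigate().items(), key=lambda kv: -kv[1]["score"]):
        print(user, r["score"])
        for ts, reasons, pts in r["timeline"]:
            print("  ", ts, pts, ", ".join(reasons))
```

On the sample data alice’s 2 a.m. session produces a five-event timeline that ends with a lateral-movement flag, the previously unseen svc-backup account is surfaced for having no baseline at all, and bob’s routine morning logon produces nothing. A real deployment would keep the baseline rolling rather than static, and would feed the timeline to an analyst alongside the EDR telemetry the alert recommends.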

The CISA alert reinforces just how critical it is to make cybersecurity prevention, awareness and best practices an integral component of all organizations. Education, preparedness and action will enable your organization to effectively respond to and prevent data loss that can compromise your relationship with your clients and further strain your current operations.

Further, while the CISA alert serves as a valuable checklist, the defender’s capabilities must grow beyond this advice. It is not a matter of if, but when, these preventative measures will fail. If teams are not properly prepared to manage intrusions, they will not be able to bring the resulting risk under control.

We recommend a follow up ‘playbook’ for security alerts like this from the issuing agency that will actually help SOCs determine how to ingest data properly, make decisions and strategically create analytic capabilities. The technical aspects are important, but the people and the investigation strategy are what will make the most significant impact.

The concept is simple: just like fire drills in schools. The key differentiator is repetitive action. This cannot be a one-and-done deal. For example, you cannot write the playbook and then never revisit or execute it. Taking the right, practiced action is truly the fundamental and consistent step that will protect your organization from the majority of data breaches.

The post Technology Will Fail: Why Managing Intrusions is Critical in the Fight Against Ransomware appeared first on Cybersecurity Insiders.