Defending Against Cyber-Threats – Think Like an Attacker

At the end of January, even before Russia had carried out its threat to invade Ukraine, UK businesses were warned to bolster their defenses against cyber-attacks.   

State actors and criminals can be perpetrators, as we are currently witnessing geopolitical tensions heighten this likelihood, and business-critical systems and potentially national infrastructure are key targets.

Lessening the threat to the enterprise requires thinking like an attacker. This helps an organization understand where it is vulnerable – and the measures it needs to take.

Find Technical Weak Spots – And Protect Them

Having identified the target organization, attackers will look for weaknesses that provide a way in. IT security teams should adopt the same holistic, external view, looking at their perimeter from an attacker’s perspective for insight into potential entry points. Threat intelligence also indicates who might attack and the methods they are likely to use.

A rigorous patching program is a good start to protecting critical systems, but it is only part of the vulnerability management equation. Security managers need to know their estate inside out to keep ahead of potential hackers. Required activities include: understanding the endpoints and networks that are most business-critical and those that are exposed to risk; keeping hardware and software up-to-date; managing system access proactively; and providing users of key systems with ‘defense training.’

In addition, penetration testing and vulnerability exploits on business-critical systems will gauge their resistance to attack.

Give Power to the People

Weaknesses are not limited to technology; attackers may gain system access, distribute malware, commit fraud, extract data, etc., via an organization’s employees.

Mitigating this risk is all about empowering people to take the actions that will protect the enterprise and its systems. This calls for a security-focused culture to be cultivated and maintained so that it’s second nature for employees to take evasive action whenever necessary.

Education plays a key role; everyone needs to understand the risks and their implications and know how to use the tools and techniques that will counteract an attack. They also need to be vigilant about social engineering to ensure they are not tricked into making security mistakes that open back doors for bad actors.

As with the technical aspects of protection, testing the strength of these measures is integral to the program. Phishing simulations show where more training might be needed – and also highlight that the sophisticated nature of today’s hackers makes it easy for anyone to be caught off guard, regardless of their experience.

Third-party suppliers should be included to ensure their security stance mirrors that of the organization.

Be Frugal With Privileges

If an attacker can get access to a systems superuser account, they have effectively hit the jackpot; privileged access management (PAM) helps the organization reduce the attack surface.

Systems administrators need up-to-date knowledge of who has privileged access to systems and data and why. Authenticating legitimate users is vital, with multi-factor authentication another layer of protection.

In addition, systems and networks usage allows patterns of suspicious behavior by users (whether standard or privileged) to be identified, providing key input for responding to those attacks.

Limiting what users can do within critical systems, so credential misuse cannot be exploited easily is vital; access governance should define privileges that are appropriate for the needs of users’ jobs only.

PAM controls also need to restrict lateral movement around the networks (by controlling elements such as password hashing or persistent logins) to reduce the attack surface; this ensures users only access the systems they require, thus limiting the reuse of credentials around the network.

Recognize, Respond and Recover

Preventing an attack in the first place is obviously a key objective. Yet, the connected world makes it impossible to ensure 100% protection; perimeters are always porous.

Once inside the network, an attacker will identify the attack surface to determine their next steps. Rapid detection of a system breach is therefore crucial to limit its extent.

Organizations require robust mechanisms to be in place to recognize attack patterns – failed network login attempts, for example, or whether there is suspicious behavior within particular applications. The faster anomalies are flagged and investigated, the less potential they have to inflict harm.

Enterprises have to acknowledge, however, that sometimes the attacker will succeed. Therefore, strong procedures need to be in place to minimize disruption. These include disaster recovery plans and mitigation strategies to limit the damage that can be done.

Take Action Now

Effective cyber-defense strategies need to be strong but measured, based on good groundwork undertaken in advance and with expertise brought in where needed. The threat of a cyber-attack will only continue its upward trajectory; wherever an organization is in its protection preparations, there is no time to lose in donning an attacker’s mindset and advancing them further.

What’s Hot on Infosecurity Magazine?