The way you layer your company’s cybersecurity protections is just as important as the protections you put in place, a forensics specialist says.
If your company uses multi-factor authentication, endpoint protection and immutable backups, you have a good set of tools to protect your data from threat actors, Joseph Bruemmer, an attorney with BakerHostetler, said in a webcast.
But if they’re not thoughtfully configured and structured to work together, your company remains at risk of network intrusions and ransomware attacks.
“Threat actors have continued to encrypt data and to steal data, but they’re also trying other tactics to try to apply pressure on companies to pay their ransoms,” Bruemmer said. “They have resorted to distributed denial of service attacks, contacted company employees by email and phone call to threaten them if ransoms aren’t paid, and they’ve been looking for new targets in company networks, like Linux-based systems.”
With endpoint protection and response (EDR) systems, your IT security specialists are sent an alert when an account acts in a suspicious way, but if the tool isn’t configured to block the activity by default, threat actors can gain access to the network and encrypt ransomware before IT can act.
“EDR tools can be configured either to just detect the activity or to block it,” Bruemmer said. “If you don’t configure the tools to block the activity, then what you may find is that they fired an alert at some time in the wee hours of the morning, when the threat actors typically launch their attacks. No one was monitoring it. You wake up the next morning to find that your devices are encrypted.”
EDR tools also have an anti-tampering system, but it must be enabled to work.
“We have certainly seen instances where companies have not enabled that feature, and bad guys have [accessed] administrative level credentials, logged into the management console that the companies use to manage the EDR tools, and have simply disabled or uninstalled them from devices,” he said.
Bruemmer recommends companies take what’s known as a zero-trust approach to their network because it denies access to the system by default.
For employees, that means they must use their credentials to log into applications even after they’ve logged into the system. It slows access down, but it makes it difficult for threat actors who’ve gained access to the network to move into areas where data is stored or to access control consoles.
“What bad guys typically do once they get a foothold in the network on a particular device is they will conduct network reconnaissance to see what other devices are connected,” he said. “They will try to harvest credentials with the end goal of getting access to credentials that have elevated privileges that give them more rights on systems than the ones that they initially got may have. And then they will use that … privileged access to move to other devices in the network.”
If your company is using cloud applications, your security team faces another set of challenges. One of the biggest stems from the ease with which employees can subscribe to cloud applications on their own, and then upload company data, potentially leaving the data at risk in ways it wouldn’t be on an on-premises system.
“It used to be the case that some cloud storage containers were set by default to be publicly accessible,” Bruemmer said. “If employees don’t know what they’re doing when they’re creating these containers, they may inadvertently set the permissions to be publicly accessible and then put company trade secrets in those buckets.”
Even if employees only access company-authorized cloud applications, it’s easy for managers to lose track of them over time, which makes it hard to know where data is at risk.
“We’ve had matters where companies knew that these assets existed at one point in time, forgot about them, forgot to update the security controls in place in them, and then threat actors got access and stole data,” he said.
Based on tracking data, there appears to be a lull in cyber attacks that began earlier this year, possibly stemming from the war in Ukraine, Bruemmer said. That makes this a good time for executives to take a hard look at the protections their company has in place.
“I don’t think organizations would be well served by mistaking this lull for the demise of ransomware,” he said. “Instead, they should view this as a temporary factor and use it as an opportunity to strengthen their defenses so that if ransomware experiences a resurgence, which I think is going to happen, they’re in a better position to respond to and prevent it.”