As 2020 comes to a close, we look back on another year of increased attacks on small and medium business clients, and the ecosystem of tools used within the community. In the face of these events, the IT provider community showed the desire to tackle the underlying challenges with increased engagement, new peer forums, and attention in hardening their services. As we look forward to what 2021 might bring, now is a great time to develop or update your cyber risk security plan.

Understanding Threats

While we care about knowing the possible actors we may face (for example, cybercriminal organizations) and loss scenarios such as ransomware within internal systems, it is how these unfold that is one of the most important pieces to analyze. In this piece, we’ll focus on applying a process to a handful of techniques used by threat actors, surface mitigations, and provide a few tips on prioritization.

Let’s start with three key techniques threat actors have successfully utilized over the last few years as the starting point for our 2021 planning. In stepping through this process you can apply the same thinking to any number of techniques that you uniquely identify.

Phishing

Through the use of various sub-techniques such as malicious attachments and links, phishing remains highly effective for actors in meeting their objectives. The weakness to understand here is the end user: the actor’s aim is to create a situation where the user takes an action that leads to credential or host compromise.

Stolen Credentials

Often in conjunction with phishing or compromising of a third party, the actor utilizes valid credentials to access websites and services, or to escalate privileges internally. The weakness here is identity and access management.

External Remote Services

MITRE’s ATT&CK framework states, “Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.” There are two potential weaknesses we will focus on for this exercise: user accounts, and vulnerabilities within the exposed services.

Defining Risk Mitigations

Now that we have a better understanding of the techniques used by bad actors and the underlying weaknesses, the next step is to populate a list of mitigations to help reduce the likelihood of these techniques being successful.

Phishing

  • Email Security Services – provide additional security capabilities on top of what Exchange and Gmail include as part of their base service.
  • Security Awareness Training – provided in many forms of content, including phishing simulations.
  • Endpoint Controls – if a malicious attachment or link is successful, ensuring the device is patched, services and configuration are hardened, and a quality AV/EDR/MDR solution is in place adds layers of security (and resilience!).

Stolen Credentials

  • Multi-factor Authentication – ensuring all systems that support it have it enabled, even if you are on the network.
  • Password Manager – a number of mature solutions exist with the goals of not reusing passwords and having a secure means of generating them for use.
  • Notifications – a fairly novel, and free, use of a built-in mechanism: alert the user to new logins and device registrations. It’s understood that this is how FireEye detected the most recent breach.
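The new-login notification above is easy to prototype from whatever authentication log your identity provider exports. The following Python is an added example (not code from the original post or from any vendor mentioned): it parses constructed, key=value style login records, keeps a per-user baseline of trusted (device, country) pairs, and emits one notification the first time a successful login arrives from a pair that is not in the baseline. The log format, hostnames and the baseline are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not from any real product).
SAMPLE_LOG = """\
2020-12-14T08:02:11Z user=alice result=success device=LAPTOP-7F2A country=US
2020-12-14T08:05:40Z user=bob result=success device=DESKTOP-11C0 country=US
2020-12-15T02:17:03Z user=alice result=failure device=UNKNOWN-9B1E country=RO
2020-12-15T02:17:31Z user=alice result=success device=UNKNOWN-9B1E country=RO
2020-12-15T02:20:05Z user=alice result=success device=UNKNOWN-9B1E country=RO
2020-12-16T09:00:00Z user=bob result=success device=DESKTOP-11C0 country=US
"""

# Assumed line layout: timestamp followed by space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"device=(?P<device>\S+) country=(?P<country>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def new_login_alerts(events, baseline=None):
    """Return one alert per (user, device, country) not already in the baseline.

    baseline maps user -> set of (device, country) pairs that are already trusted,
    for example from a device enrollment process. Only successful logins extend
    the baseline, so a failed attempt from a new device never becomes "known",
    and a repeated login from the same new pair does not re-alert.
    """
    known = defaultdict(set)
    for user, pairs in (baseline or {}).items():
        known[user].update(pairs)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        key = (ev["device"], ev["country"])
        if key in known[ev["user"]]:
            continue
        known[ev["user"]].add(key)
        alerts.append({
            "user": ev["user"],
            "device": ev["device"],
            "country": ev["country"],
            "time": ev["ts"],
        })
    return alerts


if __name__ == "__main__":
    # Constructed baseline: the devices each user enrolled with.
    baseline = {"alice": {("LAPTOP-7F2A", "US")}, "bob": {("DESKTOP-11C0", "US")}}
    for a in new_login_alerts(parse_events(SAMPLE_LOG), baseline):
        print(f"NOTIFY {a['user']}: new login from {a['device']} in {a['country']} at {a['time']}")
```

With the constructed data, only alice’s successful login from the unenrolled device in a new country produces a notification; the earlier failed attempt is deliberately left out of the baseline so it can be routed to a separate failed-login alert instead of silently becoming a trusted device.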

External Remote Services

  • Multi-factor Authentication – ensuring all systems that support it have it enabled; worth repeating, as it is still a major driver of successful attacks on External Remote Services.
  • Baseline configurations – expose the bare minimum number of services required, ensure they are free of known vulnerabilities, and that they are designed for external connectivity. It’s 2021 and we still have a large number of attacks attributed to Microsoft’s Remote Desktop Protocol being made externally available without a gateway.
  • Vulnerability scanning – Whether it is a new vulnerability or a technician mistakenly opening up a vulnerable web service, regular perimeter scans serve as a continuous monitoring source and help reduce the window during which vulnerabilities are exposed to the internet.
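The baseline configuration and perimeter scanning bullets above combine naturally: a scan is only useful if it is compared against the list of services each host is meant to expose, and against the previous scan. The Python below is an added example (not the post’s code or any scanner’s output format) that parses constructed scan lines, flags open ports that fall outside a per-host baseline, treats directly exposed RDP as a high-severity finding, and reports which exposures are new since the last scan. The hosts (TEST-NET addresses), the baseline and the line format are assumptions for the example.

```python
import re

# Constructed scan output in a simple "host port/proto state service" form;
# not captured from any real scanner or network.
SAMPLE_SCAN = """\
203.0.113.10 443/tcp open https
203.0.113.10 3389/tcp open ms-wbt-server
203.0.113.11 443/tcp open https
203.0.113.11 22/tcp open ssh
203.0.113.12 443/tcp open https
203.0.113.12 8080/tcp open http-proxy
203.0.113.12 25/tcp filtered smtp
203.0.113.13 80/tcp open http
"""

# Constructed result of the previous scan, used to spot newly opened ports.
PREVIOUS_SCAN = """\
203.0.113.10 443/tcp open https
203.0.113.11 443/tcp open https
203.0.113.11 22/tcp open ssh
203.0.113.12 443/tcp open https
203.0.113.12 8080/tcp open http-proxy
"""

# Assumed baseline: the only ports each host is meant to expose externally.
BASELINE = {
    "203.0.113.10": {443},
    "203.0.113.11": {443, 22},
    "203.0.113.12": {443},
}

# Ports that should never be reachable from the internet directly, with the
# remediation a reviewer would cite; RDP without a gateway is the post's example.
NEVER_EXPOSE = {
    3389: "RDP exposed directly; place behind a gateway or VPN with MFA",
    445: "SMB exposed directly; remove from the perimeter",
}

SCAN_RE = re.compile(
    r"^(?P<host>\S+) (?P<port>\d+)/(?P<proto>\w+) (?P<state>\w+) (?P<service>\S+)$"
)


def parse_scan(text):
    """Parse scan lines into dicts with an integer port; unmatched lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["port"] = int(f["port"])
            findings.append(f)
    return findings


def triage(findings, baseline):
    """Return (host, port, severity, reason) for every open port that breaks policy."""
    results = []
    for f in findings:
        if f["state"] != "open":
            continue  # filtered/closed ports are not exposures
        host, port = f["host"], f["port"]
        if port in NEVER_EXPOSE:
            results.append((host, port, "high", NEVER_EXPOSE[port]))
        elif host not in baseline:
            results.append((host, port, "high", "host not in baseline inventory"))
        elif port not in baseline[host]:
            results.append((host, port, "medium", f"not in baseline (service {f['service']})"))
    return results


def open_ports(findings):
    return {(f["host"], f["port"]) for f in findings if f["state"] == "open"}


def new_exposures(previous, current):
    """Ports open now that were not open in the previous scan, sorted for reporting."""
    return sorted(open_ports(current) - open_ports(previous))


if __name__ == "__main__":
    current = parse_scan(SAMPLE_SCAN)
    for host, port, sev, reason in triage(current, BASELINE):
        print(f"[{sev}] {host}:{port} {reason}")
    for host, port in new_exposures(parse_scan(PREVIOUS_SCAN), current):
        print(f"NEW since last scan: {host}:{port}")
```

Running it on the constructed data yields the exposed RDP port and an unknown host as high-severity findings and the unexpected proxy port as medium; the diff against the previous scan shows that RDP and the unknown host appeared since the last run, which is exactly the window regular scanning is meant to shorten.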

Prioritizing the Action Plan

Arguably the hardest part of this exercise is the prioritization of activities in an action plan and finding the time to work through them. While traditional risk management practices take into account financial loss in prioritization, below are a few less structured ways of approaching this problem.

  • Attack Frequency – How many times have the techniques on your list been successfully used against your tech stack and user base? The number of times something has occurred in the past is a good signal of future likelihood.
  • Costs – Is the suggested mitigation a new tool, or is it using what you already have in new ways? Endpoint patching, configuration hardening, and enabling multi-factor authentication are still areas for improvement. Even creative use of notifications can lead to more resilient outcomes.

As you look at the steps we laid out above, you should walk away with the foundations to build a process that can be used and reused to harden your IT infrastructure. It’s best to set a goal of quarterly assessments at a minimum, reviewing your program’s cyber risk in the face of trending attacks and focusing on any new techniques being used.

Business continuity and disaster recovery (BCDR) solutions should serve as a foundational component in every partner’s technology stack. It’s imperative that in 2021, the trend of building in security practices continues. It’s through continuously assessing and improving cyber resiliency that the BCDR solutions will become the last card played rather than the only card.
