As cybercriminals become quicker moving and increasingly well hidden, organisations’ security defences will need to be capable of outrunning black hats. Organisations should ensure they have around-the-clock security monitoring to build resilience, and invest in layered defences that protect Active Directory servers, mitigating the risk of entire databases being compromised.
The new whitepaper, Stopping Active Adversaries: Lessons From The Cyber Frontline, by security firm Sophos’ X-Ops, draws on insights from incidents remediated by the firm’s incident responders in 2022-23. It identifies how adversaries are increasingly launching attacks on organisation networks out of hours, and how their attacks are quickening in pace so that they can infiltrate networks before they are detected.
In light of this, the report highlights some key strategies that businesses can follow to enhance their resilience against active adversaries. These will enable organisations to protect their financial futures and mitigate the risk of data breaches as technology, and the corresponding techniques of hackers, continue to evolve at a rapid pace.
Increasing friction for cybercriminals
Incident responders have identified increasing friction wherever possible as one of the most effective ways to deter attackers. If an organisation’s systems are well maintained with layered defences, active adversaries will need to work harder to subvert them, complicating their approach and widening the window of time in which security teams can detect their activity.
The increasingly popular “bring your own vulnerable driver” (BYOVD) attack is among the top five infiltration approaches available to cybercriminals, ranking behind the primary approaches that multilayered defences block. It involves the attacker implanting a known-vulnerable but legitimately signed driver into a targeted system and then exploiting that driver with malware to perform unauthorised, malicious actions.
Robust, layered defences force attackers to find other routes into a network, where automated, adaptive protection creates friction for active adversaries, who then have to pivot and raise their own skill level to infiltrate successfully. Ideally, this will deter attackers from further attempts and redirect them to easier approaches, where they are more likely to be detected and blocked by the targeted organisation.
Airtight cyber protection across the business
Active adversaries are intelligent in their approach and will target any weak spot they can detect to penetrate an organisation’s network. Once they are in, they will move laterally to escalate their attacks, using covert techniques to hide their tracks. Beyond encryption, active adversaries rely on technologies such as virtual private networks (VPNs) and proxy servers to disguise IP addresses and locations, and call on tactics such as overwriting data, onion routing (a technique for anonymous communication over a computer network) and program packing to hide their activity. Packing involves compressing or encrypting code so that it cannot be recognised by security software, whereas overwriting data erases the traces of malicious activity. This makes it difficult for organisations to monitor attacks and to establish which tactics or entry points were used, leaving no traceable steps to respond to.
Seal off the entry points
Exploited vulnerabilities, as well as compromised credentials, provide active adversaries with an entry point through which to infiltrate organisation networks. To mitigate unauthorised access via these entry points, businesses are strongly encouraged to implement protective processes such as multi-factor authentication to protect credentials and seal off unwarranted access to servers and databases. Organisations can only be as strong as their weakest link; all it takes is for a hacker to find one tiny entry point to break into a system.
Sophos’ latest 2024 Threat Report, Cybercrime on Main Street, highlighted that stolen credentials are frequently used as a form of currency, sold by “access brokers” to anyone who cares to exploit them. Sophos identified that nearly half of the malware detected in 2023 targeted the data of its intended victims. This malware is classified as “stealers”, intended to grab credentials, browser cookies, keystrokes and other data that is then converted into cash as “sold access” or used for further exploitation. The report highlighted Redline and Raccoon Stealer as the top two stealer malware detections in 2023, drawn from customers’ telemetry.
Strong defences provide valuable telemetry, which helps to accelerate threat detection and response. Telemetry refers to the collection, transmission and measurement of data, using sensors to retrieve information from remote sources; it provides the insights organisations need to administer and manage their IT infrastructure effectively. It also enables organisations to track the security of their IT infrastructure in real time and to assess IT system performance and availability. Cybersecurity telemetry data helps to identify and respond to any indicators of compromise (IOCs) across the infrastructure.
The further along the attack chain an attacker gets, the greater the effort needed from responders. Missing telemetry only adds time to remediation, which most organisations cannot afford, making complete and accurate logging of data and its movements essential. As of 2023, Microsoft has begun making logging free and available for basic licences.
Maintain 24/7 vigilance
Sophos research identified that hackers typically work at night and on weekends to avoid monitoring by IT teams. If an organisation only has security operations during working hours, it is likely to overlook important signs of adversary activity until it is too late. With around-the-clock security, a business can investigate and respond to threats in real time, or even block attempted infiltration at the first sign. Time is crucial, and a quick response can be the difference between cleaning up a minor threat and rebuilding an entire environment from backups at considerable cost.
Organisations should have effective and thorough response plans for the cyber attacks most likely to affect them, and should rehearse those plans with security practitioners and the company stakeholders who hold roles of responsibility in the event of a crisis. Alongside this, additional cybersecurity and safety training should be administered across the board.
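The two points above, that adversary activity clusters outside working hours and that gaps in telemetry cost responders time, can both be checked mechanically. The following is an added example, not code from the Sophos whitepaper: it runs over a constructed pipe-delimited log (the hosts, users and addresses are invented), flags logons on weekends or outside an assumed 08:00-18:00 working day, and reports any host that falls silent for longer than a chosen threshold.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the whitepaper): timestamp|host|event|user|src
SAMPLE_LOG = """\
2023-06-12T09:15:00|DC01|logon_success|jsmith|10.0.0.21
2023-06-12T10:40:00|DC01|logon_success|admin|10.0.0.5
2023-06-12T13:05:00|WS07|heartbeat|-|-
2023-06-12T23:47:00|DC01|logon_success|admin|203.0.113.9
2023-06-17T02:10:00|DC01|logon_success|svc_backup|10.0.0.77
2023-06-17T02:12:00|DC01|logon_failure|svc_backup|10.0.0.77
"""

# Assumed working day: 08:00-17:59, Monday to Friday (weekday() 0-4).
BUSINESS_HOURS = range(8, 18)


def parse_log(text):
    """Turn the pipe-delimited lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, host, event, user, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "user": user, "src": src})
    return events


def off_hours_logons(events):
    """Return logon events (success or failure) on weekends or outside business hours."""
    flagged = []
    for e in events:
        if not e["event"].startswith("logon"):
            continue
        weekend = e["ts"].weekday() >= 5
        if weekend or e["ts"].hour not in BUSINESS_HOURS:
            flagged.append(e)
    return flagged


def telemetry_gaps(events, max_gap=timedelta(hours=6)):
    """Return (host, last_seen, next_seen) for every silence longer than max_gap."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e["ts"])
    gaps = []
    for host, stamps in by_host.items():
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier, later))
    return gaps
```

On the sample, the two early-Saturday logons and the Monday 23:47 logon from an external address are flagged, and DC01 shows two silent periods that a responder would want explained before trusting the timeline.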
Building a culture of cybersecurity
It is a common misconception that only large organisations are targeted by active adversaries. In fact, organisations of any size are at risk from increasingly sophisticated attacks. According to the whitepaper by Sophos, 24% of IT leaders in organisations with 100-250 employees reported experiencing attacks involving an active adversary within the past year.
Active adversaries do not target specific organisations; instead, they seek out any network that may have vulnerabilities to exploit. Having around-the-clock security defences and multiple layers of protection, and embedding a culture of cybersecurity awareness and practice throughout the entire organisation, puts an organisation in a secure position to detect and prevent unauthorised cybercriminal activity, minimising damage and financial cost to its IT infrastructure and operations.
To learn more about Sophos visit their website.