Today, cybercriminals are constantly striving to find new ways to trap their potential victims. From posing as legitimate users of a network to using new and evolving techniques to evade detection mechanisms, the range of sophisticated tools available to threat actors continues to grow.
And the timing of attacks is also crucial. A survey of nearly 1,000 security professionals found that 86% of businesses targeted by ransomware were attacked during a holiday or weekend, while three-quarters of ransomware victims suffered an attack during a major corporate event, such as a merger, acquisition or IPO. Clearly, ransomware groups are striking outside of normal business hours, looking to take advantage of business defenses that are likely to be either downgraded or offline entirely.
Threat actors exercise patience to increase their chances of success
With holidays and weekends being downtime for most of the workforce, this presents a significant challenge for most organizations. While most organizations operate a security operations center (SOC) 24/7/365, we know that many reduce SOC staffing during holidays and weekends, often by up to 50%. A minority do not staff their SOC at all during these periods, leaving the doors wide open to attackers. By leaving SOCs understaffed, companies increase the likelihood that bad actors will be able to carry out cyberattacks.
There are many examples available to analyze. For example, the disruptive ransomware attack on Transport for London took place on a Sunday. Meanwhile, in the United States, the 2021 Colonial Pipeline ransomware attack occurred over Mother’s Day weekend. Once they gain access to a company’s network, ransomware gangs are typically patient and methodical in their attack strategies, often lying low for weeks, consolidating their hold and escalating their privileges while searching for key data and business applications to potentially encrypt as part of an extortion plot.
SOC staffing does not match attack patterns
Unfortunately, SOC staffing often does not match the attack patterns we see, for several reasons. Work-life balance is important in many organizations and companies do not feel that a full staff complement is necessary given that most employees work weekdays. There’s also a common misconception that hackers won’t target businesses of a certain size or type – and many organizations feel safe because they’ve never been targeted before. Additionally, staffing a SOC 24/7/365 is a significant challenge. Maintaining 24-hour coverage may require a minimum of 15 to 20 team members.
This creates a costly dilemma. What starts as a simple commitment to improving security can turn into a huge operational expense. To reduce these expenses, many organizations choose to reduce their workforce or limit coverage hours, believing that threats are less likely to occur outside of normal business hours. Unfortunately, this is not the case.
Just as burglars avoid well-monitored areas during the day, bad actors also seek to carry out their attacks when fewer eyes are watching. If you assume you’re safe outside of business hours, you leave the doors open for attacks. Instead, businesses should always assume that an attack is imminent, ensuring that their SOC does not run out of resources at any point. I call this having an assumed-breach mindset. Whatever the day or hour, hackers are persistent and never take time off.
Put more emphasis on identity security
It’s not just about having the right resources, but also about using those resources in the most logical and efficient way possible, focusing on the areas that are most vulnerable or have the greatest potential impact. Here, identity management must be prioritized. Today, the identity system has become the new security perimeter for businesses, with 90% of ransomware attacks resulting in a compromise of the identity system.
Active Directory (AD), which forms the basis of identity and access management for the vast majority of organizations worldwide, is a particularly common vulnerability that malicious actors are constantly working to exploit. As a technology originally released in 1999, many organizations are now faced with managing outdated AD configurations and excessive user privileges that can be exploited relatively easily. Add to that the fact that AD often lacks sufficient security monitoring and auditing, and it can be difficult for organizations to detect unusual or malicious activity quickly enough.
Attackers know these problems better than anyone. They know that if they can compromise AD, they will gain control of the keys to an organization’s kingdom, giving them access to sensitive data and critical systems. Unfortunately, this is an area that generally seems underappreciated or overlooked. Many organizations either don’t have an identity recovery plan at all or have concerning gaps in their recovery plan. Failing to account for cyberattacks, failing to test for identity vulnerabilities, and testing recovery plans only quarterly or less frequently are common mistakes that can prove costly in the event of an attack.
What is the solution?
For businesses, it is critical to address these gaps, ensuring that key vulnerabilities such as AD are protected and that the guard is not dropped outside of business hours, when malicious actors are looking to make the most of understaffed SOCs. Businesses must treat security as a core part of their business resilience strategy. Much like operational, financial and reputational risks, security can mean the difference between a business succeeding or collapsing in the face of a catastrophic, game-changing incident.
To achieve this, companies must follow several steps:
- Have a plan in place: Starting from scratch in the event of a disaster is not a good thing. By preparing for potential scenarios in advance and testing protocols regularly, businesses can respond more quickly and effectively if these situations become a reality.
- Use budgets wisely: It’s not necessarily about investing more money to solve the problem. It’s about using the budgets you have in the most efficient way possible, ensuring that existing resources are reviewed and optimized.
- Embrace ITDR: For organizations looking to use limited resources efficiently, Identity Threat Detection and Response (ITDR) can be an incredibly useful tool, providing key capabilities such as automated auditing and alerting, detection of attack patterns, and rolling back or suspending unusual changes in AD.
- Improve productivity with automation: This automated support can also help companies support the skilled security staff they have, freeing up engineers to spend time on more interesting, higher-value tasks.
By taking these steps to optimize security performance and leverage automation, organizations can simultaneously fill the gaps that currently exist in both their SOC workforce and identity security capabilities, enabling them to better protect against, identify, respond to, and recover from attacks, whether they strike on a Tuesday or a Sunday.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.