Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
Proactive Cybersecurity: 6 Critical Tasks to Mitigate Risk
Widespread exploitation of uncommon vulnerabilities is on the rise. Here are six critical tasks to help mitigate the impact of their next cybersecurity event.
COMMENTARY
Many in the cybersecurity community took to calling the summer of 2023 as “hot zero-day summer” based on the sheer number of vulnerabilities discovered and exploited in widely used applications during those months.
Zero-day vulnerabilities used to be the domain of nation-state actors, but the growing availability of these vulnerabilities and exploit tools on the cybercriminal underground means more cybercriminals are beginning to use them. To defend against these vulnerabilities and others on the rise, here are six critical tasks to help mitigate the impact of these attacks.
Understand Your Attack Surface
Create an inventory of all public-facing assets to understand the organization’s external attack surface. There are automated solutions for external attack surface management which can help discover and evaluate internet-facing assets and cloud resources.
Use the inventory to perform daily vulnerability scans to identify and address vulnerabilities that are likely to be exploited. Regularly review how assets are configured to find and fix and misconfigurations. The same tools used for discovery can also help identify the vulnerabilities and misconfigurations.
Ensure Near-Full Coverage for Endpoints
Endpoint security tools monitor systems for suspicious activity, malware families, backdoors, and commodity-based threats. The tools also have the ability to isolate a system from its environment to allow for live response forensics once a threat is detected.
Mandiant recommends documenting specific aspects of endpoint security tool deployment, including:
Deployment scope: Identify which devices the tools are deployed to and ensure there are no visibility gaps based on the operating system type (e.g., ChromeOS, Linux, Unix, etc.).
Software version: Know what version of the software is installed.
Deployment mechanism: Understand how the tools were deployed and if any of the systems require manual intervention.
Signature/Indicators of Compromise (IOCs) update frequency: Be aware how often the tools are updated with new signatures and indicators of compromise.
Administrative access and configuration: Document who has access to the tools and how each tool is configured.
Configuration and alerting mechanisms for identified malware infections and detections: Understand how the tool detects malware infections and how the alerts are configured.
Detection settings: Be aware of the tools configured for detection and the types of alerts generated by the tool to your SIEM/SOAR.
Visibility and notification channels for high-fidelity alerts: Know which visibility and notification channels exist for high-fidelity alerts.
Restrict Network-Based Protocols and Services
For external-facing systems, limit the number of ports and protocols to only those essential for that system or application to work. Special attention should be given to blocking common ports (e.g., RDP, SSH, SMB, WMI, etc.) and services that attackers could use to laterally move from the external system to the corporate network.
Isolate and segment external facing systems from the main corporate network. A deny-list approach can help block unnecessary east-west communication originating from these systems.
To protect against web-based threats and distributed denial of service attacks, organizations should also place the system or application behind a Layer-7 firewall or a Web Application Firewall (WAF).
Implement Strong MFA Across All External-Facing Systems
Multi-factor authentication has long been considered the strongest way to protect identities online, and it still is. However, attacker techniques have adapted as organizations strengthened their defenses.
There have been a number of incidents where the threat actor compromised a weak MFA mechanism, such as one-time passcodes sent over SMS text messages and voice calls, or push notifications sent via an authenticator application. Both SMS and voice calls are unencrypted, putting them at high risk for being intercepted. There have also been an increase in SIM-swapping, where the attacker transfers the victim’s phone number to a SIM card under the attacker’s control in order to receive the authentication requests.
When maintaining MFA push notifications, the authentication platform should provide additional context about the request to help the user make an informed decision on whether to approve or deny the transaction.
Some examples:
Show the application name requesting the MFA.
Feature the geographical location where the request originated from.
Require number matching on the authentication app to validate the request.
Privileged accounts should enforce an even stronger form of MFA authentication, such as hardware tokens or FIDO2 security keys. Additionally, privileged accounts can require the authorized user to provide MFA verification for each session, even if the request originates from a trusted location or over the corporate VPN. This makes it harder for attackers who gained access to the network through other means to gain access to those privileged accounts.
Enhance Logging, Monitoring, and Detections
Wherever transaction-level or object-level logging is available, these enhanced capabilities should be activated on critical and public resources.
Centralizing all logs should be a priority. For organizations with hybrid environments, all logs should be centrally managed and correlated to track user activity across the environment.
Enhance Incident Response Strategy and Processes
Have a well-defined cybersecurity strategy that follows industry best practices and empowers the security team to effectively identify, evaluate, and remediate security threats. The strategy should include channels to report to relevant executive and business stakeholders all cyber risk metrics and measurements transparently and effectively, including those that may have financial, operational, or reputational repercussions.
Align the most important systems and data (e.g., crown jewels) with incident response plans, playbooks, and governance documentation.
In an ever-changing world where cybersecurity threats continue to grow, staying proactive remains crucial. Organizations should prioritize security initiatives based on the type of risk, level of effort required, and capabilities of their security team.
A version of this article and additional trending content can be found in Mandiant’s latest Cyber Snapshot Report, Issue 5.
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024