Don’t let your software lull you into a false sense of security
Having installed next-generation anti-virus (next-gen AV), endpoint protection (EPP), or endpoint protection & response(EDR), you may feel that your organisation is now safe against the current wave of ransomware attacks.
However, such a comfortable dream can be easily shattered – organisations affected by ransomware suffer a downtime of 16.2 days, according to some observers (https://www.zdnet.com/article/ransomware-attacks-are-causing-more-downtime-than-ever-before). It’s not just a question of having the latest software or security platform – many factors can contribute to a company’s vulnerability.
We’ve put together a list of common issues we see with next-gen AV, EPP and EDR platforms, and some things to consider when making your next security investment.
Can your platform detect advanced threats?
Many people think email is the initial entry point for ransomware attacks. Whilst email is a delivery method and emails loaded with ransomware are a risk, this is not the only way threat actors breach a system and a phishing attempt may only be one stage of the ransomware attack. Threats to network security and the wider infrastructure vary, to make it even more challenging for IT and security teams, threat actors are constantly adapting their techniques to evade detection and ensure their attacks are successful.
Networks could be breached due to a misconfigured or vulnerable Virtual Private Network (VPN) or Remote Desktop Protocol/Services (RDP/RDS), stolen credentials could be used or brute force attacks launched against RDP. Once inside the environment attackers then move through the system deleting backups, disabling antivirus, escalating privileges and moving laterally across the organisation. Many traditional security monitoring platforms fail to detect these stages in an attack.
Once the attacker has gained access to the environment they will then try to maintain persistency ensuring that they have readily available access, so they can further exploit, prior to executing the final malicious payload. It may not happen immediately after the account has been compromised – ransomware attacks often occur at the most inconvenient time – and this is no accident or coincidence.
A threat actor may lie in wait for a suitable opportunity, such as a public holiday, when system administrators are likely to be unavailable, or may even wait for an internal event, such as the final stages of a large project or a cloud migration, when backups may not be available, and administrators’ minds are on other things. This also allows them to inflict the maximum amount of damage and pressure.
How do they know this? The answer is simple – as an authenticated user, they read the emails circulated around the organisation.
The question is whether the platform put in place is capable of detecting and protecting against these types of threats to network security and the wider environment. Is it capable of detecting network or user anomalies? Can the solution detect the abuse of legitimate tools and processes?
Does your security platform have poor remediation capabilities?
Most older “traditional” security platforms go through a set of simple procedural steps, typically forcing a scan of the system or quarantining any affected files. Clearly, in the case of memory-based malware, otherwise known as fileless attacks, this is not going to be enough.
Autonomous breach protection platforms are now available on the market, which collect together a series of detection, protection and remediation tools into a single platform. They will then automate scans, investigations and remediation across the entire environment, without manual intervention.
Some Extended Detection and Response platforms will also ingest, correlate and analyse logs from sources other than endpoints (Workstations and Servers), such as firewalls, email security solutions, and other network appliances whilst conducting behavioural analysis on the telemetry. This enables remediation across the whole environment, rather than just the endpoint, which has traditionally been the focus for next-gen AV, EPP and EDR.
Rather than simply killing a process, a breach protection platform should automatically alert the IT or security team, and proactively take action such as isolating the devices or network segment where the infection occurs, or in the case of a user-based attack, disabling the user, so that the threat actor orchestrating the attack is unable to proceed further.
If the detection tools lack remediation capabilities, the work of the internal response team will be hampered. Clearly, there is no “one size fits all” solution in these cases, so the tools deployed should be capable of configuration to meet the needs of individual organisation. This could mean the customisation of response rules and orchestrating automated response across the wider environment, in order to increase the effectiveness of the remediation.
Is the platform easily managed (and does it provide the right information)?
A platform which is not easily configured to individual environments may end up being deployed in a half-finished state, with key capabilities left unimplemented, or with large parts of the IT environment being neglected, simply on the grounds that the system was too complex to be properly understood.
Furthermore, once the system has been configured, it should be capable of providing real-time information to the IT or security team. A minute is a long time in the life of a cyber incident, and it is necessary for the response team to have accurate information on the incident as it unfolds.
The information gathered by a system is useful, not only at the time of an attack, but in the post-incident analysis. Following a cyber incident, forensic analysis should be able to detect the source and vectors of the attack, and the way in which events unfolded. Following this, it is then possible to plug the holes which led to the incident, and help reduce further attacks.
Furthermore, the platform should be looking for vulnerabilities and assisting with management. Examples would include improperly configured administration systems, endpoints missing patches, or endpoints with risky software installed, as well as being provided with regular updates from the development team with indicators of compromise, indicators of attack and wider threat intelligence.
Is the support, from the platform vendor and others, adequate?
Given the complexity of these systems, and the relative unfamiliarity of many IT teams with such security measures, it is unsurprising that there is often a need for assistance with their deployment and operation.
Likewise unsurprisingly, perhaps, is the fact that the vendors of these systems are not always the most prolific source of practical advice. Many organisations are now turning to outsourced cybersecurity services company with practical experience not only in deploying the platforms, but keeping them up-to-date and effective.
Partnering with a managed cyber security service provider such as First Response can help to solve many problems associated with maintaining the platform and service.
For example, training staff and drawing up a cyber incident response plan may be beyond the capabilities of the in-house team. An external cybersecurity services company is in many cases better qualified to step back and take an overview of the organisation and to help identify and train key members of the response team, while helping to draw up a plan which will best serve the needs of the organisation.
In addition, a cybersecurity services company can take some of the routine manual work off the shoulders of staff. For example, keeping up to date with threat intelligence and the latest developments in cybersecurity can rapidly become a near-full time job, but an outside contractor can do this work, and summarise and digest the relevant information before passing it on. A security operation centre manned 24/7 is probably beyond the capacity of many companies and organisations, but an external specialist company is able to provide such a facility.