No matter how strong your defenses may be, determined bad actors will likely find a way to break in. Beyond preventing infiltration, organizations must also employ methods that can identify the presence of bad actors in the network after a successful intrusion.
Modern Cyber Attacks Extend Far Beyond Initial Access
Traditional attacks were simple and straightforward. Threat actors would exploit a vulnerability like a weak password or unpatched software. Once inside, they would smash and grab whatever they could. In contrast, modern cyberattacks are far more complex and multi-staged. Once attackers achieve initial access using techniques like phishing and exploiting vulnerabilities, they employ a series of carefully orchestrated steps such as:
- Maintaining Persistence: Attackers create new user accounts, change passwords of existing ones, use remote access tools (like Teamviewer or AnyDesk), and create new scheduled tasks to ensure they do not lose access to the victim’s environment.
- Escalating Privileges: Adversaries search for things like unpatched systems, misconfigured permissions or user credentials (via phishing or keylogging) to gain higher privileges and to access more sensitive data and systems.
- Evading Defenses: To avoid detection, some malicious actors will disable endpoint protection tools. Some will leverage legitimate system tools (a.k.a. Living off the Land) like PowerShell, Windows Management Instrumentation, or PSExec, so that they can operate stealthily without raising alarms.
- Making Lateral Movements: Using privileged accounts they may have recently acquired, bad actors will attempt lateral movement across the network, trying to access more systems and data.
- Exfiltrating Data: One of the biggest objectives of bad actors is to exfiltrate sensitive data so it can be monetized later. Attackers normally use pre-existing tools that are already permitted by the organization to exfiltrate data, because using these tools makes their misdeeds harder to detect.
The Anatomy of a Multi-staged Attack
While threat actors go about executing their attacks, it’s important to note that every phase of the attack lifecycle is an opportunity to detect their actions, particularly through detection and response strategies.
During the persistence phase, employees can keep an eye out for any new accounts or unauthorized activity. They can also prompt the security team to investigate if they encounter any scheduled tasks or unusual system behavior. To detect privilege escalation, users periodically review access permissions so any unauthorized changes or abnormal access patterns can be detected proactively. Employees can also be taught to recognize signs of defense evasions such as endpoint security getting disabled or abnormal processes running on the endpoint. Unexpected logins or unusual activities on user accounts (such as users logging in from unusual locations or unfamiliar devices) can also help detect lateral movements. If an employee suddenly receives a multi-factor authentication prompt they did not initiate, then this might be an indication of a threat actor trying to make lateral movement. If users encounter unusual outbound network traffic or unexpected large data transfers to a cloud account, then this might also be a sign of data being exfiltrated or stolen.
How To Boost Detection and Response
There are a few tools and techniques that can be leveraged to boost detection and response including:
1.Human Risk Management (strategy and systems): HRM integrates with existing cybersecurity and IT infrastructure like Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and others. These platforms can help detect, correlate, and respond to suspicious or anomalous user activities across thousands of security events.
2.Imparting Continuous Security Awareness Training: Most organizations underestimate the power of human intuition and observation. They may rely too heavily on cybersecurity tools and technologies, often neglecting the invaluable role employees can play in detecting cyberattacks. If employees are trained well and trained regularly, they can provide critical insights from the front lines which can serve as an effective layer of defense and detection, enabling organizations to improve incident response times.
3.Cultivating A Culture of Cybersecurity: A culture of cybersecurity fosters collaboration between employees and encourages them to share information about threats. It instills a sense of responsibility and accountability which helps detect threats early. The idea behind cybersecurity culture is to weave secure behaviors into the very fabric or the workplace. Best practices include embedding cybersecurity into product development and everyday decision making; leaders leading cybersecurity initiatives by example and encouraging open and transparent dialogue on cybersecurity issues.
At some point, most organizations will be attacked or compromised. Human risk management can play an important role in detecting and blocking attacks before they can cause further material damage. By deploying continuous security training and building a culture of cybersecurity, organizations can significantly boost their detection and response abilities, fostering cybersecurity resilience.
Ad