Cybersecurity threats, actors, and methods continue to evolve. Supply chain compromise and our growing dependence on interconnected systems and data-sharing applications have made security a pressing concern for every enterprise. Protecting critical data and other resources must remain a top priority, and it has to be done in a structured way: working through the stages of an intrusion one at a time gives you a framework that reduces the chance of overlooking an important control.
Below, we’ll explore the most common security threats and some of the initial steps you can take to safeguard your organization in the future.
Potential Threats to Enterprise Security
Phishing via Email
Email is often the first way attackers enter a network. Its ubiquity and the implicit trust we place in those we correspond with make it an ideal channel for threat actors to approach the people who hold access to protected data.
Security plans must account for this, with both user training and the appropriate detective and preventive controls on your email systems (sender authentication such as SPF, DKIM and DMARC, link and attachment inspection, and alerting on messages that fail those checks). To familiarize employees with what a phishing attempt looks like and sharpen their ability to spot one, hold training on the hallmarks of phishing and run a program that sends realistic simulated phishing emails to users, then follows up with those who click.
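As an added illustration (not part of the original article), the following Python script shows the kind of detective control an email gateway or triage tooling can apply to an inbound message: it reads the Authentication-Results header for SPF, DKIM and DMARC failures, looks for a display name or look-alike sender domain that borrows the organization's name, a Reply-To pointing at a third domain, and links whose hostname merely contains the organization's domain without being under it. The two messages, the domain acme.example and all function names are constructed for the example.

```python
"""Flag common phishing indicators in a raw RFC 5322 message (standard library only)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for illustration only; neither is a real capture.
SAMPLE_PHISH = """\
From: "IT Helpdesk (acme.example)" <helpdesk@acme-example-support.test>
Reply-To: collector@mailbox.test
To: jane@acme.example
Subject: Urgent: password expires today
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=acme-example-support.test; dkim=none; dmarc=fail header.from=acme-example-support.test
Content-Type: text/plain

Click http://acme.example.login-reset.test/verify to keep your account.
"""

SAMPLE_LEGIT = """\
From: "Payroll" <payroll@acme.example>
To: jane@acme.example
Subject: March payslip
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example
Content-Type: text/plain

Your payslip is available at https://hr.acme.example/payslips
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def auth_results(msg):
    """Parse 'spf=fail ...; dkim=none; dmarc=fail ...' into {'spf': 'fail', ...}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        # The first clause is the authserv-id; the rest are method=result pairs.
        for clause in header.split(";")[1:]:
            clause = clause.strip()
            for method in ("spf", "dkim", "dmarc"):
                if clause.startswith(method + "="):
                    results[method] = clause.split("=", 1)[1].split()[0].lower()
    return results

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_ours(host, our_domain):
    """True only for our domain or a real subdomain of it (suffix match, not substring)."""
    host = host.lower().rstrip(".")
    return host == our_domain or host.endswith("." + our_domain)

def body_text(msg):
    """Concatenate the decoded text parts; walk() yields the message itself if not multipart."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_indicators(raw, our_domain):
    """Return human-readable indicators for one message; an empty list means none found."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []

    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) == "fail":
            findings.append(f"{method.upper()} failed for {from_dom}")

    # Display name invokes our domain while the real address lives elsewhere.
    if our_domain in display.lower() and not is_ours(from_dom, our_domain):
        findings.append(f"display name mentions {our_domain} but From domain is {from_dom}")

    # Look-alike sender: our organization's label embedded in an unrelated domain.
    label = our_domain.split(".")[0]
    if label in from_dom and not is_ours(from_dom, our_domain):
        findings.append(f"From domain {from_dom} resembles {our_domain}")

    # Replies redirected to a third domain are a classic credential-collection tell.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    # Links whose hostname contains our domain but is not actually under it.
    for url in URL_RE.findall(body_text(msg)):
        host = urlparse(url).hostname or ""
        if our_domain in host and not is_ours(host, our_domain):
            findings.append(f"link host {host} impersonates {our_domain}")
    return findings

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw, "acme.example"))
```

The constructed phishing message trips six indicators and the legitimate payslip notice trips none. In production the Authentication-Results header should only be trusted when it was written by your own gateway (the authserv-id clause), since an attacker can add a forged one upstream; an organization that publishes a DMARC reject policy for its own domain removes the exact-domain spoof entirely and leaves only the look-alike cases for heuristics like these.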
Vulnerable Application or Device Exploitation
Once inside the network, the attacker looks for an application or device to exploit. Most systems carry vulnerabilities, and there is a constant race between defenders who enumerate them and adversaries who develop exploits for them. Vulnerability management is often overlooked or underdeveloped as a core competency of the security team, and that neglect puts the entire organization at risk. If you're not searching for your vulnerabilities, your adversaries are.
Start by inventorying your assets and cataloguing where they are exposed to other systems and to the internet, then scan those assets for known vulnerabilities. Next, implement a program to prioritize and remediate the findings, weighting by exposure, known exploitation and business impact rather than by severity score alone. You won't be able to fix every problem, but you should at least have a plan for managing every risk you know about.
Installation of Command & Control
The attacker's next step is to build a beachhead inside your network, typically by using a vulnerability to install a command-and-control (C2) agent on a server or workstation that calls back out to infrastructure the attacker controls. Endpoint protection, combined with an appropriately sized logging and alerting program, is key to defending against this part of the threat chain.
When developing logging infrastructure, use the LACMAR acronym to ensure completeness of vision:
- Logging – Make sure you’re logging as much of your environment as you can. A more complete picture aids your efforts in mounting a defense.
- Aggregate – Consolidate your logs to allow for easier analysis.
- Correlate – Perform analysis to gain a better overall picture of the actions.
- Monitor – Determine your environmental and cybersecurity baselines and monitor for deviation from those norms.
- Alert – Automate your alerting capabilities as much as possible based on those activity baselines.
- Retain – Keep logs for as long as investigation and regulatory requirements demand, and no longer. Too short a window means you cannot reconstruct an intrusion that has been under way for months; too long adds storage cost and regulatory exposure.
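As an added example (not from the original article), here is what the Aggregate, Correlate, Monitor and Alert steps look like in practice for the command-and-control stage: a Python script that groups constructed outbound connection records by source host and destination, measures how regular the gaps between connections are, and raises an alert when a host is calling the same destination on a near-fixed interval, which is the signature of a fixed-interval C2 beacon. The log format, hostnames, addresses, thresholds and function names are all constructed for the example.

```python
"""Aggregate outbound connection logs, correlate per (host, destination) and alert on
beacon-like regularity: the same host calling the same destination on a near-fixed interval."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy/firewall records: timestamp, source host, destination, bytes out.
# These are not real logs; ws-042 is scripted to beacon to 203.0.113.10 about once a minute.
LOG_LINES = """\
2024-03-04T09:00:00 ws-042 203.0.113.10:443 512
2024-03-04T09:00:10 ws-042 198.51.100.7:443 14022
2024-03-04T09:00:35 ws-042 198.51.100.7:443 8832
2024-03-04T09:00:59 ws-042 203.0.113.10:443 498
2024-03-04T09:02:01 ws-042 203.0.113.10:443 520
2024-03-04T09:03:00 ws-042 203.0.113.10:443 505
2024-03-04T09:04:02 ws-042 203.0.113.10:443 511
2024-03-04T09:04:58 ws-042 203.0.113.10:443 499
2024-03-04T09:05:47 ws-042 198.51.100.7:443 23011
2024-03-04T09:06:00 ws-042 203.0.113.10:443 530
2024-03-04T09:06:59 ws-042 203.0.113.10:443 502
2024-03-04T09:00:05 ws-017 198.51.100.7:443 7722
2024-03-04T09:31:12 ws-017 198.51.100.7:443 1200
"""

def parse_records(lines):
    """Yield (timestamp, src, dst, bytes) tuples from the constructed whitespace-separated format."""
    for line in lines.splitlines():
        if line.strip():
            ts, src, dst, nbytes = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(nbytes)

def detect_beacons(lines, min_connections=6, max_cv=0.2):
    """Return one alert per (src, dst) pair whose inter-connection intervals are suspiciously
    regular. cv = standard deviation / mean of the intervals: human browsing is bursty
    (cv well above 1), a fixed-interval beacon is close to 0."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse_records(lines):
        by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:      # too few samples to judge regularity
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            alerts.append({
                "src": src, "dst": dst, "connections": len(events),
                "mean_interval_s": round(avg, 1), "cv": round(cv, 3),
                "mean_bytes": round(mean(n for _, n in events)),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_beacons(LOG_LINES):
        print("ALERT possible C2 beacon:", alert)
```

Only the ws-042 to 203.0.113.10 pair is flagged: eight connections about sixty seconds apart with a coefficient of variation near 0.03, while the bursty traffic to 198.51.100.7 never reaches the sample threshold. Two caveats a practitioner should keep in mind: modern C2 frameworks add random jitter to their sleep interval, so this check catches only the lazy configurations and should be paired with destination rarity (hosts calling a domain nobody else in the organization has ever contacted), and legitimate pollers such as update checks and telemetry agents are just as regular, so the alert needs a maintained allowlist and a tuned max_cv to stay actionable.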
Lateral Movement in the Environment
Once inside, attackers and malware spread by moving from host to host. Most networks are far better defended at the perimeter than on the inside, where a compromised workstation can often reach servers and other workstations freely. The concept of 'Zero Trust' addresses this by putting reasonably high walls, on both identity and network communication, inside the network rather than only at the edge.
The first logical step is to understand which machines and applications should (and shouldn't) talk to each other, and to write that down as an explicit allow-list. Enforcing these controls must be done with care, since an over-tight policy breaks legitimate traffic, but it goes a long way towards preventing the proliferation of threats within your network.
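The following Python script is an added example, not part of the original article, of turning that understanding into something checkable: network zones and an allow-list of which zone may reach which on which port are declared up front, constructed flow records are audited against the allow-list in report-only mode to surface violations before anything is enforced, and the same allow-list is then rendered as a default-deny nftables forward chain. The zones, addresses, ports, flows and function names are constructed for the example and would be replaced by your own inventory.

```python
"""Derive an east-west communication policy as an explicit allow-list, audit observed flows
against it, and only then turn the same allow-list into default-deny enforcement."""
from ipaddress import ip_address, ip_network

# Constructed zone map for illustration; substitute your own inventory.
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "web": ip_network("10.20.1.0/24"),
    "app": ip_network("10.20.2.0/24"),
    "db": ip_network("10.20.3.0/24"),
    "mgmt": ip_network("10.99.0.0/24"),
}

# Who may talk to whom: (source zone, destination zone, TCP destination port).
# Anything not listed is a violation; there is deliberately no workstation -> db
# and no workstation -> workstation entry.
ALLOWED = {
    ("workstations", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("mgmt", "web", 22),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}

# Constructed flow records (source IP, destination IP, destination port), as NetFlow would give.
FLOWS = """\
10.10.4.21 10.20.1.5 443
10.20.1.5 10.20.2.8 8443
10.20.2.8 10.20.3.2 5432
10.10.4.21 10.20.3.2 5432
10.10.4.21 10.10.7.30 445
10.20.1.5 10.20.3.2 22
10.99.0.4 10.20.3.2 22
"""

def zone_of(ip):
    """Map an address to its zone; 'unknown' means the inventory has a gap."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows, allowed=ALLOWED):
    """Report-only mode: return every observed flow the policy would not permit.
    Run this over real traffic first so enforcement does not break legitimate paths."""
    violations = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        src_zone, dst_zone, port = zone_of(src), zone_of(dst), int(port)
        if (src_zone, dst_zone, port) not in allowed:
            violations.append({"src": src, "dst": dst, "port": port,
                               "path": f"{src_zone} -> {dst_zone}"})
    return violations

def render_nftables(allowed=ALLOWED):
    """Turn the allow-list into a default-deny nftables forward chain for a chokepoint firewall."""
    lines = [
        "table inet segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for src_zone, dst_zone, port in sorted(allowed):
        lines.append(f"        ip saddr {ZONES[src_zone]} ip daddr {ZONES[dst_zone]} "
                     f"tcp dport {port} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for violation in audit_flows(FLOWS):
        print("VIOLATION", violation)
    print(render_nftables())
```

The audit flags three of the seven constructed flows: a workstation talking straight to the database, a workstation reaching another workstation over SMB (port 445, the classic lateral-movement path), and a web server opening SSH to the database tier. None of those is needed for the application to work, which is exactly the point of writing the allow-list down before enforcing it. Where there is no routed chokepoint between zones, the same allow-list drives host firewalls or a microsegmentation product instead; either way, any flow landing in the 'unknown' zone is an inventory problem to fix before it is a policy problem.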
Access & Authentication to Data
The end goal of most intrusions is access to protected data or the systems that host it. By this point the attacker has gathered credentials and knows which machines to target. And because threat actors can sit on a network for months before being detected, they usually have a clear idea of which data they intend to steal or encrypt.
Organizations prepare for this stage in several ways. First, they should know what protected data they hold and where it lives; without that inventory they cannot judge what is at risk, build appropriate protections, or write response and recovery procedures for it. Controls that detect or block unusual movement of data (data loss prevention and egress monitoring) are also in scope, and when properly deployed they can significantly limit the blast radius of a ransomware attack.
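As an added example (not part of the original article) of the first step, knowing what protected data is present, here is a small Python scanner for payment card numbers across a constructed set of files. It pairs a digit-run regex with the Luhn check so that order numbers and other sixteen-digit values are not reported, and it returns only masked values so that the discovery tool does not itself copy card numbers into tickets or logs. The file contents, paths and function names are constructed for the example.

```python
"""Find where payment card numbers live so the data at risk is known before it is stolen.
Luhn validation cuts the false positives a bare 16-digit regex would produce, and only
masked values are returned so the scanner never copies protected data into its own reports."""
import re

# Constructed file contents standing in for a file share; none of these are real records.
FILES = {
    "finance/refunds-2024.csv": (
        "customer,pan,amount\n"
        "J. Doe,4111 1111 1111 1111,19.99\n"
        "A. Roe,5500-0000-0000-0004,42.00\n"
    ),
    "ops/orders.log": (
        "order 1234567890123456 shipped\n"     # 16 digits but fails Luhn: not a card
        "order 4111111111111112 failed\n"      # one digit off a valid PAN: fails Luhn
    ),
    "hr/handbook.txt": "Welcome to the team. Call 555-0100 with questions.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Standard Luhn check: double every second digit from the right, sum the digits, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep the issuer prefix and last four, which is all a report or ticket needs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return masked, Luhn-valid card numbers found in text, in order of appearance."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def classify_files(files):
    """Map each path to its masked findings, dropping files with nothing sensitive in them."""
    report = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in classify_files(FILES).items():
        print(f"{path}: {len(hits)} card number(s): {', '.join(hits)}")
```

Only the finance CSV is reported, with both numbers masked; the order log's sixteen-digit values fail Luhn and are correctly ignored. The same structure extends to other data classes by adding a pattern and a validator per class, and the resulting map of where protected data sits is what lets you decide which shares and databases deserve the strongest egress monitoring and the most tested recovery procedures.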
Security programs depend on the time-honored triad of 'People, Process and Technology.' Each provides some benefit on its own, but they work better as part of a complete program that sets a risk appetite and adjusts the security team's priorities as risk exposure changes. Building such a program takes planning to avoid needless overlap between solutions, or gaps between them, but it can be the difference between a breach that is manageable and one that is catastrophic for your organization.
To speak with an expert about building or assessing your program, get in touch with us today.