These external security threats and internal vulnerabilities are among the most insidious. Here’s how to effectively protect your network against both.
It is a permanent war. In this never-ending cat-and-mouse game between defenders and attackers, accurate intelligence remains the best asset for beating attackers at their own game. Six main threats target networks today. Here are some tips for identifying and eliminating them.
1 – Ransomware
Ransomware is arguably the biggest threat to networks, as it offers attackers the best value for money with a relatively low likelihood of getting caught. “In terms of skills, the entry ticket to get started in this kind of business is also low,” said Andy Rogers, senior assessor at Schellman, a firm specializing in cybersecurity and compliance. “There is no shortage of Ransomware-as-a-Service (RaaS) actors capable of providing all the tools needed for a ransomware campaign,” he added. These “service providers” run minimal risk, since they do not launch any attacks themselves. “It’s a rather interesting market for them,” he said. In addition, payment is made in cryptocurrency, which makes the attackers difficult to identify.
Because of this anonymity and the potentially high payouts, ransomware has become one of the most profitable criminal activities in the world. “The majority of recent, high-profile attacks targeting supply chains, such as Colonial Pipeline in 2021, are ransomware attacks, where hackers demanded up to $4.4 million in cryptocurrency ransom after encrypting storage media, hard drives and SSDs,” said Rogers. Having strong security policies and procedures in place, including security awareness training, is the best way to protect a business from falling victim to ransomware. Andy Rogers recommends monthly patching of systems and applications, as well as separating vulnerable and hard-to-patch systems from other critical systems and data. “It is essential to make regular backups of your data, making sure that they cannot be encrypted by ransomware,” he added.
2 – Zombie botnets
Zombie botnets are tasked with performing specific malicious actions, such as Distributed Denial of Service (DDoS) attacks, keylogging, and spamming. “These threats are potentially devastating because a single attack can steal identities or cripple an entire network,” said Eric McGee, senior network engineer at data center service provider TRG Datacenters. Each machine in a botnet is called a zombie because neither the computer nor its owner is aware that it is dutifully carrying out malicious actions. Smart Internet of Things (IoT) devices are particularly tempting targets for zombie botnets. “It’s easy to overlook the security of IoT devices…but they often give attackers very easy access to the system,” McGee warned. To guard against zombie botnets on IoT networks, he suggests limiting each device’s ability to accept incoming connections and requiring strong passwords on all connected accounts.
3 – Outdated processes and policies
Outdated, siloed, manually enforced processes and policies are widespread, and they pose another serious threat to network security. “The number of emerging vulnerabilities and potential exploits is growing exponentially,” said Robert Smallwood, vice president of technology at General Dynamics (GDIT). “A company’s processes and policies must provide agility and speed so that the company can pivot and respond quickly and automatically to emerging threats,” he said. Organizations that have fallen behind, or that have completely neglected their modernization and refresh processes, risk being heavily penalized by technical debt that expands the network’s attack surface.
“Many enterprises continue to struggle with rigid and outdated policies, depriving themselves of the benefits that the automated hybrid environments of a modern network can bring,” notes Smallwood. “Furthermore, many organizations make exceptions to policies for legacy protocols or equipment without compensating for them with appropriate threat mitigations, thereby bypassing security measures like multi-factor authentication,” he added. Critical processes need to be reviewed regularly as part of change management. “As changes impact the network, it is essential to re-evaluate related processes and policies,” said Smallwood. In some companies, this involves an assessment of all network-related processes. “In this case, it’s best to start by evaluating traditional IT service management practices… and any processes that rely heavily on manual activities,” he advised.
4 – Man-in-the-middle attacks
In a man-in-the-middle (MTM) attack, a third party intercepts the communication between two unsuspecting parties in order to eavesdrop on or modify the data exchanged. There are several ways to accomplish this, such as spoofing IP addresses, using a malicious proxy server, or eavesdropping on WiFi. An MTM attack can be as simple as sniffing traffic in order to steal usernames and passwords. At a higher level, an MTM attack can be used in support of a more sophisticated action, for example redirecting victims to a bogus but very realistic website with a specific malicious objective. Whatever form it takes, an MTM attack can be devastating because once the attacker manages to get inside a network, they can move laterally, starting with one part of the network and then discovering vulnerabilities that allow them to migrate to other areas. “Because attackers log in with ‘valid’ credentials, it’s often difficult to detect the intrusion, giving them time to infiltrate deeper into the network,” says Benny Czarny, CEO of OPSWAT, a company specializing in the protection of critical infrastructure networks.
“MTM attacks are often overlooked and underestimated,” said Keatron Evans, principal security researcher for training company Infosec Institute. “People think the threat can be solved by encrypting the data in transit, but that only solves a small part of the problem,” he added. Another misconception is that network-based threats magically disappear once a business migrates to a cloud service. “That’s just plain wrong,” Mr. Evans warned. “You have to stay diligent, even when you’ve migrated to a cloud service.” To ward off MTM attacks, Keatron Evans recommends adding port-based security with DHCP snooping and dynamic Address Resolution Protocol (ARP) inspection, and moving to IPv6 as soon as possible. He also suggests replacing ARP, one of the main tools of network-based man-in-the-middle attacks, with the newer Neighbor Discovery Protocol (NDP) that IPv6 uses.
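To make the DHCP snooping and dynamic ARP inspection recommendation concrete, here is an added example (not code from the article or from any switch vendor) of the check a switch performs in miniature: a binding table learned from DHCP on untrusted ports is used to validate every ARP packet arriving on an untrusted port, and packets whose sender IP/MAC pair does not match a binding are dropped. All port names, addresses and packets are constructed for the illustration; the helper `ip_claimants` is an assumption showing the simpler signal a monitoring tool can use even without a binding table (one IP claimed by several MACs).

```python
"""Dynamic ARP inspection in miniature (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed DHCP snooping binding table: IP -> MAC as learned from DHCP
# acknowledgements on untrusted access ports.
BINDINGS = {
    "192.168.10.1": "00:11:22:aa:bb:01",   # default gateway
    "192.168.10.20": "00:11:22:aa:bb:20",
    "192.168.10.21": "00:11:22:aa:bb:21",
}
# The uplink toward the router is trusted: ARP seen there is not inspected.
TRUSTED_PORTS = {"Gi1/0/1"}


@dataclass(frozen=True)
class ArpPacket:
    port: str        # ingress switch port
    sender_ip: str   # sender protocol address in the ARP header
    sender_mac: str  # sender hardware address in the ARP header


# Constructed traffic: two legitimate packets, one host on port 7 claiming
# both the gateway's IP and a peer's IP, and a static-IP host DHCP never saw.
SAMPLE_PACKETS = [
    ArpPacket("Gi1/0/1", "192.168.10.1", "00:11:22:aa:bb:01"),
    ArpPacket("Gi1/0/5", "192.168.10.20", "00:11:22:aa:bb:20"),
    ArpPacket("Gi1/0/7", "192.168.10.1", "de:ad:be:ef:00:07"),
    ArpPacket("Gi1/0/7", "192.168.10.21", "de:ad:be:ef:00:07"),
    ArpPacket("Gi1/0/9", "192.168.10.99", "00:11:22:aa:bb:99"),
]


def inspect(packet, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return 'forward' or a drop reason for one ARP packet."""
    if packet.port in trusted:
        return "forward"
    expected = bindings.get(packet.sender_ip)
    if expected is None:
        # A host with a static address needs a static binding or ARP ACL;
        # until then its ARP is dropped, which is the safe default.
        return "drop: no DHCP snooping binding for sender IP"
    if expected.lower() != packet.sender_mac.lower():
        return "drop: sender MAC does not match binding"
    return "forward"


def ip_claimants(packets):
    """IPs claimed by more than one MAC: the classic poisoning signature,
    usable by a passive monitor that has no binding table at all."""
    seen = defaultdict(set)
    for p in packets:
        seen[p.sender_ip].add(p.sender_mac.lower())
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def summarize(packets, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Inspect a batch; return counts plus the per-packet verdicts."""
    verdicts = [(p, inspect(p, bindings, trusted)) for p in packets]
    forwarded = sum(1 for _, v in verdicts if v == "forward")
    return {
        "forwarded": forwarded,
        "dropped": len(verdicts) - forwarded,
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for pkt, verdict in summarize(SAMPLE_PACKETS)["verdicts"]:
        print(f"{pkt.port:8} {pkt.sender_ip:15} {pkt.sender_mac}  -> {verdict}")
    print("IPs with conflicting claims:", ip_claimants(SAMPLE_PACKETS))
```

The practical caveat this shows is the last packet: hosts with static addresses never appear in the DHCP binding table, so enabling inspection without adding static bindings (or ARP ACLs) for them cuts those hosts off. Inventory static-IP hosts before turning the feature on.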
5 – Business Email Compromise
Businesses of all sizes and in all industries face business email compromise (BEC), a serious threat to the network. “As enterprises increasingly adopt conditional access policies, such as single sign-on, BEC fraud is growing in scope and financial impact,” said Jonathan Hencinski, director of threat detection and response at Expel, a cybersecurity company specializing in managed detection and response. BEC attacks lead directly to credential compromise. The most difficult type of attack to detect is one where the attacker enters through the front door with valid credentials. BEC attackers use VPNs and hosting providers to circumvent conditional access policies. “These types of attacks often use legacy protocols to bypass multi-factor authentication (MFA) in Office 365,” Hencinski said. “Once an attacker has compromised credentials and is in the network, they can access critical controls and sensitive information across the enterprise,” he added.
BEC attacks can hit any network at any time. “Since 2019, the use of VPN services and hosting providers to access compromised accounts has increased by 50%,” said Jonathan Hencinski. “Using these services allows attackers to circumvent conditional access policies that deny connections from certain countries through geo-IP records,” he added. Three simple steps help detect attempts to compromise business email. “The first is to inspect emails to prevent and detect phishing emails that attempt to steal employee credentials, and to spot whether a threat actor is using an employee’s account to send phishing emails,” Mr. Hencinski further explained. The second is to monitor authentication to detect fraudulent use of stolen credentials. “Finally, the third is to monitor accounts for characteristic signs of a BEC account takeover,” he further notes.
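The three steps above translate into three detection rules over mail, sign-in and mailbox audit events. The following is an added example (not the article’s or Expel’s code) that runs them over a handful of constructed, already-normalized events. The field names (`type`, `protocol`, `mfa`, `asn_type`, `forward_to`, and so on) are assumptions about what a log pipeline would produce after IP enrichment, not a real product schema; the legacy-protocol rule encodes the point quoted above that basic-auth protocols such as IMAP or POP never prompt for MFA, and the hosting/VPN rule encodes the point about providers used to dodge geo-IP conditional access.

```python
"""Three BEC monitoring checks over constructed events (added example)."""
from collections import Counter, defaultdict

INTERNAL_DOMAIN = "example.com"               # constructed tenant domain
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "ActiveSync"}  # basic auth, no MFA prompt
RISKY_ASN_TYPES = {"hosting", "vpn"}          # assumed labels from IP enrichment
PHISH_BURST = 3                               # same-subject external messages per user

# Constructed events. alice shows all three signals; bob is a normal user.
EVENTS = [
    {"type": "signin", "user": "alice", "protocol": "Browser", "mfa": True,
     "asn_type": "corporate", "country": "US", "result": "success"},
    {"type": "signin", "user": "alice", "protocol": "IMAP4", "mfa": False,
     "asn_type": "hosting", "country": "NL", "result": "success"},
    {"type": "audit", "user": "alice", "action": "inbox_rule_created",
     "forward_to": "collector@example.net"},
    {"type": "mail", "user": "alice", "subject": "Urgent: updated invoice",
     "to": "ap@example.org"},
    {"type": "mail", "user": "alice", "subject": "Urgent: updated invoice",
     "to": "finance@example.info"},
    {"type": "mail", "user": "alice", "subject": "Urgent: updated invoice",
     "to": "billing@example.biz"},
    {"type": "signin", "user": "bob", "protocol": "Browser", "mfa": True,
     "asn_type": "corporate", "country": "US", "result": "success"},
    {"type": "mail", "user": "bob", "subject": "Lunch?", "to": "carol@example.com"},
]


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def check_outbound_phishing(events):
    """Step 1: an employee account sending the same message to many outside
    recipients, the signature of a compromised mailbox used for phishing."""
    findings = defaultdict(list)
    counts = Counter((e["user"], e["subject"]) for e in events
                     if e["type"] == "mail" and is_external(e["to"]))
    for (user, subject), n in counts.items():
        if n >= PHISH_BURST:
            findings[user].append(f"{n} external messages with subject {subject!r}")
    return findings


def check_authentication(events):
    """Step 2: successful sign-ins that either used a legacy protocol without
    MFA or came from a hosting/VPN provider used to dodge geo-IP policy."""
    findings = defaultdict(list)
    for e in events:
        if e["type"] != "signin" or e["result"] != "success":
            continue
        if e["protocol"] in LEGACY_PROTOCOLS and not e["mfa"]:
            findings[e["user"]].append(f"legacy {e['protocol']} sign-in without MFA")
        if e["asn_type"] in RISKY_ASN_TYPES:
            findings[e["user"]].append(
                f"sign-in from {e['asn_type']} provider in {e['country']}")
    return findings


def check_takeover_signs(events):
    """Step 3: a mailbox rule that silently forwards mail out of the tenant,
    a characteristic post-takeover change."""
    findings = defaultdict(list)
    for e in events:
        if (e["type"] == "audit" and e["action"] == "inbox_rule_created"
                and is_external(e["forward_to"])):
            findings[e["user"]].append(
                f"inbox rule forwards mail externally to {e['forward_to']}")
    return findings


def analyze(events):
    """Run all three checks; return {user: [finding, ...]} for flagged users only."""
    merged = defaultdict(list)
    for check in (check_outbound_phishing, check_authentication, check_takeover_signs):
        for user, items in check(events).items():
            merged[user].extend(items)
    return dict(merged)


if __name__ == "__main__":
    for user, items in analyze(EVENTS).items():
        print(user)
        for item in items:
            print("  -", item)
```

Each rule is weak on its own (a traveling employee may legitimately use a VPN); the value is in correlating them per account, which is what `analyze` does, so that one user tripping all three stands out from the noise.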
6 – The proliferation of tools
IT managers and network managers rely on multiple tools to manage dozens of different network protection technologies. However, this proliferation can complicate the work of protecting the company. “The complexity created by the proliferation of tools and the difficulty of simply managing cybersecurity can expose IT and security teams to devastating cyberattacks,” warned Amit Bareket, CEO and co-founder of network security services provider Perimeter81. According to a recent study by his company, 71% of CIOs and other relevant executives felt that the high number of cyber tools made it difficult to detect active attacks or defend against data breaches.
Keith Mularski, managing director of cybersecurity at EY Consulting, said following basic security practices remains the best way to protect against all types of network threats. “Critical systems and networks need to be isolated from the Internet, and who or what has access to them must be tightly controlled,” he advised. “Zero trust and segmentation of all operational systems is required,” Mularski further recommended. “We must avoid ‘implicit trust’: everyone accessing the network must be authenticated, wherever they are, whenever they access it and whoever they are.” To improve preparedness, Mularski also suggests running scheduled simulations. “Like an athlete, you have to train your team to execute the response procedures in order to react more quickly and more intuitively in the event of a breach or incident.”