“One of the best things companies can do is education and security awareness,” says Aamir Lakhani, Global Security Strategist and Researcher at FortiGuard Labs, Fortinet, speaking on a cybersecurity panel at CDW’s BTEX 2021 virtual event. “When you start understanding the threats against your organization, you can really start protecting against them. You can have the best technology and it could still be easily defeated when someone’s letting you inside the door.”
One of the keys to cybersecurity education is to make it more dynamic and fun, using gamification. “We find organizations can get a quick win without spending a lot of money,” says Ivo Wiens, Manager, Security Solutions Architecture at CDW, the host of the panel.
Lessons learned from cyberattacks
“Industry has had little significance on the attacks being launched,” says Matthew Gayford, Director, Unit 42 by Palo Alto Networks. “Last year, we saw some spikes in healthcare and manufacturing, but across the board, nobody’s really immune to these attacks.”
“We’ve seen attacks waged against non-profits, against the education sector, even agricultural organizations. It’s not just your large businesses or worldwide enterprises that are at stake. Sole proprietorships, small mom-and-pop shops, everybody’s at risk.”
Gayford also notes that the primary method of ingress has not changed much. “We’re still seeing roughly 50 percent of attacks occurring on a remote desktop. That hasn’t really changed much over the years as far as a target for these attackers.” However, with the pandemic causing more employees to work from home, the number of remote desktops within most organizations has greatly increased over the past year.
“Smaller organizations can really suffer when they get hit,” says CDW’s Ivo Wiens. “They don’t have a lot of money or controls in place.”
Are we winning the arms race against ransomware?
“The vast majority of ransomware attacks don’t start with ransomware,” says Jeremy Smolik, Manager, Solution Architecture, Americas Channels, Crowdstrike. “Most organizations are targeted, and those adversaries will conduct some discovery, and possibly even some data theft, before they ever drop a piece of ransomware. That ransomware becomes the icing on the cake.”
“By the time that ransomware shows up, we need to be able to answer questions like ‘Who got in, how did they get in and are they coming back?’ So focusing on just the tool alone doesn’t answer those questions. We need to focus on how those adversaries are getting access to begin with, and cut them off before the ransomware has a chance to do damage.”
“We’ve had this natural growth from our signature-based anti-virus, which is now less prevalent, and we’re moving more toward that detection piece,” says Ivo Wiens. So, does this have any impact on how threat actors are attacking endpoints?
“We’re seeing threat actors living off the land,” says Gayford from Palo Alto Networks. “A lot of times these attackers enter the environment by using the very same technology your systems administrator uses to perform maintenance or do routine tasks. Moving to a heuristic and behavioural-based type of monitoring, where we’re looking at intent, the tooling can be tuned up to prevent those things from happening.”
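The behaviour-based monitoring Gayford describes, as an added example that is not part of the panel recap or of any vendor's product: the same administration tools a sysadmin uses are left alone when launched in an expected context, and flagged when the surrounding behaviour (parent process, account, time of day) does not look like routine maintenance. The tool list, the maintenance accounts and window, and the process-creation events are all constructed for illustration.

```python
"""Behaviour-based flagging of living-off-the-land activity.

Added example, not part of the panel recap or any vendor's product.
It scores constructed process-creation events by context rather than by
tool name alone, which is the "looking at intent" idea from the panel.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Dual-use administration tools that also show up in normal maintenance (constructed list).
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "psexec.exe", "certutil.exe", "net.exe"}
# Parents from which an admin-tool launch is rarely legitimate: user-facing applications.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}
# Assumptions: the accounts expected to run maintenance, and the maintenance window (UTC hours).
ADMIN_ACCOUNTS = {"svc_patch", "adm.jdoe"}
MAINTENANCE_HOURS = range(1, 5)  # 01:00 to 04:59


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # launched process image name


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); one reason per behavioural indicator that fired."""
    if ev.image.lower() not in ADMIN_TOOLS:
        return 0, []  # not a tool we care about in this example
    reasons: list[str] = []
    if ev.parent.lower() in USER_FACING_PARENTS:
        reasons.append(f"{ev.image} spawned by user-facing app {ev.parent}")
    if ev.user not in ADMIN_ACCOUNTS:
        reasons.append(f"run by non-maintenance account {ev.user}")
    if ev.ts.hour not in MAINTENANCE_HOURS:
        reasons.append("launched outside the maintenance window")
    return len(reasons), reasons


def triage(events: list[ProcessEvent], threshold: int = 2) -> list[tuple[ProcessEvent, list[str]]]:
    """Keep only events whose score reaches the threshold, so routine admin work stays quiet."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample events: one routine patch job, one admin tool launched from a
# document viewer by an ordinary user, one admin running a tool outside the window,
# and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(datetime(2021, 5, 4, 2, 30), "srv-01", "svc_patch", "services.exe", "wmic.exe"),
    ProcessEvent(datetime(2021, 5, 4, 14, 12), "ws-042", "jsmith", "winword.exe", "powershell.exe"),
    ProcessEvent(datetime(2021, 5, 4, 10, 5), "srv-02", "adm.jdoe", "cmd.exe", "psexec.exe"),
    ProcessEvent(datetime(2021, 5, 4, 9, 0), "ws-017", "jsmith", "explorer.exe", "chrome.exe"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.ts:%H:%M} {ev.host} {ev.user}: {ev.image} -> {'; '.join(reasons)}")
```

The threshold is the tuning knob the panel alludes to: at 2 only the document-spawned launch by a non-admin is reported, while lowering it to 1 also surfaces the administrator working outside the window, which is usually a conversation rather than an incident.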
4 key security considerations to help prevent a breach
When it comes to preventing a security breach, Crowdstrike’s Smolik has four recommendations:
- Security awareness training. Employees need to understand the threats coming at them, and know how to identify them.
- Adversary intelligence. If you can integrate it into your solution and your visibility, you will get more out of your other tools, like endpoint detection and response (EDR).
- Conduct an audit of identities and accounts in your environment. If you can prevent a credential thief from using living-off-the-land techniques or pivoting to a more important device, you could potentially prevent a data breach.
- Keep up your IT hygiene. You’ll want to stay on top of things like patch management, and making sure your backups can be restored, among other routine IT tasks.
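An added example of the identity and account audit recommended above, not code from the panel or from any of the vendors represented: it reads a small account inventory (a constructed CSV) and reports the conditions that give a credential thief an easy pivot, namely privileged accounts without MFA, accounts nobody has used in a long time, and enabled accounts whose owner is no longer with the organization. The column names, the report date and the 90-day dormancy threshold are assumptions.

```python
"""Identity and account audit over a constructed inventory.

Added example, not from the panel or any vendor. The inventory format,
the report date and the dormancy threshold are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed inventory: an export such as a directory or IdP tool might produce.
INVENTORY_CSV = """\
account,privileged,mfa,enabled,last_logon,owner_active
adm.jdoe,true,true,true,2021-05-30,true
adm.backup,true,false,true,2021-05-28,true
svc_legacy,true,false,true,2020-11-02,true
jsmith,false,true,true,2021-05-31,true
tchen,false,true,true,2021-03-01,false
intern01,false,false,false,2020-08-15,false
"""

REPORT_DATE = date(2021, 6, 1)          # assumption: the day the audit is run
DORMANT_AFTER = timedelta(days=90)      # assumption: dormancy threshold


def _flag(value: str) -> bool:
    return value.strip().lower() == "true"


def load_inventory(text: str) -> list[dict]:
    """Parse the CSV export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": r["account"],
            "privileged": _flag(r["privileged"]),
            "mfa": _flag(r["mfa"]),
            "enabled": _flag(r["enabled"]),
            "last_logon": date.fromisoformat(r["last_logon"]),
            "owner_active": _flag(r["owner_active"]),
        })
    return rows


def audit(rows: list[dict], today: date) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for enabled accounts that weaken the environment."""
    findings = []
    for a in rows:
        if not a["enabled"]:
            continue  # a disabled account is not an immediate pivot
        if a["privileged"] and not a["mfa"]:
            findings.append((a["account"], "privileged account without MFA"))
        if today - a["last_logon"] > DORMANT_AFTER:
            findings.append((a["account"], "dormant for more than 90 days"))
        if not a["owner_active"]:
            findings.append((a["account"], "enabled but owner no longer active"))
    return findings


def run_audit() -> list[tuple[str, str]]:
    """Audit the constructed inventory as of REPORT_DATE."""
    return audit(load_inventory(INVENTORY_CSV), REPORT_DATE)


if __name__ == "__main__":
    for account, finding in run_audit():
        print(f"{account}: {finding}")
```

Each finding maps to a routine action rather than an incident: enforce MFA on the privileged account, disable or review the dormant one, and close the leaver's account, which is the IT hygiene point in the same list.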
“Having established relationships is really important,” adds Gayford from Palo Alto. “Knowing somebody who can help you would be a huge benefit. If that day comes, and you’re suddenly locked out of your systems, knowing your IR partners is No. 1,” he says, adding, “organizations that have an IR retainer tend to save money in the long run, during the attack lifecycle.”
Small and medium-sized organizations need to understand the risks involved with a cyberattack, not just in terms of data loss, but in terms of regulatory or compliance impacts as well.
How the Canadian cybersecurity landscape has changed
“When you have 60 to 90 percent of your workforce suddenly working remotely, that changes everything,” says Aamir Lakhani from Fortinet. “We’re definitely going to be in a new normal for a while. That means we have to be even more careful about identity management, where people log in from, how do you back up 5,000 individual sites instead of three data centres?”
Also, it might not be a good idea to put too much faith in automation. “If you’re automating things, and you have false positives and mistakes, you’re just increasing those tenfold,” says Lakhani. “You have to make sure you have a good foundation and a secure base.” Once you have that, you can start making decisions around how to secure the cloud and your remote workers.
And when it comes to remote workers, “Everyone knows that remote desktop protocol (RDP) on the internet is a bad idea,” says Lakhani. “You should have VPNs on RDP, or you shouldn’t have direct access to it. But think about what was the easiest way to get 60 percent of your workforce working again, instead of having them sit around and do nothing – it was probably RDP. Now, what do we have to do when we move that fast and make decisions that fast from a security perspective?”
“Removing your front door is an easier way to get into your house,” says Ivo Wiens. “But over time, you might want to put something there.”
“Cloud services are wonderful because they do a lot of great things for us,” says Palo Alto’s Matthew Gayford. “But none of these are just plug-and-play. There might be a turnkey service that gets you up and running, but the security, management, verification and testing all still has to happen. As you migrate these services and bring them into production, always be security minded.”
How security organizations are getting together to defend against supply-chain attacks
“Your security vendors are the ones you trust the most,” says Fortinet’s Aamir Lakhani. “When you hear about supply chain attacks, it can shake your confidence in the security vendors.”
“With these supply chain attacks, we’re seeing more and more of the community get together, not only as private companies, but now reaching out to public entities like the U.S. government or Canadian government.”
“I actually speak with researchers at companies who would be my competitors on an everyday basis,” Lakhani says. “If I find something, I ask ‘Do you want to test it against your systems as well?’ This collaboration between researchers is really important. Sharing that information and letting the best minds have a go at it.”
“Supply chain attacks in general are nothing new,” notes Gayford. “They’ve been going on for decades, if not longer, but now we’re getting to the point where they’re affecting so many people that it’s become a national security risk for all countries. And the fact that it is getting this attention helps to bring it to the forefront of people’s minds. Maybe this is the motivation that they need to get more security resources for this.”