Ensure Employees Are The First Line Of Defence In Your Cyber Resilience Plan

It’s often said that people are your organisation’s weakest link, and that’s true up to a point. But with the right employee training, they could also be a great first line of defence. When combined with the right security tools, techniques and processes, you could do enough to deter all but the most determined attackers.

It starts with email

Email is usually the first port of call for attackers. Nearly 83% of the 20.4 billion global threats Trend Micro blocked in the first half of 2018 alone were email-borne. Phishing is among the most popular techniques for attackers today, precisely because it exploits that major weakness in the organisation: its employees’ credulity. Attackers are past masters at tricking victims into clicking on malicious links or opening malware-laden attachments. According to Verizon, phishing represented 93% of corporate breaches it investigated last year. But a phishing email could also be the start of a ransomware infection or a crypto-jacking attack. Similarly, scam emails purporting to come from the CEO or CFO could trick finance employees into unwittingly making large transfers to the attacker’s bank account. Global losses from these so-called Business Email Compromise (BEC) attacks continue to break records: the latest estimate is $12.5bn.

But while phishing is often the first stage in an attack, it’s certainly not the only method used by hackers today. Increasingly they’re also making use of more sophisticated ways to hide from traditional security filters. Fileless malware attacks aim to “live off the land” by utilising legitimate tools on your PCs to spread and achieve persistence. Because there are no signatures to speak of, they may fly under the radar of many security tools. In fact, ransomware campaigns NotPetya and WannaCry used these techniques as part of their kill chains.


What you can do

Once you’ve come to terms with the fact that, no matter how big or small your organisation, it will always be a target, the fight back should start with a focus on that all-important threat vector: email. Education is a vital first step. Make sure your employees know how to spot phishing attempts and you’ll stand a better chance of stopping that first wave. Free phishing simulators can help here, by providing real-world scenarios and then feedback on each staff member. Carry out regular sessions in bite-sized chunks to get the most out of them.

However, the truth is that phishing attacks are getting more and more sophisticated, so much so that you might stand the best chance of stopping attempts by taking the user out of the loop completely. Sophisticated sandbox-based analysis tools look at emails before they reach your employees, inspecting URLs and attachments to check for anything suspicious. Similarly, the latest machine learning systems can help defeat BEC before emails reach the user. How? By learning the writing style of key execs in the organisation, so that if scammers try to impersonate them via spoofed emails, the alarm will be raised.

Insight is key

As well as controls at the email level, it’s vital to gain visibility of your network traffic for a second layer of defence. That means monitoring it at key pinch points — just as you’d deploy CCTV cameras at key points in the building. Once again, the best tools will learn what normal looks like, so they can better understand indicators of suspicious activity. This could be extensive use of Windows Management Instrumentation (WMI) in a fileless attack, for example. WMI is often exploited in attacks using password-stealing software like Mimikatz — so spot the early warning signs and you stand a great chance of disturbing an attack before the bad guys have achieved their ends. Also, be sure to monitor any data leaving the network, to ensure compliance with GDPR.

As with all of the above, it’s important that not only you but also senior management understand that cyber attacks are a case of “when”, not “if”, today. The key is, therefore, to act fast to identify and remediate. To this end, when you’re under attack, especially from self-replicating malware like WannaCry propagating across your network, being able to see which hosts are infected and how they’re being infected is vital to ensuring a full and speedy clean-up and remediation.

Stopping every single attack from entering the network may be impossible, but if you monitor closely, you should be able to step in before they have a chance to do much damage.


December 10th, 2018