Cyberattacks have become a risk that all organizations need to address. As cybercrime has become more organized and professionalized, cyberattacks have also become more numerous, automated, and sophisticated.
The reality is that any company can be the target of a cyberattack, and prevention alone is not enough to protect an organization. Even the most effective security control will miss some attacks, so organizations need to be prepared to address an attack at every stage of the kill chain (see diagram below).
The kill chain is a helpful framework that allows organizations to identify the various stages of an attack and determine where new security investment and effort can have the greatest effect. By gaining visibility into threats at each stage of the kill chain, an organization has multiple opportunities to detect and respond to a threat before the damage is done.
Here are five ways in which an organization can improve its ability to break the kill chain.
1. Reduce the Attack Surface
Cybercriminals gain initial access to an organization’s systems and environments by exploiting weaknesses: unpatched software, stolen or weak credentials, and people who can be tricked. By limiting or eliminating these weaknesses within an organization’s environment, security teams make the organization harder to attack. Some techniques for minimizing exploitability include:
- Patch/Vulnerability Management: Cybercriminals continually scan the Internet for systems with known vulnerabilities that can be exploited. Regularly and promptly installing updates and security patches, starting with Internet-facing systems, closes vulnerabilities before they can be exploited.
- Deploying 2FA/MFA: Cybercriminals commonly use compromised user credentials to log into employee accounts or corporate computers. Two-factor authentication (2FA) and multi-factor authentication (MFA) make this more difficult by requiring both a password and one or more other factors (one-time codes, physical tokens, smartcards, etc.) to log in, so a stolen password alone is no longer enough.
- Train Your Employees: Social engineering attacks like phishing are a common way for cybercriminals to gain access to an organization. Security awareness training and phishing simulations can help employees to identify and respond properly to these attacks.
- Network Segmentation: Network segmentation breaks a corporate network up into sections based on business needs, with traffic between segments restricted to what those needs require. By creating boundaries between these segments, it becomes more difficult to move laterally through the network without detection.
2. Detect What You Can’t Prevent
Prevention-focused security controls are an asset, but they don’t always work. Relying solely on prevention leaves an organization blind to attacks that slip through the cracks. A better approach complements prevention with detection of past or current intrusions into the corporate network. Detection is key to responding quickly and effectively to a potential threat and can be accomplished using the following solutions:
- Combine EDR with EPP: Endpoint protection platforms (EPPs) help to identify and block threats to an endpoint, but they’re not perfect. Augment preventative capabilities with solutions focused on detecting intrusions and enabling rapid response. For example, endpoint detection and response (EDR) may detect ransomware that slips past EPP and trigger incident response, or monitor the use of privileged credentials to detect potential abuse.
- 24x7 Monitoring: Companies face threats from around the world, meaning that an attack can occur at any time, not just during business hours. Round-the-clock monitoring enables an organization to more quickly detect and respond to attacks.
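The "monitor the use of privileged credentials" point above is easier to see in code. The following is an added example, not SolCyber's code or any product's logic: a small detector run over constructed authentication log lines in a simplified format (timestamp, result, user, source IP, target host). The privileged-account list and each account's baseline of normal source networks and login hours are assumptions standing in for what an SOC would pull from the directory and from historical logs.

```python
"""Flag suspicious use of privileged credentials in authentication logs.

Added example (not the page's or SolCyber's code). The log format is a
constructed, simplified one:
    "<ISO timestamp> <OK|FAIL> user=<name> src=<ip> host=<target>"
BASELINE is a hypothetical per-account profile that a real SOC would learn
from directory data and weeks of historical logins.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: privileged accounts and what "normal" looks like for each.
BASELINE = {
    "svc-backup": {"nets": [ip_network("10.10.5.0/24")], "hours": range(22, 24)},  # nightly backup window
    "da-jsmith": {"nets": [ip_network("10.20.0.0/16")], "hours": range(7, 20)},     # human admin, office hours
}
PRIVILEGED = set(BASELINE)
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

# Constructed sample log: one off-hours admin login, one password-guessing
# run against a service account from an outside address, and normal traffic.
SAMPLE_LOG = """\
2024-03-04T02:15:33 OK user=da-jsmith src=10.20.7.9 host=dc01
2024-03-04T09:02:11 OK user=alice src=10.20.3.14 host=ws-alice
2024-03-04T09:10:02 OK user=da-jsmith src=10.20.7.9 host=dc01
2024-03-04T22:41:05 FAIL user=svc-backup src=198.51.100.23 host=fs01
2024-03-04T22:41:09 FAIL user=svc-backup src=198.51.100.23 host=fs01
2024-03-04T22:41:14 FAIL user=svc-backup src=198.51.100.23 host=fs01
2024-03-04T22:41:20 FAIL user=svc-backup src=198.51.100.23 host=fs01
2024-03-04T22:41:27 FAIL user=svc-backup src=198.51.100.23 host=fs01
2024-03-04T22:41:33 OK user=svc-backup src=198.51.100.23 host=fs01
2024-03-04T23:05:40 OK user=svc-backup src=10.10.5.7 host=fs01
""".splitlines()


def parse(line):
    """Turn one log line into a dict with a real datetime."""
    ts, result, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "result": result, **fields}


def _trim(window, now):
    """Drop failure timestamps older than the brute-force window."""
    while window and now - window[0] > BRUTE_FORCE_WINDOW:
        window.popleft()


def detect(lines):
    """Return a list of alert dicts for the given log lines."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> recent failure timestamps
    for ev in map(parse, lines):
        key = (ev["user"], ev["src"])
        window = failures[key]
        _trim(window, ev["ts"])
        if ev["result"] == "FAIL":
            window.append(ev["ts"])
            continue
        # A success preceded by many failures from the same source is the
        # classic signature of password guessing that finally worked.
        if len(window) >= BRUTE_FORCE_THRESHOLD:
            alerts.append({"ts": ev["ts"], "rule": "brute_force_then_success",
                           "user": ev["user"], "src": ev["src"]})
        window.clear()
        if ev["user"] not in PRIVILEGED:
            continue
        profile = BASELINE[ev["user"]]
        src = ip_address(ev["src"])
        if not any(src in net for net in profile["nets"]):
            alerts.append({"ts": ev["ts"], "rule": "privileged_login_new_source",
                           "user": ev["user"], "src": ev["src"]})
        if ev["ts"].hour not in profile["hours"]:
            alerts.append({"ts": ev["ts"], "rule": "privileged_login_off_hours",
                           "user": ev["user"], "src": ev["src"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]:%Y-%m-%d %H:%M}  {a["rule"]:<30} {a["user"]} from {a["src"]}')
```

Run as-is it reports three alerts: the 02:15 domain-admin login outside that account's hours, and, for the service account, both the guess-then-success sequence and the login from an address outside its baseline network. The 23:05 backup login from the expected subnet raises nothing, which is the point of keeping a per-account baseline rather than one global "business hours" rule: a service account that is supposed to run at night would otherwise flood the queue with false positives.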
3. Respond Quickly to Prevent Impact
Slow incident response times provide the attacker with a window in which they can expand their foothold and cause additional damage to the organization. Deploying solutions that enable rapid incident response can help to mitigate the impact of an attack. Some examples include:
- Endpoint Detection and Response (EDR): With the rise of remote work, the endpoint has become a major target of cybercriminals and is not always protected by corporate perimeter-based defenses. EDR solutions can detect malware on the endpoint and stop infections from spreading by quarantining infected hosts and terminating malicious processes.
- Network Quarantine: An infection may attempt to spread laterally through the corporate network. Restricting network access for a compromised endpoint limits the spread of the intrusion.
- Account Lockdown: If a user account is compromised by an attacker, it can be used to move laterally through the network. Promptly disabling the account, revoking its sessions and tokens, and resetting its credentials limits the attacker's ability to keep using it.
4. Don’t Forget Privileged Access
Many successful cyberattacks rely on unnecessary or elevated permissions. Cybercriminals commonly attempt to gain access to user accounts to expand their reach or deepen their access on a corporate network. Accounts with excessive access and permissions pose an unnecessary risk to an organization’s data and other systems. This is particularly important for Active Directory, whose compromise can give attackers control of most of the environment. Strategies for reducing unnecessary access include:
- Monitoring User Access: Cybercriminals commonly use compromised accounts to carry out their attacks, and privileged accounts are a primary target. Monitor account activities for anomalies, such as logins from unfamiliar locations, at unusual times, or after a burst of failures, that could indicate an attack.
- Restrict Admin Access: Administrator access is an essential part of many cyberattacks. Limiting access to administrator-level permissions can make it more difficult for attackers to gain the access and rights required to carry out their attacks.
- Implement Least Privilege: The principle of least privilege states that a user, application, device, etc. should only have the access and permissions necessary to do its job. Access and permissions should be assigned based on business needs and minimized whenever possible.
- Review Access: People get promoted, change roles, or quit, and their required access and permissions change with these events. Accounts’ access and permissions should be updated at the time of these events and reviewed regularly to see if any changes are needed.
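The "Restrict Admin Access", "Implement Least Privilege" and "Review Access" points above amount to one recurring procedure: compare what each account holds against what its role requires, inventory who holds high-risk rights, and catch accounts that should no longer exist or are no longer used. The following is an added example, not SolCyber's code or any product's logic, showing that review over constructed user and role records; the role-to-permission map, the high-risk permission set and the 90-day dormancy threshold are assumptions standing in for what a real review would pull from the directory and HR system.

```python
"""Periodic access review against least privilege.

Added example (not the page's or SolCyber's code). ROLE_PERMISSIONS, HIGH_RISK
and USERS are constructed; a real review would pull them from the directory
(e.g. AD group membership) and the HR system's joiner/mover/leaver feed.
"""
from datetime import date

# Assumption: the minimum permission set each business role needs.
ROLE_PERMISSIONS = {
    "helpdesk": {"reset_password", "read_tickets"},
    "finance": {"read_ledger", "approve_payment"},
    "domain_admin": {"reset_password", "read_ledger", "domain_admin"},
}
# Assumption: permissions whose misuse would be severe enough to rate "high".
HIGH_RISK = {"domain_admin", "approve_payment"}

# Constructed user records. "role" is None for someone who has left.
USERS = [
    {"name": "alice", "role": "helpdesk", "enabled": True,
     "granted": {"reset_password", "read_tickets", "domain_admin"},  # leftover from a project
     "last_login": date(2024, 3, 1)},
    {"name": "bob", "role": "finance", "enabled": True,
     "granted": {"read_ledger"}, "last_login": date(2023, 10, 2)},  # not used for months
    {"name": "carol", "role": "finance", "enabled": True,
     "granted": {"read_ledger", "approve_payment"}, "last_login": date(2024, 2, 27)},
    {"name": "dave", "role": None, "enabled": True,  # left the company, never offboarded
     "granted": {"read_ledger"}, "last_login": date(2023, 12, 15)},
]


def review_access(users, role_permissions, today, dormant_days=90):
    """Return findings: orphaned, over-privileged and dormant accounts."""
    findings = []
    for u in users:
        if u["role"] is None:
            if u["enabled"]:
                # The fix is to disable the account, so other checks are moot.
                findings.append({"user": u["name"], "issue": "orphaned_account",
                                 "severity": "high", "detail": "no role but still enabled"})
            continue
        required = role_permissions.get(u["role"], set())
        excess = u["granted"] - required
        if excess:
            findings.append({"user": u["name"], "issue": "excess_permissions",
                             "severity": "high" if excess & HIGH_RISK else "medium",
                             "detail": sorted(excess)})
        if u["enabled"] and (today - u["last_login"]).days > dormant_days:
            findings.append({"user": u["name"], "issue": "dormant_account",
                             "severity": "medium",
                             "detail": f"last login {u['last_login']}"})
    return findings


def privileged_inventory(users):
    """Names of enabled accounts holding any high-risk permission."""
    return sorted(u["name"] for u in users
                  if u["enabled"] and u["granted"] & HIGH_RISK)


if __name__ == "__main__":
    print("Accounts with high-risk rights:", privileged_inventory(USERS))
    for f in review_access(USERS, ROLE_PERMISSIONS, date(2024, 3, 5)):
        print(f'[{f["severity"]:<6}] {f["user"]:<6} {f["issue"]:<20} {f["detail"]}')
```

Against the sample data the review flags alice's domain admin right as high-severity excess over the helpdesk role, bob's account as dormant, and dave's account as orphaned; carol holds exactly what finance requires and is clean. The privileged inventory (alice and carol) is the list to keep short and to feed the monitoring described under "Monitoring User Access". Running this on every joiner, mover and leaver event, and on a schedule, is what turns "Review Access" from a yearly chore into a control.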
5. Layer Your Approach
Modern cyberattacks are subtle, sophisticated, and designed to slip past security solutions without detection. Implementing multi-layered threat detection and response capabilities maximizes the probability that an attacker triggers at least one alert. Key elements of a defense in depth cybersecurity strategy include:
- Focus on Early Stages: The earlier in the kill chain that an attack is detected and mitigated, the lower the cost and impact to the organization. Double down on capabilities that fall early in the kill chain.
- Diversify Your Security: No security solution is perfect, and some attacks may slip through the cracks. Implementing defense in depth by leveraging different technologies from a variety of vendors increases the probability that one solution will catch threats that another misses.
- Different Capabilities: Include a mix of prevention, detection, and response. Prevent what you can early and detect and respond to what's been missed. Prevention is usually the most cost-effective layer, since a blocked attack generates no incident to investigate, but preventive controls still need to be maintained and tuned.
Consider Partnering with a Modern MSSP
As cyberthreats grow more common and sophisticated, protecting against potentially devastating attacks can be difficult for an SME. Companies need skilled personnel and resources to identify, deploy, and operate the range of cybersecurity solutions needed to manage corporate risk.
For many SMEs, partnering with a managed security services provider (MSSP) is a more cost-effective and sustainable option. MSSPs provide access to essential security expertise and a curated toolset that can be quickly rolled out to an organization. Also, MSSPs can take advantage of economies of scale, distributing the costs of expensive tools across many customers and providing cheaper, more effective security than an SME can achieve in-house.
SolCyber provides managed security expertise focused on providing the "minimum effective dose" of security, providing protection against cyber threats without creating bloat and taking over your organization. We know what tools work and how to rapidly roll out solutions that provide a clear reduction in cybersecurity and business risk. If you’re interested in learning more about breaking the kill chain on a budget, drop us a line.