Guest author, Chris Witham, Director of Operations, Sicarius
For over 20 years, Chris has honed his skills across a wide variety of IT disciplines, including systems administration, IT security, digital forensics, risk and compliance, and incident response. Chris has provided first-rate digital forensic services for cutting edge organisations in federal law enforcement and private enterprise, both locally in Australia and Internationally. His resume includes working with the Australian Federal Police, Blackpanda and KordaMentha, supporting sophisticated, and at times high-profile investigations.
The measures that we take right now to protect our businesses against cyber attacks have a direct correlation to the chances of whether or not cyber criminals will gain access to our networks and data, as well as the negative impact that any breaches will have. Over the years that we have provided Incident Response (IR) services, there are some common pitfalls we see businesses of all sizes make regarding the protection of their systems and data. Many of these relate to businesses not taking some basic proactive strategies for security. When these basic strategies are overlooked, the chances that a breach will occur are much greater.
From all of the breaches that we’ve seen, these are the common pitfalls that small to mid-sized enterprises (SMEs) should try to avoid.
Being unprepared for a cyber attack
Once a breach is confirmed, businesses need to react swiftly. This can be nearly impossible without a predetermined plan. Usually, this is formally documented in an Incident Response Plan (IR Plan), which can also be complimented by Incident Response Playbooks that address specific types of cyber attacks. Unfortunately, it’s often been the case that once we are engaged and begin our response, we find that no plan exists, and we start from scratch. It can take considerable time to gather the information that we require to remediate the situation.
An IR Plan outlines the procedures and protocols to be followed when responding to and recovering from a cybersecurity incident. Specific components will vary depending on each organisation, but an IR Plan typically includes:
- Key personnel who will form the incident response team and their roles and responsibilities.
- Guidelines for classifying the severity and impact of cyber incidents.
- Processes for detecting and reporting security incidents.
- The different phases of the incident response and steps that will be undertaken within each phase.
- Some rules and protocols for communicating with stakeholders, regulatory bodies and law enforcement.
The absence of an incident response plan can cause chaos within an organisation once a cyber incident has been confirmed. With no plan there is no clear roadmap for containing the damage, notifying affected customers, or restoring the compromised systems. Management is left in the position of having to assemble an ad-hoc incident response team, but the lack of pre-established protocols and coordination can further hinder their efforts.
All organisations need to have some incident response strategy in place, starting with a comprehensive IR Plan. With an IR Plan, businesses are much better equipped to detect any breach, respond swiftly, contain the damage, and communicate effectively with stakeholders.
Improper vetting of emails
Phishing is a very common practice employed by cyber criminals. With phishing attacks, a threat actor will send emails or other types of messages that appear to come from a legitimate source, in an attempt to trick users into providing sensitive information or get them to click on a dangerous link.
We’ve seen countless breaches occur from this simple technique. Examples include threat actors sending fake invoices with alternate payment details, emails containing links that will download and install malicious software, and emails asking users to provide their account details and passwords.
Employee education and awareness plays a significant role in preventing phishing attacks from succeeding. For most of the successful phishing attacks that we have witnessed, an employee of the victim company lacked knowledge of typical phishing techniques and was not able to spot the warning signs in order to identify a suspicious email.
In addition to employee education and awareness programs, businesses can employ an advanced email protection platform, which can significantly mitigate the risks of these types of attacks.
Email protection solutions like Cloudflare Area 1 can analyse incoming emails in real-time, scanning for indicators of phishing attempts. They also contain robust email filtering and spam detection mechanisms that block or divert suspicious emails from reaching user inboxes.
In addition, email protection systems can automatically scan and analyse URLs present in incoming emails, checking them against databases of known malicious websites. If a link is deemed suspicious, the platform can either block access to the website or display a warning message to the recipient, alerting them to potential dangers.
Log retention plays a crucial role in the event of a cyber attack by providing extremely valuable information to investigators and responders. Logs capture a wealth of information about system activities, user actions, network traffic, and security events. When these logs are available to incident responders they can be analysed during and after a cyber incident to reconstruct the timeline of events, identify the attack origin, understand the methods employed by the attackers, and determine the damage.
As advanced incident responders, we examine countless log types to perform in-depth investigations and uncover suspicious activities, unauthorized access attempts, or other anomalous behavoir. Unfortunately, by default many applications and systems limit the size of their logs, meaning that only a small amount of data will be available.
Log collection and retention is the practice of storing and preserving the log data generated by various systems, applications, devices and network components within a network. Many log collection systems can gather log data from multiple sources, such as servers, applications, firewalls, routers, and other network devices. The collection system stores the log data in a centralised repository or database which makes it available for analysis and forensic investigations.
Essentially, log collectors are an invaluable resource for incident response, and can be easily implemented within an organisation.
Not patching applications and software
Cyber criminals will often use the security flaws found in out-dated software applications to gain unauthorized access to a network. We’ve seen this exact method used in many Incident Response investigations.
“Application patching” is the process of updating and fixing software applications to address issues like security and performance. This involves applying software updates called “patches”, and these are provided by the software developer. Applying patches will usually resolve security flaws and/or improve the functionality of the application.
In the vast majority of cases, these patches are provided free of charge from the developer. The Essential Eight strategies published by the Australian Signals Directorate (ASD) recommends updating applications within 48 hours of the patches becoming available and warns against using any applications that are out of support and do not receive security updates.
To make the process of patching applications more efficient, patch management software tools are available. These tools streamline and automate the process of deploying and managing software patches across an organisation’s IT infrastructure, ensuring that applications stay up to date. They will generally also feature many other components that test and monitor software updates.
Patch management software is something that we recommend to any of our clients that may have difficulties keeping their various applications updated and secure.
Outsourced cybersecurity partners can help companies avoid common pitfalls
These pitfalls may seem a bit overwhelming for a small department or IT leader to avoid, especially if cybersecurity isn’t an area of expertise for the IT team. However, organizations can lean on a managed security partner such as SolCyber who can serve as a cybersecurity department ready and capable of providing proactive prevention, detection, and response efforts 24/7, ensuring key security measures are in place.
It's an easy and efficient way to ensure your company is protected and has the expertise needed to adapt and react to any new vulnerabilities, threats, and attacks.
To learn more, set up some time with them for a free consultation.