As threat actors' sophistication has grown dramatically in the last few years, organizations haven't kept up with implementing the necessary countermeasure controls.

John A. Smith, Founder & Chief Security Officer, Conversant Group

October 5, 2022


Businesses are grappling with increased costs, including cyber insurance, which saw premiums rise an astounding 92% year-over-year in 2021. The ballooning cost is due, in part, to a rise in business interruption costs, which are affected mostly by threat actors' ability to find and destroy an organization’s backups and production data, preventing timely recovery.  

Backups were targeted in 94% of attacks and impacted in 68% of attacks, according to Veeam's "2022 Ransomware Trends Report." Without a backup to restore, unplanned downtime costs 35% more than planned downtime, according to IBM. A proactive approach to securing your environment therefore represents a cost savings.

In the last couple of years, threat actors' sophistication has risen exponentially, but organizations haven't implemented the necessary technical controls and configuration to keep pace. The cybersecurity industry and many cybersecurity professionals are policy and compliance oriented, but the hackers don't go after your policies. They go after your controls and configurations. 

As a last line of defense, there are precautions like immutability that can help your backups survive, but the success or failure of most companies' security methods heavily depends on the users — those who don't have an IT or security background. Unfortunately, most organizations' technical controls and configurations don't reduce the likelihood of users' endpoints being leveraged to enact damage.

Too many organizations allow (sometimes unwittingly) an array of meeting software, remote access software, password managers, browsers, personal email services, and file-sharing tools. This unsanctioned tech sprawl leads to a greater opportunity for threat actors to harvest your users' credentials, exfiltrate data, gain access to an endpoint, or obtain remote access. Cisco was recently breached by allowing users to access personal email services and save corporate passwords in the browser.
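One concrete way to close the browser-saved-password gap described above is to push a browser policy to every Windows endpoint. The script below is an added example, not part of the article or Conversant Group's tooling; it assumes a Windows endpoint whose Chrome and Edge installs honour the standard HKLM policy keys (the default) and that it runs from an elevated session. `PasswordManagerEnabled` is the real Chrome/Edge policy name.

```powershell
# Added example: disable the built-in browser password manager for Chrome and Edge
# by writing the machine-wide policy value, then report the effective setting so
# an assessor can verify it.
# Assumptions: runs elevated; browsers read HKLM policy keys (default behaviour).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # 0 = users cannot save or autofill passwords with the browser's own manager
    Set-ItemProperty -Path $key -Name 'PasswordManagerEnabled' -Value 0 -Type DWord
}

# Verification pass: print each key's value; anything other than 0 means the
# control is not in place on this endpoint.
foreach ($key in $policyKeys) {
    $value = (Get-ItemProperty -Path $key -Name 'PasswordManagerEnabled' `
              -ErrorAction SilentlyContinue).PasswordManagerEnabled
    '{0}: PasswordManagerEnabled = {1}' -f $key, $value
}
```

In practice this is deployed through Group Policy or an MDM profile rather than run by hand, but the registry values are what the browsers actually read, which makes them a useful thing to check during the kind of technical assessment discussed later in the article.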

Most breaches follow a predictable progression. Here is an example: A malicious email is accessed by a user, who clicks a link that gives their credentials away or grants local access to a threat actor. The threat actor then installs a remote access Trojan (RAT) on the endpoint and harvests privileged credentials, whether from the endpoint via a credential dumper like Mimikatz, from the Dark Web, or from a network share. Then, the threat actor leverages the privileged credentials to move laterally through the network, find and exfiltrate the most valuable data, destroy the backups, and encrypt all production data.

So how do you prevent becoming a victim of common attack methods?

Improve Education

All users need to be educated on the evolving risk posed by everyday tools and how attackers use them, especially email. According to Verizon's "2022 Data Breach Investigations Report," threat actors prefer email for malware delivery; 86% of malware delivery is performed via email.

IT professionals need consistent training, as well. Too often, victims believe the breach they suffered was random. IT professionals are often ignorant of their environment's vulnerabilities and misconfigurations, and how sophisticated hackers have become at exploiting them. 

Getting security done right requires a concerted, driven, anti-political personality to push an organization to take necessary steps. Even blocking personal email services within an organization is likely going to be met with pushback, but it needs to be done.

Get An Assessment

Finding a partner that can perform a thorough technical assessment of your environment by leveraging breach knowledge is a great extension of your IT department and a worthwhile investment. IT systems often have weak configuration and unsuitable technical controls. However, organizations are often operating unaware of these accepted risks.

A regular cadence of assessments, at least annually, is important because risk is always changing and vendors are continuously releasing updated features and services. The technical controls' suitability and configuration must be regularly checked so they don't compromise your security posture.

Even big vendors like Microsoft ship defaults that make organizations more vulnerable out of the box. Recently, Microsoft warned of large-scale phishing attacks against more than 10,000 organizations. Reportedly, the attackers were able to bypass Office365's multifactor authentication (MFA) capability.

If MFA is misconfigured, it won't secure your organization and could even be grounds for insurance coverage denial. An assessment would flag such misconfigurations. If your controls are orchestrated properly, it's going to be more difficult for a threat actor to leverage harvested credentials for access.

Establish Roles

Ultimately, security is everyone's job, but IT professionals and security teams need to have clear responsibilities and partner not only with each other, but executives, too. Internal politics need to be put aside for the greater good of protecting the organization from threats.

In some cases, for instance, leadership doesn't allow the IT team to do what needs to be done to properly secure an organization, pushing back on controls that may seem too harsh.

There is often a natural tension between security and IT, as well. If CISOs and security teams are asked to make an environment secure after the IT infrastructure has been built, they are going to have a hard time trying to implement security piecemeal based on what already exists. You can't duct tape your way to a secure IT environment.

Once you have your marching orders, you need to gear your security plan toward stacking controls and securing endpoints, among other things. If a threat actor gains access to an endpoint, most organizations will have lost. With the right technical controls and configuration, you can better protect your endpoints, credentials, production data, and ultimately your backups.

About the Author(s)

John A. Smith

Founder & Chief Security Officer, Conversant Group

John A. Smith is Founder and Chief Security Officer of Conversant Group and its family of IT infrastructure and cybersecurity services businesses. He is the founder of three technology companies and, over a 30-year career, has overseen the secure infrastructure design, build, and/or management for over 400 organizations. He is currently serving as vCIO and trusted advisor to multiple firms.

A passionate expert and advocate for cybersecurity nationally and globally who began his IT career at age 14, John is a sought-after thought leader, with dozens of publications and speaking engagements. In 2022, he led the design and implementation of the International Legal Technology Association’s (ILTA’s) first annual cybersecurity benchmarking survey.

John studied Computer Science at the University of Tennessee at Chattanooga and holds a degree in Organizational Management from Covenant College, Lookout Mountain, Georgia.
