Proactive Cybersecurity: 6 Critical Tasks to Mitigate Risk

COMMENTARY

Many in the cybersecurity community took to calling the summer of 2023 as “hot zero-day summer” based on the sheer number of vulnerabilities discovered and exploited in widely used applications during those months.

Zero-day vulnerabilities used to be the domain of nation-state actors, but the growing availability of these vulnerabilities and exploit tools on the cybercriminal underground means more cybercriminals are beginning to use them. To defend against these vulnerabilities and others on the rise, here are six critical tasks to help mitigate the impact of these attacks.

Understand Your Attack Surface

Create an inventory of all public-facing assets to understand the organization’s external attack surface. There are automated solutions for external attack surface management which can help discover and evaluate internet-facing assets and cloud resources.

Use the inventory to perform daily vulnerability scans to identify and address vulnerabilities that are likely to be exploited. Regularly review how assets are configured to find and fix and misconfigurations. The same tools used for discovery can also help identify the vulnerabilities and misconfigurations.

Ensure Near-Full Coverage for Endpoints

Endpoint security tools monitor systems for suspicious activity, malware families, backdoors, and commodity-based threats. The tools also have the ability to isolate a system from its environment to allow for live response forensics once a threat is detected.

Mandiant recommends documenting specific aspects of endpoint security tool deployment, including:

Restrict Network-Based Protocols and Services

For external-facing systems, limit the number of ports and protocols to only those essential for that system or application to work. Special attention should be given to blocking common ports (e.g., RDP, SSH, SMB, WMI, etc.) and services that attackers could use to laterally move from the external system to the corporate network.

Isolate and segment external facing systems from the main corporate network. A deny-list approach can help block unnecessary east-west communication originating from these systems.

To protect against web-based threats and distributed denial of service attacks, organizations should also place the system or application behind a Layer-7 firewall or a Web Application Firewall (WAF).

Implement Strong MFA Across All External-Facing Systems

Multi-factor authentication has long been considered the strongest way to protect identities online, and it still is. However, attacker techniques have adapted as organizations strengthened their defenses.

There have been a number of incidents where the threat actor compromised a weak MFA mechanism, such as one-time passcodes sent over SMS text messages and voice calls, or push notifications sent via an authenticator application. Both SMS and voice calls are unencrypted, putting them at high risk for being intercepted. There have also been an increase in SIM-swapping, where the attacker transfers the victim’s phone number to a SIM card under the attacker’s control in order to receive the authentication requests.

When maintaining MFA push notifications, the authentication platform should provide additional context about the request to help the user make an informed decision on whether to approve or deny the transaction.

Some examples:

Privileged accounts should enforce an even stronger form of MFA authentication, such as hardware tokens or FIDO2 security keys. Additionally, privileged accounts can require the authorized user to provide MFA verification for each session, even if the request originates from a trusted location or over the corporate VPN. This makes it harder for attackers who gained access to the network through other means to gain access to those privileged accounts.

Enhance Logging, Monitoring, and Detections

Wherever transaction-level or object-level logging is available, these enhanced capabilities should be activated on critical and public resources.

Centralizing all logs should be a priority. For organizations with hybrid environments, all logs should be centrally managed and correlated to track user activity across the environment.

Enhance Incident Response Strategy and Processes

Have a well-defined cybersecurity strategy that follows industry best practices and empowers the security team to effectively identify, evaluate, and remediate security threats. The strategy should include channels to report to relevant executive and business stakeholders all cyber risk metrics and measurements transparently and effectively, including those that may have financial, operational, or reputational repercussions.

Align the most important systems and data (e.g., crown jewels) with incident response plans, playbooks, and governance documentation.

In an ever-changing world where cybersecurity threats continue to grow, staying proactive remains crucial. Organizations should prioritize security initiatives based on the type of risk, level of effort required, and capabilities of their security team.

A version of this article and additional trending content can be found in Mandiant’s latest Cyber Snapshot Report, Issue 5.