Wise security professionals understand that threat actors aren't sitting still, and they aren't playing by the same rules as old-school groups. Lapsus$, for example, is gaining notoriety for its unpredictable behavior, using tactics like extortion and bribing insiders for initial access. It has left even the most experienced security pros scratching their heads.
When you find your organization has been breached, will you be scrambling to figure out your security incident response and remediation plan when your team can't think straight, or will your response be as simple as muscle memory? To minimize the damage done when a security incident occurs, it's important to look inward.
Keep a Tight Ship
I would never dare promise to "eliminate cyber threats," but I can provide strong recommendations to improve internal security. Analyzing some of the latest Lapsus$ victims, we can learn a few things.
First, credential security is imperative. Sooner or later, a threat actor will compromise credentials in your organization. It's not realistic for a business to expect all employees to refuse extortion attempts at all costs. Understanding this reality turns the impossible task into a practical solution.
Security teams should shift their focus from purely preventing credential compromise to tracking user behavior so that anomalies can be quickly identified and acted upon.
Lastly, when discussing the Lapsus$ incidents and others like them that are using extortion and bribery to initiate entry, we must discuss the importance of cybersecurity awareness and insider threat training. Many organizations have put some level of end-user security training into practice. But clearly, that isn't enough to stop novel threat groups from breaching the last line of defense.
Managing Third-Party Companies
Organizations can't prepare their own privacy and security practices in a vacuum — we all depend on a large network of products and services to do our jobs.
Repeat after me: Anyone (or any organization) could easily be a victim of a third-party incident.
If you were to assess the privileges of each of your third-party solutions, would you be proud of what you found? Chances are, there are weak spots in access protocols. Your third-party solutions likely have access to things they shouldn't. Your contractual agreements probably aren't bulletproof either.
While it's important to factor in the balance of manageable risk with return on investment, it's also essential to foster a collaborative yet vigilant relationship with all of your external parties. It's about defining a clear contract with vendors that involves security early on, focusing on shared responsibilities for security, good architecture, and timely communication.
Check on Cybersecurity Checklists
Creating a cybersecurity checklist should be a requirement to do business with any third party. The checklist should include (but is not limited to): thoroughly vetting vendors' privacy and security standards; adding terms and conditions within your contract to address what would happen in the case of an outage and the costs each party would incur; and contingency plans for employees who may depend on technology or software solutions to do their jobs. Take a similar approach whenever your organization is involved in any type of M&A activity, as the risks apply to those scenarios as well.
There will always be risks associated with third-party solutions, but living in a bubble isn't realistic. Managing this risk by having visibility and security capabilities across the entire security incident response life cycle must be the endgame.
Organizations experiencing a security incident must not hide behind a third party and shouldn't blame their employees. They also must not allow lawyers to create smokescreens around what happened. This helps no one in the long term and only saves face until it doesn't anymore.
Communication around current vulnerabilities and threats is constantly flowing in healthy, well-prepared organizations. As a security practitioner, you should be proactive in how you communicate with leadership. It's extremely effective to manage up by sending a notice to leadership about a new breach or vulnerability with your insight added. Security analysts can offer value by proactively showing that they've already checked "XYZ" and that they're running automated queries for indicators of compromise, etc. They can forward that to their CISO for that person to share upward. CISO/SOC leadership can then take action to fill that gap.
Additionally, when a security incident occurs, security analysts should feel comfortable saying "we didn't have the capabilities to identify this incident." Effective operations require reflection on your own security incidents and thought experiments with other shared problems in the security community. Be honest and document everything. From there, they can use these proof points to work with leadership and fill in the gaps.
Culture Is Key
No one with a straight face can deny the importance of security culture when it comes to keeping a tight ship, managing third-party security, and mastering internal communication. Culture weaves through it all. Motivated employees with excellent support from their team members and leadership are less likely to make errors and are also less likely to turn around and give information to a cybercriminal when faced with the temptation of shiny rewards or, worse, revenge.
Fostering a culture of open communication (as opposed to fear of making a mistake) will help your security analysts feel like they can talk to leadership about what gaps need to be filled to properly do their jobs and minimize the impact of future breaches.
Security incidents will happen to everyone, but a well-oiled machine can internally manage and externally remediate in a way that won't lead to extensive damage to a company's bottom line. Many companies are overwhelmed with just the thought of a breach happening — imagine how they panic when a breach actually occurs.
Stay tuned for Part 2 later this week, which will provide advice on handling the public's response after an incident.