Cybercriminals today are consistently working to find new ways to trap potential victims. From masquerading themselves as legitimate users in a network or using new and evolving techniques to slip past detection mechanisms, the array of sophisticated tools in the arsenals of threat actors continues to grow.
And the timing of attacks is also crucial. A survey of nearly 1,000 security professionals found that 86% of companies targeted by ransomware were attacked on a holiday or weekend, while three quarters of the ransomware victims suffered an attack during a major corporate event, such as a merger, acquisition or IPO. Clearly, ransomware groups are striking outside of normal business hours, looking to take advantage of enterprise defenses that are likely to be either lowered or entirely offline.
Threat actors exercise patience to increase their chance of success
With holidays and weekends providing downtime for most of the working population, it presents a big challenge for most organizations. While most organizations run a security operations center (SOC) on a 24/7/365 basis, we know that many reduce SOC staffing during holidays and weekends – often by as much as 50%. A minority don’t staff their SOC at all during these periods, leaving the doors wide open for attackers. By leaving SOCs understaffed, enterprises increase the likelihood of threat actors being able to carry out successful cyberattacks.
There are numerous examples available to dissect. For instance, the disruptive ransomware attack on Transport for London took place on a Sunday. In the US, meanwhile, the ransomware attack against Colonial Pipeline in 2021 occurred over Mother’s Day Weekend. Once they have gained access to a company network, ransomware gangs are typically patient and methodical with their attack strategies, often laying low for weeks, cementing their foothold and elevating privileges while scouting out key data and business apps to potentially encrypt as part of an extortion plot.
SOC staffing doesn’t align with attack patterns
Unfortunately, SOC staffing often doesn’t align with the attack patterns we are seeing, and there are several reasons for that. Work-life balance is important in many organizations and businesses don’t feel that full staffing is necessary considering most employees work weekday schedules. There is also the common misconception that hackers won’t target businesses of a certain size or type – and many organizations feel safe because they haven’t been targeted before. Furthermore, staffing a SOC 24/7/365 is a significant challenge. Maintaining around-the-clock coverage can require 15-20 team members at a minimum.
This creates a costly dilemma. What starts out as a simple commitment to improving security can snowball into a huge operational expense. To reduce those expenses, many organizations opt to scale back by cutting personnel or limiting hours of coverage, thinking that threats are less likely to occur outside of normal working hours. Unfortunately, that’s not the case.
Just as burglars avoid well-patrolled daytime areas, threat actors also look to carry out attacks when fewer eyes are watching. Assuming that you’re safe out-of-hours provides threat actors with open doors for attack. Instead, enterprises must always assume that attacks are imminent, ensuring that their SOC is not under resourced at any point. I call it having an assumed breach mindset. Never wax, never wane, hackers are persistent and never take time off.
Improving focus on identity security
It’s not just about having the right resources in place, but also using those resources in the most logical and effective ways possible, focusing on those areas that are of the greatest vulnerability or pose the most significant potential impact. Here, identity management must take priority. Today, the identity system has become the new perimeter of enterprise security, with 90% of ransomware attacks ending in identity system compromise.
Active Directory (AD), which forms the foundations of identity and access management for the vast majority of organizations globally, is a particularly common vulnerability that threat actors are consistently working to exploit. As a technology that was originally released in 1999, many companies are now faced with managing outdated AD configurations and excessive user privileges that can be exploited relatively easily. Couple this with the fact that AD often lack sufficient monitoring and security auditing, and it can be a challenge for firms to detect unusual or malicious activities quickly enough.
Attackers know about these problems better than anyone else. They know that if they’re successfully able to compromise AD, they’ll gain control of the keys to an organization’s kingdom, providing them access to sensitive data and critical systems. Unfortunately, however, this an area that typically seems to be underestimated or overlooked. Many organizations either don’t have an identity recovery plan at all, or their recovery plan has concerning gaps. Not taking cyberattacks into account, not testing for identity vulnerabilities and testing recovery plans only quarterly or less frequently are common mistakes that can prove costly in case of an attack.
What’s the solution?
For enterprises, it is vital to address these shortcomings, ensuring that key vulnerabilities such as AD are protected and that the security guard isn’t dropped out-of-hours when threat actors are looking to make the most of understaffed SOCs. Businesses must see security as a central part of their business resilience strategy. Just like safety, financial and reputational risk, security can be the difference between an enterprise excelling or collapsing in the face of a catastrophic, game-changing incident.
To achieve this, there are several steps for enterprises to take:
- Have a plan in place: Starting from scratch in the event of a catastrophe isn’t a good place to be. By preparing for potential scenarios ahead of time and testing the protocols on a regular basis, enterprises can more quickly and effectively respond should those situations become a reality.
- Use budgets wisely: This isn’t necessarily about throwing more money at the problem. It’s about using the budgets that you do have to greatest effect, ensuring that existing resources are scrutinized and optimized.
- Adopt ITDR: For organizations looking to use limited resources effectively, identity threat detection and response (ITDR) can be an incredibly useful tool, providing key capabilities such as automated auditing and alerting, attack pattern detection, and the rollback or suspension of unusual changes in AD.
- Enhance productivity through automation: This automated support can also help enterprises to support the skilled security staff that they do have, freeing up engineers to spend time on more interesting, higher value-tasks.
By taking these steps to optimize security performance and leverage automation, organizations can simultaneously bridge the gaps that currently exist in both their SOC staffing and identity security capabilities, enabling them to better protect against, identify, respond to and recover from attacks – regardless of whether they strike on a Tuesday or a Sunday.
We’ve compiled a list of the best endpoint protection software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
Leave a comment