With more malware gaining a foothold into networks via fake certificates, early detection rests on strong IAM and IOC monitoring.
Let us assume an organization is under ransomware/malware attack despite implementing utmost precautions during an asset deployment.
When symptoms such as weird traffic patterns and file activities in their networks; mass and continuous deletes of hard drives; slowness in the system; irregular i/o access patterns start taking place, the organization will need to restrain the spread of the attack immediately, before the ‘domino effect’ of all of these activities (i.e., indicators of compromise—IOC) escalate.
This point, raised by Raj Srinivasaraghavan, CTO, SecureKloud Technologies Ltd, led to the following Q&A with CybersecAsia.net for details on the latest cyber defence trends via watching for domino effects.
CybersecAsia: How can watching for domino effects help an organization to determine its response to an attack?
Raj: To be vigilant against attacks, there are two things that organizations can do. The first is to have a constant watch on the authenticity and security protocols of all the assets that get deployed on their network—from servers, databases, firewalls to even USB drives, certificates or mobile phones. A complete security screening and analysis of such deployments is necessary if an organization needs to be 100% safe. Secondly, they can deploy mechanisms to analyze the after-effects of such deployments of any asset. If suspicious effects start to occur, recognizing and analyzing the domino effects of all of these across the network can help the IT team decide how critical the intrusion is, and what portions of the network need to be shut down in order to investigate.
CybersecAsia: When the domino effect has been analyzed after the deployment of some compromised asset, what next?
Raj: The immediate action should be to isolate the attack zone/point: it could be a machine, a subnet, a webserver, an app server, or even an edge network point. To analyze the threat propagation pattern, one must check the log files to identify the attack zone/point. All entry points to the network should be shut down and investigated (regardless of whether log files are available or not).
Once the problem is detected, one must carefully identify the modus operandi of the attack and plug any weaknesses/holes that led to the attack.
The network should be brought back up only after a thorough assessment of the attack’s root cause. That is why isolation is essential. Because if one can effectively isolate, the downtime from the attack can be kept minimal.
CybersecAsia: With recent incidents involving Wiper malware that deletes data permanently, what extra precautions should cyber defenders implement?
Raj: In the case of Wiper Malware, hackers impersonated a legitimate company to procure certification for their malware to establish a foothold into a network asset. If we see the deployment pattern of this or any malware, it always happens through an act of impersonation/breach of a trusted source.
The trusted source could be a port, IP address, certificate, firewall configuration, IAM access policy rule or more. The only way to eliminate such attacks is to check for strange traffic or program execution patterns that are taking place (that includes massive deletes of files).
These domino patterns could be detected by a routine and continuous assessment of all the trusted certs, trusted endpoints, trusted users, trusted networks, and trusted devices. Access permissions to delete should be kept away from normal users or processes. If admins can have access to delete permissions, then enforcement of multiple approvals before deleting files and directories from hard drives should be put in place.
One important aspect is to trigger a routine automatic backup (with backups through correct permissions) of data, which could help ease the attack recovery process.
Finally, having a constant watch on all the procurement, deployment and commissioning operations of network ports, assets, certs, devices, and servers on a 24×7 basis can help avert such attacks.
CybersecAsia: As new forms of cyberattacks continually emerge and evolve, what advice do you offer IT teams?
Raj: The best practice to mitigate cyberattacks is by being vigilant and proactive. Conducting continuous surveillance at an ultra-refined security level certainly helps. Predominantly, in organizations where network and cloud resource deployments happen at higher frequencies these two steps are mandatory.
IT teams should be wary of external threats, but they also need to constantly look for internally triggered voluntary and incidental threats.
All endpoints, devices (both cloud and on-premises), handshake points between two networks; IAM access points, management of certs/keys through key stores, etc., should be on the radar almost daily.
CybersecAsia: How has the role of a CISO and cyber security head changed over the last few months?
Raj: CISO and cybersecurity leadership responsibilities have become more proactive than ever before. Areas that have come under scanner in the last few months are:
- Increases in ransomware, malware, phishing, and easy spread of these threats via known and trusted devices from inside the network (apart from unknown attacks)
- Frequencies of vulnerability assessments and penetration testing
- The need to take even more proactive measures to plug security holes that can expose traffic patterns of an organization
- Continual assessments of security policies and implementation of appropriate changes in cloud and on-premises environments
- Tighter management of internal and external identities on a daily basis
- Assessment and mitigation of any threat to devices, especially those connected to corporate networks—specifically at edge locations
- More proactive measures for data loss prevention and mitigation
- Implementation of zero trust and zero-knowledge security combined with the implementation of least privileges even to higher-order users
- The need to have detailed logs of all assets, their security, access, procurement; and deployment policies documented in a safe place other than the systems/networks themselves
CybersecAsia thanks Raj for offering his insights.