In today’s cyber security threat landscape, it pays to be proactive rather than reactive. Malicious actors are spending less time hidden within infiltrated systems looking for weak areas to exploit, sometimes needing only hours inside a network before finding the cracks in the defences. With the median threat actor “dwell time” falling to 21 days, IT security teams must have robust passive threat detection tools in place.
It is understandable why security teams try to cover all bases when mapping out possible attack threats. But the reality is that for most organisations, after taking into account the sheer amount of hardware and software used across the network, identifying and plugging all the gaps is unfeasible.
It is at this stage that many security teams dedicate too much time and too many resources in trying to anticipate every kind of attack. Just as a chess grandmaster knows that not every piece on the board can be saved, those in charge of cyber security can improve defences by focusing on the most important pieces.
The Active Directory is often the target of attackers once they have infiltrated the network through an internet-facing vulnerability or because someone in the organisation has been compromised through phishing. Having command over the Active Directory is like gaining control of the company’s “keys to the kingdom”. If the Active Directory is taken offline, a very possible scenario – and one that has happened in the past – is that the IT team could be knocked completely offline and rendered unreachable.
To prevent this kind of situation, one best practice is to apply the principle of least privilege. Reducing the number of devices and people with administrator access, setting up continuous monitoring, introducing a tiered administrative model and running Active Directory domain controllers on Server Core all reduce the risk.
Legacy technology can also be a primary source of vulnerability for many organisations. Internal systems that may not be internet-facing can often lie dormant and out of view from threat assessments. Unless internal scans are done to identify these systems and any potential security risks, malicious actors may exploit misconfigurations to breach the walls. Legacy systems that are not able to support updates and integrate with newer operating systems similarly remain vulnerable to attack.
Active defence strategies
There are plenty of tools that IT security teams can invest in to carry out comprehensive checks for vulnerabilities. However, it is important that any scans are checking internal systems as well as those externally facing and connected to the internet. A lot of time is often spent trying to keep attackers from ever getting in, while much less thought is given to what is at risk once an attacker does breach the walls and has access to systems. Rooting out any internal misconfigurations will go a long way to protect organisations by stopping criminals from propagating through their systems.
Before purchasing or integrating any new tools or external hardware or software, it is vital to carry out due diligence at the procurement stage, so that security teams can assess the risks posed by providers. It is equally important that any prospective provider carries out an active assessment of the company’s security risks, to demonstrate that it fully understands the threat environment unique to that company.
Misconfigured tools are an Achilles’ heel for cyber security teams because malicious actors actively target them. Implementing continuous controls monitoring to verify that systems are configured correctly is essential, especially when organisations have deployed multiple security and IT tools to protect different parts of the company. By regularly playing out scenarios to identify risks, IT teams have a greater chance of spotting flaws in the system before they are exploited.
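As an added illustration of the least-privilege and tiered-administration practices for Active Directory described above, combined with the continuous controls monitoring this paragraph calls for, the following PowerShell script (not from the article or from Nominet) enumerates the members of the directory’s privileged groups, flags accounts that sit outside an assumed Tier-0 OU or are stale or disabled, and diffs the result against a baseline saved by the previous run. The baseline path, the Tier-0 OU name and the 90-day staleness threshold are assumptions.

```powershell
# Added example (not the article's own code): audit privileged AD group
# membership and diff it against a saved baseline, as one building block of
# least-privilege enforcement and continuous controls monitoring.
# Assumes the RSAT ActiveDirectory module and an account able to read groups.
Import-Module ActiveDirectory

$BaselinePath = 'C:\SecAudit\privileged-baseline.csv'   # assumed location
$Tier0OU      = 'OU=Tier0,DC=example,DC=com'            # assumed Tier-0 OU
$StaleDays    = 90                                      # assumed threshold

# Built-in groups whose members effectively hold the "keys to the kingdom"
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$Current = foreach ($g in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are not missed
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser $_.DistinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group          = $g
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                PasswordAgeDays = if ($u.PasswordLastSet) { (New-TimeSpan $u.PasswordLastSet).Days } else { $null }
                # Tiered model: Tier-0 accounts should live only in the Tier-0 OU
                OutsideTier0   = $u.DistinguishedName -notlike "*,$Tier0OU"
            }
        }
}

# Findings: admins outside Tier 0, disabled admins, and admins not seen for $StaleDays
$Current | Where-Object { $_.OutsideTier0 -or -not $_.Enabled -or
    ($_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) } |
    Format-Table Group, SamAccountName, Enabled, LastLogonDate, OutsideTier0 -AutoSize

# Continuous monitoring: report members added since the last recorded baseline
if (Test-Path $BaselinePath) {
    $Baseline = @(Import-Csv $BaselinePath)
    if ($Baseline) {
        $Added = Compare-Object $Baseline $Current -Property Group, SamAccountName |
            Where-Object SideIndicator -eq '=>'
        if ($Added) { Write-Warning 'New privileged members since baseline:'; $Added | Format-Table -AutoSize }
    }
}
# Record the current state as the baseline for the next run
$Current | Export-Csv $BaselinePath -NoTypeInformation
```

Scheduling this to run regularly and alerting on the warning output turns a one-off audit into the kind of ongoing check that catches privilege creep before an attacker can use it.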
When it comes to critical infrastructure such as IT systems, there is an understandable reluctance to change things while they are working. In many cases, changes aren’t implemented until a threat has actually been identified, neutralised or when the damage is already done.
Staying on the front foot in securing systems from cyber threats is not always easy, but it pays in the long run to invest time and resources into gaining a full understanding of your network’s risks, conducting continuous monitoring and ensuring that the foundations of the system are solid, to prevent leaving the door ajar for hackers.
Steve Forbes is government cyber security expert at Nominet
Read more from the May 2022 Security Think Tank series
- Solving for complexity in the network by Mike Lloyd of Redseal.
- Defenders must get out ahead of complexity by Jack Chapman of Egress.
- Identify, assess and monitor to understand attack paths by Rob McElvanney of PA Consulting.
- Understanding attack paths is a question of training by Mike Gillespie of Advent IM.
- Yes, zero trust can help you understand attack paths by Paul Holland of the ISF.
- To follow a path, you need a good map by Petra Wenham of the BCS.