The move comes as organisations adjust to a new wave of threats and address the increased risks associated with the FireEye breach, which disclosed techniques for bypassing security defences. While business email compromise (BEC), phishing attacks, and malware are still dangerous weapons in a cyber criminal’s arsenal, criminals are increasingly using advanced persistent threat (APT) tactics to circumvent defences and avoid detection. For this reason, security teams must adopt a layered approach to security to prevent their most valuable assets from falling into the wrong hands.
Making the most of COVID-19 chaos
Always on the hunt for new opportunities, cyber criminals have been busy using the COVID-19 chaos and uncertainty to their advantage. They know the crisis caught many businesses off guard, so they are exploiting the rapid shift to remote working. They’re targeting vulnerabilities in devices and networks and weaker remote worksite security controls.
Virtual private networks (VPNs) are among the most popular methods for connecting staff to corporate networks when it comes to remote working. However, these are also a popular entry point for threat actors who exploit unpatched vulnerabilities or use credentials stolen via phishing campaigns.
In more normal times, perimeter security often stops such activity. However, with workforces accessing the network at different times and from different locations, behavioural baselines have shifted so dramatically that spotting unauthorised infiltration has become much harder.
Threat actors are not only using COVID to their advantage but are also changing tactics to avoid detection and maximise results. Gone are the days of the “smash-and-grab” approach, in which a criminal would go in heavy and fast, triggering an immediate alert that indicates a corporate network compromise.
Instead, more attackers have now switched to a “low-and-slow” approach, taking time to move carefully through an IT network looking for the most valuable assets. Attackers use port scanning or credentials stolen either from users themselves or via Active Directory, activity that conventional security tools struggle to identify. This approach can allow attackers to lurk within a network for months as they move laterally into more secure areas to reach the most valuable sensitive data.
The recent SolarWinds Orion supply chain attack is a dire example that one should pay heed to, and it stresses the need to detect threats that evade perimeter defences early. Security researchers estimate that the adversary had compromised the code for over nine months, and during this time, could have affected over 18,000 organisations.
Another waiting-game tactic is also yielding results as working practices change. Dormant malware infections have compromised vulnerable systems operating outside the perimeter, waiting to activate weeks or months later when staff return to the office. In effect, they are jumping the firewall.
A better security approach
Attackers will use a range of tactics and techniques to achieve their objectives. Once they’ve compromised the network, it’s typically only a matter of time before they get what they want. However, there are ways for security teams to get on the front foot and prevent attackers from establishing a foothold.
A good approach is to create defences that include multiple elements, each designed to detect, triage, and remediate various attacks at different points both outside and inside the network. The more defensive layers there are, the harder it is for an attacker to break through.
While endpoint security and even behavioural analytics are commonplace, they can leave gaps in an organisation’s defences. These tools can’t provide the full spectrum of early detection for in-network threats and activities related to credential theft, discovery, lateral movement, and data collection.
One way to fix this is to deploy deception and concealment technologies. These technologies protect valuable assets – such as Active Directory objects, files, and folders – by hiding them from attackers and presenting any unauthorised user with fake data to derail their attack and steer them into decoy engagement servers for observation. Attackers think that the assets they have found are genuine when, in fact, they have fallen into a deceptive environment that monitors and records their every action.
The moment intruders attempt unauthorised access or interact with the deception environment, the security team receives alerts. These early alerts give the team time either to shut down the attack or to let the adversary keep moving through the decoy environment so that its methods can be studied and weaknesses in the organisation’s own security controls identified.
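The detection principle behind the two paragraphs above is simple: a decoy account, file or host has no legitimate users, so any interaction with it is an alert in its own right, with no behavioural baseline needed. The following is an added illustration of that logic, not code from the original article or from Attivo Networks; the decoy names, the allow-listed health-check address, the simplified audit-log format and the sample log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed decoy inventory (hypothetical names). Every entry is a fake object
# planted for attackers to find; no legitimate workflow references them, so any
# touch is suspicious by definition.
DECOY_ACCOUNTS = {"svc_backup_adm", "sqladmin_legacy"}          # decoy AD accounts
DECOY_FILES = {r"\\fileserv01\finance\payroll_2020.xlsx",       # decoy share file
               "/srv/share/hr/salaries.csv"}                    # decoy NFS/SMB file
DECOY_HOSTS = {"10.20.30.200", "db-prod-07"}                    # decoy servers

# Sources allowed to interact with decoys: e.g. the deception platform's own
# health checks. Without this list every routine check would raise an alert.
ALLOWED_SOURCES = {"10.20.30.5"}

# Constructed, simplified audit-log format:
#   <timestamp> <EVENT> src=<ip> user=<account> [target=<file|host>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)"
    r"(?:\s+target=(?P<target>\S+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str       # when the decoy was touched
    kind: str     # which class of decoy: credential, file or host
    detail: str   # the decoy object involved
    src: str      # where the interaction came from


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if this log line records an interaction with a decoy."""
    m = LINE_RE.match(line)
    if not m:
        return None            # unparseable lines are skipped, not alerted on
    ts, src = m["ts"], m["src"]
    user = m["user"].lower()
    target = (m["target"] or "").lower()

    if src in ALLOWED_SOURCES:
        return None            # the deception platform's own traffic

    # Credential theft: a decoy account is used, from anywhere.
    if user in {a.lower() for a in DECOY_ACCOUNTS}:
        return Alert(ts, "decoy_credential_use", user, src)
    # Discovery / collection: a decoy file is read, written or listed.
    if target in {f.lower() for f in DECOY_FILES}:
        return Alert(ts, "decoy_file_access", target, src)
    # Lateral movement: a connection is attempted to a decoy host.
    if target in {h.lower() for h in DECOY_HOSTS}:
        return Alert(ts, "decoy_host_contact", target, src)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run check_line over a log and collect every decoy interaction."""
    return [a for a in (check_line(ln) for ln in lines) if a is not None]


def sources_to_triage(alerts: List[Alert]) -> List[str]:
    """Distinct sources that touched decoys, in first-seen order, for triage."""
    seen: List[str] = []
    for a in alerts:
        if a.src not in seen:
            seen.append(a.src)
    return seen


# Constructed sample log: one health check, one host touching three decoys in
# sequence, one ordinary user logon and one malformed line.
SAMPLE_LOGS = [
    "2021-01-12T09:14:02Z LOGON src=10.20.30.5 user=svc_backup_adm",
    "2021-01-12T09:15:44Z LOGON src=10.20.31.77 user=svc_backup_adm",
    r"2021-01-12T09:16:01Z FILE_READ src=10.20.31.77 user=jsmith target=\\fileserv01\finance\payroll_2020.xlsx",
    "2021-01-12T09:16:30Z NET_CONNECT src=10.20.31.77 user=jsmith target=db-prod-07",
    "2021-01-12T09:17:10Z LOGON src=10.20.31.80 user=jsmith",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert.ts} {alert.kind}: {alert.detail} from {alert.src}")
```

Run against the sample log, the health check from the allow-listed address is ignored while the three decoy touches from 10.20.31.77 each produce an alert, so the triage list contains that one source. The allow list is the part practitioners most often get wrong in either direction: leave it empty and the deception platform's own checks drown the console, make it too broad and a compromised management host goes unnoticed.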
Deception and concealment technologies can also integrate with various security measures, including endpoint detection and response (EDR), to improve detection coverage and share threat data quickly for faster response and remediation.
Banks and other financial services firms are under more pressure than ever to protect their critical systems and data stores. Adding a deception-based security strategy as part of a layered security approach better equips these organisations to identify and deal with any threats that emerge.
Jim Cook, ANZ regional director at Attivo Networks