You Must Assume There Is a Cyberattack Coming. Are You Prepared for It?
Companies, according to popular belief, can be classified into three types:
- Companies already subjected to cyberattacks
- Companies that were subjected to a cyberattack but are unaware of it
- Companies who will be subjected to a cyberattack (sooner than you think..)
A comprehensive, mature, and holistic cyber security program that properly supports business goals is critical to reducing cyber risk to meet the organization’s risk appetite; However, even the best program with significant resources will never provide 100% protection.
We can look at the leading enterprises that take cyber security seriously and invest millions of dollars in their security programs that have been severely breached, such as Microsoft, FireEye, NASA, Facebook, and many others. There are several reasons why professional and well-funded activity cannot completely prevent cyberattacks. Let’s begin with the three most important:
Zero-Day Vulnerabilities – You Don’t Know What You Don’t Know
Everyone is aware that APT (Advanced Persistent Threat) groups are positioning and exploiting unknown vulnerabilities on their way to the victim’s corporate network. These types of vulnerabilities are not only unknown to us, but also to the vendors who are unable to provide the necessary remediation (security patch). This type of situation exposes the vendor’s customers, who will be considered potential victims until such a patch is released.
One-Day Vulnerabilities – The Impossible Race
Even if a zero-day vulnerability is made public and a security patch is provided by the vendor, customers will remain vulnerable until the security patch is installed on their systems. Most businesses are hesitant to implement security quickly for fear of causing a system outage.
In some cases, companies preferred to follow their change management procedure, which entails waiting for the patch to gain a larger install base among similar companies, installing the patch in lower test environments, and monitoring the system’s behavior for a few days. An enterprise company usually will fully implement a security patch on a critical system within a few days in a relatively good response time, whereas others may take weeks.
Once a target has been identified, APTs or cybercriminals will patiently wait, sometimes for months, for a relevant one-day vulnerability to be released before exploiting it before the victim has had the opportunity to install the necessary patch. After successfully establishing a foothold, the attackers will open another backdoor (or several) into the corporate network for persistence, allowing the active threat to remain in the network even after the victim has completed the security patch implementation.
According to this fascinating article published by Palo Alto’s research team unit 42, it takes threat actors approximately 24 hours to identify and exploit a random and internet-facing known vulnerability; we can assume this timeframe is much shorter in the case of a well-targeted company.
As far as we can tell, we will always lose in this impossible race.
The Human Factor, or: a Chain Is as Strong as Its Weakest Link
Many businesses devote a significant amount of resources to technological controls while underestimating the risks posed by the human factor. Based on an analysis of HUB’s phishing campaigns conducted as part of Red Team exercises on a variety of organizations over the last year, we can learn that approximately 40% of the valid accounts gathered during the activity provided their credentials to the attacking team.
It is important to note that enabling MFA with any external authentication of the company’s user may reduce the likelihood of such exploitation, but there are a few techniques to circumvent this control as well. Another method of using social engineering to gain unauthorized access is to physically infiltrate the company’s premises and exploit employees’ lack of awareness; from there, the path to network compromise is relatively short.
Here are two articles about social engineering and phishing campaigns that you should read:
What can we do now that we realize we can’t completely avoid cyberattacks? Handling a cyber incident begins before the attack, in the planning phase, and with a wise and mature understanding that such an incident is on the way. In the upcoming article, we will go into greater detail about this critical phase, which may help you respond successfully to your upcoming cyberattack.