Next Level Cybersecurity

1. The Cyber Attack Chain: Understanding the steps attackers take

The Cyber Attack Chain is a model that depicts the steps that cyber attackers tend to follow in almost every cyber attack.

Five key steps. The Cyber Attack Chain consists of five overall steps:

1. External reconnaissance
2. Intrusion
3. Lateral movement
4. Command and control
5. Execution

Critical detection window. The most valuable time to detect attackers is during steps 2-4 (intrusion, lateral movement, and command and control). By this point, attackers have breached defenses but haven't yet accomplished their ultimate goal.

Inevitable intrusion. Organizations must accept that it's only a matter of time before attackers will intrude. The key to success is early detection before the cyber attack is executed, as once execution occurs, it's often too late to prevent damage.

2. Crown Jewels: Identifying and protecting your organization's most critical assets

Crown Jewels are all of the mission critical and sensitive data, including consumer data, intellectual property and technology assets of the organization.

Comprehensive inventory. Organizations must create a thorough list of all Crown Jewels, including:

• Databases with sensitive consumer information
• Intellectual property (product designs, patents, business plans)
• Critical business data (customer lists, financial information)
• Privileged user credentials
• IoT devices containing or connected to sensitive data

Visualize the attack surface. Beyond just listing assets, organizations should create a visual diagram showing all Crown Jewels and their interconnections within the network. This helps identify potential attack paths and vulnerabilities.

Dynamic process. Identifying Crown Jewels is not a one-time exercise. The inventory must be regularly updated to reflect:

• Mergers and acquisitions
• New products or services
• Changes in technology infrastructure
• Addition of new partners or suppliers with network access

3. Cyber Attack Signals: Early warning signs of attacker behavior

A Cyber Attack Signal is a high-probability signal of cyber attackers at work, trying to hide and avoid detection, while performing one of the tasks in the Cyber Attack Chain.

Focus on behavior. Cyber Attack Signals concentrate on detecting patterns of attacker behavior rather than specific tools or malware, which can change rapidly. This makes them more resilient and effective for long-term detection.

Top 15 signals. The book identifies 15 critical Cyber Attack Signals that organizations should monitor, including:

• Abnormal logons
• Privileged users' behavior
• Internal reconnaissance signals
• Malware signals
• Command and control (C&C) communications
• ICMP packet anomalies
• Unusual logs behavior

Multiple detection opportunities. By mapping relevant Cyber Attack Signals to each step of the attack chain for every Crown Jewel, organizations create multiple chances to catch attackers. If one signal is missed, another may detect the threat in a different step.

4. Patch Window: The critical time between vulnerability discovery and fix

The patch window is the time period between a known vulnerability and the fix (i.e. the patch).

Race against time. Once a vulnerability is publicly disclosed, both defenders and attackers become aware of it simultaneously. This creates a critical window where organizations must either patch or implement temporary defenses before attackers can exploit the weakness.

Prioritization is key. Not all vulnerabilities are equally critical. Organizations should use the Common Vulnerability Scoring System (CVSS) to prioritize patching efforts:

• CVSS scores range from 0-10
• Vulnerabilities with scores of 8-10 require immediate attention

Interim measures. When immediate patching isn't possible, organizations must implement temporary workarounds to protect vulnerable systems while a permanent fix is developed and tested.

5. Privileged Users: Protecting the keys to the kingdom

Privileged users are those users with greater access levels and capabilities required for their jobs than a regular user, such as a network or database administrator with access to the network or database with certain capabilities required to perform their jobs.

Prime targets. Attackers prioritize stealing credentials from privileged users because they provide faster access to Crown Jewels. Sometimes compromising just one privileged account is enough to reach critical assets.

Broad definition. Organizations should consider a wide range of users as privileged, including:

• Domain/network administrators
• Database administrators
• Local administrators
• Business users with access to sensitive data
• Support staff with remote access capabilities
• Vendor/contractor accounts with network access

Behavioral monitoring. Implement the Cyber Attack Signal "privileged users' behavior" to detect anomalies in how these accounts are used. This involves:

• Establishing baseline normal behavior patterns
• Monitoring for deviations in login times, frequency, tasks performed, etc.
• Using AI/ML algorithms to efficiently analyze vast amounts of user activity data

6. IoT Devices: The overlooked gateway for cyber attackers

IoT devices are inherently high risk because frequently manufacturers of these devices are slow to release patches for vulnerabilities or may not be around to keep the device updated, or often they manufacture them without adequate security at the forefront or with preconfigured passwords which are not changed prior to deployment.

Expanding attack surface. The rapid adoption of IoT devices creates new entry points for attackers. These devices are often:

• Easily discoverable on the internet
• Manufactured with weak security
• Rarely patched or updated
• Overlooked in security monitoring

Common vulnerabilities. IoT devices frequently suffer from:

• Weak or default passwords
• Lack of encryption
• Insecure network services
• Insufficient security configurability
• Poor physical security

Mitigation strategies:

• Conduct a thorough inventory of all IoT devices
• Change default passwords to strong, unique credentials
• Segment IoT devices on separate network zones
• Implement monitoring specifically for IoT-related anomalies
• Regularly check for and apply available firmware updates

7. C&C Communications: Detecting malware's lifeline to attackers

The C&C server and the communications with it enable the cyber attackers to perform crucial tasks to move laterally and exfiltrate the data or attain other objective.

Critical detection point. Monitoring for Command and Control (C&C) communications is essential because:

• It's a common element across various malware types
• It indicates active attacker presence in the network
• Disrupting C&C can neutralize malware even if initial infection is missed

Common C&C signals:

• Requests to numeric IP addresses as domain names
• Unusual patterns of DNS queries
• Communications with dynamically generated algorithm (DGA) domains
• Use of unauthorized SSL certificates
• Unexplained large data transfers

Behavioral analysis. Implement algorithms to detect anomalous network behavior:

• Establish baselines for normal traffic patterns
• Monitor for deviations in communication frequency, volume, and destinations
• Correlate activity across multiple devices and time windows

8. Ransomware: The growing threat of data hijacking for profit

Crypto ransomware is perpetrated by cyber attackers using dual encryption (i.e. symmetric and asymmetric).

Two main types:

1. Locker ransomware: Disables system access without encrypting files
2. Crypto ransomware: Encrypts victim's data, rendering it unusable

Increasing prevalence. Crypto ransomware is becoming more common as attackers realize many organizations will pay to regain access to critical data rather than face prolonged disruptions.

Beyond data theft. Ransomware represents a shift in attacker tactics:

• Instead of stealing data, they hold it hostage
• Attacks can target any valuable asset, not just traditional "crown jewels"
• Some variants act as a decoy for more malicious actions (e.g., data wiping)

Early detection is crucial. Monitor for ransomware signals such as:

• Installation of new .dll files
• Attempts to connect to TOR networks
• Creation of specific file types (.pky, .res, .eky)
• Mass renaming of files
• Deletion of backups

9. Cloud Security: Shared responsibility in the digital sky

While the cloud provider will provide the perimeter security, the organization is responsible for security of its data and IP and other assets that are in the cloud (i.e. its Crown Jewels).

Shared responsibility model. In cloud environments:

• Cloud providers secure the underlying infrastructure
• Customers are responsible for securing their data, applications, and access management

Cloud-specific risks:

• Theft of cloud access credentials
• Misconfigured security settings
• Data exfiltration through cloud APIs
• "Cryptojacking" (unauthorized use of cloud resources for cryptocurrency mining)

Adapting security practices:

• Conduct Crown Jewels analysis specifically for cloud-hosted assets
• Implement Cyber Attack Signals tailored to cloud environments
• Pay special attention to API communications and abnormal resource usage
• Don't rely solely on out-of-the-box monitoring provided by cloud vendors

10. Board-Level Cybersecurity: Elevating oversight to the highest levels

Cyber risk is one of the most significant and disruptive risks faced by almost every organization and protecting the Crown Jewels must be the top priority at the highest levels.

Boardroom priority. Cybersecurity can no longer be treated as a back-office IT issue. It requires attention and oversight at the highest levels of an organization.

Dedicated committee. Organizations should consider establishing a dedicated cybersecurity committee at the board level:

• Separate from the audit committee to ensure focused attention
• Include at least one cybersecurity expert
• Clearly define charter and oversight responsibilities

Regular reporting. Provide the board with a dashboard of Cyber Attack Signals:

• Show signals for each Crown Jewel and in aggregate
• Report status of risk mitigation for detected anomalies
• Enable board members to ask informed questions about cybersecurity posture

11. Seven Steps to Early Detection: A methodical approach to cybersecurity

Implementing Cyber Attack Signals is the game changer.

Step-by-step process:

1. Identify all Crown Jewels
2. Identify high-probability TTPs (Tactics, Techniques, and Procedures) for each Crown Jewel
3. Map Cyber Attack Signals for each Crown Jewel
4. Generate Cyber Attack Signals
5. Supplement Cyber Attack Signals (with honeypots, threat hunting, etc.)
6. Update Crown Jewels analysis for significant changes
7. Provide dashboard of Cyber Attack Signals to highest levels regularly

Continuous improvement. This process is not a one-time exercise but a dynamic approach that evolves with the threat landscape and organizational changes.

Leveraging existing tools. Organizations can often use their current Security Information and Event Management (SIEM) systems as a foundation, supplementing them with additional data sources and analytics to generate Cyber Attack Signals.

12. Supply Chain Risk: The hidden backdoor to your network

We need to anticipate that cyber attackers will increasingly hunt for and compromise a supplier first, such as a technology provider, in order to penetrate the target organization.

Growing trend. Attackers are increasingly targeting suppliers and technology providers as a way to compromise multiple organizations simultaneously.

SolarWinds case study:

• Attackers compromised software update process
• Malware distributed to 18,000 organizations
• Remained undetected for over 9 months

Key lessons:

• Monitor closely for Cyber Attack Signals during software updates
• Implement robust vendor risk management processes
• Conduct thorough due diligence on critical suppliers' cybersecurity practices

Mitigation strategies:

• Segment networks to limit supplier access
• Implement strong multi-factor authentication for supplier accounts
• Regularly audit and assess third-party security controls
• Develop incident response plans that include supplier-related scenarios

Last updated: July 31, 2024