The battle between cybercriminals and IT security tools has been a feature of daily business life for years.
Organisations try to remain a step ahead of attackers while ensuring their systems and data remain secure.
Traditionally, organisations met this challenge by creating secure perimeters. The goal was to have strong external protections in place that keep the bad guys out while allowing the organisation to function normally.
Fast forward to 2021, and this situation has changed. Rather than working within a secure perimeter, a significant proportion of business activity now happens externally. Whether staff are working from home or accessing resources in the cloud, the perimeter no longer exists.
The number of threats has also escalated, with many organisations now facing a tsunami-like wave that threatens to overwhelm current defences. With more and more business activity now digital, this wave is only likely to grow higher.
The fact that attackers have also switched tactics further exacerbates the challenge. Rather than trying to break through defences, they focus instead on obtaining legitimate credentials and IDs that allow them simply to log in to the target infrastructure.
Cybercriminals obtain user credentials in a variety of ways. They may trick a staff member into revealing them through a phishing email or phone call. Alternatively, they may gain access to a resource such as Active Directory, which holds the credentials for an entire organisation.
Once they have gained entry, cybercriminals are likely to explore the infrastructure to determine the location of valuable data and the best way to cause disruption. They could then follow up by exfiltrating data and introducing malware that encrypts key files.
Monitoring for and preventing such unauthorised activity is a challenging task. It can be difficult for security teams to distinguish legitimate user network traffic from that of intruders who should not be there.
Increasingly, organisations find that artificial intelligence (AI)-based tools can help with this monitoring task. The tools can spot unauthorised activity even at times of high data volumes.
Once the organisation identifies the unauthorised parties, it can take steps to disrupt their attack attempts. Disruptions could include pointing them to fake data or supplying them with fake credentials.
Another step organisations can take to overcome the attack tsunami is to review and tighten user access privileges. Users should access and use only the applications and data sources they need for their particular role.
Should attackers compromise a user’s credentials, they will only have access to a subset of the organisation’s IT infrastructure rather than everything.
Often, staff accumulate escalated privileges over time as they change roles or move into different parts of their company. For this reason, the organisation should conduct access reviews regularly to ensure that so-called ‘privilege creep’ is not occurring.
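As an added example (not from the article), a small Python access review that flags entitlements a user holds beyond their current role's baseline and attributes each one to the former role that would have granted it. The role baseline, user records and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed baseline (hypothetical): entitlements each role legitimately needs.
ROLE_BASELINE = {
    "helpdesk": {"ticketing:read", "ticketing:write", "ad:reset_password"},
    "finance_analyst": {"erp:read", "erp:report", "fileshare:finance:read"},
    "finance_manager": {"erp:read", "erp:report", "erp:approve",
                        "fileshare:finance:read", "fileshare:finance:write"},
}

@dataclass
class UserAccess:
    user: str
    current_role: str
    prior_roles: list = field(default_factory=list)   # oldest first
    entitlements: set = field(default_factory=set)

def find_privilege_creep(user, baseline=ROLE_BASELINE):
    """Return {entitlement: source} for everything held beyond the current role.
    'source' is the prior role that would have granted it, or 'unknown'."""
    needed = baseline.get(user.current_role, set())
    excess = {}
    for ent in sorted(user.entitlements - needed):
        source = "unknown"
        for role in user.prior_roles:
            if ent in baseline.get(role, set()):
                source = role
                break
        excess[ent] = source
    return excess

def review(users, baseline=ROLE_BASELINE):
    """Run the check across a population; only users with findings appear."""
    findings = {}
    for u in users:
        excess = find_privilege_creep(u, baseline)
        if excess:
            findings[u.user] = excess
    return findings

# Constructed sample: alice moved helpdesk -> finance_analyst and kept two
# helpdesk rights plus a one-off grant; bob holds exactly what his role needs.
SAMPLE_USERS = [
    UserAccess("alice", "finance_analyst", ["helpdesk"],
               {"erp:read", "erp:report", "fileshare:finance:read",
                "ticketing:write", "ad:reset_password", "erp:approve"}),
    UserAccess("bob", "finance_manager", ["finance_analyst"],
               set(ROLE_BASELINE["finance_manager"])),
]
```

Entitlements attributed to a former role are the classic creep case; an 'unknown' source points at an ad hoc grant the reviewer should trace separately.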
Create an attack playbook
Despite undertaking security steps such as these, there is unfortunately still a very real chance that cybercriminals will gain access to critical applications and data, causing disruption and losses.
For this reason, organisations must have a documented plan for the steps to follow if and when an attack takes place. This playbook should cover everything from removing the cyberthreat and restoring systems to which external parties the organisation must notify.
It’s also vital that the organisation regularly review its playbook. Systems, applications, and networks are constantly changing, so an approach that may have worked 12 months ago might not be as effective today.
The wave of cyberattacks washing across the business landscape is showing no sign of slowing. However, organisations can give themselves the best possible chance of not falling victim by shifting to an identity-first security posture and closing security gaps related to protecting credentials, privileges, and the systems that manage them.