Today, cybercriminals are constantly working to find new ways to trap potential victims. From impersonating legitimate users on a network or using new and evolving techniques to bypass detection mechanisms, the variety of sophisticated tools in threat actors’ arsenals continues to grow.
And the timing of the attacks is also crucial. A survey of nearly 1,000 security professionals found that 86% of companies attacked by ransomware were attacked on a holiday or weekend, while three-quarters of ransomware victims suffered an attack during a major corporate event, such as a merger, acquisition or IPO. Clearly, ransomware groups are attacking outside of normal business hours, seeking to take advantage of enterprise defenses that are likely reduced or completely offline.
Threat actors have patience to increase their chances of success
Since holidays and weekends provide downtime for the majority of the workforce, this presents a major challenge for most organizations. While most organizations manage a 24/7/365 security operations center (SOC), we know that many reduce SOC staff during holidays and weekends, often by up to 50%. A minority do not have staff in their SOC during these periods, leaving the doors open to attackers. By leaving SOCs understaffed, companies increase the likelihood that threat actors will be able to carry out successful cyberattacks.
There are numerous examples available to dissect. For example, the disturbing ransomware attack on Transport for London took place on a Sunday. Meanwhile, in the US, the 2021 ransomware attack on Colonial Pipeline occurred over Mother’s Day weekend. Once they have gained access to a company’s network, ransomware gangs are typically patient and methodical with their attack strategies, often remaining discreet for weeks, consolidating their position and elevating privileges as they explore key data and business applications for encryption, potentially as part of an extortion plot.
SOC staffing does not align with attack patterns
Unfortunately, SOC staffing often does not align with the attack patterns we are seeing, and there are several reasons for this. Work-life balance is important in many organizations, and companies do not consider full staffing necessary when most employees work Monday-to-Friday schedules. There is also a misconception that hackers will not attack companies of a certain size or type, and many organizations feel safe because they have never been attacked before. Additionally, staffing a SOC 24/7/365 is a significant challenge. Maintaining 24-hour coverage may require 15 to 20 team members at a minimum.
This creates a costly dilemma. What starts as a simple commitment to improve security can turn into a huge operational expense. To reduce those expenses, many organizations choose to cut staff or limit coverage hours, believing that threats are less likely to occur outside of normal business hours. Unfortunately, that is not the case.
Just as thieves avoid well-patrolled daytime areas, threat actors also seek to carry out attacks when there are fewer eyes watching. Assuming you are safe after hours gives threat actors open doors to attack. Instead, companies should always assume that attacks are imminent, ensuring that their SOC is not starved for resources at any time. I call it having an assumed default mentality. The threat never rises or falls with the calendar: hackers are persistent and never take time off.
Improve focus on identity security
It is not just about having the right resources, but also about using them in the most logical and effective way possible, focusing on those areas that are most vulnerable or pose the most significant potential impact. Here, identity management must take priority. Today, the identity system has become the new perimeter of enterprise security, and 90% of ransomware attacks end up compromising the identity system.
Active Directory (AD), which forms the foundation of identity and access management for the vast majority of organizations globally, is a particularly common vulnerability that threat actors are constantly working to exploit. As a technology that was originally released in 1999, many businesses are now faced with managing outdated AD configurations and excessive user privileges that can be exploited relatively easily. Add to this the fact that AD often lacks sufficient security monitoring and auditing, and it can be challenging for companies to detect unusual or malicious activity quickly enough.
Attackers know these problems better than anyone. They know that if they manage to compromise AD, they will gain control of the keys to an organization’s kingdom, giving them access to sensitive data and critical systems. Unfortunately, however, this is an area that often seems to be underestimated or overlooked. Many organizations have no identity recovery plan or their recovery plan has concerning gaps. Failing to account for cyberattacks, failing to test for identity vulnerabilities, and testing recovery plans only quarterly or less frequently are common mistakes that can be costly in the event of an attack.
What is the solution?
For enterprises, it is vital to address these shortcomings, ensuring that key vulnerabilities, such as AD, are protected and that the security guard does not leave after hours when threat actors seek to make the most of understaffed SOCs. Companies should view security as a core part of their business resilience strategy. Like financial and reputational risks, security can make the difference between a company excelling or collapsing in the face of a catastrophic, game-changing incident.
To achieve this, companies must follow several steps:
- Have a plan in place: Starting from scratch in the event of a catastrophe is not a good place to be. By preparing in advance for possible scenarios and testing protocols periodically, companies can respond more quickly and effectively should those situations become reality.
- Use budgets wisely: It’s not necessarily about investing more money in the problem. It is about using the budgets you have to achieve the greatest possible effect, ensuring that existing resources are examined and optimized.
- Adopt ITDR: For organizations looking to use limited resources effectively, identity threat detection and response (ITDR) can be an incredibly useful tool, providing key capabilities such as automated auditing and alerting, attack pattern detection, and rollback or suspension of unusual changes in AD.
- Improve productivity through automation: This automated support can also help companies support the trained security staff they have, freeing up engineers to spend time on more interesting, higher-value tasks.
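One way to implement the automated auditing and attack-pattern detection described above, as an added example that is not the article's code: it runs over constructed sample lines shaped like Windows Security group-membership events (4728/4732/4756) and assumes a Monday-to-Friday 08:00-18:00 business window, a holiday list and a 10-minute burst threshold, flagging privileged AD group changes that land off-hours or arrive in quick succession.

```python
"""Flag privileged AD group changes made off-hours or in quick succession.
Added example, not the article's code. Log lines are constructed samples shaped
like Windows Security events 4728/4732/4756 (member added to a security-enabled
group); business hours, holidays and the burst window are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, date, time, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_CHANGE_EVENTS = {"4728", "4732", "4756"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumption: Mon-Fri 08:00-18:00
HOLIDAYS = {date(2024, 12, 25)}                           # assumption: constructed holiday list
BURST_WINDOW = timedelta(minutes=10)                      # assumption: repeat threshold

# Constructed sample log: "<ISO timestamp>|<event id>|<subject>|<member>|<group>"
SAMPLE_LOG = """2024-12-17T10:15:00|4728|CORP\\helpdesk1|CORP\\jdoe|Domain Users
2024-12-18T14:00:00|4728|CORP\\admin-ops|CORP\\new-dc-admin|Domain Admins
2024-12-21T02:40:00|4728|CORP\\svc-backup|CORP\\tmp-admin|Domain Admins
2024-12-21T02:41:30|4732|CORP\\svc-backup|CORP\\tmp-admin|Administrators
2024-12-25T09:05:00|4756|CORP\\helpdesk1|CORP\\contractor|Enterprise Admins
"""

@dataclass
class Alert:
    when: datetime
    subject: str
    member: str
    group: str
    reasons: list[str] = field(default_factory=list)

def is_off_hours(ts: datetime) -> bool:
    """Weekend, listed holiday, or outside the business-hours window."""
    return (ts.weekday() >= 5 or ts.date() in HOLIDAYS
            or not (BUSINESS_START <= ts.time() < BUSINESS_END))

def detect_privilege_changes(log: str) -> list[Alert]:
    """One Alert per privileged-group change that is off-hours or part of a burst."""
    alerts: list[Alert] = []
    last_change: dict[str, datetime] = {}  # subject -> time of its previous privileged change
    for line in log.splitlines():
        ts_raw, event_id, subject, member, group = line.split("|")
        if event_id not in GROUP_CHANGE_EVENTS or group not in PRIVILEGED_GROUPS:
            continue  # not a membership change to a privileged group
        ts = datetime.fromisoformat(ts_raw)
        reasons = []
        if is_off_hours(ts):
            reasons.append("privileged group change outside business hours")
        if subject in last_change and ts - last_change[subject] <= BURST_WINDOW:
            reasons.append("repeated privileged group changes within burst window")
        last_change[subject] = ts
        if reasons:
            alerts.append(Alert(ts, subject, member, group, reasons))
    return alerts
```

Run against SAMPLE_LOG, the weekday change by admin-ops passes silently while the Saturday pair by svc-backup and the holiday change by helpdesk1 each produce an alert; in practice the same logic would be fed from the domain controllers' Security logs rather than an embedded string.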
By taking these steps to optimize security performance and leverage automation, organizations can simultaneously close gaps that currently exist in both their SOC staffing and identity security capabilities, allowing them to better protect against attacks, identify, respond to and recover from them, regardless of whether they strike on a Tuesday or Sunday.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.