In Part 1 of this series we started to look at the techniques attackers use to gain their initial foothold on systems in your institution. The techniques are drawn from the Initial Access tactic of the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques that many security professionals use to describe and defend against real-world attacks. In this article we will look at the remaining Initial Access techniques, along with the controls you should consider to mitigate each of them:
- Replication Through Removable Media: Attackers use removable media (USB drives, DVDs, etc.) to deliver malware to a system, either by leaving infected media where an employee will find it or by infecting media that already moves between systems. To protect against this technique, institutions should consider blocking all removable media other than approved, institution-issued devices. If removable media must be allowed, the Autorun feature should be disabled so that nothing executes automatically when a USB drive is plugged in. Finally, systems should be patched regularly so that attackers cannot use known vulnerabilities (for example, in the handling of a file on the media) to infect a system through removable media.
- Spearphishing: Spearphishing is an electronically delivered social engineering attack aimed at a specific individual, company, or industry. Most commonly it arrives as an email message or a social media message addressed to the targeted individual. Malware can be delivered through a file attachment or through a link to a site that downloads the malware or harvests the user's credentials. To protect against this technique, institutions should employ an email gateway that scans attachments and links, and should deploy desktop protection solutions on workstations to detect suspicious behavior when something does get through. Institutions should also block employees from accessing personal email or social media accounts from workstations, since attackers sometimes use those personal accounts, which bypass the institution's email gateway, to reach employees.
- Supply Chain Compromise: A supply chain compromise occurs when a legitimate hardware or software product is tampered with before the institution receives it, so that installing it gives the attacker a foothold on the internal network. Because the compromised product looks legitimate, the best defense is to deploy technologies that detect and block suspicious activity within the network and at the network perimeter. Desktop protection software can detect and block abnormal activity on workstations, while web proxies and IDS/IPS systems can detect and block suspicious communication to external Internet sites, such as the command-and-control traffic a compromised product needs in order to be useful to the attacker. Where a vendor publishes file hashes or digitally signs its installers, verify them before deployment. Finally, continuous patching and vulnerability management will help detect and remove known attack vectors on systems.
- Trusted Relationship: Most institutions rely on business partners to perform tasks. Whether the partner is a core provider, an IT provider, or an HVAC provider, it represents a risk to the institution if it has access to the institution's network to perform its duties: an attacker who compromises the partner can then use the partner's access to attack the institution. To mitigate this type of attack, limit what the partner can reach from its connection. This can be accomplished by placing a firewall on each partner connection or by segmenting the network so that the partner can reach only the systems and ports it needs. Institutions should also carefully control and monitor the access levels granted to partners (accounts, VPN profiles, and remote-access tools) so that a compromised partner gives an attacker as little as possible.
- Valid Accounts: Many attacks begin with the credentials of a valid account. The credentials may belong to a user and be stolen through phishing or malware, or belong to a service or system account whose password is a vendor default or is easy to guess. Once the attacker has them, they can access everything that account can access, and their activity looks like legitimate use. To mitigate this type of attack, ensure that password policies require complex, hard-to-guess passwords. Implementing MFA on critical connections (especially those belonging to administrators) ensures that a stolen password alone is not enough to use those accounts. Making sure that all default passwords are changed when systems are implemented protects against attacks that use published default credentials. Finally, regularly auditing account usage and access levels will help identify accounts that have been compromised or are prime targets, such as stale accounts nobody would miss and accounts with more privilege than their owner needs.
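For the Replication Through Removable Media item above, the following PowerShell (an added example, not code from the original article) applies the Autorun and removable-storage settings on a single Windows workstation and then reads them back as a compliance check. The registry values are the ones the corresponding Group Policy settings write; in a domain you would set them through Group Policy rather than run this on each host. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): harden a Windows workstation
# against malware delivered on removable media by disabling AutoRun and
# blocking USB mass storage. Run elevated. In a domain, push the same values
# through Group Policy instead of editing the registry host by host.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$storagePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableMediaHardening {
    # 1. Disable AutoRun on every drive type (0xFF = all drive-type bits set)
    #    and stop Windows from honouring autorun.inf at all (NoAutorun = 1).
    New-Item -Path $explorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    Set-ItemProperty -Path $explorerPolicy -Name NoAutorun          -Type DWord -Value 1

    # 2. The "All Removable Storage classes: Deny all access" policy value.
    New-Item -Path $storagePolicy -Force | Out-Null
    Set-ItemProperty -Path $storagePolicy -Name Deny_All -Type DWord -Value 1

    # 3. Belt and braces: keep the USB mass-storage driver from loading.
    #    Start = 4 is SERVICE_DISABLED. Skip this step if approved USB drives
    #    must still work and rely on the policy above instead.
    Set-ItemProperty -Path $usbstor -Name Start -Type DWord -Value 4
}

function Test-RemovableMediaHardening {
    # Returns one row per setting so the output can feed a compliance report.
    $checks = @(
        @{ Name = 'NoDriveTypeAutoRun'; Path = $explorerPolicy; Expected = 0xFF }
        @{ Name = 'NoAutorun';          Path = $explorerPolicy; Expected = 1 }
        @{ Name = 'Deny_All';           Path = $storagePolicy;  Expected = 1 }
        @{ Name = 'Start';              Path = $usbstor;        Expected = 4 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting   = "$($c.Path)\$($c.Name)"
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

Set-RemovableMediaHardening
Test-RemovableMediaHardening | Format-Table -AutoSize
```

The Autorun values are read by Explorer at logon and the storage policy and driver change apply after a reboot, so run the check again after the machine has restarted. Test-RemovableMediaHardening on its own (without the Set- call) is also a useful read-only check to schedule across the fleet.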
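For the Spearphishing item, the function below (an added example, not code from the article or from any gateway product) shows the kind of rule-based checks a mail gateway or an analyst's triage script applies to a message: attachment types that can execute code, double extensions such as `invoice.pdf.exe`, links whose visible text names one host while the href points to another, and links to bare IP addresses. The sample message body and attachment names are constructed for the demo; a production gateway adds sandbox detonation, sender reputation and URL rewriting on top of rules like these.

```powershell
# Added example (not from the original article): rule-based triage of one
# inbound message. The message and attachment names below are constructed.

$DangerousExtensions = @('.exe', '.scr', '.js', '.vbs', '.hta', '.lnk', '.iso', '.img', '.cmd', '.bat', '.ps1')
$MacroExtensions     = @('.docm', '.xlsm', '.pptm', '.doc', '.xls')

function Get-UrlHost([string]$Url) {
    # Host part of an absolute URL, or $null if the string is not one.
    try { return ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $null }
}

function Invoke-PhishTriage {
    param(
        [Parameter(Mandatory)][string]$HtmlBody,
        [string[]]$AttachmentNames = @()
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($name in $AttachmentNames) {
        $ext = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
        if ($DangerousExtensions -contains $ext) {
            $findings.Add("Executable attachment: $name")
            # "Statement.pdf.exe": the real extension is hidden behind a harmless one
            if (($name -split '\.').Count -gt 2) { $findings.Add("Double extension: $name") }
        }
        elseif ($MacroExtensions -contains $ext) {
            $findings.Add("Macro-capable attachment: $name")
        }
    }

    # Compare the host the reader sees in the link text with the host the href goes to.
    $linkPattern = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($HtmlBody, $linkPattern, 'IgnoreCase,Singleline')) {
        $href     = $m.Groups[1].Value
        $text     = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $hrefHost = Get-UrlHost $href
        $textHost = if ($text -match '^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})') { $Matches[1].ToLowerInvariant() } else { $null }

        if ($textHost -and $hrefHost -and $textHost -ne $hrefHost) {
            $findings.Add("Link text shows $textHost but points to $hrefHost")
        }
        if ($href -match '^(?:https?://)?\d{1,3}(\.\d{1,3}){3}') {
            $findings.Add("Link to a bare IP address: $href")
        }
    }
    return $findings
}

# Constructed sample message: a credential-harvesting lure with a disguised link.
$body = @'
<p>Your online banking access has been locked. Sign in at
<a href="http://secure-login.example.net/auth">https://bank.example.com/login</a>
within 24 hours to restore access.</p>
'@

Invoke-PhishTriage -HtmlBody $body -AttachmentNames @('Statement.pdf.exe', 'Invoice_March.docm')
```

For the sample above the function reports the executable attachment, its double extension, the macro-capable attachment, and the link whose text says `bank.example.com` while the href goes to `secure-login.example.net`. Any one of those findings is enough for a gateway to quarantine the message rather than deliver it.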
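For the Trusted Relationship item, the script below (an added example, not from the article) shows the per-connection firewall idea applied on the host a partner connects to, using the Windows Firewall cmdlets: inbound traffic is denied by default, the partner's VPN range is allowed to exactly one port, and the ports used for lateral movement are explicitly blocked from that range. The vendor subnet 203.0.113.0/24, the port 8443, the rule names and the "BMS console" service are assumptions. A network firewall or VLAN segmentation on the partner link is the primary control; host rules like these are the second layer that still holds if the network rule is misconfigured.

```powershell
# Added example (not from the original article): host-firewall rules on a
# server that an HVAC vendor reaches over a site-to-site VPN. Subnet, port
# and names are assumptions for the demo. Run elevated on a host whose
# management rules (RDP from the admin network, etc.) already exist, because
# the default-deny below applies to everything without an allow rule.

$PartnerSubnet = '203.0.113.0/24'          # assumed vendor VPN range
$RuleGroup     = 'Partner: HVAC vendor'    # one group per partner makes review easy

# Nothing reaches the host unless an allow rule says so.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Remove this partner's rules from a previous run so the script is idempotent.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Allow only the one service the vendor needs (assumed: BMS web console on TCP 8443).
New-NetFirewallRule -DisplayName 'HVAC vendor -> BMS console' -Group $RuleGroup `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8443 `
    -RemoteAddress $PartnerSubnet -Profile Domain | Out-Null

# Explicitly block lateral-movement ports from the partner range. Block rules
# take precedence over allow rules in Windows Firewall, so this still holds if
# someone later adds a broad "allow RDP from anywhere" rule.
New-NetFirewallRule -DisplayName 'HVAC vendor - block RPC/SMB/RDP/WinRM' -Group $RuleGroup `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 135, 139, 445, 3389, 5985, 5986 `
    -RemoteAddress $PartnerSubnet | Out-Null

# Summarise what the partner range can reach, for the periodic access review.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Action = $_.Action
        Ports  = ($port.LocalPort -join ',')
        From   = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

Keeping every partner's rules in a named group means the review the article recommends becomes a single `Get-NetFirewallRule -Group` call per partner, and removing a partner at contract end is one `Remove-NetFirewallRule`.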
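For the Valid Accounts item, the script below (an added example, not from the article) performs the account audit the last sentence describes against Active Directory using the RSAT ActiveDirectory module: it prints the domain password policy, then lists enabled accounts that are inactive, accounts whose passwords never expire or are overdue, and the members of privileged groups, which are the accounts that most need MFA. The 90- and 180-day thresholds and the group list are assumptions. MFA enrollment itself lives in your MFA provider rather than in AD, so check it separately for each privileged account the script lists.

```powershell
# Added example (not from the original article): audit AD accounts for the
# weak-password, default-password and stale-account conditions discussed
# above. Thresholds and group names are assumptions; run from a domain-joined
# session with the RSAT ActiveDirectory module installed.

Import-Module ActiveDirectory

$InactiveDays     = 90
$MaxPasswordDays  = 180
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# 1. Does the domain policy actually enforce complex, rotated passwords and lockout?
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    MinLength        = $policy.MinPasswordLength
    Complexity       = $policy.ComplexityEnabled
    MaxAgeDays       = $policy.MaxPasswordAge.Days
    LockoutThreshold = $policy.LockoutThreshold
} | Format-List

# 2. Enabled accounts nobody has logged on with for $InactiveDays days: prime
#    targets, because a takeover would not be noticed by the owner.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# 3. Enabled accounts whose password is exempt from rotation, has never been set
#    by the owner, or is older than the limit. Service accounts still carrying a
#    vendor default password usually surface here.
$cutoff = (Get-Date).AddDays(-$MaxPasswordDays)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires

# 4. Who holds privileged access, including through nested groups. Every
#    account listed here should be behind MFA and reviewed on a schedule.
$PrivilegedGroups | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, LastLogonDate,
                      PasswordLastSet, PasswordNeverExpires
} | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Pipe each section to `Export-Csv` instead of `Format-Table` to keep a dated record; comparing this month's output with last month's is what turns the audit into the ongoing monitoring the article calls for.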
If you want to dig deeper into creating a security program that protects against all of the different tactics used by attackers, email us at support@bedelsecurity.com to get the conversation started.