According to Palo Alto Networks' Unit 42, software vulnerabilities not only accounted for the highest number of breaches in 2023, surpassing phishing for the first time, but were also behind some of the year's biggest breaches.
The Unit 42 2024 Incident Response Report analysed how the threat group Muddled Libra operates and shares its top four tips for defending against that activity.
Here are the top 4 tips:
1. Protect Credentials
Sudden high volumes of MFA requests are a definite red flag, especially if they go unacknowledged or are aimed at ‘high-privileged’ accounts.
Training end-users not to approve MFA requests they didn’t solicit is therefore critically important, while you can further reduce the human-error burden by requiring number matching as well.
Have a tool and process to rapidly identify and investigate this activity, and give the analyst performing the investigation the contact details needed to reach the user out of band quickly. Watch for velocity changes in MFA enrolment: most people don't lose their phones often, so a burst of new authenticator registrations (especially one that follows a run of unacknowledged pushes) deserves a look. Put additional scrutiny on changes to high-privileged accounts.
Consider a policy that requires live visual and audible verification with a third party, such as the requestor’s direct supervisor.
This can slow down legitimate requests, but having a well-known policy requiring verification makes junior personnel less vulnerable to persuasion.
Guard against SIM swapping. Educate users to treat loss of phone service as a potential security problem as well. Require that devices used for corporate authentication (even personally-owned devices) have a port-out and SIM-change lock, such as a carrier account PIN, set in the mobile carrier's systems.
Watch account creation and reactivation. Alert on new account creation that doesn’t quite fit naming conventions. Alert and escalate on old or intentionally disabled privileged accounts being reactivated.
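The checks above (push bursts, enrolment velocity, account creation outside the naming convention, reactivation of privileged accounts) are all simple enough to run as detections over an identity provider's audit log. The following is an added example, not code from Enablis or Unit 42: the event schemas, the naming convention regex and the sample events are constructed assumptions standing in for whatever your IdP and directory actually emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical flattened IdP/directory audit
# events, not real logs): (user, ISO timestamp, push result, privileged?)
MFA_PUSH_EVENTS = [
    ("alice", "2024-03-04T08:01:00", "approved", False),
    ("bob",   "2024-03-04T02:10:00", "denied",   True),
    ("bob",   "2024-03-04T02:10:20", "timeout",  True),
    ("bob",   "2024-03-04T02:10:45", "timeout",  True),
    ("bob",   "2024-03-04T02:11:05", "denied",   True),
    ("bob",   "2024-03-04T02:11:30", "approved", True),   # the push that got through
    ("carol", "2024-03-04T09:30:00", "approved", False),
]
# (user, ISO timestamp, action)
ENROLMENT_EVENTS = [
    ("bob",   "2024-03-04T02:12:00", "mfa_device_enrolled"),
    ("carol", "2024-03-04T09:35:00", "mfa_device_enrolled"),
]
# (account, ISO timestamp, action, privileged?)
DIRECTORY_EVENTS = [
    ("svc-backup01", "2024-03-04T10:00:00", "account_created", False),
    ("svc_bkup",     "2024-03-04T10:05:00", "account_created", False),
    ("jdoe",         "2024-03-04T10:10:00", "account_created", False),
    ("admin-old",    "2024-03-04T11:00:00", "account_enabled", True),
]
# Hypothetical naming convention: service accounts are svc-<name><2 digits>,
# people are short lowercase handles. Substitute your own.
NAMING_CONVENTION = re.compile(r"^(svc-[a-z0-9]+\d{2}|[a-z]{1,8})$")


def _ts(s):
    return datetime.fromisoformat(s)


def mfa_push_bursts(events, window_minutes=5, min_pushes=3):
    """Return {user: summary} for users who received min_pushes or more pushes
    inside a sliding window with most of them unacknowledged (denied/timed out).
    An 'approved' push at the tail of such a burst is the fatigue success case."""
    by_user = defaultdict(list)
    for user, when, result, privileged in events:
        by_user[user].append((_ts(when), result, privileged))
    window = timedelta(minutes=window_minutes)
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            unacked = sum(1 for _, result, _ in span if result != "approved")
            if len(span) < min_pushes or unacked < min_pushes - 1:
                continue
            findings[user] = {
                "pushes": len(span),
                "unacknowledged": unacked,
                "approved_after_burst": span[-1][1] == "approved",
                "privileged": any(p for _, _, p in span),
                "first": start,
                "last": span[-1][0],
            }
            break  # one finding per user is enough to open a case
    return findings


def enrolments_after_burst(findings, enrolments, grace_minutes=60):
    """Users who registered a new MFA device during or shortly after a push
    burst: the attacker enrolling their own authenticator to keep access."""
    grace = timedelta(minutes=grace_minutes)
    flagged = []
    for user, when, action in enrolments:
        f = findings.get(user)
        if f and action == "mfa_device_enrolled" and f["first"] <= _ts(when) <= f["last"] + grace:
            flagged.append(user)
    return flagged


def suspicious_directory_events(events, convention=NAMING_CONVENTION):
    """Account creations outside the naming convention and re-enablement of
    privileged accounts, as (account, reason) pairs."""
    alerts = []
    for account, _, action, privileged in events:
        if action == "account_created" and not convention.match(account):
            alerts.append((account, "created outside naming convention"))
        elif action == "account_enabled" and privileged:
            alerts.append((account, "privileged account re-enabled"))
    return alerts


if __name__ == "__main__":
    bursts = mfa_push_bursts(MFA_PUSH_EVENTS)
    for user, f in bursts.items():
        print(f"MFA burst: {user} {f}")
    print("enrolment after burst:", enrolments_after_burst(bursts, ENROLMENT_EVENTS))
    print("directory alerts:", suspicious_directory_events(DIRECTORY_EVENTS))
```

On the sample data, bob's five pushes in ninety seconds with four unacknowledged are flagged as a burst against a privileged account, the final approval is marked, and his device enrolment one minute later is tied to the burst; the account named outside the convention and the re-enabled privileged account are the two directory alerts. The window and thresholds are starting points to tune against your own false-positive rate, and the enrolment check only has value if the burst finding reaches the analyst fast enough to act on it.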
2. Monitor Behaviour
Log and analyse the usage patterns of your key security tools. Personnel accessing an XDR platform outside their usual work hours might just be industrious, or their account might be under a threat actor’s control.
Many organisations collect these kinds of audit logs but never analyse them for outliers. Do so regularly. Watch for changes in your cloud infrastructure. Monitor both your IT infrastructure cloud (e.g. directory services and cloud storage) and your service infrastructure, continuous integration and continuous delivery (CI/CD) and similar environments.
Look for changes to logging settings and privileges. Check your code repositories. Ensure you’re not inadvertently exposing secrets, of course. But also look for new connections to third-party infrastructure and unusual patterns of access. And watch the behaviour of your virtual desktop systems.
Check for outlier access patterns and unusual process trees.
(A good endpoint protection tool should catch this itself, but you should still ensure you’re running down investigative leads from time to time rather than just closing everything as a false positive to keep the metrics good.) And try to alert on unusual storage usage, to catch staging for exfiltration.
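Two of the outlier checks in this section, console access outside a user's normal hours and a sudden jump in storage use, are easy to express once you keep a per-user or per-host baseline. The following is an added example (not Enablis' or Unit 42's code) over constructed login and storage records; the schemas and thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed history of XDR console logins (user, ISO timestamp); not real logs.
BASELINE_LOGINS = [
    ("alice", "2024-02-26T08:05:00"), ("alice", "2024-02-27T09:15:00"),
    ("alice", "2024-02-28T10:40:00"), ("alice", "2024-02-29T13:02:00"),
    ("alice", "2024-03-01T14:30:00"), ("alice", "2024-03-04T15:45:00"),
    ("bob",   "2024-02-26T09:00:00"), ("bob",   "2024-02-27T10:10:00"),
    ("bob",   "2024-02-28T11:20:00"), ("bob",   "2024-02-29T14:05:00"),
    ("bob",   "2024-03-01T15:50:00"), ("bob",   "2024-03-04T16:30:00"),
]
# Today's logins to evaluate against that history.
NEW_LOGINS = [
    ("alice", "2024-03-05T03:12:00"),  # 03:00 is nothing like alice's pattern
    ("bob",   "2024-03-05T14:30:00"),
    ("dave",  "2024-03-05T10:00:00"),  # no history at all
]
# Constructed daily bytes written per host, in GB, oldest first, today last.
DAILY_WRITE_GB = {
    "fs01":   [100, 120, 110, 95, 105, 2000],  # today: staging-sized write
    "ws-02":  [50, 55, 48, 52, 50, 53],
    "new-vm": [10, 900],                       # too little history to judge
}


def hour_profile(events):
    """Per-user histogram of login hour-of-day: {user: {hour: count}}."""
    profile = defaultdict(lambda: defaultdict(int))
    for user, when in events:
        profile[user][datetime.fromisoformat(when).hour] += 1
    return profile


def out_of_hours_logins(profile, events, min_history=5):
    """Split new logins into (flagged, unknown): flagged when the user has
    enough history and has never logged in at that hour before; unknown when
    there is too little history to say anything, which deserves its own look."""
    flagged, unknown = [], []
    for user, when in events:
        history = profile.get(user, {})
        if sum(history.values()) < min_history:
            unknown.append(user)
            continue
        if datetime.fromisoformat(when).hour not in history:
            flagged.append((user, when))
    return flagged, unknown


def storage_spikes(daily_gb, z=3.0, min_days=5):
    """Hosts whose latest day's writes exceed mean + z*stdev of the earlier
    days (and at least double the mean, so a flat series with stdev 0 does
    not fire on noise). Returns (host, today_gb, baseline_mean_gb)."""
    out = []
    for host, series in daily_gb.items():
        history, today = series[:-1], series[-1]
        if len(history) < min_days:
            continue
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        if today > mean + z * sd and today > 2 * mean:
            out.append((host, today, round(mean)))
    return out


if __name__ == "__main__":
    flagged, unknown = out_of_hours_logins(hour_profile(BASELINE_LOGINS), NEW_LOGINS)
    print("out-of-hours:", flagged, "no baseline:", unknown)
    print("storage spikes:", storage_spikes(DAILY_WRITE_GB))
```

Note that the user with no history is reported separately rather than silently ignored: a brand-new analyst account touching the XDR console is exactly the kind of event line 13 describes. The same baseline-and-deviation shape works for the other outliers mentioned here (new third-party connections from a repository, unusual process trees on virtual desktops) once you pick the right key and feature.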
3. Know Your Applications
If you see red-teaming tools in your environment, make sure there is an authorized red-team engagement underway. One SOC we worked with had a company logo sticker on the wall for each red team they’d caught.
Watch which remote management tools are being used in your organization. If you see new tools you don’t normally use, or different versions of the ones you do, dig at that. And try to identify unusual usage of the tools as well. For example, if your remote tools are normally used by IT staff, but suddenly one person in finance is using them, find out why.
Endpoint management and inventory tools can help here, too. Use them to scan the fleet and identify new or low-prevalence tools and executables. Then train your analysts and models on “what good looks like” (and what doesn’t).
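The three checks in this section (offensive tooling outside an engagement, remote tools used by the wrong people, and new or low-prevalence executables across the fleet) can be computed from an inventory export. This is an added example, not code from Enablis or Unit 42; the inventory, department mapping, tool lists and placeholder hashes are constructed assumptions, and the "rare version" logic (a hash of a common tool seen on only one host) is how a different build of a tool you already use shows up in prevalence data.

```python
from collections import defaultdict

# Constructed endpoint inventory: host -> {(executable name, hash prefix)}.
# Hashes are placeholders, not real file digests.
INVENTORY = {
    "ws-001": {("chrome.exe", "c1"), ("teamviewer.exe", "t1")},
    "ws-002": {("chrome.exe", "c1"), ("teamviewer.exe", "t1")},
    "ws-003": {("chrome.exe", "c1"), ("teamviewer.exe", "t1")},
    "ws-004": {("chrome.exe", "c1"), ("sharphound.exe", "s1")},
    "ws-005": {("chrome.exe", "c1"), ("anydesk.exe", "a1")},
    "ws-006": {("chrome.exe", "c1"), ("teamviewer.exe", "t2")},
}
# Hypothetical HR/directory mapping of user to department.
DEPARTMENTS = {"it-amy": "IT", "it-raj": "IT", "fin-bob": "Finance"}
# Constructed process-start events: (user, host, executable).
TOOL_USE_EVENTS = [
    ("it-amy",  "ws-001", "teamviewer.exe"),
    ("fin-bob", "ws-006", "teamviewer.exe"),
    ("fin-bob", "ws-006", "excel.exe"),
]
REMOTE_TOOLS = {"teamviewer.exe", "anydesk.exe", "screenconnect.exe"}
# Tools that should only appear on hosts scoped into an authorised engagement.
RED_TEAM_TOOLS = {"sharphound.exe", "mimikatz.exe"}
ENGAGEMENT_HOSTS = set()   # nothing authorised right now


def low_prevalence_executables(inventory, max_hosts=1):
    """Executables (by name+hash) seen on at most max_hosts hosts. A rare hash
    of a name that is otherwise common is reported as a 'rare version', which
    is how a trojanised or attacker-supplied copy of a legitimate tool looks."""
    by_name = defaultdict(lambda: defaultdict(set))   # name -> hash -> hosts
    for host, executables in inventory.items():
        for name, digest in executables:
            by_name[name][digest].add(host)
    findings = []
    for name in sorted(by_name):
        versions = by_name[name]
        most_common = max(len(hosts) for hosts in versions.values())
        for digest, hosts in sorted(versions.items()):
            if len(hosts) <= max_hosts:
                kind = ("rare version of common tool" if most_common > max_hosts
                        else "rare executable")
                findings.append((name, digest, sorted(hosts), kind))
    return findings


def unexpected_remote_tool_use(events, departments, remote_tools,
                               allowed_departments=frozenset({"IT"})):
    """Remote-management tool launches by users outside the departments
    expected to use them (unknown users count as outside)."""
    return [(user, host, exe) for user, host, exe in events
            if exe in remote_tools and departments.get(user) not in allowed_departments]


def red_team_tools_outside_engagement(inventory, red_team_tools, engagement_hosts):
    """(host, tool) pairs where offensive tooling sits on a host that is not
    scoped into an authorised engagement."""
    return sorted((host, name) for host, executables in inventory.items()
                  for name, _ in executables
                  if name in red_team_tools and host not in engagement_hosts)


if __name__ == "__main__":
    for finding in low_prevalence_executables(INVENTORY):
        print("low prevalence:", finding)
    print("remote tool misuse:", unexpected_remote_tool_use(TOOL_USE_EVENTS, DEPARTMENTS, REMOTE_TOOLS))
    print("red-team tooling:", red_team_tools_outside_engagement(INVENTORY, RED_TEAM_TOOLS, ENGAGEMENT_HOSTS))
```

On this inventory the unfamiliar remote tool on ws-005 and the second TeamViewer build on ws-006 are both surfaced, with the latter labelled as a rare version of a common tool; the finance user launching TeamViewer and the SharpHound binary on a host with no engagement are the other two leads. Prevalence over a six-host sample is only illustrative; on a real fleet, pick max_hosts relative to fleet size and exclude hosts known to be engineering sandboxes.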
4. Watch the Network
Any connections to your network from commercial VPN providers should arouse suspicion. While many people use such services, especially on their personal devices, try to discourage them. Commercial VPN providers add little if any security to a well-defended network, especially one built on Zero Trust principles.
Privileged users should be held to a higher standard. Collect and monitor the patterns of where they access their accounts from and ask about outliers. If you use a corporate messaging platform that indicates a user’s time and location (e.g., “It’s 9:43 a.m. for Alice”), that can be a fast validator for SOC personnel wondering if Alice is really logging in from Aruba.
Monitor outbound access, too. Look for connections that look like encrypted tunnels, particularly from new or unmanaged systems. If you can interdict connections at the network level (with technology and policy) use that capability judiciously. And watch for commercial file-hosting providers. If you can restrict access to just the ones you have organizational agreements with, do that. If not, monitor connections to the ones you’re not intending to use widely and watch for high data counts in short amounts of time. We have seen terabytes of data exfiltrated in a couple of hours.
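The network checks in this section reduce to three questions over authentication and flow records: is the source address a commercial VPN egress, is a privileged user arriving from somewhere they have never been, and is an unsanctioned file-hosting service receiving a lot of data in a short window. The following is an added example, not Enablis' or Unit 42's code. The VPN ranges are RFC 5737 documentation addresses standing in for a real provider/ASN feed, the domains are invented, and the hourly threshold is an assumption.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a commercial-VPN IP feed (documentation ranges);
# a real deployment would load a maintained provider/ASN list.
VPN_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/25")]
PRIVILEGED_USERS = {"alice"}
# Countries each privileged user has authenticated from before (constructed).
LOCATION_HISTORY = {"alice": {"AU"}}
# Constructed authentication log: (user, source IP, GeoIP country, ISO timestamp).
AUTH_LOGS = [
    ("alice", "192.0.2.10",    "AU", "2024-03-05T09:00:00"),
    ("alice", "192.0.2.77",    "AW", "2024-03-05T09:43:00"),   # the Aruba login
    ("bob",   "198.51.100.23", "US", "2024-03-05T09:10:00"),   # commercial VPN egress
    ("carol", "203.0.113.200", "AU", "2024-03-05T09:20:00"),   # outside the /25
]
SANCTIONED_FILE_HOSTS = {"files.example-corp.net"}
FILE_HOST_DOMAINS = {"files.example-corp.net", "share.example-cloud.io", "drop.example-host.com"}
# Constructed outbound flow records: (ISO timestamp, source host, destination, bytes out).
OUTBOUND_FLOWS = [
    ("2024-03-05T01:05:00", "srv-07", "drop.example-host.com",  40_000_000_000),
    ("2024-03-05T01:20:00", "srv-07", "drop.example-host.com",  45_000_000_000),
    ("2024-03-05T01:50:00", "srv-07", "drop.example-host.com",  50_000_000_000),
    ("2024-03-05T10:00:00", "ws-003", "share.example-cloud.io",  2_000_000_000),
    ("2024-03-05T11:00:00", "ws-001", "files.example-corp.net", 80_000_000_000),
]


def logins_from_vpn_ranges(auth_logs, ranges=VPN_RANGES):
    """(user, ip) for authentications whose source sits in a commercial-VPN range."""
    return [(user, ip) for user, ip, _, _ in auth_logs
            if any(ipaddress.ip_address(ip) in net for net in ranges)]


def privileged_location_outliers(auth_logs, history=LOCATION_HISTORY, privileged=PRIVILEGED_USERS):
    """Privileged users authenticating from a country they have never used before."""
    return [(user, country) for user, _, country, _ in auth_logs
            if user in privileged and country not in history.get(user, set())]


def outbound_file_host_activity(flows, file_hosts=FILE_HOST_DOMAINS,
                                sanctioned=SANCTIONED_FILE_HOSTS, gb_per_hour=50):
    """Two lists: every flow to a file-hosting service you have no agreement
    with, and the (host, destination, hour, GB) buckets among those that moved
    more than gb_per_hour, the bulk-exfiltration signature."""
    unsanctioned = [f for f in flows if f[2] in file_hosts and f[2] not in sanctioned]
    per_hour = defaultdict(int)
    for when, host, dest, nbytes in unsanctioned:
        bucket = datetime.fromisoformat(when).replace(minute=0, second=0, microsecond=0)
        per_hour[(host, dest, bucket.isoformat())] += nbytes
    spikes = sorted((host, dest, hour, total / 1e9)
                    for (host, dest, hour), total in per_hour.items()
                    if total / 1e9 > gb_per_hour)
    return unsanctioned, spikes


if __name__ == "__main__":
    print("VPN logins:", logins_from_vpn_ranges(AUTH_LOGS))
    print("privileged location outliers:", privileged_location_outliers(AUTH_LOGS))
    contacts, spikes = outbound_file_host_activity(OUTBOUND_FLOWS)
    print("unsanctioned file-host contacts:", len(contacts), "spikes:", spikes)
```

The sanctioned service moving 80 GB is deliberately not reported: the point of an organisational agreement is that such transfers are expected there, so the hourly threshold is only applied to providers you are not intending to use widely. For the privileged-user check, a GeoIP country is a coarse feature; an ASN or the messaging platform's reported local time works the same way with a different key.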
You can download the full Unit 42 2024 Incident Response Report here, or, if you would like to discuss your security requirements to ensure your data and staff are protected, email here to get in contact with one of Enablis’ security experts.