It’s a war zone out there. In the seemingly endless game of cyber cat and mouse, precise intelligence remains the best tool to beat attackers at their own game.
Here’s an analysis of today’s top six network threats and tips for identifying and eliminating them.
1. Ransomware
Ransomware is by far the biggest network threat, as it offers attackers the best value for money with a relatively low likelihood of getting caught. “There’s also a low bar in the skill category for breaking into this stuff,” says Andy Rogers, senior assessor at cybersecurity and compliance firm Schellman. “There are plenty of Ransomware-as-a-Service (RaaS) companies that will be more than willing to make sure you have the tools you need to unleash a ransomware campaign.”
These “service providers” are at minimal risk, as they do not launch any attacks themselves. “It’s a good deal for them,” he says. Also, the payment comes in the form of cryptocurrency, so it is difficult to track them.
Ransomware has become one of the most profitable criminal industries in the world due to its anonymity and potentially high profits. “Most recent high profile supply chain attacks, like Colonial Pipeline in 2021, have been ransomware attacks where hard drives (HDDs) and solid state drives (SSDs) have been encrypted and hackers have used them to demand ransoms for more than $4.4 million in cryptocurrency,” Rogers notes.
Establishing strong security policies and procedures, including security awareness training, is the best way to avoid falling victim to ransomware. Rogers recommends updating systems and applications monthly, as well as separating vulnerable systems that cannot be patched from critical systems and data. “Maintain regular backups of your data and do so in a way that it cannot be written over by ransomware,” he adds.
2. Zombie botnets
Zombie botnets are created to perform specific malicious actions, such as Distributed Denial of Service (DDoS) attacks, keylogging, and spamming. “These threats are potentially devastating because they can be used to steal your identity or cripple an entire network with a single attack,” says Eric McGee, senior network engineer at data center service provider TRG Datacenters.
Each computer in a botnet is described as a zombie because the computer – and its owner – are unaware that the machine is dutifully and mindlessly performing malicious actions. Smart Internet of Things (IoT) devices are particularly tempting targets for recruitment into zombie botnets.
“It can be easy to ignore the security of your IoT devices…but these devices are often the easiest way for attackers to gain access to your system,” McGee warns. He suggests guarding against zombie botnets on IoT networks by limiting each device’s ability to open incoming connections and requiring strong passwords on all connected accounts.
3. Outdated processes and policies
Outdated, siloed manual processes and policies pose a serious, albeit largely self-inflicted, threat to network security. “The number of emerging vulnerabilities and potential exploits is growing exponentially,” said Robert Smallwood, vice president of technology at General Dynamics (GDIT). “An organization’s processes and policies must enable agility and speed so that the organization can pivot and respond quickly and automatically to emerging threats.”
Organizations that have fallen behind or even completely neglected business modernization and refresh processes risk ending up with technical debt that can expand a network’s attack surface.
Many enterprises continue to struggle with rigid and outdated policies while failing to take advantage of the complex automated hybrid environments that make up a modern network, notes Smallwood. “Additionally, many organizations provide policy exceptions for legacy protocols or equipment without providing enough threat mitigation, bypassing security measures such as multi-factor authentication,” he adds.
Critical processes should be reviewed regularly as a fundamental change management task. “As changes impacting the network are made, related processes and policies need to be evaluated,” says Smallwood. For some organizations, this may require an assessment of all network-related processes. “In such cases, it’s best to start with your usual IT service management practices…as well as any process that relies heavily on manual activities.”
4. Man-in-the-middle attacks
In a man-in-the-middle (MTM) attack, a third party intercepts the communication between two unsuspecting parties in order to eavesdrop or modify the data being exchanged. It is a task that can be accomplished in several ways, such as spoofing IP addresses, using a malicious proxy server, or through Wi-Fi eavesdropping.
An MTM attack can be relatively simple, such as sniffing credentials to steal usernames and passwords. At a higher level, MTM can be used to create a sophisticated subterfuge that redirects victims to a bogus, yet very realistic website designed to achieve a particular nefarious goal.
In any form, an MTM attack can be devastating because once inside a network, an intruder can move laterally, starting in one part of the network and then discovering vulnerabilities that allow it to migrate to other areas.
“Because attackers log in with ‘valid’ credentials, it’s often difficult to detect the intrusion, so they have time to work their way deeper into the network,” says Benny Czarny, CEO of OPSWAT, a company specializing in the protection of critical infrastructure networks.
MTM attacks are often overlooked and underestimated, says Keatron Evans, senior security researcher at security training firm Infosec Institute. “People think [the threat] can be solved with encryption of data in transit, but that only solves a small part of the problem,” he says.
Another misconception is that network-based threats will magically disappear as soon as an organization migrates to a cloud service. “That’s just not true,” warns Evans. “Stay diligent even when you’ve migrated to a cloud service.”
To ward off MTM attacks, Evans recommends adding port-based security with DHCP snooping and dynamic Address Resolution Protocol (ARP) inspection, and upgrading to IPv6 as soon as possible. He also suggests replacing ARP, one of the main enablers of network-based man-in-the-middle attacks, with the Neighbor Discovery Protocol (NDP) that IPv6 uses in its place.
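As an added illustration (not code from the article or from any vendor), the check that dynamic ARP inspection performs, written out in Python: a switch running DHCP snooping records which IP/MAC pair was leased on which port, and an ARP reply arriving on an untrusted port is only forwarded if it matches that binding table. The binding table, port names and sample replies below are all constructed for the example.

```python
"""DAI-style validation of ARP replies against a DHCP snooping binding table.
Added example with constructed data; not the article's or a vendor's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    port: str  # switch port the frame arrived on


# Constructed binding table: what the switch learned from DHCP ACKs
# it observed for hosts on untrusted access ports.
BINDINGS = {
    "10.0.0.20": Binding("10.0.0.20", "aa:bb:cc:00:00:20", "Gi1/0/20"),
    "10.0.0.21": Binding("10.0.0.21", "aa:bb:cc:00:00:21", "Gi1/0/21"),
}
# The uplink towards the router/DHCP server is trusted and not inspected.
TRUSTED_PORTS = {"Gi1/0/48"}


def inspect(reply: ArpReply, bindings=BINDINGS, trusted=TRUSTED_PORTS) -> str:
    """Return 'forward' or 'drop: <reason>' for a single ARP reply."""
    if reply.port in trusted:
        return "forward"
    binding = bindings.get(reply.sender_ip)
    if binding is None:
        return "drop: no DHCP binding for sender IP"
    if binding.mac != reply.sender_mac:
        return "drop: sender MAC does not match binding"
    if binding.port != reply.port:
        return "drop: binding belongs to another port"
    return "forward"


SAMPLE = [  # constructed ARP replies
    ArpReply("10.0.0.20", "aa:bb:cc:00:00:20", "Gi1/0/20"),  # legitimate host
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:21", "Gi1/0/21"),   # host 21 claims the gateway IP
    ArpReply("10.0.0.20", "aa:bb:cc:00:00:21", "Gi1/0/21"),  # host 21 claims host 20's IP
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:01", "Gi1/0/48"),   # gateway via trusted uplink
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.sender_ip:10} {r.sender_mac} {r.port:9} -> {inspect(r)}")
```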
5. Business Email Compromise
Business Email Compromise (BEC) is a serious network threat faced by businesses of all sizes in all industries. “As enterprises increasingly adopt conditional access policies, like single sign-on, BEC fraud is growing in scope and financial impact,” said Jonathan Hencinski, director, threat detection and response at Expel, a detection and response managed cybersecurity company.
BEC attacks lead directly to compromised credentials. The most difficult type of attack to detect is one where the attacker enters through the front door with valid credentials. BEC attackers use VPNs and hosts to circumvent conditional access policies.
“A common approach for these types of attacks is to use legacy protocols to bypass multi-factor authentication (MFA) in Office 365,” Hencinski says. “Once an attacker has compromised credentials and is in the network, they can access critical controls and sensitive information across the organization.”
BEC attacks can hit any network at any time. “Since 2019, we have seen a 50% increase in the use of VPN services and hosts to access compromised accounts,” Hencinski says. “Using these services allows attackers to circumvent conditional access policies that deny connections from certain countries by geo-IP records.”
Detecting BEC attempts is a simple three-step process. “The first step is email inspection to prevent and detect phishing emails trying to steal employee credentials and to spot when a malicious actor is using an employee’s account to send phishing emails,” says Hencinski. The second step is authentication monitoring to detect the use of stolen credentials. “The third is account monitoring for the distinctive signs of BEC account takeover,” he notes.
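The second and third steps above, as an added example rather than code from the article or from Expel: authentication monitoring runs over constructed Microsoft 365-style sign-in records and flags the two patterns Hencinski describes (legacy-protocol sign-ins without MFA, and sign-ins from VPN or hosting address space), while account monitoring checks constructed mailbox audit records for one common takeover sign, an inbox rule that forwards mail externally. The record fields, the hosting range and the users are assumptions made for the example; `New-InboxRule` and its `ForwardTo`/`RedirectTo`/`DeleteMessage` parameters are the real Exchange Online cmdlet and parameters that such audit records carry.

```python
"""BEC detection steps 2 and 3 over constructed sign-in and audit records.
Added example; field names, IP ranges and users are made up."""
import ipaddress

# Client apps that authenticate with basic auth and so bypass MFA prompts.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync"}
# Constructed: address space the organisation has tagged as VPN/hosting.
VPN_HOSTING_NETS = [ipaddress.ip_network("198.51.100.0/24")]

SIGNINS = [  # constructed sign-in records
    {"user": "alice", "ip": "203.0.113.7", "client": "Browser", "mfa": True},
    {"user": "alice", "ip": "198.51.100.9", "client": "IMAP4", "mfa": False},
    {"user": "bob", "ip": "203.0.113.8", "client": "Browser", "mfa": True},
]
AUDIT = [  # constructed mailbox audit records
    {"user": "alice", "op": "New-InboxRule",
     "params": {"ForwardTo": "ext@example.net", "DeleteMessage": True}},
    {"user": "bob", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Invoices"}},
]


def authentication_alerts(signins):
    """Step 2: flag sign-ins that look like use of stolen credentials."""
    alerts = []
    for s in signins:
        ip = ipaddress.ip_address(s["ip"])
        if s["client"] in LEGACY_PROTOCOLS and not s["mfa"]:
            alerts.append((s["user"], "legacy protocol without MFA"))
        if any(ip in net for net in VPN_HOSTING_NETS):
            # Geo-IP conditional access cannot see the true origin here.
            alerts.append((s["user"], "sign-in from VPN/hosting range"))
    return alerts


def account_alerts(audit):
    """Step 3: flag an inbox rule that sends mail outside the mailbox,
    a classic sign that someone other than the owner controls it."""
    alerts = []
    for a in audit:
        p = a["params"]
        if a["op"] == "New-InboxRule" and ("ForwardTo" in p or "RedirectTo" in p):
            reason = "external forwarding rule"
            if p.get("DeleteMessage"):
                reason += " that also deletes the message"
            alerts.append((a["user"], reason))
    return alerts


if __name__ == "__main__":
    for alert in authentication_alerts(SIGNINS) + account_alerts(AUDIT):
        print("ALERT", *alert)
```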
6. Tool sprawl
The proliferation of tools, with IT and network managers struggling to manage dozens of different network protection technologies, can make the goal of becoming an attack-proof enterprise harder to achieve. The cyber complexity caused by the proliferation of tools and the lack of easy cybersecurity management can expose IT and security teams to devastating cyberattacks, warns Amit Bareket, CEO and co-founder of network security service provider Perimeter81.
Bareket cites a study recently conducted by his organization that found that 71% of CIOs and associate executives believe that a high number of IT tools makes it harder to detect active attacks or defend against data breaches.
Keith Mularski, managing director of cybersecurity at EY Consulting, says following basic security practices is still the best way to protect against all types of network threats. “Isolate critical systems and networks from the Internet and tightly control who or what has access to them,” he advises.
Trust nothing and segment everything in your operational systems, recommends Mularski. “Be sure to avoid ‘implicit trust’ – everything and everyone who accesses your network must be authenticated, no matter where they are, when they access it, or who they are.”
To enhance preparedness, Mularski also suggests running scheduled simulations. “Like an athlete, you want your team to increase muscle memory and execute response procedures quickly and more intuitively in the event of a violation or incident.”