With SolarWinds Breach, ‘The Hackers Aren’t the Problem’
… negotiator who knows ransomware and all the hundreds of bitcoins now circulating as payment.
Other Obstacles Hackers Don’t Like
Aviad Hasnis, CTO at breach protection vendor Cynet, has other advice.
Begin by increasing awareness across the organization. The goal is to prevent spear phishing attacks (they use both links and attachments) from infecting endpoints with malware and ransomware. Be aware that spear phishing is “targeted and personalized.” That’s according to Barracuda Networks.
“Victims are researched by cybercriminals, who sometimes impersonate a coworker or trusted business,” Barracuda wrote on Channel Futures last year. “In either case, the attackers are generally trying to obtain login credentials or financial information.”
As such, spear phishing represents the typical entry point for RMM attacks, Cynet’s Hasnis said.
One of the best ways to increase awareness is to turn social engineering on its head. Typically, cyberattackers use this ploy. Social engineering imitates known and trusted users, and relies on enticing hooks, to trick employees into giving up information. MSSPs can disguise themselves as potential bad guys and go fishing via email to test employees. Then, when someone clicks the link, a webpage pops up that educates (emphasis on educates — not berates!) the user about what happened and why.
In addition to boosting awareness, make the most of technology (even though technology will not serve as the ultimate deterrent). Deploy an extended detection and response (XDR) product that will detect – and even prevent – spear phishing. Such software “is also advisable to mitigate credential-dumping techniques as well as to detect ransomware which will attempt to use the RMM software to infiltrate customers’ environments while also deleting any existing backups,” Hasnis said.
Traditional, signature-based platforms don’t work so well against modern cybercriminals, he added.
Multifactor Authentication
And like Farajun, Hasnis lobbies for installing multifactor authentication on RMM tools. In fact, he said, MFA usually is just an option in the RMM software. It really ought to be required. MSSPs must enable this capability. This makes life harder for potential hackers and eases IT’s worries.
Last, Hasnis suggests auditing RMM accounts. This, he said, will “ensure all enabled users truly require access to minimize the attack surface. Pay particular attention to high-privileged RMM users as compromise of these accounts will certainly lead to damage.”
That goes back to Farajun’s point about assigning someone to oversee permissions as users dig deeper into the organization’s data. It also makes sense to conduct these RMM audits on a regular basis. People come and go; keep up with personnel changes to reduce the risk of insider hacks.
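The account audit Hasnis describes, as an added example that is not from the article or any RMM vendor: a Python check over a constructed RMM user export and a constructed staff roster (both formats are assumptions) that flags enabled accounts belonging to departed staff, accounts without MFA, accounts with stale logins, and high-privilege roles that should be re-confirmed.

```python
"""Audit an RMM user export against the current staff roster.

Added example, not from the article or any vendor: the export columns,
role names, roster and dates below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample export from a hypothetical RMM console.
RMM_USERS_CSV = """username,enabled,role,mfa_enabled,last_login
alice,true,admin,true,2021-01-10
bob,true,technician,false,2020-11-02
carol,false,admin,true,2020-06-15
dave,true,superadmin,false,2020-07-01
erin,true,technician,true,2021-01-11
"""

# Constructed HR roster of people who still work for the MSSP.
ACTIVE_STAFF = {"alice", "bob", "erin"}

HIGH_PRIVILEGE_ROLES = {"admin", "superadmin"}  # assumed role names
STALE_DAYS = 90


def audit_rmm_users(csv_text, active_staff, today):
    """Return (username, finding) tuples for every enabled RMM account."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].lower() != "true":
            continue  # disabled accounts add no attack surface
        user = row["username"]
        if user not in active_staff:
            findings.append((user, "enabled account not on active staff roster"))
        if row["mfa_enabled"].lower() != "true":
            findings.append((user, "MFA not enabled"))
        if (today - date.fromisoformat(row["last_login"])).days > STALE_DAYS:
            findings.append((user, f"no login in {STALE_DAYS}+ days"))
        if row["role"] in HIGH_PRIVILEGE_ROLES:
            findings.append((user, f"high-privilege role '{row['role']}': confirm still required"))
    return findings


def example_findings():
    """Run the audit on the constructed data as of a fixed constructed date."""
    return audit_rmm_users(RMM_USERS_CSV, ACTIVE_STAFF, date(2021, 1, 12))


if __name__ == "__main__":
    for user, finding in example_findings():
        print(f"{user}: {finding}")
```

Running it on the constructed data reports six findings, four of them for the departed superadmin account "dave", which is exactly the kind of high-privilege, unaudited account the article warns about.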
Remember, the goal is not to install every piece of possible technology to avoid a breach. That’s not realistic. However, MSSPs can, for themselves and their clients, set up undesirable obstacles that will spur cyber criminals to look elsewhere.
“We’ll never root out every hacker or spy in the supply chain,” said Phil Straw, CEO of hardware storage vendor SoftIron. “Instead, we need to rethink each layer of the IT stack to deliver greater transparency, enabling security analysts to shine a light into each and every corner where a hacker may hide.”