Plugging the gaps: Australian organisations are leaving their defence barriers wide open
Article by Accenture A/NZ security practice lead Joseph Failla.
When the Australian Government became a major target of cyber attackers in June 2020, the Prime Minister didn’t pull any punches in warning that all levels of government, critical infrastructure and essential services are under increasing attack by criminal hackers.
Worryingly, Accenture data shows that only 43% of Australian organisations are actively protected, and security teams are identifying only 58% of breaches.
Yet, many of the criminals succeeding in stealing data or infecting enterprise systems with ransomware are not incredibly sophisticated. They are walking through the gaping holes in Australia’s organisational defences – gaps that leadership teams don’t even realise are there.
There are multiple recent incidents where attacks were preventable and where companies were materially affected because they didn’t have the basics right. Here are some examples of those basics:
If you can’t see it, you can’t defend it
Having as much visibility as possible across the IT environment is essential. Gaining visibility might not be cheap – but it’s worth the investment.
Threat hunters can help identify where the organisation lacks logs for specific artefacts, and then ensure all logs are ingested by a security information and event management (SIEM) tool that provides real-time analysis of the security alerts generated by applications and network hardware.
Backups won’t save you from ransomware
Many executives think their backups and offline copies are protection against ransom demands. If service is denied, they’ll simply reopen by spinning up the backup system.
But now criminals have evolved their modus operandi. Domain admin access attacks are becoming more vicious. Perpetrators are selling access to other bad actors. Before deploying ransomware, they are exfiltrating sensitive information and threatening to leak the stolen data if their ransom isn’t paid.
You can spot attacks before they happen
Criminals love ransomware because it’s easy to use and devastatingly destructive.
In 2019, the cost of ransomware to organisations around the world increased by 21%. The good news is we can now detect moves to install ransomware in time to stop deployment.
Before ransomware is rolled out, hackers need to spend weeks or months inside the system planning the attack. Threat hunters can detect traces of these actions. They look for tiny anomalies in the noise of the system and follow these ‘breadcrumbs’ to identify and stop attackers before they hit.
You need to clean the house before reopening for business
Once an attack occurs, security teams are under enormous pressure to get systems up and running. But ransomware needs to be thoroughly cleaned out, or backups risk getting reinfected.
The priority should be getting everything clean and 100% in working order before bringing the business back to normal operations.
You should shut the stable door after the horse has bolted
Weathering an attack and getting systems back up and running is not the end of the story.
Often, attackers return to the scene of the crime to see if they can get in again, so continuously monitoring for the indicators of compromise prevents criminals from using the same ‘door’ to sneak back in and do more damage.
COVID-19 makes incident response more complex than ever
COVID-19 has created an additional layer of difficulty around cybersecurity practices, and it’s not limited to COVID-related phishing efforts.
Lockdowns and work from home have slowed breach responses. Security teams are struggling with physical constraints, such as limited access to data centres and employee laptops, lack of a war room to convene incident response teams and limited forensics capabilities.
In this environment, security leaders may need to change how they train people on cybersecurity best practice. Response teams must establish and train for new processes to mitigate attacks, and security tools must match the new operating model – whether that’s in the cloud or relying on home networks.
What’s more, organisations’ pre-COVID response playbooks almost certainly need updating. Regulators are demanding documentation on how enterprises are responding to breaches in the current environment, particularly when it comes to escalating ransomware attacks. Victim companies are in a difficult position, but regulators – and insurers – are not taking a kinder, gentler approach.
Do your homework now – not during a crisis
By the time an incident is over, the executives and directors involved may wind up better versed in cybersecurity and incident response than they’d ever imagined.
But they always wish they’d been as clued up before the attack hit. Getting acquainted with cybersecurity strategies in the half-hour before the media find out the company has been hacked only adds to the stress of the moment.
Understanding what you’re dealing with from the get-go improves the speed of the crisis response, reduces panic and provides confidence when briefing the market and employees.
Most importantly, understanding and then putting in place the essential ‘get rights’ of cybersecurity – strong visibility, good tools and threat hunting – will help close the gaps and ensure the organisation is not an easy mark for opportunistic criminals.