2021 was a busy year for cybersecurity experts and IT professionals as businesses worldwide faced a barrage of cyberattacks. In January the Identity Theft Resource Center reported that the number of publicly acknowledged data compromises in the U.S. increased 68% in 2021 compared to 2020, with ransomware-related incidents having doubled in each of the past two years. What’s more, the average total cost of a data breach increased to $4.24 million last year, the highest recorded in almost two decades. The same report shows that organizations with more than 50% of their workforce working remotely – as many still are – took nearly 316 days to locate and contain breaches, compared to the regular average of 287 days.
The number, intensity and variety of these attacks are only expected to increase in 2022 as cybercriminals continue to devise new strategies to monetize their efforts. A significant cybersecurity incident is not only a business crisis: it can also become a powerful catalyst for enhancing fundamental IT capabilities. With a growing universe of products and service providers competing for a place in the plan, a clear starting point may not be evident. So, where to begin?
Starting the Cyber Resilience Journey
The list of security standards and models with which organizations could align can appear daunting. Implementing robust resilience against cyberattacks is a journey, and there are many approaches and tools that can reduce risk effectively. Organizations looking to take the first steps should begin with a risk-based approach that provides critical coverage: reducing the risk of the most common types of attacks, easing response, and mitigating damage should an attacker gain entry. This approach should include five foundational elements:
- Endpoint Detection & Response (EDR) with Next Generation Antivirus (NGAV) Functionality: All servers and end-user systems should have agents installed and blocking capabilities activated. By installing tooling on all servers and end-user systems, organizations can capture telemetry and block known or suspected malicious activity. The telemetry helps security analysts and incident responders, whether in-house or outside teams, quickly identify and resolve incidents. This capability can represent the difference between a minor intrusion that is understood and contained within minutes and a full-blown ransomware attack that materially impacts your business. While not a silver bullet, the blocking (NGAV) capabilities are also important for stopping both known and unknown threats.
- Multi-factor Authentication (MFA): Implementing MFA protects Internet-facing systems, including email and VPN, by requiring more than just a password. This could be a token generated by a smartphone application or a numeric code sent to the user’s mobile phone via text message. Organizations should focus on covering email, virtual private networks (VPNs) and other systems that could provide entry to the network. Users reuse passwords that may be exposed in other attacks and then leveraged against your systems, and groups with malicious intentions constantly guess common passwords. Without MFA, Internet-facing systems are one step away from being compromised.
- Local Administrator Password Solution (LAPS): Organizations should ensure every system has a unique local administrator password that is different from all others. When an attacker gains access to a system, whether through exploiting a known or new vulnerability, guessing a password, or convincing a user to click a malicious link, one of the first things they attempt to do is use that system as a pivot point to leapfrog to other systems within the network. If these passwords are the same on every system, it is extremely easy for an attacker to quickly move about the environment. The point at which the attacker begins lateral movement is often the inflection point where a simple incident turns into a complex, costly, impactful one.
- Resilient Backups: Many organizations have designed their backup systems to be resilient against physical disasters such as earthquakes that take a data center offline, but did not design resilience against an attacker intentionally corrupting them. In the age of ransomware, extortionists continue to refine their tactics to drive forward their business – which is convincing their victims to pay ransom demands. One of the ways they do this is to find and corrupt victims’ backup files – prior to encrypting files – to increase victims’ pain and incentivize them to pay quickly. Resilient backups isolate archived data from intentional corruption by an attacker who gains access to the network. Organizations should protect at least one backup mechanism from being corrupted deliberately by an attacker who has administrative-level privileges in the environment. There are multiple approaches to addressing this goal, typically involving a cloud-based secondary backup mechanism that is configured to be “immutable.”
- System, Patch & Vulnerability Management Tooling: Organizations should install tooling to ensure that IT administrators can take control of any organization-managed system, whether in a physical data center, in a cloud environment, in an office, or in a hotel room with a road-warrior employee. Admins must be able to perform basic activities such as installing software, checking for operating system and application vulnerabilities, and installing patches. Having this basic capability is crucial to investigating and resolving incidents and has a multitude of other benefits that reduce risk every day.
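As an added illustration of the LAPS element above (this is example code, not part of the original article), the audit below takes a per-host export of local administrator password hashes and rotation expiry times, as an endpoint management or directory query might produce, and reports hosts that still share a password, hosts with no managed password at all, and hosts whose rotation is overdue. The host names, hash values and dates are constructed sample data, and the field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export. "pw_hash" stands in for a hash of the local
# administrator password (placeholder values, not real hashes); "expires" is
# when the managed password is due to rotate (None = not managed by LAPS).
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    {"host": "srv-db-01", "pw_hash": "h-7f2a", "expires": NOW + timedelta(days=10)},
    {"host": "ws-0001", "pw_hash": "h-91c0", "expires": NOW + timedelta(days=3)},
    {"host": "ws-0002", "pw_hash": "h-91c0", "expires": None},  # same password as ws-0001
    {"host": "ws-0003", "pw_hash": "h-91c0", "expires": None},  # same password as ws-0001
    {"host": "srv-file-02", "pw_hash": "h-aa10", "expires": NOW - timedelta(days=40)},
]


def audit_local_admin(hosts, now=NOW):
    """Return findings: hosts sharing a password, unmanaged hosts, overdue rotations."""
    by_hash = defaultdict(list)
    unmanaged, overdue = [], []
    for h in hosts:
        by_hash[h["pw_hash"]].append(h["host"])
        if h["expires"] is None:
            unmanaged.append(h["host"])        # LAPS not applied to this host
        elif h["expires"] < now:
            overdue.append(h["host"])          # rotation has lapsed
    # Any hash shared by more than one host means the password is reused.
    shared = {k: sorted(v) for k, v in by_hash.items() if len(v) > 1}
    return {"shared": shared, "unmanaged": sorted(unmanaged), "overdue": sorted(overdue)}


def reuse_blast_radius(findings, total_hosts):
    """Fraction of the fleet that one reused local admin credential would unlock."""
    largest = max((len(v) for v in findings["shared"].values()), default=1)
    return largest / total_hosts


if __name__ == "__main__":
    findings = audit_local_admin(SAMPLE_HOSTS)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print(f"blast radius of largest reused password: {reuse_blast_radius(findings, len(SAMPLE_HOSTS)):.0%}")
```

The blast-radius figure is the number the article's lateral-movement point is really about: the larger the share of hosts reachable with one credential, the sooner a single compromised system becomes a fleet-wide incident.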
These five foundational elements will help organizations begin their cyber resilience journey but are by no means an exhaustive approach to cybersecurity. Organizations should also understand their Internet footprint and ensure available services are protected. Services exposed to the Internet at large will be tested frequently by potential attackers; by scanning their own footprint frequently, organizations can ensure that network configurations have not inadvertently exposed systems that were never intended to be Internet-accessible.
Over the years, cyber threats have evolved and escalated; our approach to building resilience should do the same. Organizations looking to build their cyber resilience for the future should take tangible measures to improve their IT infrastructure’s resilience today, and these five foundational elements are a great first step that will save your organization pain and money overall.