How defence in depth can sink cyber attacks

By Carolyn Crandall, Chief Deception Officer at Attivo Networks

The cybersecurity of financial institutions is appearing as a top priority for the Bank of England in the coming months. The central bank will focus on stress testing IT defences for online attacks and establishing new standards for how quickly and effectively financial institutions should contain these breaches. The objective is to improve banks’ operational resilience to withstand unforeseen future crises, such as the impact of COVID-19.

The decision comes as organisations adjust to a new wave of threats, in which opportunistic cybercriminals have continued to exploit weaknesses across a larger digital attack surface. While business email compromise (BEC), phishing attacks, and malware are still dangerous weapons in a threat actor’s arsenal, they are increasingly using advanced persistent threat (APT) tactics to circumvent defences and avoid detection. CISOs need to deploy a layered approach to security to prevent their most valuable assets from falling into the wrong hands to defend against these attacks.

Pandemic opportunists  

Threat actors are opportunists that have used the COVID-19 chaos and uncertainty to their advantage. They know that the crisis caught many businesses off guard at the beginning and exploited the rapid shift to remote working en masse to target vulnerabilities in devices and networks and weaker remote worksite security controls. According to figures from the FBI’s Internet Crime Complaint Center, the result has been a 400 percent increase in cyber attacks since the start of the pandemic.

Virtual Private Networks (VPNs) are among the most popular methods for connecting staff to corporate networks remotely. However, these are also a popular entry point for threat actors exploiting unpatched vulnerabilities or using credentials stolen via phishing campaigns. Microsoft recently revealed that COVID-related phishing campaigns rose to more than 30,000 a day, while independent research from industry consortium FS-ISAC found that phishing emails against bank employees rose by a third over the first quarter of 2020.

In regular times, perimeter security often stops such activity. However, with workforces accessing the network at different times and from other locations and systems, spotting unauthorised infiltration has become much harder.

Attackers go low and slow to avoid detection

Threat actors are not only using COVID to their advantage but are also changing tactics to avoid detection and maximise the payout. Gone are the days of the ‘smash and grab’ approach, in which threat actors go in heavy and fast, triggering an immediate alert that attackers had compromised the corporate network.

Instead, they have now switched to a “low and slow” approach, taking their time to move carefully through an IT network looking for the most valuable assets. Attackers are using port scanning or credentials stolen either from the users themselves or via Active Directory, which conventional security tools will struggle to identify. These allow attackers to lurk in the system for several months to gain a foothold in the network and move laterally to more secure areas to access sensitive data. In 2019, attackers  spent, on average, 206 days on a network before detection, a number that is likely to increase in 2020.

Another waiting game tactic is now yielding results as working practices change. Dormant malware infections have compromised vulnerable systems operating outside the perimeter, waiting to activate weeks or months later when staff return to the office. In effect, they are jumping the firewall.

Defence through depth

Attackers will use a range of tactics, techniques, and procedures (TTPs) to achieve their objectives, and once they’ve compromised the network, it’s typically only been a matter of time before they get what they want. However, there are ways for CISOs to get on the front foot and prevent attackers from establishing a foothold.

Carolyn Crandall

Creating defences that include multiple elements, each designed to detect, triage, and remediate various attacks at different points both outside and inside the network, provides defenders with an advantage. The more defensive layers there are, the harder it is for an attacker to break through.

While endpoint security and even behavioural analytics are commonplace, they can leave gaps in an organisation’s defences. These tools can’t provide the full spectrum of early detection of in-network threats and activities related to credential theft, discovery, lateral movement, and data collection.

One way to fix this is to combine deception and concealment technologies. These protect valuable assets – such as Active Directory objects, files, and folders – by hiding them from attackers and presenting any unauthorised person with fake data designed to derail their attack and steer them into decoy engagement servers for observation. These deceive attackers into thinking that the assets they have found are genuine, when, in fact, they have fallen into a deceptive environment where their every action is monitored and recorded.

The moment intruders attempt unauthorized access or interact with the deception environment, the CISO and their team receive alerts. In response, they may shut down the attack or study the attackers’ TTPs, enabling the security team to build a threat informed defence where they can identify and remediate any weaknesses in their security controls. Defenders can also use this attack information to update defences for threat hunting other incidents and identifying similar suspicious activities quickly in the future.

Deception and concealment technologies can integrate with a range of other security measures, including Endpoint Detection and Response (EDR), to improve detection coverage and to share threat data quickly for faster response and remediation. In fact, combining EDR with data concealment gives organisations an average 42 percent boost in detection.

Businesses operating in financial services are under greater pressure than ever before to secure their IT networks and build resilience in the face of persistent attacks. Deception and concealment technologies provide a powerful diversion that hides and prevents access to valuable assets whilst gathering new insights for strengthening existing security measures.  As part of a robust, layered cyber defence, it provides a vital deterrent that prevents attackers from achieving their ultimate goal.