Maximizing cyber protection with tools you already have

Authored by AXA XL North America Cyber Incident Response Team Manager Gwenn E. Cujdik and Brendan Rooney is Managing Director of Tracepoint

Keeping up to date with the latest cybersecurity innovations is pivotal in the defense against malicious cyber criminals. However, it is equally important to ensure that any organization is maximizing their current toolsets to enable maximum prevention and detection capabilities.

The best offense is a good defense. In cyber risk it can be similarly articulated that the best way to combat malicious actors is to prevent an incident from ever happening in the first place. Although a worthy goal, it is increasingly unrealistic to prevent all types of incidents from taking place and the multifaceted implications of such incidents will only increase in their complexities over time.

Regardless of the preventative efforts put forward, cybersecurity compromises can and do occur frequently, making it imperative to ensure that any organization is getting the absolute most out of the toolsets they are relying upon to protect their digital assets and to maintain operational continuity. This can be obtained through an in-depth understanding of how these tools prevent a cyber adversary from gaining access to an environment, but also how they enable visibility to detect and contain the adversary in the event a cyber adversary has gained access to an organization’s network.

Making the most of your existing resources

The best fit solution doesn’t always involve drawing from an allocated budget by investing in the latest and greatest hardware or software products. Instead, what we find with most clients, is that had they enabled some of the native protection and detection capabilities in their current toolsets, they would have been far better equipped to prevent and detect malicious threats to their environment before disaster struck.

Plenty of the malicious activities impacting companies in the United States emanates from sources in other countries. Consider the example of a strategy known as “geofencing” or “geo-blocking”. Geofencing creates a policy to block traffic from IP addresses located in countries where an organization may not be operating.

Although this is not an available feature on all commercial firewalls, every commercial entity in the world invests in firewalls to defend their perimeter and may not be versed in the practice of configuring those firewalls to offer their greatest level of afforded protection. This is but one example, as there are certainly many more.

In the case of detection, it is common for an organization to have some level of security or activity logging within their chosen toolset and/or policies enabled to alert on malicious behavior. These “logs” also record evidence to be reviewed later to help investigator and the organization understand the “who, what, when, where, and how” of an attack. They can be invaluable to both the detection of an event and the response. However, we find that a substantial number of organizations (including large enterprise organizations) may not have a defined awareness of where those logs reside, their respective retention periods or an established protocol in place to monitor those logs for suspicious activity. Without reviewing these logs on a routine basis, it would be incredibly difficult to know what activity might be taking place in the network environment to prevent an event and even more difficult to investigate should an event happen if you are not properly collecting and maintaining these very important pieces of evidence. Relatedly, the same comments are relevant when considering policies implemented to alert on suspicious activity. For instance, depending on an insured’s email tenant licensing tier, there are policies which can be implemented to prompt your administrator when suspicious email forwarding activity is taking place or when such forwarding rules are created by a user's account to begin with. The creation of forwarding rules is a common practice for bad actors after gaining access to a user’s email account. In certain circumstances it is also possible to implement a variety of policies to allow or deny access to various resources based on the user’s role and location, along with enforcing multifactor authentication for successful access to corporate applications and services on their domain(s).

Multifactor authentication (“MFA”) is a commonly accepted means of preventing compromise to user, administrator and service accounts while also protecting access to cloud-based applications utilized in daily operations. From our perspective, the security benefits of MFA far outweigh any frustration of employees in taking additional steps to access email, applications, and networks of the organization. However, you may think you have MFA place, but as it relates to email access, the mere requirement of MFA can be a moot point if legacy protocols such as SMTP, IMAP and POP3 are enabled. If these are enabled, MFA will not be the silver bullet of protection due to such protocols’ inability to support multifactor authentication. Here, bad actors can circumvent MFA by leveraging these protocols to get in despite your best efforts. This is another area which is commonly overlooked by various security resources from within and outside of an organization. Yes, there are fantastic products which are designed to both prevent and detect malicious content from ever reaching a user. However, there are plenty of important steps that can be taken from within your existing email platform prior to opening the proverbial pocketbook.

Endpoint Detection and Response (“EDR”) and Extended Detection and Response (“XDR”) platforms have become a highly sought-after and recommended security tool for preventing and detecting malicious activity in an organization’s environment and rightfully so. These security tools equip organizations with behavioral-based prevention and detection, rather than traditional antivirus products which rely on signatures of known malware used to scan the environment. EDR and XDR platforms provide the ability to see into the systems to observe suspicious activities and behaviors including the installation of tools commonly used in attacks that traditional antivirus tools would miss and even more impactful is that these platforms allow the organization to act on that suspicious activity alerting on an endpoint by isolating it from the network for further investigation. Simply purchasing such advanced toolsets is not enough to prevent and detect bad actors if they aren’t deployed and configured properly. Even in organizations with these platforms in place, we have observed countless situations in which the agent was not properly deployed to the entire network, 100% coverage. Deploying only to a subset of systems in the environment, rather than to the environment in totality creates substantial gaps in visibility into the network, leaves doors open for bad actors to get in undetected and ultimately places limitations on the ability to take action if malicious activity does take place. Think of it as having a fire alarm and sprinkler system in place and only turning it on for half the building. Now think, what if that fire once it started was capable of disabling the alarm and sprinkler system to the whole building? Simple steps involving your existing inventory can make a world of difference.

The baseline and beyond

Once the appropriate security controls have been implemented in an existing product suite, an organization has only achieved its general baseline protection and detection capabilities. Organizations need to look beyond their technology products to ensure that those tools are routinely assessed and implemented appropriately. That’s why AXA XL initiates conversations with clients early and often so we discuss what “taking cybersecurity to the next level” entails and help our clients in connecting with partners like Tracepoint to make the next level achievable.

Through this process, we can collectively assess preparation and provide context of the current threat landscape to align strategy and practice. This is aimed at affording our clients with the opportunity to have an open dialogue on what we’ve seen in the field of incident response and offer advice pertaining to current security investments for optimal utilization in prevention, detection and investigative capacities.

Reviewing firewall configurations, discussing the limitations of their current antivirus product, saturation of their EDR or XDR toolset, or that they have (and are enforcing) adequate email policies are only a few of these worthwhile discussion points. This is intended to be comprehensive and focus on areas that are ripe for exploitation by malicious actors, including the strong potential for human error, a leading cause of cybersecurity compromise.

During the course of an investigation, it is far too often that some form of human error has played a critical role in providing a bad actor with access to an environment. Whether it be through the voluntary forfeiture of credentials, use of simple passwords or allowing a successful connection after a MFA prompt, even the best defenses in the world cannot account for a user’s inability to adhere to well-documented security policies. A key aspect of taking steps to prevent security incidents is by raising awareness of the impact of human error and impressing upon employees the need to take cybersecurity seriously and to observe the organization’s security policies without exception.

As critical as it is to keep a watchful eye on employees as a source of compromise, it is equally as important to take the same precautions with third-party vendors. Every organization should familiarize themselves with their vendors’ privacy and security policies, along with the level of access that such vendors might have into their own environment. Any organization that allows a vendor to maintain some level of remote access is expanding their potential attack surface and without a foundational knowledge of how such access is secured, it may create unacceptable levels of risk. Vendor due diligence should be practiced not only with new relationships, but with previously trusted partnerships as well. With the increased frequency and severity of cybersecurity incidents, it can be argued that the operational supply chain of an organization poses some of its greatest risk. This is yet again another area which organizations can avail themselves of resources already in place. Testing the efficacy of existing security controls, engaging in vendor management, and frequently conducting employee training, rather than adding on more products and more services on top of them can help many organizations maximize their budget and minimize their risks.

In Summary

In recent years it has become exceedingly difficult to understand what the best “first” or “next” step might be in cybersecurity, and some are certainly much further along than others. With a multitude of different products available and marketing information utilizing commonly accepted buzzwords, making your way through the clutter can be an arduous task for even the most knowledgeable security personnel. We strongly encourage any company to take inventory of what they have in place, ensure that it’s been maximized to the fullest extent available and then determine whether it’s appropriate to continue adding more solutions to prevent and detect malicious activity. We know that not everyone has an unlimited budget at their disposal and there are products which are far superior to others, but an organization may have additional security features available that purely go unapplied. With the right help, you can quickly identify those security features and make sizable steps towards preventing and detecting future threats.