In Googling the “worst year in history,” you might come across the year 536. It was a year dubbed “the worst year to be alive” by a medieval scholar because of extreme weather events. This was probably due to a volcanic eruption early in the year, creating lower average temperatures in Europe and China, resulting in crop failures and famine for yet another year. Future scholars may look at 2020 similarly, for myriad reasons, including the pandemic.
By Aaron Reason, Senior Director of Information Security, Consolidated Communications
But how will 2020 be evaluated in the eyes of technology watchers and cybersecurity experts? The year 2017 is a competitor, thanks to the WannaCry ransomware attacks, one of the largest cybersecurity attacks in history. But looking back at 2020 in terms of cybersecurity, it was undoubtedly a fast-paced and hectic year, with a multitude of new threats, some created by the pandemic. More ransomware gangs formed, and they upped the stakes from simply encrypting systems to holding data hostage. 2020 was chaotic, with new vulnerabilities that empowered cybersecurity criminals.
As the rest of the business world makes strides toward normalcy, the prognosis for network security is a challenging one. Consolidated Communications foresees more attacks and the potential for more disruption than ever. If you are like me, this underscores an exciting opportunity. Cybersecurity forces us to stay sharp and is continually challenging us to be better at what we do.
Ounce of Prevention Equals a Pound of Cure
Regardless of business size, attacks will be initiated in the same ways, including phishing (payload delivery or credential theft), a vulnerable internet-facing host, drive-by malware downloads resulting from work-from-home self-managed IT, social engineering, or one of a dozen other methods.
In 2021, the critical tasks remain: We will need to stay on top of tuning our SIEMs, keeping up with our vulnerability scanning and mitigation programs, making sure hosts on our networks have proper endpoint detection and response, and maybe even building out new runbooks for our SOARs (Security Orchestration, Automation, and Response). There are a million things to keep our security engineers and us busy, so I wanted to mention a few ideas which might be a bit outside the box.
The top five cybersecurity approaches you should consider are:
1. Teams/Slack Notifications for Critical Issues
This is an easy win. Figure out some malicious activity indicators and alert your top security engineers by posting to a Critical Channel when they trigger. This goes beyond everyday SIEM offenses; these are ringer alerts for the most critical events, for which time is of the essence. Challenge your team to develop a few indicators each, such as misuse of service accounts (a service account being used on a non-approved machine), or alert them when a regular user account tries to RDP into a domain controller from a non-bastion host. You could build a firewall policy for known command and control IPs/URLs, and if it hits, have your firewall post to the channel. When your EDR has a critical alert (Meterpreter, C&C, PowerShell abuse), post it to the channel. If you have a SOAR, these alerts might be easy; if not, a little Python and API goes a long way.
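An added example (not from the original article) of the "a little Python and API" approach described above: two of the indicators named in the paragraph, checked against normalized logon events and formatted for a channel webhook. The account and host names, the event field names, and the CRITICAL_WEBHOOK_URL variable are assumptions; the sample events are constructed.

```python
import json
import os
import urllib.request

# Assumed inventory (hypothetical names); load these from your CMDB/AD in practice.
SERVICE_ACCOUNT_HOSTS = {"svc_backup": {"bkp01"}, "svc_sql": {"sql01", "sql02"}}
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
BASTION_HOSTS = {"jump01"}
RDP_LOGON_TYPE = 10  # Windows "RemoteInteractive" logon type

def evaluate(event):
    """Return a list of critical findings for one normalized logon event."""
    findings = []
    user = event["user"].lower()
    dest = event["dest_host"].lower()
    src = event.get("src_host", "").lower()
    # Indicator 1: service account seen on a host it is not approved for.
    if user in SERVICE_ACCOUNT_HOSTS and dest not in SERVICE_ACCOUNT_HOSTS[user]:
        findings.append(f"Service account {user} used on non-approved host {dest}")
    # Indicator 2: non-service account RDPs into a DC from outside the bastion set.
    if (event.get("logon_type") == RDP_LOGON_TYPE and dest in DOMAIN_CONTROLLERS
            and user not in SERVICE_ACCOUNT_HOSTS and src not in BASTION_HOSTS):
        findings.append(f"RDP to domain controller {dest} by {user} from non-bastion host {src or 'unknown'}")
    return findings

def build_message(event, finding):
    """Build the {"text": ...} JSON body that Slack incoming webhooks accept."""
    return {"text": f"CRITICAL: {finding} (event time {event['time']})"}

def post(webhook_url, message):
    """POST the message to the channel webhook; raises on HTTP errors."""
    req = urllib.request.Request(webhook_url, data=json.dumps(message).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"time": "2021-01-11T09:02:10Z", "user": "svc_backup", "src_host": "bkp01", "dest_host": "bkp01", "logon_type": 5},
    {"time": "2021-01-11T09:14:44Z", "user": "svc_backup", "src_host": "ws114", "dest_host": "ws114", "logon_type": 3},
    {"time": "2021-01-11T09:20:03Z", "user": "jdoe", "src_host": "ws207", "dest_host": "dc01", "logon_type": 10},
    {"time": "2021-01-11T09:31:57Z", "user": "adm_kim", "src_host": "jump01", "dest_host": "dc02", "logon_type": 10},
]

if __name__ == "__main__":
    url = os.environ.get("CRITICAL_WEBHOOK_URL")  # unset: dry run, print only
    for ev in SAMPLE_EVENTS:
        for finding in evaluate(ev):
            msg = build_message(ev, finding)
            print(post(url, msg) if url else json.dumps(msg))
```

Keeping the approved-host and bastion sets small and explicit is what keeps this channel quiet enough that a post to it still gets immediate attention.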
2. Start Learning Incident Response
This will enable you to know when to cash in on your IR retainer hours and when not to. We have all had those moments when you see something that might not amount to much, or it could be the beginning of a hectic day/week/month. Having some tools in your toolbox to know the difference between a false alert and a potential breach is helpful. Maybe your EDR has everything you need to do forensics, or perhaps you can spend some time building out a Velociraptor instance for querying machines and dumping memory. Regardless of how you do this, it is worth the time spent learning some forensics. IR dollars are expensive, and they can disappear quickly; if you can tackle the basics on your own, it will be well worth it.
3. Harden Your Critical Infrastructure
We spend much time on all the security tools and policies and sound designs to kill the attack chain…
This story first appeared in the January 2021 issue of CISO MAG.
About the Author
Aaron Reason is the Senior Director of Information Security at Consolidated Communications. Before his work at Consolidated, he led a team providing cybersecurity services for government contracts and has worked in education, utility, federal and nonprofit verticals. Aaron is skilled in SIEM, Networking, Data Center, Cyber Security, DDOS Mitigation, MSSP, and Information Assurance.