Acknowledge your infrastructure, identify the cyber adversaries, forge a trustable risk management program and contingency plan, and intercept thousands of cyber battles with ease!
In the past few months, varied news about cyber-attack threats has caused a ripple effect of havoc in Nepali cyberspace, as the entire industry panicked, unaware of the attacks, their nature and their horrendous impact. Being in the industry, taking precautions is certainly wiser; however, the reasons for worry may be otherwise. Sun Tzu’s quote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles”, gives a broad idea of what we are dealing with.
- Acknowledging ourselves and the nature of our enemies
Given such rumours, the chances are that similar incidents will occur in the near future too. Sometimes, paying too little attention to the rumours can afflict the security posture of the business in a prodigious manner. We are at the point where we need to run and upscale the business hand in hand while, at the same time, focusing on its security. In these challenging situations, cybersecurity has so far proved to be a major game-changer. Although there is no silver bullet for cyber threats, an optimum level of results can be achieved without investing much. A myth prevails that cybersecurity is fairly expensive, but it is not. Diverse organizations seem to overspend on it without realizing the actual need. Thus, with a thorough requirement analysis of the requisites and a continuous approach, an organization can keep its investment to a minimum while lessening the cyber impact, since no expert can prevent a cyber-attack, but can minimize its impact and maintain a better security posture for the organization.
Interrogating ourselves (acknowledge yourself, and the enemy): let’s ask ourselves the following questions.
- Do we know our systems, network, third-party connections via APIs, VPN connections and so forth?
- Have we analyzed our contingency plans, such as our Incident Response Plan, Disaster Recovery Plan, Business Continuity Plan and the like?
- Do we have a complete IT risk management framework, where all the risks are addressed until they match our risk appetite level?
- Have we defined the amount of data loss and the outages we could bear, and have we defined these recovery time objectives and recovery point objectives within our IT risk framework?
- Have we performed a vendor risk assessment before allowing vendors to connect to our network or application? Do we realize the risk factors they carry along with insecure connections? Does this match our risk appetite level too?
- Have we subscribed to a weekly/monthly patch management program? If so, how often do we review it?
- Do we have enough skilled manpower to perform such tasks? If we do, do we have budget procedures in place for upgrading their knowledge?
- With such a wide range of security technology available, are we aware of which technology meets our defence-in-depth layers? Let’s ask ourselves: is it “what we need”, or is it “why we need it”?
- Can the vendor meet our SLA? If so, what is their prior experience in the domain? What KPIs are set to review their quality of performance?
- How mature is our cybersecurity level? On the Performed, Documented, Managed, Reviewed and Optimizing maturity levels, where do we see ourselves relative to the Reviewed level? Please remember, “Managed” is considered good cyber hygiene, and it is recommended to be at the Reviewed stage. You cannot get there in a short time; allow a year or two, as it requires lots of skills, resources and reactive practice.
- This list of questions could go on; this is it for now.
- Despite a shortage of skilled manpower, a good penetration testing engineer is frequently available, leaving the potential findings of a good system administrator or firewall administrator in the shadows. This is the gap that needs to be filled. In fact, an IT professional cannot become a security analyst without prior knowledge of systems, programming or routing/switching. Thus, we need to put more effort into cyber range exercises, or both Red teaming and Blue teaming exercises, as the Blue team is as important as the Red one.
- Working directly with the world’s top firewall vendors/OEMs to assess their capabilities, I have come to realize that it leads to darker shades of cyber-security sooner. Personally, we need to have a better firewall policy, so as to make sure that the firewall is configured as per the policy.
24/7 monitoring gives you absolute visibility (depending on the scope) of your network or systems and can identify complex zero-day attacks (detection, not prevention). With better SIEM tools and expert analysts together, thousands of cyber battles can be triumphed (acknowledge yourself). Most SOC service providers just collect the alerts produced by SIEM tools and send them to you as a report; always go for service providers who follow threat hunting practice, as this will help you understand complex APT attacks too. If you are disoriented about how to start, Vairav is here to provide adept consultation services. At Vairav, we provide a 24/7 managed detection service from our in-house Security Operations Center, and yes, our Tier 5 SOC approach follows threat hunting.
Purchasing just a SIEM or similar branded solution is not advantageous if you are not ready to invest in skilled manpower, as tools are just tools without them. Whatever a renowned SIEM can do, open-source tools like Sysmon and the ELK stack give you the same result, as what matters is how well you monitor, not the tools you use.
- Reviewing our risk management framework, we always ask ourselves, “What if our risk mitigation plan fails? What will be the contingency plan?” The latter question is the absolute saviour of your business, to keep it grounded.
- Subscribe to a Vulnerability Assessment and Penetration Testing program on a regular basis, at least monthly, or whenever changes are made, no matter how small the modifications are.
- Review the access control rules frequently. Usually the SOC identifies these changes; however, it is always recommended to have an ACL matrix. This helps the SOC detect an ACL breach efficiently.
- Password hygiene is another key component to oversee: what matters is not changing to a complex password frequently, but how you use it, and how many systems are accessed with the same password. Another point most of us forget is to limit the maximum password length as well. What if the attacker applies brute force with thousands of characters in the password field? Does your application handle it?
- Try a different control tool for each of your defence layers, such as a WAF on the application layer, a firewall on the network/transport layer, or EDR on the workstation. If your access control matrix changes frequently, IAM or PAM are suggested too. However, all these tools and their processes must be monitored by the SOC team, as this is necessary.
- Invest in skills, not in certifications. Most of the time, a certification showcases a big bubble of so-called “skills”, but once it ruptures, the skills are absent. Hence, invest more in skills, leaving certification as a later option, depending on the investment.
- Invest in threat intelligence as well, as it provides you with the threat actors’ TTPs. Why is it important? Once you know their TTPs, it helps you configure your control layers. Our Vairav SOC consumes hundreds of paid and free threat intelligence sources. In addition, we have a local threat intel team that constantly monitors locally targeted threats.
- Your users are always the weakest link in the chain, hence investing in cyber awareness more frequently is always effective, making them the strongest link. After all, a human wall is always better than a firewall.
- Lastly, try to meet the compliance requirements, whether it be the NRB IT Guidelines or a few PCI DSS requirements. This will give you more confidence than actual protection; however, you need to meet compliance, so do you have any other options? Compliance serves like a rifle: it gives you self-confidence without your realizing that it is in fact empty, without bullets ;)
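The ACL matrix point above, as an added example that is not part of the article or of Vairav’s tooling: a small check that compares a deployed firewall rule export against the approved ACL matrix and reports anything that was added or removed without sign-off. The rule format (source, destination, port, action) and the sample rule sets are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"


# Constructed approved ACL matrix: what change management signed off on.
APPROVED_MATRIX = {
    Rule("10.0.1.0/24", "10.0.2.10", 443, "allow"),
    Rule("10.0.1.0/24", "10.0.2.11", 3306, "deny"),
    Rule("0.0.0.0/0", "10.0.2.10", 22, "deny"),
}

# Constructed firewall export (assumed one-rule-per-line format): the SSH
# deny from anywhere has been silently flipped to an allow.
DEPLOYED_EXPORT = """
# src dst port action
10.0.1.0/24 10.0.2.10 443 allow
10.0.1.0/24 10.0.2.11 3306 deny
0.0.0.0/0 10.0.2.10 22 allow
"""


def parse_rules(text: str) -> set[Rule]:
    """Parse the assumed export format, skipping blank and comment lines."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, action = line.split()
        rules.add(Rule(src, dst, int(port), action.lower()))
    return rules


def acl_drift(deployed: set[Rule], approved: set[Rule]) -> dict:
    """Rules present without approval, and approved rules that have vanished."""
    return {
        "unapproved": sorted(deployed - approved, key=str),
        "missing": sorted(approved - deployed, key=str),
    }


if __name__ == "__main__":
    for kind, rules in acl_drift(parse_rules(DEPLOYED_EXPORT), APPROVED_MATRIX).items():
        for rule in rules:
            print(f"{kind}: {rule}")  # each hit is a candidate SOC alert
```

Feeding the same comparison from a scheduled job into the SIEM turns a quiet rule change into an alert instead of a surprise during the next review.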
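The maximum password length point above, as an added example that is not from the article or from Vairav: a validator that bounds the password in UTF-8 bytes and refuses to hash anything larger, so a submission of thousands of characters is rejected before it costs the server a single KDF iteration. The byte limits and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

MIN_BYTES = 12      # assumed policy minimum
MAX_BYTES = 128     # assumed cap: room for passphrases, bounded for the server
ITERATIONS = 200_000  # assumed PBKDF2-HMAC-SHA256 cost
SALT_LEN = 16


def check_password(pw: str) -> str:
    """Return 'ok' or a rejection reason. Length is measured in UTF-8 bytes,
    which is what the hash function actually sees."""
    n = len(pw.encode("utf-8"))
    if n < MIN_BYTES:
        return "too_short"
    if n > MAX_BYTES:
        return "too_long"
    return "ok"


def hash_password(pw: str) -> bytes:
    """Hash only after the length check passes; oversized input never reaches the KDF."""
    verdict = check_password(pw)
    if verdict != "ok":
        raise ValueError(verdict)
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)


def verify_password(pw: str, stored: bytes) -> bool:
    """Same bound on the login path, so a login form cannot be used to burn CPU."""
    if check_password(pw) != "ok":
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    print(check_password("x" * 100_000))                            # too_long
```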
I look forward to having an open discussion with you. I’d like to invite you to Vairav Technology, a cyber security firm where technology blends perfectly with experts and the result is unmatched. Try us.
Every cyber battle is won before it is fought - King Prithvi Narayan Shah