InfoSec Insider

Three Areas to Consider, to Focus Your Cyber-Plan

DNS, rogue employees and phishing/social engineering should be top of the list of threat areas for organizations to address.

How’s this for concerning news: Half of all organizations don’t have the wherewithal to stop malicious actors from stealing sensitive information, taking down critical assets or damaging customer trust.

According to a recent report from FireEye, 51 percent of organizations don’t believe they are ready for a cyberattack or breach event. Even worse, 29 percent of companies that have a plan in place to address such an event have not updated, tested or reviewed that plan in more than 12 months.

In cybersecurity, twelve months is a lifetime. Malicious actors are always moving and updating their tactics to bypass security measures implemented by organizations and governments. Waiting 12 months to review, test or update cybersecurity responses is like waiting until the engine has exploded to get an oil change. It’s just too late.

There are a myriad of things organizations can do to prepare for cyberattacks. Three-quarters (76 percent) of organizations are getting a good start with a plan to increase their cybersecurity budget in 2020, with 39 percent of U.S. companies increasing their budgets by 10 percent or more. This is excellent news because the first step in preparing for cyberattacks is allocating sufficient resources to tackle the problem. With budgets secured, there are dozens of options available to prepare for cyberattacks.

In terms of prioritizing that budget, remember that everything intrinsically valuable to a company goes over the network, with sensitive information passing from device to device. Security professionals must understand the pathways to look for, and the key positions where hackers are trying to gain a foothold.

With that in mind, here are three primary areas where security professionals should focus their efforts to thwart threats.

DNS translates domain names (mywebsite.com) to IP addresses so browsers can load Internet resources. DNS is the lynchpin of the internet. Without it, everything reverts to an archaic system where people would be required to remember IP addresses to make TCP/IP connections. DNS has made the internet a more user-friendly place. The problem, though, is that DNS is an unencrypted, easily exploitable protocol that hackers love to use. By leveraging DNS, malicious hackers can leak sensitive data by sending it through DNS requests or queries that look something like this: 87a797a48cba94ee585ee2c0d7d6f4cce4dd12f77192a4d0bc562938fb62b1.randomdomain.com.

These types of queries result in NXDOMAIN responses (essentially the response is a rejection because the record doesn’t exist). Those entries don’t exist in a public DNS, but are received by malicious hackers, decrypted and used for reprehensible actions like stealing critical data and selling it to the highest bidder. Well-prepared organizations monitor DNS queries on their network to spot these strange-looking requests and rejection responses.
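The monitoring described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the log format (`client qname rcode`), the thresholds and all addresses are assumptions, and the sample log is constructed around the query shown in the text.

```python
import hashlib
import math
from collections import Counter, defaultdict

MIN_LABEL_LEN = 30      # assumed thresholds; tune against your own baseline
MIN_ENTROPY = 3.0       # bits per character
MIN_HITS = 3            # distinct suspicious names per (client, parent domain)

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parent_domain(qname):
    # Naive: last two labels. Production code should use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def looks_encoded(qname):
    """True when the leftmost label is long and close to random."""
    label = qname.split(".")[0]
    return len(label) >= MIN_LABEL_LEN and entropy(label) >= MIN_ENTROPY

def find_exfil_candidates(log_lines):
    """Return {(client, parent_domain): sorted suspicious names} above MIN_HITS."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, rcode = parts
        qname = qname.lower()
        if rcode == "NXDOMAIN" and looks_encoded(qname):
            hits[(client, parent_domain(qname))].add(qname)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= MIN_HITS}

def sample_log():
    """Constructed log: 'client qname rcode' per line (not real traffic)."""
    page_example = ("87a797a48cba94ee585ee2c0d7d6f4cce4dd12f77192a4d0"
                    "bc562938fb62b1.randomdomain.com")
    lines = ["10.0.4.17 www.example.com NOERROR",
             "10.0.7.52 wwww.example.com NXDOMAIN",   # typo, not exfiltration
             f"10.0.4.17 {page_example} NXDOMAIN"]
    for i in range(3):  # more chunks in the same shape, generated for the demo
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:62]
        lines.append(f"10.0.4.17 {label}.randomdomain.com NXDOMAIN")
    return lines

if __name__ == "__main__":
    for (client, domain), names in find_exfil_candidates(sample_log()).items():
        print(f"{client} -> {domain}: {len(names)} encoded NXDOMAIN queries")
```

Requiring several distinct encoded names per client and parent domain keeps a single mistyped hostname from raising an alert.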

For security professionals who are serious about protecting their organization, user behavior is a critical area to focus on. Network traffic analytics is the best way to understand what users are regularly doing on the network and to quickly spot any unusual behavior. For example, when your marketing team starts connecting to servers that contain important financial details, it is very likely that this activity is unwanted and should be immediately investigated.

Normal traffic patterns are easily computed when organizations collect network traffic metadata (e.g., NetFlow, IPFIX, etc.) from across the network. This metadata provides nearly everything an organization needs to understand how the network is used – including every record of every conversation. But more importantly, it provides the critical information needed to understand how malicious actors are using it.

The FireEye report outlined the fact that phishing attacks are one of the biggest threats to organizations. Almost a fifth (20 percent) of organizations that have experienced a cyberattack in the last 12 months found that it started with a phishing email. Phishing attacks account for 90 percent of all data breaches and have skyrocketed by 65 percent in the last year. By monitoring user behavior, businesses can gain significant insight into which machines may have been compromised during a phishing attack. When one user is exposed, security professionals can look at other users to see if they have similar traffic patterns, or if they clicked on the same email link as the exposed user. This lets the security professional quickly build a list of suspected machines that are likely infected with the same malware.
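The two uses of flow metadata described above, spotting a group that strays from its normal destinations and building a list of machines that reached the same destination as an exposed user, are shown in this added example. It is not code from the article; the flow tuples stand in for NetFlow/IPFIX records, and the host-to-group mapping and every address are constructed for the demo.

```python
from collections import defaultdict

# Constructed flow metadata (src, dst, dst_port), as exported via NetFlow/IPFIX.
# Host-to-group mapping and all addresses are assumptions for this demo.
GROUPS = {"10.1.0.11": "marketing", "10.1.0.12": "marketing",
          "10.2.0.21": "finance", "10.2.0.22": "finance"}
BASELINE = [("10.1.0.11", "10.9.0.5", 443), ("10.1.0.12", "10.9.0.5", 443),
            ("10.2.0.21", "10.9.0.80", 1433), ("10.2.0.22", "10.9.0.80", 1433)]
TODAY = [("10.1.0.11", "10.9.0.5", 443),
         ("10.1.0.12", "10.9.0.80", 1433),      # marketing -> finance database
         ("10.1.0.11", "203.0.113.50", 443),    # destination from phishing link
         ("10.2.0.22", "203.0.113.50", 443),
         ("10.2.0.21", "10.9.0.80", 1433)]

def build_baseline(flows):
    """Destinations (ip, port) each group normally talks to."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        seen[GROUPS.get(src, "unknown")].add((dst, port))
    return seen

def deviations(flows, baseline):
    """Flows whose destination is new for the source host's group."""
    return [(src, dst, port) for src, dst, port in flows
            if (dst, port) not in baseline[GROUPS.get(src, "unknown")]]

def pivot(flows, baseline, exposed_host):
    """Other hosts that reached the same never-before-seen destinations
    as a host known to be exposed."""
    known = set().union(*baseline.values())
    new_dsts = {(d, p) for s, d, p in flows
                if s == exposed_host and (d, p) not in known}
    return sorted({s for s, d, p in flows
                   if (d, p) in new_dsts and s != exposed_host})

if __name__ == "__main__":
    base = build_baseline(BASELINE)
    print("deviations:", deviations(TODAY, base))
    print("also suspect:", pivot(TODAY, base, "10.1.0.11"))
```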

In short, in preparation for cyberattacks, creating a baseline of traffic patterns is critical. Such a baseline would include information like DNS queries and geographic details down to city-level information, as well as information related to TLS connections (e.g., TLS version, cipher suite, and certificate subject/common name). This information, when correlated across the network, will provide the context for the traffic behavior, and alert network and security professionals to behaviors and traffic patterns that indicate the start of a cyberattack.

Justin Jett is director of audit and compliance for Plixer.
