When devising a strategy for business IT security, it’s been conventional to focus investment and effort on keeping intruders out of core applications and data stores. Constructing a secure perimeter and then limiting access to approved parties is regarded as the textbook approach.
Unfortunately, however, this strategy offers little protection if an intrusion has already occurred. If threat actors have compromised security barriers and gained access to critical systems, the best Next Gen firewall in the world will be of no help.
More than capturing log files
Some organisations are confident they’ll be able to spot unauthorised activity within their IT systems through analysis of log files. Often having invested significant amounts in tools needed to collect, store and inspect these files, they believe threat actors will leave a trail of digital breadcrumbs that can later be followed and acted upon.
Depending on how they have been configured, logs gather different types of information. This can include dates and times of certain events, user activity and the IP addresses of devices connecting to the network.
However, if a threat actor carries out an action that has not been pre-defined as something to be logged, it will simply go unnoticed. The IT team won’t know what it doesn’t know, and the intrusion may not be noticed for an extended period – if at all.
Once they have gained access to an organisation’s IT infrastructure, threat actors often make use of a technique dubbed ‘living off the land’. This involves making use of tools that are native to the Microsoft Windows environment and are regularly used by legitimate system administrators.
These tools allow threat actors to move laterally between systems and even create new accounts that appear to be those of legitimate users. Once entrenchment has occurred, spotting their activities becomes even more difficult.
Thorough preparation is the key
To deal with unauthorised intrusions - both before and after they occur – an organisation’s IT team must take a series of important steps. These include:
- Have a plan: As part of an overall security strategy, a first step is to create an incident response ‘play book’. If a data breach or intrusion is identified, this document will guide staff through the pre-determined steps that should be followed. This will ensure any response is thorough and effective whilst ensuring IT staff are aware of their responsibilities during an incident
- Enhance endpoint logging: Logging tools are usually focused on an organisation’s servers and databases, however endpoints are becoming the attack vector of choice for many threat actors. For this reason, existing logging tools should be fine-tuned to ensure they are also logging activity observed on any devices connecting to the corporate network.
- Increase user awareness: Even in 2018, employees are still falling for emails that appear authentic but are actually coming from a malicious threat actor. They might contain malicious code or a link to a fake website that harvests personal details. Regular education sessions should be held to ensure all staff are aware of the risks being faced.
- Limit access: It is good security protocol to follow a strategy of ‘least privilege’, ensuring staff only have access to the systems they require for their particular role. For example, someone moving from finance to sales should have their access to finance systems revoked. This means that, if their account is compromised, the systems to which the threat actor will have access is limited.
- Reduce admin accounts: Administrator accounts provide the widest level of access to an IT infrastructure. For this reason, it makes sense to reduce the number of these accounts within any organisation.
- Regular patching of systems: It may seem an obvious step, but a large number of organisations have systems that have not been patched with the most recent software updates available. Having a regular patching process is therefore vital and reduces the attack surface greatly.
- Don’t panic! Finally, if an intrusion is detected, don’t immediately disconnect systems and attempt to remove any associated malware. A better approach is to work with a security specialist who can observe what activity is taking place and advise on the best course of remediation.
IT security is an increasingly important area and paying attention to factors beyond the perimeter is vital. By taking the time to prepare and put in place a series of measured steps, an organisation can be confident it will be able to deal with incidents if or when they happen.