Denial-of-Service & Distributed Denial-of-Service Attacks

A denial-of-service (DoS) attack overwhelms a system’s resources so that it cannot respond to service requests. A distributed denial-of-service (DDoS) attack also targets a system’s resources, but it is launched from a large number of other host machines that have been infected by malicious software and are all controlled by the perpetrator.

Unlike attacks that are designed to gain or increase access, a denial-of-service attack provides no direct benefit to the attacker, unless the attacked resource belongs to a business competitor, in which case the benefit to the hacker is real and measurable. Another purpose of a DoS attack can be to take a system offline so that a different kind of attack can be launched afterwards.

There are several types of DoS and DDoS attacks. The most common are ping-of-death attacks, TCP SYN flood attacks, teardrop attacks, smurf attacks, and botnets.

Ping of death attacks

This type of attack pings a system with IP packets larger than the maximum of 65,535 bytes. IP packets of this size are not allowed, so the attacker fragments the packet. When the target system reassembles the fragments, it can experience a buffer overflow, leaving the system vulnerable.

Ping of death attacks can be avoided by using a firewall that checks the total size of fragmented IP packets.
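The size check described above, as an added illustration that is not code from the article: a firewall tracks the fragments of each datagram and rejects one whose implied reassembled size exceeds the IPv4 limit. The overlap check is a general reassembly-sanity rule added here, and the fragment values are constructed.

```python
"""IP fragment sanity check as a firewall would apply it (added illustration,
not from the article).

IPv4's Total Length field is 16 bits, so a datagram can carry at most 65,535
bytes including its header. The ping-of-death condition is a set of fragments
whose offsets and lengths imply more than that once reassembled; the check
below spots it before any host tries to reassemble. The overlap rule is a
general reassembly-sanity check, not something the article describes.
"""
from dataclasses import dataclass

IPV4_MAX_TOTAL_LENGTH = 65535   # 16-bit Total Length field, header included
IPV4_HEADER_LENGTH = 20         # assumed: no IP options
MAX_DATA_BYTES = IPV4_MAX_TOTAL_LENGTH - IPV4_HEADER_LENGTH  # 65,515


@dataclass(frozen=True)
class Fragment:
    """The IPv4 header fields that reassembly depends on."""
    ident: int            # Identification: shared by all fragments of one datagram
    offset_units: int     # Fragment Offset, in units of 8 bytes
    data_len: int         # bytes of data carried after the IP header
    more_fragments: bool  # MF flag: False only on the last fragment

    @property
    def start(self):
        return self.offset_units * 8

    @property
    def end(self):
        return self.start + self.data_len


def check_datagram(fragments):
    """Return (verdict, detail) for the fragments of one datagram.

    'oversize': reassembled data would exceed MAX_DATA_BYTES (ping of death);
    'overlap' : two fragments claim the same bytes;
    'ok'      : size and layout are sane (detail = reassembled data length).
    """
    if len({f.ident for f in fragments}) != 1:
        raise ValueError("fragments must share one Identification value")
    for f in fragments:
        if f.end > MAX_DATA_BYTES:
            return "oversize", f.end
    ordered = sorted(fragments, key=lambda f: f.start)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start < prev.end:
            return "overlap", cur.start
    return "ok", ordered[-1].end


def filter_datagrams(fragments):
    """Group a mixed fragment stream by Identification and check each datagram."""
    by_id = {}
    for f in fragments:
        by_id.setdefault(f.ident, []).append(f)
    return {ident: check_datagram(frags)[0] for ident, frags in by_id.items()}


# Constructed sample traffic: a normal 3-fragment ping (ident 1), a ping of
# death (ident 2: starts at byte 65,512 and ends at 65,552) and a datagram
# whose second fragment starts at byte 800, inside the first (ident 3).
SAMPLE = [
    Fragment(1, 0, 1480, True), Fragment(1, 185, 1480, True), Fragment(1, 370, 1480, False),
    Fragment(2, 8189, 40, False),
    Fragment(3, 0, 1480, True), Fragment(3, 100, 1480, False),
]
```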

TCP SYN flood attacks

This type of cyberattack aims to make a server unavailable to legitimate traffic by consuming all of its available resources. The attacker floods the target system’s connection queue with initial connection request (SYN) packets but never responds when the attacked system replies to those requests. The victim’s system waits for those responses until they time out, and once the connection queue fills up, the system becomes unavailable.

To counter such cyberattacks, you should consider setting up a firewall to stop inbound SYN packets and you can also increase the size of the connection queue while decreasing the timeout interval on open connections.
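A small simulation of the connection queue, added here and not taken from the article, shows why the two tuning knobs above matter: each SYN holds a slot until the handshake completes or the slot times out, and the traffic is constructed.

```python
"""SYN backlog simulation (added illustration, not from the article).

Models the server's half-open connection queue. Spoofed SYNs that never
complete the handshake occupy slots until they time out; when the queue is
full, a legitimate client's SYN is refused. Enlarging the queue or shortening
the timeout (the article's two knobs) changes the outcome. All traffic here
is constructed; nothing touches the network.
"""


class SynBacklog:
    def __init__(self, capacity, timeout):
        self.capacity = capacity    # number of half-open connections the queue holds
        self.timeout = timeout      # seconds a half-open entry is kept
        self.pending = {}           # (src_ip, src_port) -> time the SYN arrived
        self.refused = 0
        self.established = 0

    def _expire(self, now):
        for key, arrived in list(self.pending.items()):
            if now - arrived >= self.timeout:
                del self.pending[key]

    def on_syn(self, src, now):
        """A SYN takes a slot if one is free after expiring stale entries."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src, now):
        """The client's final handshake message releases its slot."""
        if src in self.pending:
            del self.pending[src]
            self.established += 1
            return True
        return False


def run(events, capacity, timeout):
    """events: (time, 'syn'|'ack', src). Returns (established, refused)."""
    backlog = SynBacklog(capacity, timeout)
    for t, kind, src in sorted(events):
        if kind == "syn":
            backlog.on_syn(src, t)
        else:
            backlog.on_ack(src, t)
    return backlog.established, backlog.refused


def flood_then_client(n_flood, client_time):
    """Constructed scenario: n spoofed SYNs at t=0 that never complete the
    handshake, then one legitimate client that does."""
    events = [(0.0, "syn", ("198.51.100.1", 40000 + i)) for i in range(n_flood)]
    client = ("203.0.113.5", 51515)
    events += [(client_time, "syn", client), (client_time + 0.1, "ack", client)]
    return events
```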

Teardrop attacks

This attack involves sending fragmented packets to a machine. The attacked system attempts to reconstruct packets during the process but fails and eventually crashes.

If you do not have patches to protect against teardrop attacks, then you should disable SMBv2, and block ports 139 and 445.

Smurf attacks

By utilizing IP spoofing and Internet Control Message Protocol (ICMP) echo requests, hackers can overwhelm a target network with traffic. These ICMP requests originate from a spoofed “victim” address. For instance, if the victim’s IP address is 10.0.0.90, the attacker would spoof an ICMP echo request from 10.0.0.90 to the broadcast address 10.255.255.255. This request would go to all IPs in the range, with all the responses going back to 10.0.0.90, overwhelming the network. Unfortunately, this process can be automated to generate huge amounts of fraudulent network traffic.

To protect your devices from a smurf attack, you should disable IP-directed broadcasts on the routers. This will prevent the ICMP echo broadcast request at the network devices. Another solution would be to configure the end systems to not respond to ICMP packets from broadcast addresses.
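The router-side filter described above, as an added illustration that is not code from the article: it drops echo requests aimed at a network's broadcast address and, as the RFC 3704 ingress filtering mentioned under "Botnets" below, drops packets arriving from outside that claim an inside source. The interface layout and the traffic records are constructed.

```python
"""Directed-broadcast and spoofed-source filter over ICMP records (added
illustration, not from the article).

Two router-side defenses: drop ICMP echo requests addressed to the broadcast
address of a local network (the smurf amplifier, e.g. 10.0.0.90 ->
10.255.255.255 for 10.0.0.0/8), and RFC 3704-style ingress filtering that
drops packets arriving on the outside interface while claiming an inside
source. The inside networks and the records are constructed.
"""
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST = 8
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Networks on the router's inside interfaces (assumed configuration).
INSIDE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.0/24")]


def is_directed_broadcast(dst, networks=INSIDE_NETWORKS):
    """True when dst is the broadcast address of one of our networks."""
    return any(dst == net.broadcast_address for net in networks)


def is_inside_address(addr, networks=INSIDE_NETWORKS):
    return any(addr in net for net in networks)


def classify(record, networks=INSIDE_NETWORKS):
    """Verdict for one record: {'src', 'dst', 'icmp_type', 'ingress': 'outside'|'inside'}."""
    src = ipaddress.ip_address(record["src"])
    dst = ipaddress.ip_address(record["dst"])
    # Ingress filtering: a packet from the outside must not carry an inside source.
    if record["ingress"] == "outside" and is_inside_address(src, networks):
        return "drop-spoofed-source"
    # No echo request is delivered to a broadcast address, whoever sent it.
    if record["icmp_type"] == ICMP_ECHO_REQUEST and (
            dst == LIMITED_BROADCAST or is_directed_broadcast(dst, networks)):
        return "drop-directed-broadcast"
    return "forward"


def summarize(records, networks=INSIDE_NETWORKS):
    """Count verdicts and the source addresses named in dropped packets
    (in a smurf attack the named source is the intended victim)."""
    verdicts, named_sources = Counter(), Counter()
    for rec in records:
        verdict = classify(rec, networks)
        verdicts[verdict] += 1
        if verdict != "forward":
            named_sources[rec["src"]] += 1
    return verdicts, named_sources


# Constructed records: the article's scenario arriving from outside, the same
# request launched from inside, a broadcast to another subnet, and ordinary
# echo request/reply traffic.
SAMPLE_RECORDS = [
    {"src": "10.0.0.90", "dst": "10.255.255.255", "icmp_type": 8, "ingress": "outside"},
    {"src": "10.0.0.90", "dst": "10.255.255.255", "icmp_type": 8, "ingress": "inside"},
    {"src": "203.0.113.9", "dst": "192.168.1.255", "icmp_type": 8, "ingress": "outside"},
    {"src": "203.0.113.9", "dst": "10.0.0.12", "icmp_type": 8, "ingress": "outside"},
    {"src": "10.0.0.12", "dst": "203.0.113.9", "icmp_type": 0, "ingress": "inside"},
]
```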

Botnets

A botnet is a network of computers infected with malware and under the hacker’s control. These bots are used to execute attacks against a victim’s system, often overwhelming the target system’s bandwidth and processing capabilities. These DDoS attacks are difficult to trace because the bots are spread across different geographic locations.

Botnets can be mitigated by RFC 3704 filtering, which denies traffic from spoofed addresses and helps trace traffic to its correct source.

Another solution is black hole filtering, which rejects undesirable traffic before it enters a network.

Conclusion

NetScout Systems, a network performance software vendor, reported that in the first half of 2021, threat actors launched 5.4 million DDoS attacks. More than 50% of those were DDoS extortion attacks in the financial industry.

According to Kaspersky, in the last quarter of 2021, the total number of DoS attacks increased by 52% compared to the previous quarter, and was 4.5 times higher than in Q4 of 2020.

As businesses and financial institutions evolve, it is essential to have a cybersecurity strategy in place that includes not only professional human intervention, but also automated solutions that can detect and block modern DDoS attacks.

Types Of Cybersecurity Attacks

A cyberattack is a deliberate attempt to breach the information system of an individual or an organization. Below we describe some of the most common types of cyberattacks.

Man-in-the-middle (MitM) attacks

This type of attack occurs each time a hacker gets fraudulent access to a client-server or other private communication. The most common types of man-in-the-middle attacks are the following.

Session hijacking occurs when an attacker takes over a session between a trusted client and a server. The attacking device replaces its IP address with that of the trusted client. If the server continues the session, the attack has succeeded.

IP spoofing is used to disguise the attacker’s IP address, usually with randomized numbers. IP stands for Internet Protocol, the set of rules governing the format of data sent over the internet or a local network. The IP address is the identifier that allows data to be sent between devices on a network: it contains location information and makes devices reachable for communication.

To prevent such attacks, organizations rely on deep packet inspection (DPI) solutions, which perform granular analysis of all headers, not just the IP address.

A replay attack occurs every time a hacker intercepts and saves old communication and then reopens a discussion, impersonating one of the participants.

To counter such attacks, IT security teams use session timestamps and a cryptographic nonce (“number only used once”), a random number that can be used just once in a cryptographic communication.
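The timestamp-plus-nonce defense described above, worked through as an added example that is not code from the article: the client authenticates time, nonce and body with an HMAC, and the server rejects stale or already-seen requests. The shared key, the freshness window and the request bodies are constructed.

```python
"""Replay-attack guard built from a timestamp and a nonce (added illustration,
not from the article).

The client stamps each request with the current time and a fresh random nonce
and authenticates all of it with an HMAC over a shared key; the server rejects
any request whose tag fails, whose timestamp is outside the freshness window,
or whose nonce it has already accepted. A captured request therefore cannot be
re-sent later. The shared key, window and request bodies are constructed.
"""
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 30  # how far a request's timestamp may be from the server's clock


def sign_request(key, body, nonce, ts):
    """Tag = HMAC-SHA256(key, ts | nonce | body); ts and nonce never contain '|'."""
    message = f"{ts}|{nonce}|{body}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def make_request(key, body, now):
    """Client side: attach a fresh nonce, the send time and the tag."""
    nonce = secrets.token_hex(16)
    return {"body": body, "nonce": nonce, "ts": now,
            "tag": sign_request(key, body, nonce, now)}


class ReplayGuard:
    """Server side: verifies tag, freshness and nonce uniqueness, in that order."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp of the request it was accepted with

    def _forget_expired(self, now):
        # A nonce older than the window cannot be replayed anyway: the
        # timestamp check would already reject it, so it can be dropped.
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def accept(self, req, now):
        """Return (accepted, reason)."""
        expected = sign_request(self.key, req["body"], req["nonce"], req["ts"])
        if not hmac.compare_digest(expected, req["tag"]):
            return False, "bad signature"      # tampered body, nonce or time
        if abs(now - req["ts"]) > self.window:
            return False, "stale timestamp"    # too old, or clocks far apart
        self._forget_expired(now)
        if req["nonce"] in self.seen:
            return False, "replayed nonce"     # the same request was seen already
        self.seen[req["nonce"]] = req["ts"]
        return True, "ok"
```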

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks

A denial-of-service attack overwhelms a system so that it cannot respond to service requests. Similarly, a DDoS attack targets the system’s resources, but it is launched from several host machines controlled by the perpetrator.

Unlike cyberattacks that are designed to penetrate a system to get unauthorized access, DoS attacks do not provide direct benefits for attackers. However, if the targeted resource belongs to a competitor, then the benefit to the attacker can be measured.

A DoS attack can also be used to take a system offline to facilitate a different kind of attack.

There are several types of DoS attacks, such as teardrop attacks, botnets, etc.

Drive-by download attacks

Generally, drive-by download attacks are used to spread malware. Hackers look for insecure websites and exploitable vulnerabilities and insert malicious scripts into the HTTP or PHP code of some of the pages. These scripts may install malware directly onto the victim’s device when he or she visits the website, or redirect the victim to a second website controlled by the hackers.

A drive-by download will target an app or a web browser that is vulnerable due to lack of updates.

To protect your organization against such attacks, keep your browsers and operating systems up to date and avoid loading insecure, suspicious websites.

Phishing & spear phishing attacks

Unfortunately, phishing attacks are increasingly popular among hackers. This type of cyberattack usually involves sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing victims into taking certain action.

Such an attack combines social engineering and technical methods. It could be an email attachment or a link to an illegitimate website that can trick you into downloading malware or disclosing personal information.

Spear phishing is a targeted type of phishing activity. Attackers closely investigate their targets and create messages that are personal and relevant. Therefore, spear phishing can be very hard to identify and even harder to defend against.

Hackers usually utilize email spoofing for conducting spear phishing attacks. Basically, they change the sender’s email address, making it appear as if it is coming from someone you know, maybe a manager (e.g. CEO fraud) or a colleague/partner.

To reduce the risk of being phished, you should apply the following suggestions:

  • Analyze any email you consider suspicious.
  • Do not click a suspicious link. Instead, move your mouse cursor over it to see the destination URL.
  • Check the email headers, which record how the email reached your address. The “Reply-To” and “Return-Path” values should lead to the same address as the sender named in the email.
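The last two checks, as an added example that is not code from the article: parse a message, compare Reply-To and Return-Path with the From address, and flag links whose visible text names a different host than their real destination (the hover check, done on the HTML). The message is constructed and the URL-matching is a heuristic.

```python
"""Suspicious-email header and link check (added illustration, not from the
article).

(1) Reply-To and Return-Path should match the From address;
(2) a link whose visible text looks like a URL should point at that host.
The messages below are constructed for the example.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that a reader would take as a destination: optional scheme,
# a dotted hostname, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def header_findings(msg):
    """Findings about the sender-related headers of a parsed message."""
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value is None:
            continue
        addr = parseaddr(value)[1].lower()
        if addr != from_addr:
            findings.append(f"{hdr} <{addr}> differs from From <{from_addr}>")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html_body):
    """Flag links whose visible text names a different host than the href."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown = URL_LIKE.match(text)
        real_host = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real_host:
            findings.append(f"link shows {shown.group(1).lower()} but goes to {real_host}")
    return findings


def analyze(raw_message):
    msg = email.message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode()
    return header_findings(msg) + link_findings(body)


# Constructed CEO-fraud style message: mismatched headers and a deceptive link.
SAMPLE_EMAIL = """\
From: "Pat Smith (CEO)" <pat.smith@example.com>
Reply-To: pat.smith.ceo@mail-example.net
Return-Path: <bounce@mail-example.net>
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please approve today via <a href="http://login.mail-example.net/x">https://portal.example.com</a>.</p>
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: alice@example.com
Reply-To: alice@example.com
Content-Type: text/html

<p>The <a href="https://example.com/doc">document</a> is attached.</p>
"""
```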

Password attacks

As we all know, passwords are the most used mechanism to authenticate to any information system. Access to a person’s password can be obtained by using social engineering, gaining access to a password database, etc.

Two of the most common password attacks are brute-force attacks and dictionary attacks.

The brute-force attack occurs when hackers or preconfigured bots try many different combinations, such as old passwords, stolen personal information, etc.

The dictionary attack involves a dictionary of common passwords that is used to attempt to gain access to a user’s computer and network.

To protect against dictionary or brute-force attacks, you should implement an account lockout policy that will block any login attempt after a few invalid user/password combinations.
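The lockout policy just described, implemented as an added example that is not code from the article: failures are counted per account within a window, the account is locked for a set duration once the limit is reached, and a success resets the count. The user records and the injectable clock are constructed for the example.

```python
"""Account lockout policy for a password login (added illustration, not from
the article).

After max_failures failed attempts within `window` seconds the account is
locked for `lock_duration` seconds; a successful login resets the counter.
Unknown accounts are treated exactly like wrong passwords so the lockout
does not reveal which usernames exist. The clock is injectable for testing.
"""
import hashlib
import hmac
import os
import time


class LockoutPolicy:
    def __init__(self, max_failures=5, window=300, lock_duration=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self.clock = clock
        self.failures = {}      # user -> timestamps of recent failures
        self.locked_until = {}  # user -> time the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:       # lock expired: start with a clean slate
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock_duration

    def record_success(self, user):
        self.failures.pop(user, None)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; iteration count is an example value."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self, policy):
        self.policy = policy
        self.users = {}  # constructed user store: name -> (salt, digest)

    def add_user(self, name, password):
        self.users[name] = hash_password(password)

    def login(self, name, password):
        """Return 'locked', 'ok' or 'denied'."""
        if self.policy.is_locked(name):
            return "locked"                 # not even checked while locked
        stored = self.users.get(name)
        ok = False
        if stored:
            salt, digest = stored
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.policy.record_success(name)
            return "ok"
        self.policy.record_failure(name)
        return "denied"
```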

SQL injection attacks

SQL injection has become a common issue with database-driven websites. It occurs when the hacker gets the database to execute SQL queries supplied through input fields.

A SQL injection attack can allow the perpetrator to read information from the database, insert, update, or delete database data, execute admin operations, recover the content of a certain file, etc.

To protect your organization from a SQL injection attack, apply the least privilege model of permissions in your databases.
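As an added example that is not code from the article, the injectable lookup beside its parameterized fix, with the least-privilege advice modelled by restricting the web application's connection to reads; the table is an in-memory SQLite database constructed for the example.

```python
"""SQL injection: concatenated query beside its parameterized fix, plus a
least-privilege connection (added illustration, not from the article).

The vulnerable lookup builds the SQL text from user input, so the input can
change the query's logic; the safe lookup binds the input as a parameter, so
it is only ever compared as a value. restrict_to_reads() models the article's
least-privilege advice with SQLite's authorizer hook. Data is constructed.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Query text built by concatenation: the input becomes SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Bound parameter: the input reaches the engine separately from the SQL text."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def restrict_to_reads(conn):
    """Least privilege for the application's connection: allow SELECT and
    column reads (and the FUNCTION calls they may need); deny everything else,
    so even a successful injection cannot modify or delete data."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def attempt_delete(conn):
    """Return True when the connection's privileges stop a DELETE."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.DatabaseError:
        return True
    return False
```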

Cross-site scripting (XSS) attacks

XSS attacks use third-party resources to run scripts in the victim’s browser or application. The attacker injects malicious JavaScript into a website’s database. When the victim loads a web page, the server transmits the page with the attacker’s payload as part of the HTML body to the victim’s browser, which executes the malicious script. For instance, it might send the victim’s cookie to the attacker’s server, and the perpetrator can extract it and use it for session hijacking.

To defend against such cyberattacks, always make sure that you treat anything that generates data from outside your system as untrusted. Validate all the input data and create a whitelist of known, acceptable input. Examine and remove unwanted data.
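The stored-XSS case above, as an added example that is not code from the article: an unescaped renderer beside one that validates the author field against an allowlist pattern and HTML-escapes every value. The comment store and page template are constructed.

```python
"""Stored XSS: an unescaped renderer beside its validated, escaped fix (added
illustration, not from the article).

The vulnerable renderer pastes stored text straight into the HTML body, so a
stored <script> element runs in every visitor's browser. The hardened one
checks the author field against an allowlist and HTML-escapes every value
before output, so the same stored text is displayed as text.
"""
import html
import re

# Allowlist for the author field: 1-32 characters from a small known-good set.
AUTHOR_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

PAGE = "<html><body><h1>Comments</h1>{items}</body></html>"


def is_valid_author(author):
    return bool(AUTHOR_RE.match(author))


def render_vulnerable(comments):
    """Untrusted values interpolated as markup: an injected script survives."""
    items = "".join(f"<p><b>{c['author']}</b>: {c['text']}</p>" for c in comments)
    return PAGE.format(items=items)


def render_safe(comments):
    """Validate what can be validated; escape everything that reaches the page."""
    parts = []
    for c in comments:
        if not is_valid_author(c["author"]):
            raise ValueError("author outside allowlist")
        parts.append(f"<p><b>{html.escape(c['author'])}</b>: {html.escape(c['text'])}</p>")
    return PAGE.format(items="".join(parts))


def try_render_safe(comments):
    """Return the page, or None when validation rejects the input."""
    try:
        return render_safe(comments)
    except ValueError:
        return None


def has_raw_script(rendered):
    """Check used by the tests: is there an unescaped <script tag in the output?"""
    return "<script" in rendered.lower()


# Constructed comments: one benign, one carrying a script of the kind the
# article describes (here it only displays the cookie instead of sending it).
SAMPLE_COMMENTS = [
    {"author": "alice", "text": "Nice post!"},
    {"author": "mallory", "text": "<script>alert(document.cookie)</script>"},
]
```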

Malware attacks

Malicious software can be described as unwanted software that is installed within the victim’s information system. There are many types of malware that hackers use such as: macro viruses, file infectors, polymorphic viruses, trojans, etc.

Conclusion

A good defense requires understanding the offense. Unfortunately, attackers have many options, such as DDoS assaults, malware infections, and brute-force password attacks trying to gain unauthorized access to business data.

Measures to mitigate these threats vary, but IT security basics stay the same. So, keep your systems and anti-virus databases up to date, regularly train your employees, configure your firewall to whitelist only the specific ports and hosts you need, keep your passwords unique and strong, use a least-privilege model in your IT environment, make regular backups, and continuously audit your IT systems for suspicious activity.

What To Do After A Data Breach?

All organizations face the risk of a data breach because of a cyberattack or another type of security incident. Recovering from such an incident could be complicated, no matter how big or small your company is, especially if sensitive data is exposed.

How To Respond To A Data Breach?

If your business is the victim of a data breach and you are wondering how to react efficiently, consider the following steps to help minimize the impact.

Contain The Security Breach

Some people might be tempted to delete as many files as possible after a data breach occurs, but preserving evidence is crucial to assess how the breach occurred to prevent it from happening again.

Firstly, try to determine which servers, applications, and/or devices have been compromised and contain them as quickly as possible to ensure that the attack does not spread and damage more assets.

To stop an attack from spreading within your network, you should disconnect the affected servers and take your network offline as quickly as possible.

Change the credentials for all your critical accounts and servers.

If your IT staff is not specialized in digital forensics, you may want to hire a specialist to conduct the investigation.

Assess the Security Breach

You need to determine the root cause of the breach within your system to help prevent the same kind of attack from happening again.

If you have discovered that you are a victim of a broader attack that targeted multiple organizations, follow updates from authorities charged with monitoring the situation and report accordingly.

Key Aspects:

You need to identify who has access to the servers that were compromised, which network connections were active when the breach occurred, and how the attack was initiated.

You may be able to pinpoint how the attack vector penetrated your system by checking your firewall logs, your antivirus program, the email service, or your Intrusion Detection System.

You also need to find out who may have been affected by the breach, including employees, customers, and third-party vendors.

Assess how severe the data breach was by identifying what information was targeted, such as mailing addresses, specific accounts, credit/debit card numbers, etc.

Data Breach Notification Plan

Communicate with your staff and let them know what happened. Define clear authorizations for team members to report on the issue both internally and externally. Remaining on the same page with your team is paramount while your business is recovering from a security incident.

You may need to consult with your legal team to figure out the best way to avoid a legal hassle.

If you don’t have a cybersecurity plan in place or an IT security team to handle such situations, StratusPointIT professionals can help you defend against and recover from IT security incidents.

Key Aspects:

Notify your cyber insurance provider.

When a cyber event occurs, your insurance company may have experts who will walk you through the proper response steps. Contact your insurer as quickly as possible to limit the consequences of such an attack and for planning the next steps.

Notify your customers.

Communication is key to maintaining a positive, professional relationship with your customers. Provide them with means to specifically ask questions related to the breach.

Your employees should be aware of your organization’s policies regarding data breaches. Also, consider restricting your employees’ access to sensitive data based on their job roles and regularly train them about how to prepare for a data breach and how to avoid one.

Prevention Methods

The FBI has provided additional tips that can help businesses protect themselves against cyber incidents.

  • Never download attachments or click links within emails received from senders you do not recognize.
  • Do not provide usernames, passwords, social security numbers, financial data, or other personal information in response to an email or phone call.
  • Avoid using the same password for multiple accounts.

Your organization must evaluate the technologies in place and invest in more up-to-date solutions to ensure best protection.

Make sure you review and update information security policies, business continuity plans, and data breach response plans.

Also, conduct frequent security checks to help reduce the likelihood of a similar incident occurring again in the future and educate your staff about data breach protocols.

A data breach can be undoubtedly stressful, but if you take the necessary steps, it can make your business better prepared next time a similar incident occurs.

How to create an incident response plan?

An incident response plan is a well-documented plan that includes a series of phases that helps IT security professionals recognize and properly react to cybersecurity incidents.

According to Gartner, the SANS Institute (founded 1989) is one of the world’s premier cybersecurity training organizations. The SANS Institute methodology includes 6 incident response phases as follows: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Within each phase, there are specific areas that should be considered. Next, we will analyze each phase and identify the items that need to be addressed.

The Preparation Phase

This phase is all about ensuring your employees are properly trained regarding their incident response roles and responsibilities in the unfortunate event of a data breach.

Make sure all aspects of your incident response plan (security training, hardware, software resources, etc.) are approved and funded in advance.

Thoroughly explain and document everyone’s roles and responsibilities. This phase must be tested to ensure that your employees will perform as they were trained. The more prepared your employees are, the less likely they are to make critical mistakes.

Make sure that everyone has been trained on security policies, and that your incident response team members know their roles and have participated in mock drills.

This is also a good time to update and patch your systems, review your remote access protocols, change all user and administrative access credentials, and harden all passwords.

The Identification Phase

During this phase the security team determines whether your organization’s systems have been breached. A cybersecurity incident can originate from many different areas.

In short, you will record how and when the incident was discovered and who discovered it. You will follow the necessary steps to identify the source (point of entry) of the attack vector. Then you will assess how it affects your operations.

The Containment Phase

When a breach is first discovered, people are usually tempted to securely delete everything so they can just get rid of it. This approach will likely hurt the organization in the long run because you will be destroying valuable evidence that your IT security team will need to determine where the breach started and create a plan to prevent it from happening again.

Instead, contain the breach, quarantine the malware you have identified, so it does not spread and cause further damage to your business. If you can, disconnect affected devices from the Internet.

Have short-term and long-term containment strategies in place. Keeping up-to-date backups is essential to restore your business operations.

The Eradication Phase

Once you have contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be patched, and updates should be applied.

Whether you do this in-house, or hire a third party to handle it, you need to be thorough. If any piece of malware or security vulnerabilities remain in your systems, you may still be losing valuable data, and the liability will only increase.

The Recovery Phase

This is the process of restoring the affected systems back to a pre-attack version. During this time, it is important to get your systems, devices, and business operations up and running again.

Make sure you monitor the situation, especially the systems and apps that were previously affected, to ensure similar attacks do not reoccur, and update your security incident response plan accordingly.

Lessons Learned

Once the assessment is complete, gather all incident response team members and discuss what you have learned from the security incident. At this point you will analyze and document everything about the breach.

Documentation may be used for data breach insurance. This can save the company from prospective legal costs and fines, not to mention the brand damage associated with a data breach which can be harsh for a business, especially if the organization is a startup.

Identify what worked well in your response plan, what changes need to be applied, which weakness the breach exploited, etc. All the lessons you learn are valuable and will strengthen your organization against future cyberattacks.

No one wants to go through a security incident, but it is essential to prepare for one. Know what to do when it happens and regularly test your plan’s efficiency. For this purpose, regularly run simulated cyberattacks to test your organization’s incident response plan and how fast your team reacts. This habit will produce at least two important results: a deep understanding of your plan (tasks, processes) and a list of gaps that should be addressed. If there is room for improvement, all changes must be properly documented for them to have real, lasting value for your security operations team.

Azure Active Directory Conditional Access Policies

What is Conditional Access?

Azure Active Directory Conditional Access is a feature that helps businesses improve both cybersecurity and compliance. By applying such policies, organizations refine the authentication process, reducing the risk of unauthorized access.

Usually, it is the legitimate account owner typing in the username and password pair. Once logged in, the user can access all the data, applications, and business resources he or she has been granted permissions for. But sometimes it is an attacker who tries to log in with the user’s credentials, putting your organization at risk.

To reduce this risk, organizations can put additional authentication measures in place, such as multi-factor authentication (MFA) requiring the user to type the unique code sent to their mobile device, a fingerprint, etc.

This strategy is effective. Microsoft reports that 99.9% of organizational account compromises could be stopped simply by using MFA. The problem is that sometimes MFA alone can be insufficient, for instance when a privileged administrator is accessing highly sensitive resources. In such a case, additional evidence that the authentication request is legitimate is recommended.

The Conditional Access feature helps organizations strengthen the authentication process. For instance, you can create a policy that requires administrators, but not regular users, to complete the MFA step.

You can utilize variables like the user’s location and the type of authentication protocol being used. For instance, you can block all requests that come from certain countries, allow all requests from your headquarters location, and require MFA for all the rest.

Conditional Access Policies

When creating Conditional Access policies there are several basic actions you should take, such as:

  • Verify the user’s identity during sign-in.
  • Verify the security of the device used for the connection.
  • Require MFA for users, including all administrators.
  • Implement geo-blocking.
  • Disable legacy protocols that don’t support MFA (POP, IMAP, SMTP, ActiveSync).

Improving MFA

While multi-factor authentication contributes to a more secure account, burdening users with MFA challenges is not always the best approach. If users are required to go through MFA requests each time they open their accounts, they can fall into the trap of approving challenges without verifying the legitimacy of each request. Unfortunately, this could mean that someone accidentally accepts a sign-in request generated by a hacker. Therefore, user experience is extremely important when implementing Conditional Access policies.

So, instead of challenging a user with MFA at each login, create a strategy that combines signals to verify the identity of the user, for instance the user’s known location. Using multiple signals before requesting MFA drastically reduces the number of requests the user receives.

Business Data Protection

Conditional Access supports many features besides multi-factor authentication. Some organizations ignore the fact that anybody can install Outlook or OneDrive on a personal device, and then copy mailbox and data to that device. So, when an employee leaves, the company has no control over any data copied to these personal devices. Ensuring that users can copy business data only to company devices is crucial for compliance and security purposes.

Less is More

When the organization wants to change a policy, or the responsible team needs to investigate a sign-in, a high number of Conditional Access policies can make the task very challenging. Therefore, think about the bigger picture from the beginning of this process and combine as many conditions as possible into one policy.

Try to group policies based on different signals, such as: the type of data, type of user, and the ownership of the device.

When it comes to type of data, access to SharePoint should be stricter compared to Microsoft To-Do, which does not contain as much sensitive data.

Based on the type of user, administrator accounts need stricter policies than regular users.

The ownership of the device is very important because there is a big difference between the management of personal and corporate devices. Personal devices should not be trusted with as much data as corporate devices. The latter category usually has adequate security controls in place.
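The rules described in this article (block legacy protocols, block certain countries, always challenge administrators, skip the prompt for known locations on compliant devices, keep sensitive apps off personal devices) combined into one decision, as an added example that is not Azure AD's policy engine or any code from the article. The country codes, the headquarters address range, the admin roles and the app names are assumed.

```python
"""Conditional Access style policy evaluation (added illustration).

Not Azure AD's own engine: a model of the rules the article describes,
combined into one decision as the "Less is More" advice suggests. Signals:
protocol, sign-in country, source location, user role, device compliance and
the app (data type). Country codes, the headquarters range, the admin roles
and the app names are assumed for the example.
"""
import ipaddress
from dataclasses import dataclass

LEGACY_PROTOCOLS = {"pop3", "imap", "smtp", "activesync"}   # cannot complete MFA
BLOCKED_COUNTRIES = {"XA", "XB"}                             # placeholder codes
TRUSTED_LOCATIONS = {"headquarters": ipaddress.ip_network("198.51.100.0/24")}
ADMIN_ROLES = {"global-admin", "security-admin"}
SENSITIVE_APPS = {"SharePoint"}   # stricter than e.g. Microsoft To-Do, per the article


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset
    country: str
    source_ip: str
    protocol: str           # 'modern' or a member of LEGACY_PROTOCOLS
    device_compliant: bool  # managed corporate device meeting compliance policy
    app: str


def from_trusted_location(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS.values())


def evaluate(s):
    """Return (decision, reason) with decision in {'block', 'mfa', 'allow'}.

    Rules run from hardest to softest so the first match wins.
    """
    if s.protocol in LEGACY_PROTOCOLS:
        return "block", "legacy protocol cannot complete MFA"
    if s.country in BLOCKED_COUNTRIES:
        return "block", f"sign-in from blocked country {s.country}"
    if s.app in SENSITIVE_APPS and not s.device_compliant:
        return "block", "sensitive data is only reachable from managed devices"
    if s.roles & ADMIN_ROLES:
        return "mfa", "administrators always complete MFA"
    if from_trusted_location(s.source_ip) and s.device_compliant:
        return "allow", "known location on a compliant device: no MFA prompt"
    return "mfa", "no trusted signals: challenge the user"


# Constructed sign-ins covering each rule.
SAMPLE_SIGNINS = [
    SignIn("bob", frozenset(), "US", "198.51.100.20", "modern", True, "To-Do"),
    SignIn("bob", frozenset(), "US", "203.0.113.7", "imap", True, "Exchange"),
    SignIn("bob", frozenset(), "XA", "203.0.113.7", "modern", True, "To-Do"),
    SignIn("pat", frozenset({"global-admin"}), "US", "198.51.100.10", "modern", True, "To-Do"),
    SignIn("bob", frozenset(), "US", "198.51.100.20", "modern", False, "SharePoint"),
    SignIn("bob", frozenset(), "US", "198.51.100.20", "modern", False, "To-Do"),
    SignIn("bob", frozenset(), "US", "203.0.113.7", "modern", True, "To-Do"),
]


def decisions(signins=SAMPLE_SIGNINS):
    """The decision for each sign-in, in order."""
    return [evaluate(s)[0] for s in signins]
```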

Documentation is Necessary

As the number of active policies increases, documentation becomes important. It should include details of the configuration and a description of each policy. This will help you revert the policy to the original state and remind you why it was implemented in the first place. While this might not be necessary for smaller organizations, it is mandatory for enterprises.

Besides documenting policies, be sure to document exclusions: not just which ones are active, but, more importantly, who added them and why. This way you can review the exclusions and decide whether they are still useful.

In addition to implementing multi-factor authentication in an intuitive way, Conditional Access policies can limit what files users can access or download, in certain scenarios, improving the security of your organization.

Benefits Of Using A Password Manager

We all want our sensitive data to be protected, yet some users often rely on weak passwords because memorizing complex passwords is painful. This approach is dangerous.

Unless you want to constantly safeguard a hard copy list of all your passwords, you should consider setting up a password manager. Such a solution can help you easily oversee and handle all your login credentials for any online account and maintain proper password security.

These solutions are also very handy when it comes to auto-filling fields and syncing your data across PCs, Macs, iPhones, Android-powered devices, etc.

What is a Password Manager?

A password manager is basically an encrypted vault that securely stores login information used to access applications and accounts. Besides keeping your identity, credentials, and sensitive data safe, some password managers utilize a password generator to create strong, unique passwords every time. All passwords are stored in an encrypted database and locked behind a master password.

With all the recent cyber incidents, having a unique password for each account you use means that if one gets hacked, your stolen password can’t be used on other accounts. You are basically using multiple passwords to create your own security features.

A 2017 report from LastPass found that people had to remember 191 different passwords, on average, just related to their work.

While technology usually makes our lives easier, every new website or application we sign up for brings a new password to remember, and it is almost impossible to remember all of them. A 2021 LastPass survey reveals that 80% of respondents were concerned about changing passwords frequently, but 48% of them stated that they won’t change their password unless it is required.

By using large lists of stolen passwords bought off the dark web, hackers can brute force their way into other websites or use old passwords to extort users. According to the 2019 Verizon Data Breach Investigations report, 80% of data breaches are caused by compromised, weak, or reused passwords.

What are the benefits of using a password manager?

Firstly, you don’t have to remember all those passwords. A password manager can securely keep them for you. Once your usernames and passwords have been entered into the vault, your master password is the only one you must remember. Entering the master password unlocks the vault, so you can then retrieve whatever password you need. Add more security to your vault by enabling two-factor authentication. A strong master password combined with a two-step verification protocol provides the most protection.

If you choose a cloud-based password manager, then you can access your password vault from any device, anywhere.

Some password managers can securely keep more than username/password pairs. Sensitive information such as shipping addresses and credit card information can be protected too. With just one master password or a fingerprint, the user can access them and autofill web forms.

They can generate new passwords for you. Typically, you will be prompted to choose if you would like the password manager to create a password whenever you create a new account with a website or application.

They can alert you to a phishing site. Spam emails are deceptive, as they look like they are coming from a legitimate sender. Links included within such emails send the recipients to malicious websites designed to steal their sensitive data. Browser-based password managers will not auto-complete the username and password fields on such a site, because they do not recognize it as the website tied to the stored password, thus protecting your data from a potential exploit.

Password managers save time. In addition to storing your passwords, some password managers also auto-fill credentials allowing you to quickly access your accounts.

There are password managers that can sync across different operating systems. For instance, if you are a Windows user at home and a Mac user at work, you will be able to quickly access your passwords regardless of which platform you are on.

Password managers help protect against identity theft. By using a unique password for every account, you are essentially improving the security of each account. If one of your accounts gets hacked, attackers won’t be able to get into any of the others.

Many robust password managers can assist in collaboration. This feature allows you to share passwords securely between employees or with external clients.

Types of password managers

Desktop-based password managers store passwords on your device (Mac, laptop, etc.) in an encrypted vault. Usually, the user cannot access those passwords from any other device.

Cloud-based password managers store encrypted passwords on the service provider’s network. The service provider is responsible for the security of your passwords. The main benefit of cloud-based password managers is that the user can access their password vault from any device that is connected to the Internet.

Protect your data like a professional and use a password manager to keep your credentials safe and secure.

How to mitigate the risk of a ransomware attack in 2022

As you probably know, malware is malicious software (a file or code) that can:

  • lock a device or make it unusable;
  • take control of certain devices to attack the organization;
  • steal, delete, or encrypt sensitive data.

Ransomware is a type of malware that prevents users from accessing their devices or certain files. Ransomware will most likely spread to other machines on the network, as happened with the WannaCry malware.

Usually, the victim is asked to contact the attacker via an anonymous email address or to follow instructions on an obscure web page in order to make a payment. The payment, demanded in exchange for unlocking the device or regaining access to the encrypted data, is usually requested in a cryptocurrency.

However, even if the ransom is paid, there is absolutely no guarantee that the user will regain access to the device or the files.

Sometimes malware may look like ransomware, yet after the ransom is paid the files may not be decrypted at all. For this reason, it is crucial to always keep offline backups of your most important files.

Organizations must proactively protect their assets against these complex cyberattacks. Strong defenses and a resilient cyber security posture require not only technical measures but also ransomware-relevant business continuity planning.

Here are a few aspects that should be considered in order to protect your organization and its assets.

Maintain multiple versions of files, not just basic backups.

Companies will need to use systems that can create snapshots several times a day, or maintain multiple versions of files created over the course of the day, to enable a quick restoration to a specific moment in time. In the unfortunate case of a cyberattack, this considerably minimizes the productivity loss. IT security personnel will also need to routinely test the backups to ensure the data is restorable and to measure how long a restore takes. This way the organization can estimate the downtime it will have to handle in the case of a successful ransomware attack.
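As an added illustration of the two practices above (keeping several versions per day so you can roll back to a moment before the encryption started, and running a restore test), here is a small in-memory model of a versioned backup store; it is example code written for this page, not a product's implementation, and every file, timestamp and content value in it is constructed sample data.

```python
"""Versioned backup store with point-in-time selection and a restore drill.
Added example; all paths, contents and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import hashlib


@dataclass(frozen=True)
class Version:
    taken_at: datetime   # when the snapshot was captured
    content: bytes       # what the backup store holds for this version
    sha256: str          # digest recorded at capture time


class VersionedStore:
    """Keeps every snapshot of every file instead of one 'latest backup'."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[Version]] = {}

    def snapshot(self, path: str, content: bytes, taken_at: datetime) -> None:
        digest = hashlib.sha256(content).hexdigest()
        self._versions.setdefault(path, []).append(Version(taken_at, content, digest))

    def version_before(self, path: str, moment: datetime) -> Optional[Version]:
        """Newest version captured strictly before `moment` (for example the time
        the encryption started), or None if no such version exists."""
        candidates = [v for v in self._versions.get(path, []) if v.taken_at < moment]
        return max(candidates, key=lambda v: v.taken_at) if candidates else None

    def restore_test(self, path: str, moment: datetime) -> dict:
        """Restore drill: pick the version to roll back to, verify that what the
        store holds still matches the digest recorded at capture time, and
        report the data-loss window (work done after that snapshot is lost)."""
        v = self.version_before(path, moment)
        if v is None:
            return {"restorable": False, "reason": "no version before moment"}
        intact = hashlib.sha256(v.content).hexdigest() == v.sha256
        return {"restorable": intact, "restored_from": v.taken_at,
                "data_loss_window": moment - v.taken_at}


# Constructed timeline: snapshots at 08:00, 11:00 and 14:00 are clean; the
# ransomware starts overwriting files at 15:10, so the 17:00 snapshot holds
# ciphertext (and would still pass the digest check, which is why the moment
# of compromise, not "the latest backup", drives the choice).
SAMPLE_ENCRYPTION_STARTED = datetime(2022, 3, 14, 15, 10)


def build_sample_store() -> VersionedStore:
    store = VersionedStore()
    day = datetime(2022, 3, 14)
    store.snapshot("finance/q1.xlsx", b"q1 figures v1", day + timedelta(hours=8))
    store.snapshot("finance/q1.xlsx", b"q1 figures v2", day + timedelta(hours=11))
    store.snapshot("finance/q1.xlsx", b"q1 figures v3", day + timedelta(hours=14))
    store.snapshot("finance/q1.xlsx", b"\x9f\x12 encrypted blob", day + timedelta(hours=17))
    return store


if __name__ == "__main__":
    print(build_sample_store().restore_test("finance/q1.xlsx", SAMPLE_ENCRYPTION_STARTED))
```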

Use the principle of least privilege.

Limiting the file access rights to the minimum level of permissions that users need to perform their work is extremely important. This measure will reduce the number of files that could be encrypted in the event of a ransomware attack.

Limit the risk of initial attack vectors.

Ransomware attackers need access to your system to damage it. They obtain access through phishing schemes, unpatched software, and employee password reuse. Organizations should aim to reduce the likelihood of ransomware attacks by implementing and maintaining strong vulnerability management programs, reducing their attack surface, and providing security training programs for all personnel.

Plan for an attack, even if you think it is unlikely.

There are numerous examples of companies that have been hit indirectly by malware even though they were not the intended targets.

Develop an internal and external communication strategy. It is important that the right information reaches the right recipients in a timely manner.

Determine how you will respond to the ransom demand and the threat of your organization’s data being published.

Ensure that your incident management plan and supporting resources are available in case your network is compromised.

Improve your incident management plan. This will help clarify the roles and responsibilities of staff and third parties and prioritize system recovery.

Use Endpoint Detection & Response (EDR)

Nowadays, attacks are expanding beyond individual machines and attempting to lock entire systems. Botnets and IoT networks can be used to amplify ransomware’s effects.

Modern antivirus solutions can identify and block new types of malware. However, attackers are constantly adapting their methods. Many types of malware go undetected by standard solutions, such as polymorphic malware, which constantly changes its identifiable features to avoid detection, or fileless malware.

Under these circumstances, to improve cybersecurity, an IT department should implement an integrated endpoint security solution. EDR security integrates the collection, correlation, and analysis of endpoint data, as well as alerting and responding to imminent threats.

Companies must be prepared for these increasingly sophisticated types of attacks. By hiring a professional team and taking the necessary steps, you will be able to protect your IT infrastructure from modern ransomware attacks.

Managed Detection and Response

A Managed Detection and Response (MDR) security solution is a high-level 24/7/365 security control that includes a range of security activities including cloud-managed security for organizations that cannot maintain their own security operations center (SOC). MDR services combine threat intelligence, advanced analytics, and human expertise in incident investigation and response deployed at the host and network levels to help keep your organization secure.

Relevant analytics, threat intelligence, and forensic data are passed to professional analysts, who classify alerts and determine the appropriate response to reduce the effects and risk of incidents. Then, through a combination of human abilities and machine capabilities, the threat is removed, and the affected endpoint is restored to its original state.

EDR or MDR?

Though an Endpoint Detection and Response (EDR) solution provides you with a platform to investigate and remediate threats, it still requires human intervention. An MDR solution provides a certified team of cybersecurity professionals that handles monitoring, incident response, and remediation services to help keep your business secure. Endpoint detection and response is part of the tool set used by MDR providers.

EDR records and stores behaviors and events on endpoints and may trigger rules-based automated responses. When a suspicious situation is identified, it is sent to the IT security team for human investigation. EDR gives security teams the ability to use more than just indicators of compromise (IoCs) or signatures to understand what is happening within their networks.

Over time, EDR tools have become more and more complex, incorporating modern technologies such as machine learning, behavioral analysis, and the ability to integrate with other complex solutions.

MDR Fundamentals


Managed Prioritization

Prioritization helps organizations that struggle daily with large volumes of alerts to determine which one should be addressed first. Managed prioritization, also known as “managed EDR”, applies a set of automated rules and human inspection to differentiate between false positives and true threats.

Threat Discovery

Behind every threat is a person who analyzes the options and decides how to avoid being caught by their targets’ countermeasures. While machines are increasingly smart, the human mind is still needed to add the missing element that no automated detection system can provide. Threat hunters with skills and expertise identify and alert on the most advanced threats in order to catch what the layers of automated protection can’t.

Managed Investigation

Managed investigation services help businesses understand threats faster by providing security alerts with additional context. Therefore, organizations can clearly understand what happened, when it happened, what was affected, and how far the attacker went. With that information at hand, they can plan and execute an effective response.

Guided Response

Guided response provides actionable advice on the best way to isolate and remediate a specific threat. Organizations are advised on activities such as whether to remove an endpoint from the network, how to eliminate a threat, or how to recover from a cyberattack.

Recovery & Remediation

The last phase in incident response is remediation. This step is crucial, as the organization’s reputation is at stake. Managed remediation restores systems to their pre-attack state by removing malware, cleaning registry entries, and removing any unauthorized access and persistence mechanisms. During the remediation phase, the IT security personnel also ensure that further compromise is prevented.


Conclusion

In-house security teams may lack the resources and the time to fully utilize their EDR systems, which can leave an organization even less secure than it was before it implemented an EDR solution. MDR solves the problem by introducing human expertise, specific processes, and threat intelligence.

MDR is designed to help organizations acquire enterprise-grade protection while avoiding the costs of building and maintaining a security operations center or hiring enterprise-level security staff.

For more information, please check our IT security services page.

Windows 11: Performance, Security, Requirements

Beyond a reorganized start menu and a sleek taskbar, Windows 11 also offers several new features that will definitely catch the eye of the user.

The newest version of the most popular operating system has been optimized for hybrid working, where employees split their working time between the office and home, with new options designed to allow users to multitask and pick up where they left off.

According to Microsoft, Windows 11 also sets new standards for performance and security, which will help organizations optimize their productivity and protect employees against modern cyberthreats.

Improved Collaboration & Productivity

One of Microsoft’s main goals was to deliver a new level of interoperability with the Teams collaboration platform. Therefore, in Windows 11, users can launch Teams chats and meetings with a single click on its icon, which sits prominently in the taskbar.

Microsoft has launched a series of features, such as “Snap Layouts” and “Snap Groups”, that help users increase their productivity. The former gives users a wider range of display options when working across multiple windows or applications.

The “Snap Groups” feature can be used to restore all windows to their previous location and orientation, making it easy for users to resume work from a previous point.

These new features are designed to help users better organize their windows to see what is needed but in a cleaner layout.

Performance & Security

As expected, the Microsoft Windows team has focused during the product development process on both performance and security.

Although the company has not provided hard evidence yet, it stated that the Windows 11 authentication service “Windows Hello” loads faster than in previous versions.

The new operating system reportedly uses less energy too, which translates into longer battery life.

Separately, Microsoft highlighted Windows 11’s security credentials, with new protections added at the chip and cloud level to ensure organizational assets remain secure no matter where users are located.

With security at the core of the operating system, Microsoft has also introduced a new set of hardware requirements for Windows 11. For instance, all Windows 11-compatible CPUs must feature an embedded TPM and support secure boot and virtualization-based security (VBS), among other requirements.

However, while these requirements will shield users against certain cyberattacks, they are expected to create hassles for some organizations.

Hardware requirements

Windows 11 brings the most significant change in supported CPUs since the release of Windows 8. A lot of CPUs are not officially supported. If you want to use the latest operating system, your computer should be equipped with an Intel Core 8th-generation processor or newer, or an AMD Ryzen 2000 processor or newer. The 8th-generation Intel processors arrived in late 2017, and Ryzen 2000 chips arrived in 2018. So, if your computer is more than four years old, there is a good chance that it is not supported by Windows 11.

Another hardware requirement for Windows 11 is a piece of technology named Trusted Platform Module, also known as TPM.

TPM chips perform cryptographic operations that provide security by verifying the authenticity of a system at startup. They also include features that protect systems from tampering.

Windows 11 will require all machines to feature TPM 2.0 support built into the CPU or an additional chip connected to the motherboard.

NOTE: To check whether your device has a compatible Trusted Platform Module, go to Start > Settings, type “Device security”, and check the “Security processor” entry to make sure it provides additional encryption for your device.

A recent report from device audit organization Lansweeper reveals that only 44% of workstations are eligible to receive the automatic Windows 11 upgrade.

The situation looks worse when it comes to virtual machine workstations, because only 0.23% of them have TPM 2.0 enabled. And as for the hypervisors, only a few are currently able to meet the necessary requirements to run the latest OS version.

Ready for upgrade?

Microsoft has been consistent across the various Windows management tools, such as Endpoint Manager and Windows Update for Business, so everything feels familiar to administrators.

Although Windows 11 has undergone extensive testing, both during development and during early access, bugs have been reported.

At one point, Windows 11 impacted the speed of storage drives (SSDs, hard drives). Microsoft, though, has since issued a fix in the latest Windows 11 cumulative update.

Another problem relates to memory leaks. Reportedly, Windows 11 can consume extra RAM when the user opens multiple instances of File Explorer. Not every user is affected, and according to official reports the issue is currently under investigation.

Windows 11 supports new ways of working and further improves workstation security. IT teams and business executives will need to decide whether these benefits are worth the inevitable hassles that early adopters face.

Endpoint Detection & Response

Endpoint Detection & Response (EDR) is a complex endpoint security system that combines real-time monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.

The main functions of an EDR security solution are:

  • To monitor and collect data from endpoints that could indicate a threat;
  • To analyze this data to identify threat patterns;
  • To automatically respond to identified threats to remove or contain them, and notify the IT security team;
  • To provide forensics and analysis tools to research identified threats and search for any suspicious behavior.

Adoption

EDR adoption will only increase over the next few years. According to Stratistics MRC’s Endpoint Detection & Response: Global Market Outlook (2017-2026), sales of EDR solutions, both on-premises and cloud-based, are expected to reach $7.27 billion by 2026, with an annual growth rate of about 25%.

One of the factors driving EDR adoption is the rise in the number of connected endpoints. Another important factor is the increased sophistication and complexity of modern cyberattacks, which usually focus on endpoints, as some of them are easier targets for breaching networks. Insurance carriers are also beginning to require an EDR solution before they will provide cyber insurance.

Endpoint Attacks

The average IT department has thousands of endpoints under management. These endpoints are desktops, servers, laptops, tablets, smartphones, smart watches, and digital assistants.

The SANS Endpoint Protection and Response Survey reveals that 44% of IT teams manage between five thousand and five hundred thousand endpoints. Each of these endpoints could become an open door for cyberattacks. Endpoint visibility is therefore crucial.

Modern antivirus solutions can identify and block many new types of malware. However, cybercriminals are constantly adapting their methods. Many types of malware go undetected by standard solutions. Examples include polymorphic malware, which constantly changes its identifiable features to avoid detection, and fileless malware, a more recent development that operates in the computer’s memory and evades malware signature scanners.

To improve cybersecurity, an IT department may implement several endpoint security solutions, as well as other security applications, over time. However, multiple self-sufficient security tools can overcomplicate the threat detection and prevention process, especially if they overlap and produce similar effects. The better approach is an integrated endpoint security solution.

EDR Security: Components

EDR security integrates the collection, correlation, and analysis of endpoint data, as well as alerting and responding to imminent threats.

EDR tools have three major components:

Data collection software agents. These agents handle endpoint monitoring and collect relevant data about certain processes, connections, and data transfers.

Automated response. Pre-configured rules in an EDR system can identify known types of security threats and can trigger automatic responses, such as logging off the user or alerting a team member.

Analysis and forensics. An endpoint detection and response solution can incorporate real-time analytics, for fast diagnosis of threats, and forensics tools, for threat hunting or conducting post-attack analyses.

Forensics tools enable IT security personnel to investigate breaches to better understand how an exploit managed to penetrate the organization’s defenses. IT security staff also use forensics tools to identify threats within the system, such as malware or other exploits that might have reached an endpoint undetected.

EDR Capabilities

New features and services are expanding EDR systems’ capabilities to detect and investigate threats.

Threat intelligence services provide organizations with large pools of information on current threats and their characteristics. That collective intelligence helps increase an EDR’s ability to identify exploits, especially multi-layered and zero-day attacks.

In addition, new investigative capabilities in some EDR solutions leverage artificial intelligence and machine learning to automate the investigative process. These capabilities allow an EDR solution to learn more about an organization’s baseline behavior and to use this information, along with a variety of other threat intelligence sources, to defend the organization’s systems.

Indicators such as IP addresses and registry keys change frequently, so identifying patterns and characteristics that remain unchanged is crucial. An EDR solution can use this common behavior to identify threats that have been altered in other ways.
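As an added example of the rules-based automated response (from the components list above) and of detection keyed on behavior that stays constant across variants rather than on a changing hash or address (this paragraph), here is a miniature rules engine run over collected endpoint events; it is example code written for this page, not any product's implementation, and the event fields, host name, process names and timestamps are all constructed.

```python
"""Behavioral EDR rule: one process renaming many files to a new extension
within a few seconds. Added example; all telemetry below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float           # seconds since epoch, as reported by the agent
    host: str
    pid: int
    process: str        # image name of the acting process
    action: str         # "write", "rename", ...
    path: str           # target path; for "rename" the new name
    old_path: str = ""  # for "rename": the original name


@dataclass(frozen=True)
class Alert:
    host: str
    pid: int
    process: str
    rule: str
    response: str       # pre-configured automated response for this rule


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def mass_rename_rule(events: List[Event], threshold: int = 5,
                     window: float = 10.0) -> List[Alert]:
    """Flag a process that renames at least `threshold` files to a different
    extension within `window` seconds. Renames that keep the extension are
    ignored, so ordinary saves do not count. No hash, path or IP is matched:
    the trigger is the behavior itself, which survives re-packing."""
    by_proc: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    names: Dict[Tuple[str, int], str] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "rename" and _ext(e.path) != _ext(e.old_path):
            by_proc[(e.host, e.pid)].append(e.ts)
            names[(e.host, e.pid)] = e.process
    alerts: List[Alert] = []
    for key, times in by_proc.items():
        start = 0                      # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(Alert(key[0], key[1], names[key], "mass-rename-new-ext",
                                    "isolate host and notify security team"))
                break                  # one alert per process is enough
    return alerts


def sample_events() -> List[Event]:
    """Constructed telemetry: a word processor doing normal saves (two temp-file
    renames a minute apart) and an unknown process renaming six documents to a
    new extension in about three seconds."""
    h = "WS-017"
    ev = [Event(100.0, h, 881, "winword.exe", "write", r"C:\docs\report.docx"),
          Event(101.0, h, 881, "winword.exe", "rename", r"C:\docs\report.docx", r"C:\docs\~WRD0001.tmp"),
          Event(160.0, h, 881, "winword.exe", "rename", r"C:\docs\notes.docx", r"C:\docs\~WRD0002.tmp")]
    for i in range(6):
        ev.append(Event(200.0 + i * 0.6, h, 4242, "svc_update.exe", "rename",
                        rf"C:\docs\file{i}.docx.locked", rf"C:\docs\file{i}.docx"))
    return ev


if __name__ == "__main__":
    for a in mass_rename_rule(sample_events()):
        print(a)
```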

IT security teams face steadily more complex cyberattacks, as well as increased diversity in the number and types of endpoints accessing networks, so an advanced solution to deal with this situation is recommended, and sometimes required.