Three strategies for organizations to follow to disrupt cybercriminals selling access to their environment
Unmasking a bad actor at an individual level will help organizations gain more
context, figure out why the attack happened, and calculate future risk.
Threat actors are selling employee credentials and private access keys to critical
business applications in increasing numbers. To prevent these incidents from escalating
into full-fledged breaches that damage the company's credibility, organizations must
respond quickly and maintain visibility outside their perimeter. External threat hunting,
forensics, and the unmasking of actors using open-source intelligence (OSINT) are
common responses. Identifying the actor goes a long way toward deciding whether the
organization is a target of opportunity or the victim of a targeted attack.
Organizations should take the following three measures to ensure the integrity,
confidentiality, and availability of their data systems.
Three Strategies for Organizations
Internal and External Triage
Maintaining the integrity, confidentiality, and availability of data systems should be the top
priority. This starts with identifying the source of the leaked credentials. If a third-party
vendor or law enforcement made the initial contact, they may hold the user credentials or
private keys obtained through direct interaction with the threat actor.
The account names of the forum members trying to sell the credentials would usually be
known to law enforcement. Once the security team has gathered this data, they can
investigate the threat actors to determine their technical capabilities and how active they are
in underground forums. The dark web vendors, for example, do not have the same technical
capabilities as the malicious agent who gained access to the environment.
The extent of the harm is usually unclear at this point of the investigation, so one of three
directions should be pursued: 1) removing the access, 2) determining the extent of the
damage, and 3) determining whether the threat warrants unmasking the actors in order to
learn more about the attack.
Unauthorized Access Must Be Removed
Security teams must assess the damage after checking credentials and account access.
This means determining whether data were accessed or exfiltrated, and looking for evidence
of unauthorized access, use of malicious tools, lateral movement, and malware deployment.
Implementing a mix of careful logging, two-factor authentication, a data acquisition
strategy, endpoint and network monitoring, and patch management is likely to prevent a
full-blown breach.
It’s critical to conduct external threat detection and threat actor engagement in response to
a particular attack to decide whether the actors are attempting to manipulate or monetize
the security incident. It may not be appropriate to reveal the attacker’s identity at this stage.
It's likely that no further malicious activity occurred within the environment if the
assessment concludes that the attackers obtained access using reused passwords scraped
from third-party servers, brute-force password spraying, or a reused password from a prior
data breach.
On the other hand, if the investigation leads the security team to believe that the attack
was carried out by an insider or former employee, unmasking and identification will provide
crucial context, allowing the security team to prevent a compromise and potentially take
legal action.
Unmasking Attribution
Unmasking the hacker at an individual level can help gain more insight, assess why the
attack happened, and measure potential danger if the company is a victim of a targeted
attack rather than a target of opportunity. Making the decision does not have to be a
time-consuming process.
Over the last decade, attribution has mostly been made at the nation-state or group level, but
depending on the attack context, individual attribution is becoming increasingly essential.
Maintaining the network's integrity, confidentiality, and availability through perimeter and
internal visibility remains important, but having the same visibility beyond the firewalls
matters more and more.