Get Threat Ready for 2024

By Michael Mayes, Content Writer

Estimated Reading Time: 6 minutes

As the year comes to a close and your organization prepares for the new one, how confident are you in your prioritization of threats and risks? In an environment where every enterprise security team must expect cyber attacks, is your team threat ready?

In a recent webinar, Deepwatch experts discussed what being threat ready means for security teams facing attacks that continue to grow in complexity, volume, and, unfortunately, inevitability. Being threat ready means reviewing more than the alerts and logs from the detection tools and controls you have in place; it also means reviewing how those tools, and the people and processes around them, are currently used in your overall security effort.

Threat Ready Starts with the Basics

Being threat ready starts with reviewing the basics and prioritizing updates or changes to improve your cybersecurity awareness and response. Conduct assessments of your tool utilization, tool updates, gaps awareness, log ingestion trends, and other key security metrics. Consider threats unique to your industry, such as finance or healthcare, and review recent or upcoming changes to regulatory requirements.

Focus. Focus. Focus.

Cybersecurity requires prioritization of the basics. Too often we see organizations concerned about threat intelligence on the latest ransomware activity or new infostealer while, at the core of their security program, the organization has poor MFA usage, internet-exposed RDP, aged remote access, or an unstable or unverified patch management program. The advanced tactics and techniques of threat actors are irrelevant if you can’t close the doors and windows to your own house, and you can’t close the doors or windows you don’t know about.

People

Being threat ready means looking at your people as the lifeblood of your security efforts. It doesn’t matter how many blinky lights you have; they mean nothing without skilled security professionals who know how to use them. Consider skill sets, coverage, training, advancement, and the health and well-being of your analysts. Review your relationships with other internal stakeholders and your lines of communication to other areas of the business.

Technology

Security tools and technology offer protection from known threats and issues and enable the business. Review whether they are protecting your organization from business interruption, and whether they act as a force multiplier rather than a time sink in helping your people perform at their peak. To be threat ready, consider your critical assets and tooling. Specifically, review the configurations and logging for firewalls, EDR, IDS, authentication, multi-factor authentication, remote access, and proxy.

Today’s security tech stack is either growing or being consolidated, and sometimes both at once, depending on the organization. Have you identified gaps in system visibility to address, or are you looking at ways to reduce ingest, subscriptions, or other costs? What technologies will you reduce, remove, or replace? What is the state of security with key software vendors, and what impact do they have on business continuity?

Processes

With the right people and technology in place, you need well-documented processes to ensure accurate responses that are timely and consistent. What access and authentication controls are in place across systems and services? Review incident response plans and key stakeholders. Review your analyst plans and your backup and recovery plans.

“The password procedure, such as we saw in the MGM attack this year, is highly targeted,” said Jon Haas, Deepwatch Manager of Adversary Response. “Large enterprises must deal with this often, from many different corners of the country or even world. These are people you’ve never seen before. While it’s technically difficult to get past EDR or Firewall, if someone assumes a valid identity because you don’t have the right processes in place, they can do damage.”

Ask Other Stakeholders

Cybersecurity is an essential part of enterprise risk reduction, and meaningful conversations are part of a proactive approach. Ensure leadership contributes to what threat readiness means to them. Have you reviewed or updated incident response and recovery plans? Have you tested them? Have you discussed board-level tabletop exercises to provide context for budget requests? What measures are in place to ensure employees are tested on, and aware of, cybersecurity best practices?

Ask these questions to ensure you are threat ready in 2024:

  • What does your organization’s Internet-facing footprint look like?
  • Does your patch management strategy prioritize Internet-facing systems and technologies?
  • Do you have MFA enforced for externally accessible or high-risk business services?
  • What is your plan to review external systems for hardening improvements?
  • Have you reviewed, updated, and tested incident action plans?

Make a checklist of your critical visibility coverage:

High Risk

  • Host Security Logs
    • DR / AV / HIDS
    • Globally Deployed
    • Win Event (Defender 1116, 1117)
    • Replicator if Possible
  • Endpoint Activity
    • High Risk Systems
    • WinEvent (104, 1102, 4624/4625, 4688 With Command Line Audit, 4720, 4728, 7045)
    • Sysmon (1, 3, 6, 7, 11, 18, 23)
    • Terminal Services (21, 22, 25, 40)
    • PowerShell Script Block Logging (4103, 4104)
  • Network Security
    • IDS (Stand-alone or FW module)
    • Netflow (North/South)
    • Turn on X-Forwarded-For
    • VPN Authentication Logs
  • Proxy & Email
    • Web Traffic Proxy Logs
    • URL Filtering
    • Email Security
  • Cloud
    • AWS CloudTrail, GuardDuty
    • Azure
    • Critical Storage logging
    • NSG Flow logs
    • Unified Access Log
    • Office 365
    • Google GCP

Secondary Visibility Coverage

  • Network Activity
    • Netflow (East-West)
    • Host Based firewall (5156/5157)
  • Endpoint Activity
    • All Servers
    • WinEvent (104, 1102, 4624 – Type 10, 4688, 4720, 4728, 7045)
    • Sysmon (1, 3, 6, 7, 11, 23)
    • Terminal Services (21, 22, 25, 40)
    • PowerShell Script Block Logging
  • Email
    • Email Logs
  • Infrastructure
    • DNS
    • DHCP
  • Auth & AD
    • WinEvent (Auth)
    • Sysmon (Auth)
    • WinEvent (4771)
    • Sysmon (?)

Tertiary Visibility Coverage

  • Endpoint Activity
    • All Systems
    • WinEvent (104, 1102, 4624 – Type 10, 4688, 4720, 4728, 7045)
    • Sysmon (1, 3, 6, 7, 11, 23)
    • Terminal Services (21, 22, 25, 41)
    • PowerShell Script Block Logging
  • DLP & CASB
    • DLP Alerts
    • CASB Alerts
  • Customer Specific
    • PAM
    • MFA Authentication Logs
    • Accellion
  • Vulnerability & Web App
    • Web Application Logs
    • Vulnerability Discovery Scan Results
    • Vulnerability Scan Results
    • Web Application Vulnerability Scan Results
  • Asset & Identity
    • CMDB
    • LDAP
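The checklist above is only useful if you can tell which of those event IDs actually reach your SIEM from each in-scope host. The following Python check is an added example, not Deepwatch's code: it compares the event IDs ingested per host against the High Risk list and reports the gaps, including hosts that have sent nothing at all. It assumes records are normalized into dicts with `host`, `channel`, `event_id` and an optional `fields` mapping (a common SIEM shape, assumed here), and it keys the checklist by the standard Windows Event Log channel each ID is written to, since the checklist labels most of them simply "WinEvent". It also checks the "4688 With Command Line Audit" item specifically: a 4688 that arrives without a populated `CommandLine` field means the audit policy is off, and a presence check on the ID alone would report false coverage. All sample records are constructed.

```python
"""Visibility-coverage gap check against the High Risk checklist.

Added example, not Deepwatch's code. Assumes a SIEM has normalized each
Windows Event Log / Sysmon record into a dict with 'host', 'channel',
'event_id' and an optional 'fields' dict. Channel names are the standard
Windows Event Log channels the checklist's IDs live in. All sample
records are constructed for the demo.
"""
from collections import defaultdict

# Event IDs the High Risk checklist expects from every in-scope host,
# keyed by the channel each ID is written to.
HIGH_RISK_COVERAGE = {
    "Microsoft-Windows-Windows Defender/Operational": {1116, 1117},
    "System": {104, 7045},  # log cleared, new service installed
    "Security": {1102, 4624, 4625, 4688, 4720, 4728},
    "Microsoft-Windows-Sysmon/Operational": {1, 3, 6, 7, 11, 18, 23},
    "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational": {21, 22, 25, 40},
    "Microsoft-Windows-PowerShell/Operational": {4103, 4104},
}


def coverage_gaps(events, hosts, required=HIGH_RISK_COVERAGE):
    """Return {host: {channel: [missing event IDs]}} for every required ID
    never ingested from that host. Hosts that sent nothing at all show
    every channel as missing, which is the gap most often overlooked."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in events:
        seen[ev["host"]][ev["channel"]].add(ev["event_id"])
    gaps = {}
    for host in hosts:
        host_gaps = {}
        for channel, ids in required.items():
            missing = ids - seen[host][channel]
            if missing:
                host_gaps[channel] = sorted(missing)
        if host_gaps:
            gaps[host] = host_gaps
    return gaps


def command_line_audit_missing(events):
    """Hosts that send 4688 but never with a populated CommandLine field.
    Without the 'include command line in process creation events' audit
    policy the event still arrives, so the ID alone proves nothing."""
    with_cmd, without_cmd = set(), set()
    for ev in events:
        if ev["channel"] == "Security" and ev["event_id"] == 4688:
            if ev.get("fields", {}).get("CommandLine"):
                with_cmd.add(ev["host"])
            else:
                without_cmd.add(ev["host"])
    return sorted(without_cmd - with_cmd)


def constructed_sample():
    """Constructed sample: ws-01 is fully covered except Sysmon 18 and 23,
    srv-02 sends only two Security events (4688 without a command line),
    and ws-03 is in scope but has never sent a single event."""
    events = []
    for channel, ids in HIGH_RISK_COVERAGE.items():
        for eid in ids:
            if channel.endswith("Sysmon/Operational") and eid in (18, 23):
                continue
            fields = {"CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"} if eid == 4688 else {}
            events.append({"host": "ws-01", "channel": channel, "event_id": eid, "fields": fields})
    events.append({"host": "srv-02", "channel": "Security", "event_id": 4624,
                   "fields": {"LogonType": "10"}})
    events.append({"host": "srv-02", "channel": "Security", "event_id": 4688,
                   "fields": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}})
    return events


IN_SCOPE_HOSTS = ["ws-01", "srv-02", "ws-03"]  # constructed asset list


if __name__ == "__main__":
    sample = constructed_sample()
    for host, channels in coverage_gaps(sample, IN_SCOPE_HOSTS).items():
        for channel, ids in channels.items():
            print(f"{host}: missing {ids} from {channel}")
    print("4688 without command line audit:", command_line_audit_missing(sample))
```

In practice the host list comes from the CMDB or LDAP items under Asset & Identity, not from the events themselves; deriving it from the events is the classic mistake, because a host that never forwards logs never appears in the result. Run the same check with the Secondary and Tertiary lists swapped in for `required` to build the full coverage picture.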

2023 Ends a Year of Escalation

This year will go down as one of escalation, particularly in ransomware. After what seemed like a reduction in attacks in 2022, 2023 looks set to be another watershed year for ransomware, marked not only by more attacks but by evolving sophistication and expanded targeting of victims and industries. Key threats include ransomware, supply chain compromises, zero-day exploits, and cloud targeting.

Just last month, a ransomware attack impacting 60 credit unions through third-party credit union technology firm Trellance made national news. In May, the MOVEit file transfer attack impacted over 300 organizations, and it continues to produce victims as new vulnerabilities were disclosed last week, bringing the number of related CVEs to eight. Casino giant MGM lost as much as $100 million in Q3 from an attack in September. An attack on Clorox in October led to retail shortages and a quarterly loss in revenue.

How threat ready were those organizations? In some ways they must have been; in others, maybe not. What did they miss? Going into 2024, use these points and questions to determine how threat ready your organization is today and to discover areas of improvement for the same challenges in 2024. To anticipate, withstand, recover from, and adapt to threats in the coming year, ensure your team is threat ready by reviewing your people, technology, and processes with an eye toward improved cyber resilience.

Michael Mayes, Content Writer

Michael Mayes is a content creator at Deepwatch and a certified OSINT analyst. He has over 20 years in marketing communications and media relations for disruptive technologies in highly-regulated industries. Publication on topics includes cloud and mobile security, cryptocurrency, ransomware, and dark web markets.
