Think Like a Hacker: Knowing What to Look for So You Can Prevent It

To view the recording of our Tuesday Tech Talk, click HERE

Cybersecurity incidents continue to make the news. Here is the Five Nines’ take on typical breaches and how to avoid them.

The Ins and Outs of a Breach
There are 4 phases of a typical breach – preparation, detection & analysis, containment, eradication & recovery, and post-incident activity. Oftentimes, a human in the organization is the first one to notice that something is off. By the time this happens, it’s far too late. Sophisticated technical monitoring is a simple but effective measure to put in place, yet it’s hard to implement in-house unless you’re a very large organization with many resources dedicated to it full time. There are many providers of this service such as Arctic Wolf, Huntress, CrowdStrike, and Perch. Typically, we see these hackers evade human analysis until they want to be noticed by dropping ransomware, but even a hack of low sophistication will trip the monitoring software left and right.

When an incident occurs, this is what will need to take place in the first 72 hours:
1. The organization affected should contact their cyber insurance provider’s 24/7 incident line. Pro tip: Store this number outside of the system so you can quickly access it even if you’re locked out.
2. Cyber insurance will then coordinate a legal team for confidentiality.
3. Cyber insurance and legal will then contact an Incident Response technical firm.
4. Contracts from legal and Incident Response will be sent for signatures. Pro tip: Make sure your “signature-power” people are aware of the process beforehand.

1. Shut down internet access, inbound and outbound.
2. Sweep for “indicators of compromise” across all systems.
3. Disconnect network connections or hibernate questionable systems. Do not shut down or forensic data will be lost.

1. With the help of an Incident Response firm, continue seeking, cleaning, and reloading potentially compromised systems. This process could take at least 30 days when engaging with an IR firm, but they will continue to monitor months after to make sure the hacker is fully eradicated.

Business Continuity and Recovery:
1. Know your workarounds. Paper processes, cell phones, Gmail accounts, etc. Limp along to keep your organization operational.
2. Recover data and systems while trying to preserve as much as possible for forensics.
3. Do not pay the ransom for stolen data. Likely, the hacker will take your money and still sell the data to another hacker down the line.
4. Be careful when loosening internet restrictions. Do not let the floodgates open without certainty that your system is secure.

Vulnerabilities Hackers Look For
Cybercrime is a criminal business. There are people out there that this is their full-time job. The aim is to make money as quickly as possible, so your goal is to not be the “soft” target. These low-effort/low-sophistication attacks can be avoided by a couple of simple steps:
1. If your system can be seen from the internet, it will be probed constantly. Hackers are not just looking for security flaws in the product or configuration, but also usernames and passwords. Be diligent about password hygiene and management.
2. High-profile services like Office365, VPNs, Citrix, Remote Desktops are especially popular to target.
3. All systems that your users use to “get in” to the system to do their work should be protected by multi-factor authentication.
4. Human weaknesses can be minimized by implementing security awareness training such as KnowBe4. Employees will become more aware of the benefits of good password hygiene, management, and how to spot hazardous links and attachments.
5. Implementing next-generation endpoint protection software like Cylance, Sophos, SentinelOne, CrowdStrike, Cisco AMP, Carbon Black, etc. will also set your organization up for success.

Questions to Ask
1. What do we look like “from the internet”?
2. Do we require multi-factor authentication on everything a hacker can directly touch from the internet?
3. Are we monitoring our environment?
4. Is our cyber insurance policy sufficient?
5. What is our deductible/retention, and what are our coverage limits?
6. Do we have an extortion line item of at least 10% of our annual revenue?
7. Do we have our 24/7 insurance number handy?
8. Do signature-power people know the drill?