In 2012, when Sean Sweeney became CISO for a large university, info-security strategies focused on preventing breaches. At that time, “CISO stood for ‘chief information scapegoat officer,’” said Sweeney, a presenter at Sage’s 2017 CyberCrime Symposium. “It was my job to prevent every possible attack against the university 24x7x365. That’s an unwinnable job, right?”
Right. That’s why the prevention mindset has since shifted to one far more pragmatic. To best protect their organizations, CISOs approach enterprise security with an “assume compromise” mentality, said Sweeney, chief security advisor for Microsoft’s Enterprise Cybersecurity Group. “Today, we understand that if determined attackers want to get into an organization, they’re going to get in.”
CISOs with an “assume compromise” worldview “invest properly in protect, detect, and response controls,” said Sweeney. When protective controls fail — as they inevitably will — SOC teams fall back on their detection and response technologies and processes to minimize damage.
In his talk, “Critical Hygiene for Preventing Major Breaches,” Sweeney cited this mindshift, as well as one that reshapes what constitutes security success, as foundational elements for battling traditional ransomware and newer rapid destructive cyberattacks. Building on these cornerstone concepts, he outlined cyber-hygiene practices critical to both preventing and mitigating breaches.
Ruin Your Enemy’s ROI
Security leaders who recognize that breaches are inevitable develop a multi-layered security posture. They’re also able to make a more powerful case for investing in prevent, detect, and response technologies and infosec staffing.
The second mindset shift cited by Sweeney involves security ROI. CISOs struggle to calculate ROI to rationalize security spend, he said, when attacker ROI is a better measure of success. Cybercrime is a business, and like the organizations they target, cybercrime leaders want high returns on their investments. CISOs see return when they ruin that ROI.
If organizations implement proper controls, they’ll not only improve their security posture, but negatively impact their attackers’ ROI by forcing them to invest in more-expensive threats. “If we can deter opportunistic and other basic attacks, and then slow or stop the more-determined ones, we win,” said Sweeney.
A Three-Pronged Strategy
Sweeney recommends a three-pronged strategy for battling ransomware and rapid cyberattacks:
Part 1: Invest more resources in preventing inexpensive opportunistic attacks, forcing attackers to develop more costly and sophisticated threats.
Informed by specific threats they’ve seen and broader threat intel, CISOs invest more resources in preventing inexpensive opportunistic attacks, forcing attackers to develop more costly and sophisticated threats. Among this low-hanging fruit is traditional ransomware, which has become a weapon in the standard attacker toolkit for a reason. “It's a cheap attack technique — and it works,” said Sweeney.
“By focusing investments on low-cost, high-likelihood attacks, we force bad guys toward more-expensive threats. They then have to reconsider whether targeting a specific organization is worth it,” Sweeney said. If they still want in, they’ll have to rely on specialists to find vulnerabilities and develop the threats to exploit them, or even be willing to burn a zero day, to get a foothold in the network.
Sweeney’s front-line recommendations include:
- Implement advanced email protection services. If there’s no budget, enforce baseline email protection, such as blocking email-transmitted executables and macros.
- Educate users on hygienic email use and other security best practices. Make sure they understand that email is a communications tool, not a file-delivery mechanism.
- Apply all security updates. Patches cover not only operating systems, but applications that run on them. Update browsers and plug-ins and analyze the URLs employees visit to ensure none point to malicious drive-by sites.
- Isolate or retire end-of-life servers and workstations. Disable their ability to connect to the Internet.
- Restrict privileged access and bolster access privilege management. Consider, for example, just-in-time provisioning, which gives administrators one-time, time-restricted access privileges.
- Use anti-malware solutions that receive real-time updates.
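A baseline attachment check of the kind the first recommendation describes, as an added example that is not from Sweeney's talk or the original post: it classifies attachments by content rather than trusting filenames. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import io, os, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative policy list (an assumption for this example), not exhaustive.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container

def has_vba(data: bytes) -> bool:
    """True if a ZIP-based Office file contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def verdict(name: str, data: bytes):
    """Return a block reason for one attachment, or None to deliver it."""
    if data[:2] == b"MZ":  # Windows PE header, whatever the file is called
        return "PE executable (content)"
    if os.path.splitext(name)[1].lower() in BLOCKED_EXT:
        return "executable extension"
    if data[:4] == b"PK\x03\x04" and has_vba(data):
        return "macro-enabled Office file"
    if data[:8] == OLE2_MAGIC:
        return "legacy OLE2 Office file (can carry macros)"
    return None

def scan(raw: bytes) -> dict:
    """Map attachment filename -> block reason for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    pairs = ((p.get_filename() or "(unnamed)", p.get_payload(decode=True) or b"")
             for p in msg.iter_attachments())
    return {n: r for n, d in pairs if (r := verdict(n, d))}

def constructed_sample() -> bytes:
    """Constructed message: macro doc named .docx, PE named .jpg, plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00")
    m = EmailMessage()
    m.set_content("see attached")
    for blob, fn in ((buf.getvalue(), "report.docx"), (b"MZ\x90\x00stub", "photo.jpg")):
        m.add_attachment(blob, maintype="application", subtype="octet-stream", filename=fn)
    m.add_attachment("agenda text", filename="agenda.txt")
    return m.as_bytes()

if __name__ == "__main__":
    print(scan(constructed_sample()))
```

Both flagged attachments in the sample carry harmless-looking extensions, which is why the check reads the leading bytes and the ZIP member list before it consults the filename.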
Part 2: Contain damage by preventing cyber-actors from traversing networks at will.
Here, security teams work to contain damage by preventing cyber-actors from traversing networks at will. This effort, said Sweeney, includes restricting access to shared files and securing privileged access. Require administrators who access the production environment to use a hardened workstation disconnected from the Internet. Implement automated endpoint detection and response (EDR) tools so security personnel can detect and respond quickly. Consider keeping a security services firm on retainer for cases where incident response requires additional resources. (Microsoft, said Sweeney, offers a free “Security Privileged Access Roadmap,” as well as free tools, to guide SOC staff.)
Part 3: Ensure data is backed up, not accessible to attackers, and there’s a process to restore it.
Even when they’re detected, cyber-actors who’ve breached defenses with these threat types can sometimes encrypt an entire IT environment before teams can respond.
To ensure business continuity, said Sweeney, follow disaster recovery best practices, including backing up critical systems and application data and ensuring attackers can’t access back-ups. Back-up servers running on the targeted network will fall, too, so backing up locally and to the cloud are smart practices. “Remember, if attackers own your endpoint, they’re going to own those backups as well,” said Sweeney.
Finally, he said, test these back-up systems regularly to make sure they’ll function properly should disaster strike.
This is the fifth post in our series presenting key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017.