Cybercriminals today are consistently working to find new ways to trap potential victims. From impersonating legitimate users in a network or using new and evolving techniques to slip past detection mechanisms, the array of sophisticated tools in threat actors’ arsenals continues to grow.
The timing of an attack is also crucial. A survey of nearly 1,000 security professionals found that 86% of businesses targeted by ransomware were attacked on a holiday or weekend, while three-quarters of ransomware victims were attacked during a major corporate event such as a merger, acquisition or IPO. It is clear that ransomware groups strike outside of normal business hours and seek to take advantage of company defenses that are likely to be either lowered or completely offline.
Threat actors exercise patience to increase their chance of success
Holidays and weekends provide downtime for most of the working population, and this presents a major challenge for most organizations. While most organizations operate a Security Operations Center (SOC) on a 24/7/365 basis, we know that many reduce SOC staffing during holidays and weekends – often by as much as 50%. A minority do not staff their SOC at all during these periods, leaving the doors open to attackers. By leaving SOCs understaffed, companies increase the likelihood that threat actors can conduct successful cyber attacks.
There are numerous examples available to dissect. For example, the disruptive ransomware attack on Transport for London took place on a Sunday. In the US, the 2021 ransomware attack against Colonial Pipeline took place over Mother’s Day Weekend. Once they gain access to a corporate network, ransomware gangs are typically patient and methodical with their attack strategies, often lying low for weeks, cementing their foothold and elevating privileges while scouting out key data and business apps to potentially encrypt as part of an extortion scheme.
SOC manning does not match attack patterns
Unfortunately, SOC staffing often does not match the attack patterns we see, and there are several reasons for this. Work-life balance is important in many organizations and companies do not feel that full staffing is necessary given that most employees work weekdays. There is also the common misconception that hackers will not target businesses of a certain size or type – and many organizations feel safe because they have not been targeted before. Furthermore, staffing a SOC 24/7/365 is a significant challenge. Maintaining 24/7 coverage may require at least 15-20 team members.
This creates an expensive dilemma. What starts as a simple commitment to improve security can turn into a major operating expense. To reduce these expenses, many organizations choose to downsize by cutting staff or limiting the number of coverage hours, thinking that threats are less likely to occur outside of normal business hours. Unfortunately, that is not the case.
Just as burglars avoid well-patrolled daytime hours, threat actors also look to carry out attacks when fewer eyes are watching. Assuming you’re safe outside of business hours leaves doors open for threat actors to attack. Instead, companies must always assume that attacks are imminent, ensuring that their SOC is not under-resourced at any time. I call it having an assumed wrestling mindset. Never grow, never wane; hackers are persistent and never take time off.
Improved focus on identity security
It’s not just about having the right resources in place, but also using those resources in the most logical and efficient ways possible, focusing on the areas of greatest vulnerability or potential impact. Priority must be given to identity management here. Today, the identity system has become the new perimeter of enterprise security, with 90% of ransomware attacks ending up compromising the identity system.
Active Directory (AD), which forms the basis of identity and access management for the vast majority of organizations globally, is a particularly common vulnerability that threat actors consistently work to exploit. As a technology originally released in 1999, many companies are now faced with dealing with outdated AD configurations and excessive user rights that can be exploited relatively easily. Combine this with the fact that AD often lacks adequate monitoring and security auditing, and it can be a challenge for companies to detect unusual or malicious activity quickly enough.
Attackers know these problems better than anyone. They know that if they are able to compromise AD, they will gain control of the keys to an organization’s kingdom, giving them access to sensitive data and critical systems. Unfortunately, however, this is an area that typically seems to be undervalued or overlooked. Many organizations either don’t have an identity recovery plan at all, or their recovery plan has gaps. Not considering cyber attacks, not testing for identity vulnerabilities, and only testing recovery plans quarterly or less often are common mistakes that can prove costly in the event of an attack.
What is the solution?
For enterprises, it is critical to address these gaps and ensure that critical systems like AD are protected and that the guard is not dropped outside working hours, when threat actors seek to make the most of understaffed SOCs. Companies must see security as a central part of their business resilience strategy. Like financial and reputational risk, security can be the difference between a business excelling or collapsing in the face of a catastrophic, game-changing event.
To achieve this, there are several steps companies must take:
- Have a plan in place: Starting from scratch in the event of a disaster is not a good place to be. By preparing for potential scenarios in advance and testing the protocols regularly, companies can respond more quickly and effectively if these situations become a reality.
- Use budgets wisely: This is not necessarily about throwing more money at the problem. It’s about using the budgets you have as best as possible, and ensuring that existing resources are scrutinized and optimized.
- Adopt ITDR: For organizations looking to use limited resources efficiently, identity threat detection and response (ITDR) can be an incredibly useful tool, providing key capabilities such as automated auditing and alerting, attack pattern detection, and rollback or suspension of unusual changes in AD.
- Increase productivity through automation: This automated support can also help companies make the most of the skilled security staff they have, freeing up engineers to spend time on more interesting, higher-value tasks.
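As an added illustration of the "automated auditing and alerting" capability described above (example code written for this article, not part of the original piece or any ITDR product), the following script triages a constructed sample of Windows Security audit events for additions to privileged AD groups and escalates any that happen on a weekend, a listed holiday or outside business hours. The privileged-group list, the business-hours window and the holiday calendar are assumptions a SOC would tune to its own environment.

```python
from datetime import datetime, date

# Constructed sample of Windows Security audit events (not taken from the article).
# Event IDs 4728/4732/4756: a member was added to a security-enabled
# global/local/universal group.
SAMPLE_EVENTS = [
    {"time": "2024-05-14T10:12:00", "id": 4728, "actor": "svc_hr",    "group": "HR-Staff",          "member": "jdoe"},
    {"time": "2024-05-14T14:40:00", "id": 4732, "actor": "itadmin1",  "group": "Administrators",    "member": "contractor7"},
    {"time": "2024-05-12T02:17:00", "id": 4728, "actor": "helpdesk3", "group": "Domain Admins",     "member": "svc_backup"},   # Sunday, 02:17
    {"time": "2024-05-27T23:05:00", "id": 4756, "actor": "helpdesk3", "group": "Enterprise Admins", "member": "tmp_admin"},    # holiday, late evening
]

# Assumed tuning values: adjust to the organization's own AD and SOC rota.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
HOLIDAYS = {date(2024, 5, 27)}   # constructed corporate holiday calendar
BUSINESS_HOURS = range(8, 18)    # 08:00-17:59 local time, Monday to Friday


def is_off_hours(ts: datetime) -> bool:
    """True on weekends, listed holidays, or outside the staffed window."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS or ts.hour not in BUSINESS_HOURS


def triage(events):
    """Return one alert per privileged-group addition; off-hours changes are escalated."""
    alerts = []
    for ev in events:
        if ev["id"] not in GROUP_ADD_EVENTS or ev["group"] not in PRIVILEGED_GROUPS:
            continue  # routine group or an event type we are not auditing here
        off = is_off_hours(datetime.fromisoformat(ev["time"]))
        alerts.append({
            "time": ev["time"], "actor": ev["actor"], "group": ev["group"], "member": ev["member"],
            "severity": "critical" if off else "high",
            "reason": "privileged group change outside staffed hours" if off
                      else "privileged group change",
        })
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["time"], a["actor"], "->", a["group"], a["member"], "|", a["reason"])
```

In a real deployment the events would be pulled from the domain controllers' Security logs or a SIEM, and the "critical" alerts are the ones an understaffed weekend rota should be paged for first.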
By taking these steps to optimize security performance and leverage automation, organizations can simultaneously bridge the gaps that currently exist in both their SOC staffing and identity security capabilities, enabling them to better protect against, identify, respond to, and recover from attacks – whether they strike on a Tuesday or a Sunday.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the tech industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.