Huntress: The Missing Piece in Cybersecurity
The cybersecurity landscape has become more crowded over the last year. According to Security Boulevard, the number of cyberattacks has increased from one every 39 seconds to one every 11. At that rate, it isn’t a question of “if”; it’s a question of “when.” The increase has not been restricted to specific industries. It happens to large corporations as well as small- and medium-sized businesses.
On January 14, 2021, tech42 sponsored a webinar with Alex Payne from Huntress to discuss The Missing Piece: Cybersecurity and Your Business. Huntress partners with organizations such as tech42 to provide automated detection of hidden threats, analysis of suspicious activity, and attack prevention. The webinar focuses on the threat landscape, and the National Institute of Standards and Technology (NIST) recommended a cybersecurity framework for protection, detection, and containment.
Cybercrime is a billion-dollar industry that operates primarily for financial gain. According to a 2020 study, 55% of all cyberattacks are initiated by organized crime. These groups offer their services, tools, and stolen data over the dark web. Their goal is to be as profitable as possible, which means looking for low-risk opportunities with high financial gain. If companies do not work to close vulnerabilities, hackers will take advantage of the weaknesses because there is little risk involved.
Not only do cyber criminals look for system vulnerabilities as a source of revenue, but they also apply modern marketing approaches to help sell their tools and stolen information. Marketplace sites exist on the dark web where groups can advertise their services. These aren’t the questionable sites as portrayed in movies. They look and operate as any marketplace site — think Etsy, Pinterest, or eBay. Sellers showcase their offerings and even offer specials and promotions to entice buyers to purchase their stolen data, attack tools, or hacking services.
In 2020, over 75% of small- and mid-sized businesses experienced a cyberattack within the prior 12 months. Close to 70% of those attacks resulted in a breach. The distinction between an attack and a breach is significant. Only 5% of companies that detected an attack were able to prevent a breach from happening. However, it is possible for threats to be detected and removed before a breach actually occurs.
Cybercriminals are equal-opportunity attackers. Organized crime may be focused on large corporations with attacks on Garmin, Blackbaud, Magellan Health, and SolarWinds. However, smaller businesses are not immune. Smaller and less mature hacking groups target these organizations to build their hacking skills and build a reputation in the world of cybercrime. For 2021, the targeted industries will continue to be:
Because these sectors are heavily involved in addressing the current pandemic, cybercriminals view the resulting chaos as an excellent opportunity to capitalize on a shifted focus on the pandemic and not on security.
According to Verizon’s 2020 report, the most used attack vectors were:
- Hacking using denial of service or stolen credentials
- Phishing, especially spear-phishing
- Errors from misconfiguration or misdelivery
- Malware, primarily ransomware
These tools are designed to gain unauthorized access to steal information that can be sold on the dark web.
For example, ransomware is an attack that encrypts files and then asks for a ransom to be paid to unlock the files. A variant of ransomware known as Maze not only encrypts the files but also copies the data to a secure location. The hackers threaten to publish pieces of data until the ransom is paid. Having a backup is no longer sufficient to protect against ransomware. An example of ransomware extortion is the attack on Grubman Shire Meiselas & Sacks, an entertainment law firm, where information on Lady Gaga and Bruce Springsteen was released on the dark web as an incentive for the law firm to pay the ransom, which it did.
The latest data estimates the cost of a breach will range from 5.5 million to 2.16 million, depending on the size of the organization. The primary cost of a breach comes from lost business. Approximately 25% of customers avoid doing business with companies that have suffered a breach within the last year.
The remaining costs come from detection, escalation, containment, and response. These costs may include compliance violation penalties. By far, the loss of consumer confidence and company reputation has the potential to have an irreparable impact on a company’s viability.
With the increasing number of attacks and their sophistication, what are the best ways to prevent one? Prevention, while still essential to cybersecurity, is only part of the equation. According to NIST SP 800-171, the best framework is a layered approach that includes the following five-steps. (insert graphic found at 27:22)
It’s hard to fix a problem if it isn’t identified. That’s why the first step in the NIST framework is to assess an organization’s current security. Companies should identify any data or applications that must be in compliance with a country, region, or industry regulations or laws. They then need to look at their current security controls to identify any deficiencies and vulnerabilities. Finally, businesses need to perform a risk assessment to determine the areas of highest risk. Using the collected information, organizations should develop a plan to reach security maturity.
Protection doesn’t mean an enterprise will never experience a cyberattack, nor does it guarantee that a breach will not occur. Its focus is to defend against possible attacks. The protection methods include:
- Antivirus solutions. Every organization and individual should have some antivirus solution operating on their devices. It is a foundational piece of cybersecurity.
- Firewalls. Firewalls are designed to block access to an internal network. Recently, hackers have exploited misconfigurations in company firewalls to gain unauthorized access.
- Multi-Factor Authentication (MFA). Instead of a username and password, authentication is performed by transmitting a passcode to the end user’s cell phone. Once received, the passcode is entered, and the user gains access. The process makes it more difficult for a hacker to steal a complete set of credentials.
- DNS Filtering. Certain websites or IP addresses are known cybersecurity risks. These sites are placed on a list that internet providers should use to prevent questionable sites from sending traffic to an end-user or an end-user accessing a malicious site.
- Email Filtering. Email filtering is performed by mail servers that check email addresses against a list of harmful or banned sites. Emails that use the addresses are blocked from transmission.
- Phishing Training. Phishing is one of the most common ways that hackers acquire user credentials. Some phishing attacks are quite sophisticated, even compromising such tech giants as Google and Facebook. That’s why it is vital that employees be trained on what the latest phishing techniques are to avoid an accidental compromise.
Even with these layers of protection, a percentage of hackers will break through the safeguards. That’s where detection comes in.
Detection services monitor network traffic, looking for suspicious behavior. That might include users that are trying to access parts of the system that are restricted. Or, it might identify users that don’t typically use certain files or applications suddenly using them. Once a potential threat is identified, the solution evaluates the activity to decide if further action is required. Based on the results, efforts may be taken to remove a threat, or an alert may be sent for additional investigation.
Organizations need clearly defined protocols on detecting, analyzing, containing, responding, and recovering from a cyberattack. In the middle of a breach is not the time to ask who should be doing what. For example, someone should be tasked with notifying external sources if needed to remain in compliance. Response also involves containment. Who is responsible for coordinating the effort to contain and remove the threat? Again, knowing who is in charge makes it easier to coordinate efforts. Having IT staff tripping over each other only delays the process and could lead to unforeseen consequences.
The faster a compromise is contained, the lower the costs. If a threat can be detected and contained, then no breach occurs. The effort has saved millions of dollars. That’s why have a response plan in place is crucial to the success of a cybersecurity program.
Recovery happens when data can be restored from a system backup and operations can return to normal. A disaster recovery plan is essential to a safe and secure path back to standard operations. The longer it takes to recover, the more downtime a company experiences. The more downtime, the more lost revenue. It’s estimated that a business can lose as much as $300,000 per hour of downtime.
Note: Huntress has a downtime calculator on their website. (This was mentioned, but I can’t find a link.)
Threat Protection and Detection
From the beginning, Huntress has relied on highly qualified personnel for security guidance. Their goal is to help managed service providers (MSPs), and others deliver detection, response, and recovery services to their customers. tech42 has offered the service to about 800 clients. Over the first year, about a dozen incidents were detected and removed before a breach could happen. If you’re interested in learning more about detection and response in cybersecurity, contact tech42 to discuss how we can help.