Cybercrime saw an uptick in 2020, as individuals and businesses alike have migrated to distanced, online solutions due to the COVID-19 pandemic. Verizon’s 2020 Data Breach Investigations Report (DBIR) analyzed a record high of 157,525 incidents in 2020, of which over 3,900 qualified as full-fledged data breaches.
Monitoring for and identifying attacks before they occur, and addressing them immediately, is the best way to keep your company safe. Thus, cyber attack detection is one of the most critical elements of a cyberdefense program.
Cyber Attack Detection Best Practices
The convergence of safety hazards and newfound vectors of cybercrime has led at least one major publication to refer to 2020 as a cyber pandemic, as well. Among the most significant changes has been an increase in the frequency and severity of attacks on national governments and critical health infrastructure, which can have far-reaching consequences for stakeholders worldwide.
In order to protect against ever more complex and diverse attacks in the future, the following best practices (in conjunction) are the best ways to keep your company safe:
- Keeping all your systems up to date
- Filtering email and incoming traffic
- Tracking user accounts and access
- Regularly conducting penetration testing
- Utilizing comprehensive security services
In the sections that follow, we’ll break down all these best practices in detail, along with resources and links to help facilitate your adoption of these practices at your company.
#1: Keep Systems Up to Date
First and foremost, the baseline security practice is keeping all hardware and software updated to the most recent and robust security standards available. In practice, that means leveraging the resources built into your hardware and software, such as automatic update functionality.
To that effect, it can be helpful to generate regular patch availability reports that show how well your systems are protected relative to the standards your regulatory context defines:
- Standards established by the PCI-DSS for credit card information security
- Particular FINRA practices recommended for financial institutions
- Safeguards for protected healthcare information, per HIPAA requirements
- NERC CIP standards for critical security infrastructure businesses
- Recommendations from NIST for government and DoD contractors
Regular updates don’t just help to detect attacks; they also help to prevent them. Attacks most frequently occur on outdated software. But baseline compliance and regular updates are far from enough; you also need to continually monitor databases like the Common Vulnerabilities and Exposures (CVE) list so you can proactively remove or replace affected software before a vendor update is released.
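The patch availability report described above can be produced by comparing an inventory of installed software against a vulnerability feed. The following script is an added example, not RSI Security’s code or any vendor’s tool; the hosts, products, versions and advisory IDs are constructed sample data (the `EXAMPLE-` identifiers stand in for real CVE numbers), and the script assumes each advisory can be reduced to a single “fixed in” version floor.

```python
"""Patch availability report: compare an installed-software inventory
against a vulnerability feed and list what still needs updating.
All inventory entries, advisory IDs and versions below are constructed
sample data, not real CVE records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder ID; a real feed would carry a CVE number
    product: str
    affected_below: str   # first fixed version; anything lower is affected
    severity: str


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10). Only the numeric prefix of each component is
    used; pre-release tags such as 'rc1' are ignored (an assumption that
    keeps the example short)."""
    nums = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple(nums)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is numerically below the fixed version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))   # pad so (1, 2) compares equal to (1, 2, 0)
    b += (0,) * (n - len(b))
    return a < b


def patch_report(inventory: dict, feed: list) -> list:
    """Return one finding per (host, product, advisory) where the installed
    version is below the fixed version, sorted by severity then host."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for host, packages in inventory.items():
        for adv in feed:
            installed = packages.get(adv.product)
            if installed and is_affected(installed, adv.affected_below):
                findings.append({
                    "host": host, "product": adv.product, "installed": installed,
                    "fixed_in": adv.affected_below, "advisory": adv.advisory_id,
                    "severity": adv.severity,
                })
    findings.sort(key=lambda f: (rank.get(f["severity"], 9), f["host"]))
    return findings


# Constructed sample inventory: host -> product -> installed version
INVENTORY = {
    "web-01": {"nginx": "1.18.0", "openssl": "1.1.1k"},
    "db-01":  {"postgresql": "13.2", "openssl": "3.0.7"},
}

# Constructed sample feed; IDs are placeholders, not real CVE numbers
FEED = [
    Advisory("EXAMPLE-0001", "openssl", "3.0.8", "high"),
    Advisory("EXAMPLE-0002", "nginx", "1.20.1", "medium"),
    Advisory("EXAMPLE-0003", "postgresql", "13.1", "critical"),
]

if __name__ == "__main__":
    for f in patch_report(INVENTORY, FEED):
        print(f"[{f['severity']:8}] {f['host']}: {f['product']} {f['installed']} "
              f"-> update to {f['fixed_in']} ({f['advisory']})")
```

One caveat a real report has to handle: advisories usually list affected ranges per release branch (for instance, an older branch may have its own fixed version), so the single version floor used here would need to become a list of ranges before the output is trusted for compliance evidence.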
#2: Filter and Monitor Email
One of the biggest threats facing an organization comes from incoming traffic sent to or otherwise accessed by employees. Of all attacks surveyed in Verizon’s 2020 DBIR, 17% involved malware, commonly distributed via email, and 22% were categorized as “social.”
Likewise, 22% of breaches qualified as “phishing” attacks, a particular form of social attack in which malicious emails are disguised as harmless or even necessary business communications.
In a typical phishing attack, emails are sent out to a wide variety of recipients with a spoofed sender (such as a company’s CEO) used to catch victims’ attention and persuade them to click a link, download a file, or otherwise expose the company to attack. In some exceptional cases, often called “spear phishing,” a smaller group of recipients is more specifically targeted with a closely curated message, such as (usually stolen) information known only to a manager.
To protect against these and other similar threats, a firewall and DNS filter are the bare minimum. But more complex and proactive web and email filtering, applied in addition to your firewall, can help screen out the most insidious attacks that make it through even a strong firewall.
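The phishing pattern described above (a spoofed executive sender, a lure link) leaves indicators in the message itself that a filter can score before delivery. The script below is an added example, not RSI Security’s code or any commercial filter; the executive roster, the sample message, the lookalike domain and the quarantine threshold are all constructed, and the `Authentication-Results` header is assumed to have been written by your own receiving gateway.

```python
"""Score inbound mail for common phishing indicators before it reaches a
mailbox. Added example: the executive roster, sample message and
quarantine threshold are constructed, not taken from any real filter."""
import re
from email import message_from_string
from email.utils import parseaddr

# constructed roster: lower-cased display name -> the only legitimate address
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:\s]+)', re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def body_text(msg) -> str:
    """Concatenate the text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw: str) -> list:
    """Return (indicator, detail) pairs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display name impersonates an executive but the address is not theirs
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and addr.lower() != legit:
        findings.append(("display_name_spoof", f"{name!r} sent from {addr}"))

    # 2. Reply-To steers answers to a different domain than the From address
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(("reply_to_mismatch", f"From {from_domain}, Reply-To {domain_of(reply)}"))

    # 3. The receiving gateway recorded an SPF/DKIM/DMARC failure
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(("auth_fail", f"{mech} failed"))

    # 4. Link text shows one host while the href points somewhere else
    for href, label in HREF_RE.findall(body_text(msg)):
        shown = host_of(label) or (label.strip().lower() if "." in label else "")
        if shown and shown != host_of(href):
            findings.append(("link_mismatch", f"shows {shown}, goes to {host_of(href)}"))
    return findings


def verdict(raw: str, threshold: int = 2) -> str:
    """Quarantine when at least `threshold` distinct indicator types fire."""
    kinds = {kind for kind, _ in phishing_indicators(raw)}
    return "quarantine" if len(kinds) >= threshold else "deliver"


# Constructed sample: an executive-impersonation message from a lookalike domain
SAMPLE = """\
From: Jane Doe <jane.doe@example-mail.co>
Reply-To: accounts@other-host.net
To: staff@example.com
Subject: Urgent wire approval
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-mail.co; dmarc=fail
Content-Type: text/html; charset=utf-8

<p>Please approve today: <a href="http://example-mail.co/login">https://portal.example.com</a></p>
"""

if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE):
        print(f"{kind:20} {detail}")
    print("verdict:", verdict(SAMPLE))
```

Counting distinct indicator types rather than raw hits keeps a single noisy signal (several authentication failures on one message, say) from deciding the verdict on its own; the threshold is the knob to tune against your own false-positive rate.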
#3: Track Access and Accounts
According to Verizon’s 2020 DBIR report, misuse of authenticated user accounts is an even bigger attack vector — about 37% of threat activity detected in 2020 involved the use of stolen credentials. One of the reasons these attacks are so dangerous is that they circumvent monitoring that, by design, treats an authorized user’s behavior as benign.
Therefore, detecting attacks that victimize users’ accounts necessitates robust identity and access management, including but not limited to:
- Tight access controls – User passwords or passphrases should meet minimum standards for length and complexity, such as required numbers and types of characters.
  - Passwords or passphrases should be changed regularly
  - Previously used passwords must be banned from future use
- Multi-factor authentication – Ideally, users should need to use a combination of factors to authenticate their identity, including some combination of:
  - Something known, like a password, passphrase, or PIN
  - Something owned, like a secondary device or account
  - Something about the person, like biometric information
- Monitoring user behavior – Once users log in to protected accounts and systems, their behavior and use patterns need to be controlled and monitored.
  - Limit user access as much as possible
  - All use, even for authorized users, needs to be carefully documented
  - Irregularities in use should result in an immediate freeze of access
With strict monitoring and control of user accounts, a hacker will be less likely to access protected systems illegitimately. You will also be able to identify and restrict access more quickly if an account is compromised.
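Three of the controls listed above (length-and-complexity rules, a ban on reused passwords, and an automatic freeze on irregular sign-ins) fit in one small module. The code below is an added example, not RSI Security’s code or any identity product; the policy numbers, the baseline size and the user names and login events are constructed, and the anomaly rule (a country never seen before for that user, or an hour well outside their usual window) is a deliberately simple stand-in for what a real identity platform would compute.

```python
"""Identity and access controls as one small module: a password policy,
a salted password-history check that blocks reuse, and a login-anomaly
rule that freezes an account when a sign-in deviates from that user's
established pattern. Added example; policy values and events are constructed."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 14          # constructed policy values
HISTORY_SIZE = 5         # how many previous password hashes are kept
BASELINE_LOGINS = 3      # anomaly rules apply once this many logins are seen


def policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty = OK)."""
    v = []
    if len(password) < MIN_LENGTH:
        v.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        ("lowercase", string.ascii_lowercase), ("uppercase", string.ascii_uppercase),
        ("digit", string.digits), ("symbol", string.punctuation),
    ]
    present = [name for name, chars in classes if any(c in chars for c in password)]
    if len(present) < 3:
        v.append("needs at least three of: " + ", ".join(n for n, _ in classes))
    return v


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-entry salt; iteration count kept modest for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username: str):
        self.username = username
        self.history = []        # list of (salt, hash), newest last
        self.logins = []         # list of (country, hour) for accepted logins
        self.frozen = False

    def set_password(self, password: str) -> list:
        """Apply the policy and the reuse ban; return the reasons on failure."""
        reasons = policy_violations(password)
        # Compare against every retained hash so an old password cannot return
        if any(hmac.compare_digest(_hash(password, salt), h) for salt, h in self.history):
            reasons.append("password was used previously")
        if reasons:
            return reasons
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]
        return []

    def check_password(self, password: str) -> bool:
        """Verify against the current (newest) password only."""
        if not self.history:
            return False
        salt, h = self.history[-1]
        return hmac.compare_digest(_hash(password, salt), h)

    def record_login(self, country: str, hour: int) -> str:
        """Compare a sign-in with the user's baseline; freeze on irregularity."""
        if self.frozen:
            return "frozen"
        if len(self.logins) >= BASELINE_LOGINS:
            seen_countries = {c for c, _ in self.logins}
            hours = [hr for _, hr in self.logins]
            usual = min(hours) - 2 <= hour <= max(hours) + 2
            if country not in seen_countries or not usual:
                self.frozen = True          # irregular use: immediate freeze
                return "frozen"
        self.logins.append((country, hour))
        return "ok"


if __name__ == "__main__":
    acct = Account("alice")                  # constructed user
    print(acct.set_password("Correct-Horse-Battery-9"))     # [] -> accepted
    print(acct.set_password("Correct-Horse-Battery-9"))     # reuse rejected
    for country, hour in [("US", 9), ("US", 10), ("US", 11), ("XX", 10)]:
        print(country, hour, acct.record_login(country, hour))
```

The freeze is intentionally one-sided: an account is only unfrozen by a human, which is what the “immediate freeze of access” above implies, and the baseline is only built from logins that were accepted, so a single anomalous event never becomes part of the user’s normal pattern.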
#4: Conduct Regular Penetration Tests
Another innovative practice that can help detect attacks as they occur and mitigate them is penetration testing. Also referred to as pen testing, this is an advanced cybersecurity area that leverages “ethical hacking” to get inside the minds of cybercriminals and understand how they can attack you — and how to stop them.
This is less a detection mechanism proper than a proactive practice.
Pen testing can help uncover the vulnerabilities present in your environment and show how an attacker could penetrate your systems from outside (external testing) or how much damage they could do once inside (internal testing).
The tester and organization negotiate terms for the test, including how much information the tester begins with (or needs to “dig up” in preparation). The tester then starts an in-depth simulation of what an actual attack would look like, doing as much (virtual) damage as possible. The deeper and more realistic, the better: that way, an organization gets the most accurate picture of how an attacker would behave. The best defense is often a good offense.
#5: Use Comprehensive Services
Finally, one last best practice an organization might leverage is both the most robust and the simplest: using an all-in-one suite, like managed detection and response (MDR) services.
Combining all the best practices named above with other cybersecurity practices and integrating them company-wide, the best MDR packages include:
- Event threat detection – Continuous monitoring that covers both attacks and breaches as they happen and their risk factors and early indicators.
- Incident response – Systematic plans for responding to attacks, including measures to stop the attack immediately, then recover assets and functionality as soon as possible.
- Root cause analysis – Detailed proactive analysis of current and past attacks to determine their causes and create and implement a plan to eliminate them.
- Regulatory compliance – Closely related to patch management (above), compliance advisory services ensure all required safeguards are followed.
In conjunction with a robust cybersecurity architecture and training program, comprehensive MDR services can be the best way to find and address attacks, minimizing their impact on your organization’s safety — and that of its many stakeholders.
Professionalize Your Cyberdefenses
The talented team of experts at RSI Security is ready and willing to help with any cybersecurity challenges facing your organization. That includes all of the services mentioned above and a host of diverse issues faced by businesses in any industry. We’ve provided cyberdefense solutions to companies of all sizes for over a decade. Yours could be next!
For robust cyberattack detection, prevention, and mitigation, contact RSI Security today.