Security Stuff Happens: What Do You Do When It Hits the Fan?

Breaches can happen to anyone, but a well-oiled machine can internally manage and externally remediate in a way that won’t lead to extensive damage to a company’s bottom line. (Part 1 of a series.)

Wise security professionals understand that threat actors aren’t sitting still, and they aren’t playing by the same rules as old-school groups. Lapsus$, for example, is gaining notoriety for its unpredictable behavior, using tactics like extortion and bribing insiders for initial access. It has left even the most experienced security pros scratching their heads.

When you find your organization has been breached, will you be scrambling to figure out your security incident response and remediation plan when your team can’t think straight, or will your response be as simple as muscle memory? To minimize the damage done when a security incident occurs, it’s important to look inward.

Keep a Tight Ship
I would never dare promise to “eliminate cyber threats,” but I can provide strong recommendations to improve internal security. Analyzing some of the latest Lapsus$ victims, we can learn a few things.

First, credential security is imperative. Sooner or later, a threat actor will compromise credentials in your organization. It’s not realistic for a business to expect all employees to refuse extortion attempts at all costs. Understanding this reality turns the impossible task into a practical solution.

Second, security teams should shift their focus from purely preventing credential compromise to tracking user behavior, so that anomalies (a login from an unfamiliar location or device, or a privileged action a user has never performed before) can be quickly identified and acted upon.
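One way to put this into practice is a per-user behavioral baseline: learn where, when and from what device each user normally authenticates, then score new events against that profile. The code below is an added example written for this article, not code from the author or any vendor; the users, devices, countries and timestamps are constructed sample data, and the anomaly rules (new country, new device, off-hours, first-time privileged action) are an assumed, deliberately simple rule set.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline: a week of "normal" activity per user. Tuples are
# (user, UTC timestamp, country, device id, action). Illustrative only.
BASELINE = [
    ("alice", "2024-03-04T08:55:00", "US", "lt-alice", "login"),
    ("alice", "2024-03-05T09:10:00", "US", "lt-alice", "login"),
    ("alice", "2024-03-06T09:02:00", "US", "lt-alice", "login"),
    ("alice", "2024-03-07T17:40:00", "US", "lt-alice", "login"),
    ("bob",   "2024-03-04T07:30:00", "DE", "lt-bob",   "login"),
    ("bob",   "2024-03-05T07:45:00", "DE", "lt-bob",   "login"),
    ("bob",   "2024-03-06T08:05:00", "DE", "lt-bob",   "admin_role_assume"),
]

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "2024-03-11T09:05:00", "US", "lt-alice",  "login"),              # normal
    ("alice", "2024-03-11T03:20:00", "BR", "unknown-7", "login"),              # new country, new device, off-hours
    ("alice", "2024-03-11T03:25:00", "BR", "unknown-7", "admin_role_assume"),  # plus a privileged action alice never does
    ("bob",   "2024-03-11T08:00:00", "DE", "lt-bob",    "admin_role_assume"),  # bob does this routinely
]

# Assumed set of actions worth treating as privileged in this example.
PRIVILEGED_ACTIONS = {"admin_role_assume", "mfa_reset", "add_api_key"}


def build_baseline(events):
    """Collect the countries, devices, login hours and privileged actions each user has used before."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set(), "priv": set()})
    for user, ts, country, device, action in events:
        p = profile[user]
        p["countries"].add(country)
        p["devices"].add(device)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        if action in PRIVILEGED_ACTIONS:
            p["priv"].add(action)
    return profile


def score_event(event, profile):
    """Return the list of reasons an event deviates from the user's baseline (empty if none)."""
    user, ts, country, device, action = event
    p = profile.get(user)
    if p is None:
        return ["unknown_user"]
    reasons = []
    if country not in p["countries"]:
        reasons.append("new_country")
    if device not in p["devices"]:
        reasons.append("new_device")
    hour = datetime.fromisoformat(ts).hour
    # Allow one hour of slack on either side of the user's observed login window.
    if not (min(p["hours"]) - 1 <= hour <= max(p["hours"]) + 1):
        reasons.append("off_hours")
    if action in PRIVILEGED_ACTIONS and action not in p["priv"]:
        reasons.append("first_time_privileged_action")
    return reasons


def detect_anomalies(events, profile, threshold=2):
    """Alert when several weak signals stack up, or on any first-time privileged action."""
    alerts = []
    for ev in events:
        reasons = score_event(ev, profile)
        if len(reasons) >= threshold or "first_time_privileged_action" in reasons:
            alerts.append({"user": ev[0], "ts": ev[1], "action": ev[4], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(NEW_EVENTS, build_baseline(BASELINE)):
        print(alert)
```

A single weak signal such as a new device is usually noise (people replace laptops), which is why the example only alerts when signals stack up or when the action itself is sensitive. Against this data it flags both of alice's early-morning events from the unfamiliar device and country, but stays quiet for bob, whose role assumption matches his baseline.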

Finally, when discussing the Lapsus$ incidents and others like them that use extortion and bribery to gain entry, we must discuss the importance of cybersecurity awareness and insider threat training. Many organizations have put some level of end-user security training into practice. But clearly, that isn’t enough to stop novel threat groups from breaching the last line of defense.

Managing Third-Party Companies
Organizations can’t prepare their own privacy and security practices in a vacuum — we all depend on a large network of products and services to do our jobs.

Repeat after me: Anyone (or any organization) could easily be a victim of a third-party incident.

If you were to assess the privileges of each of your third-party solutions, would you be proud of what you found? Chances are, there are weak spots in access protocols. Your third-party solutions likely have access to things they shouldn’t. Your contractual agreements probably aren’t bulletproof either.

While it’s important to factor in the balance of manageable risk with the return on investment, it’s also essential to foster a collaborative yet vigilant relationship with all of your external parties. It’s about defining a clear contract with vendors that involves security early on, focusing on shared responsibilities for security, good architecture, and timely communication.

Check on Cybersecurity Checklists
Creating a cybersecurity checklist should be a requirement to do business with any third party. The checklist should include (but is not limited to): thoroughly vetting vendors’ privacy and security standards; adding terms and conditions to your contract that address what would happen in the case of an outage and the costs each party would incur; and establishing contingency plans for employees who depend on that technology or software to do their jobs. Take a similar approach whenever your organization is involved in any type of M&A activity, as the same risks apply to those scenarios.

There will always be risks associated with third-party solutions, but living in a bubble isn’t realistic. Managing this risk by having visibility and security capabilities across the entire security incident response life cycle must be the endgame.

Communicating Gaps
Organizations experiencing a security incident must not hide behind a third party and shouldn’t blame their employees. They also must not allow lawyers to create smokescreens around what happened. This helps no one in the long term and only saves face until it doesn’t anymore.

Communication around current vulnerabilities and threats is constantly flowing in healthy, well-prepared organizations. As a security practitioner, you should be proactive in how you communicate with leadership. It’s extremely effective to manage up by sending leadership a notice about a new breach or vulnerability with your own insight added. Security analysts can offer value by proactively showing what they have already checked and that they are running automated queries for indicators of compromise against their own telemetry. They can forward that to their CISO, who can share it upward, and CISO/SOC leadership can then take action to fill the gap.
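The "automated queries for indicators of compromise" an analyst would attach to such a notice can be as simple as extracting observables from recent logs and intersecting them with a published indicator list. The example below is added here and is not code from the article or from any vendor; the indicator values (a TEST-NET address, an `.example` domain, a repeated-character hash) and the proxy, DNS and EDR log lines are constructed placeholders, and the field names are assumptions about the log format.

```python
import re
from collections import Counter

# Constructed indicator list. Every value is a placeholder, not a real IoC.
IOCS = {
    "ip": {"203.0.113.45"},                    # TEST-NET-3 address
    "domain": {"updates-portal.example"},      # reserved .example TLD
    "sha256": {"a" * 64},                      # obviously fake hash
}

# Constructed log lines from three assumed sources (proxy, DNS, EDR).
LOGS = [
    "2024-03-11T03:21:07Z proxy src=10.0.4.12 user=alice dst=203.0.113.45:443 bytes=18422",
    "2024-03-11T03:21:09Z dns client=10.0.4.12 query=updates-portal.example type=A",
    "2024-03-11T03:22:41Z edr host=lt-alice-unknown proc=svchost.exe sha256=" + "a" * 64,
    "2024-03-11T09:00:02Z proxy src=10.0.7.3 user=bob dst=198.51.100.20:443 bytes=512",
    "2024-03-11T09:00:04Z dns client=10.0.7.3 query=login.microsoftonline.com type=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"(?:query|host)=([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_observables(line):
    """Pull candidate IPs, domains and SHA-256 hashes out of one log line."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {m.lower() for m in DOMAIN_RE.findall(line)},
        "sha256": {m.lower() for m in SHA256_RE.findall(line)},
    }


def sweep(lines, iocs):
    """Return one hit record per (indicator, log line) match."""
    hits = []
    for line in lines:
        observed = extract_observables(line)
        for kind, values in observed.items():
            for value in sorted(values & iocs.get(kind, set())):
                hits.append({"kind": kind, "value": value, "line": line})
    return hits


def summarize(hits):
    """Condense hits into the numbers an analyst would put in a notice to leadership."""
    return {
        "total": len(hits),
        "by_kind": dict(Counter(h["kind"] for h in hits)),
        "matched": sorted({h["value"] for h in hits}),
    }


if __name__ == "__main__":
    found = sweep(LOGS, IOCS)
    print(summarize(found))
    for h in found:
        print(f"{h['kind']}: {h['value']} <- {h['line']}")
```

The regexes are intentionally loose (any dotted quad is treated as an IP, so version strings could match), which is acceptable because the final filter is the intersection with the indicator list. Against the constructed data the sweep returns three hits, one per indicator type, all tied to the same early-morning session; that correlation is exactly the kind of insight worth adding when forwarding the notice upward.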
