September 15, 2021 | 5 minute read
Resurgent data breaches that can be tied back to a failure to adhere to basic infosec principles have been an unpleasant surprise in a world of modern security frameworks and maturing processes, but they serve as a useful reminder to us all that there is immense value in mastering the basics.
Weak and recycled passwords, patching delays, misconfigured assets or an incomplete asset inventory are all examples of simple lapses that can lead to infiltration from adversaries.
Security teams that self-identify as ‘less mature’ find little solace in strategies like Zero Trust which are aspirational given the current state of affairs, and more achievable in the short term by mature teams with adequate staffing and internal processes to support a Zero Trust framework.
When in doubt, return to the basics and make sure you are excelling in those areas before following every newfangled industry trend on a wild goose chase that may or may not improve your security posture at the end of the day.
Confidentiality, Integrity and Availability, often referred to as the CIA triad (has nothing to do with the Central Intelligence Agency!), are basic but foundational principles to maintaining robust security in a given environment. The CIA triad is useful for creating security-positive outcomes, and here’s why.
Confidentiality: Are my systems protected from outside, unauthorized access?
Being some of the more tech savvy cohorts of people in society, security professionals are well aware that data privacy for consumers is close to nonexistent with the last private corners of our digital lives dissipating rapidly. On the benign side, this lack of privacy means a well-timed social media advertisement for the perfect product that you didn’t even know you wanted (how did they know?!).
On the more sinister side, this lack of privacy could involve nation-state surveillance of journalists, activists and political opponents - a prime example being the DeadRinger campaign, which involved targeted surveillance through compromised telecommunications providers in Southeast Asia that was uncovered by Cybereason in August of this year.
Confidentiality implies an infosec team's ability to keep company information, customer information, proprietary intellectual property and any other data under the infosec domain protected from unauthorized access. Attackers will look to interrupt a state of confidentiality to exfiltrate data or surveil the information that is meant to be kept private.
Earlier this year Microsoft was breached via several vulnerabilities in their Exchange product, which is used by thousands of customers for email and calendar tasks, exposing sensitive government and corporate emails en masse to prying eyes. A breach in trusted and embedded software can lead to scaled attacks that are able to compromise massive amounts of previously confidential information in a single operation.
Cybereason maintains confidentiality of sensitive data via aggressive prevention at the endpoint. We monitor across the breadth of the enterprise and, as malicious behaviors are detected, our platform takes automated action to kill running malware without tying up valuable infosec resources to take manual actions.
These actions are taken when chains of behavior escalate from suspicious to malicious and when it becomes clear that a response action is required--all done with industry-leading results as reported in the recent MITRE ATT&CK assessments.
Integrity: Is my data corrupted, tampered with or impacted by outside threat actors?
Most serious breaches take time to develop, with the dwell times of adversaries in a target’s environment averaging several weeks, and more sophisticated attacks spanning multi-year periods. The anatomy of a modern attack often begins with the compromise of a less-than-vital system.
This creates a foothold for the attacker that can be used to move upward to more vital assets in an environment, with the common goal of getting access to the Microsoft Domain Controller (and thereby the Active Directory database) or some other authentication and credentials database system that may be in use in an environment.
Nearly every sophisticated attack involves some use or attempted misuse of stolen credentials. Once credentials are available to the bad actors, new logins can look normal and privileged access to more types of data and more valuable sets of data creates a way to escalate and elevate the breach activity.
A lack of integrity in an environment can lead to credential misuse, meaning that attackers can manipulate data to achieve various objectives without doing something as noisy and noticeable as encrypting or exfiltrating the data. Common examples include, manipulating financial records to remove traces of transactions and manipulating account balances, or changing blueprints, chemical equations, and recipes to intentionally sabotage a product the organization produces.
These subtle malicious activities can often go unnoticed by traditional security solutions, which is why Cybereason takes an operation-centric approach to threat detection that delivers opportunities for defenders to end malicious operations at multiple stages of escalation before the environment as a whole can be compromised.
Our platform surfaces threats based on malicious behaviors and MITRE ATT&CK techniques, deploys custom detection rules and policies, and threat-hunts against a lengthy historical dataset to leave no stone unturned and maintain the integrity of data and systems.
Availability: Are my systems and data readily accessible for everyday use and approved operations?
As proof that no industry is fully immune to useful proverbs, aviation aficionados will be familiar with the saying “elevate and then navigate,” meaning that while flying, a pilots job number one is to keep the plane in the air at all times, and if a risk appears that jeopardizes the elevation of the plane - troubleshoot that problem first.
As that first and primary need is met, pilots can then continue addressing the emergency and can focus next on navigation. In the CIA triad, availability of IT systems is the primary pillar, on par with “elevate” for pilots, and carries the most weight and importance. A lack of availability is an outwardly-visible sign of disruption.
Adversaries have been known to resort to DDoS (Distributed Denial of Service) attacks to disrupt availability of IT systems, but the more effective and alarming threat of the moment is ransomware.
A well-developed and successful ransomware attack involves the encryption of sensitive data and a lockout from crucial IT systems until a ransom is paid. The ransom payment is unsurprisingly not a guarantee of safe return of the impacted data, which makes sense given that the negotiation is taking place with cybercriminals whose morals are questionable.
Cybereason is undefeated in the fight against ransomware, ending ransomware operations before they can escalate and paralyze business operations. The Cybereason anti-ransomware solution applies a multi-layered approach that combines intelligence-based detection, deception techniques, behavioral analytics and machine learning algorithms that reliably predict and block ransomware before data can be encrypted or compromised, including in attacks leveraging previously unknown, fileless and MBR-based ransomware.
The day-to-day of the average infosec practitioner is chaotic and involves a penchant for spinning plates. Simplifying where possible can lead to small victories that can be built upon over time, and improve the overall security posture little by little until one day it is unrecognizably capable.
A simplified focus on maintaining confidentiality, integrity and availability can help to avoid endeavors that don’t ultimately improve security or create better outcomes and to double-down efforts of worthwhile pursuits.
The endpoint plays a critical role in a defense strategy that supports outcomes of confidentiality, integrity and availability. The endpoint produces valuable telemetry - data artifacts that can be cross-examined to surface adversary tactics, techniques and procedures.
When correlated together, this telemetry can paint a picture of the adversary activity and can be used for a targeted response and recovery. The endpoint is involved in nearly every noteworthy breach, making endpoint prevention, detection and response a vital layer of defense.
Where appropriate, consider a self assessment or a guided assessment to identify gaps in security coverage and test your incident response plan and processes against sophisticated threats to ensure readiness.
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
JJ Cranford is a Senior Product Marketing Manager at Cybereason, He was previously with OpenText after the acquisition of Guidance Software where he was responsible for the go-to-market strategy for endpoint security products. JJ provides insight into market trends, industry challenges, and solutions in the areas of incident response, endpoint security, risk management, and compliance.All Posts by JJ Cranford