Prepared Statements Don’t Stop What Has Already Happened
In the rapidly evolving digital landscape we find ourselves in, the importance of being prepared for risks pertaining to our cyber assets cannot be overstated. As technology advances and we develop tools to aid us in the pursuit of ever more productive, scalable and efficient business opportunities, cyber criminals have also grown ever more advanced in their pursuit of the means to compromise our assets.
Cyber defence should therefore be considered a critical component of all modern corporate strategy. The objective of this two-part blogpost series is to present organisations, both large and small, with an overview of available options that can facilitate the establishment of a robust incident response and recovery function in the event of a breach, and ultimately enhance the security posture of the organisation. By adopting these measures, organisations can gain the means necessary to respond to an incident and limit the potential damage that a threat actor may cause.
The need for IR
Despite the diligent efforts of developers and network administrators to adhere to security best practices, attackers have matured in their capabilities, and the cyber risks faced by organisations therefore remain. An organisation’s ability to respond to an incident is its last line of defence, and an incident should be seen as an eventuality rather than a possibility. For example, the following incidents are just a small subset of the breaches experienced by large corporate organisations in 2022:
- [February 2022 Nvidia Lapsus$ Data Breach](https://www.malwarebytes.com/blog/news/2022/03/nvidia-the-ransomware-breach-with-some-plot-twists)
- [March 2022 Microsoft Lapsus$ Group Breach](https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/)
- [March 2022 TransUnion Data Breach](https://newsroom.transunion.co.za/update-south-africa-cyber-incident/)
- [May 2022 Dis-Chem Data Breach](https://mybroadband.co.za/news/security/444004-dis-chem-data-breach-3-7-million-client-records-exposed.html)
- [October 2022 Microsoft BlueBleed Data Breach](https://socradar.io/sensitive-data-of-65000-entities-in-111-countries-leaked-due-to-a-single-misconfigured-data-bucket/)
- [December 2022 LastPass Data Breach](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/)
As can be seen in the above examples, a breach can carry significant consequences for an organisation. The impact depends on the specific goals that an attacker has set out to achieve, but can be quite severe depending on the nature of the threat actor and their capabilities. Consider the lengths that a nation state actor may go to, for example, if their target is known to store a plethora of confidential information that could prove useful in the pursuit of other goals.
It is also crucial to acknowledge that the security of a system is only as strong as its weakest link. Attackers tend to exploit the path of least resistance, thereby minimising their cost and emphasising the need for comprehensive security measures that address vulnerabilities across the entire technology stack.
Regardless of threat actor motivations, these are realities that most organisations have to face, and the expense associated with cyber security is therefore an unavoidable aspect of modern business operations. Compounding the matter, these very risks are encountered not only by large organisations, but also by small-scale startups that have only recently emerged from business incubation. While the amount and type of resources these organisations can draw on differ vastly, all businesses, large and small, face this universal and costly battle.
Before the Storm
As Sun Tzu stated, “To win a hundred victories in a hundred battles is not the highest skill. The highest skill is to subdue the enemy without fighting.” Being prepared for battle, equipped with a comprehensive strategy and well-executed plans, surpasses the hasty rush into confrontation. This philosophy holds true in the realm of cyber security, where proactive preparation, robust defences and a strategic response play a pivotal role in safeguarding against attacks and minimising their impact.
For example, organisations that make use of Oracle solutions, such as MySQL or Oracle Java, should keep themselves informed of security updates by keeping track of Oracle’s [Critical Patch Updates](https://www.oracle.com/za/security-alerts/) and Security Alerts [mailing list](https://www.oracle.com/security-alerts/securityemail.html), or make use of a vulnerability monitoring platform to keep track of vulnerabilities that have been introduced to the estate through dependencies. This would aid system administrators in learning about security vulnerabilities and implementing security patches in a timely manner.
Additionally, investing in opportunities for development teams to learn about security best practices through course upskilling would greatly aid in reducing common vulnerabilities such as those listed in the [OWASP Top 10](https://owasp.org/www-project-top-ten/). In practical terms, this translates to software development practices that are more in line with security best practices; however, these measures are limited to the software that developers have direct control over. Modern software development relies on external, often open-source, code to reduce development time and talent requirements. While developers benefit from being able to use this code, attackers benefit from being able to review the same code to identify potential vulnerabilities.
One example of this, the [supply-chain attack](https://blog.f-secure.com/podcast-supply-chain-attacks/), has recently been a topic of great concern. Open-source components are usually incorporated into projects that corporations use as part of their product offering, and have been known to be the cause of an undetected breach being present on many corporate estates for [a significant period of time](https://duo.com/decipher/dozens-of-malicious-data-harvesting-npm-packages-found).
Unfortunately, this places us in a perpetual game of cat and mouse. Cyber attackers tirelessly seek vulnerabilities and exploits to breach defences. Defenders must stay vigilant, employing proactive measures, advanced technologies and threat intelligence to anticipate and counter a threat actor’s every move. Meanwhile, threat actors employ stealth, deception and innovation to exploit weaknesses and evade detection. This dynamic interplay between security defenders and malicious actors creates a perpetual challenge in which staying one step ahead is essential to safeguarding valuable assets and maintaining the integrity of digital systems.
Small versus big – the unique challenges faced by SMMEs
While larger corporations may enjoy luxuries such as a dedicated internal Security Operations Centre ([SOC](https://www.ibm.com/topics/security-operations-center)), equipped with an extensive array of enterprise solutions to facilitate the management of their security infrastructure, smaller organisations do not have comparable access to such abundant resources.
Despite the resource constraints faced by smaller businesses, there are alternative solutions available that can empower them to enhance their defensive capabilities and somewhat close the gap to larger enterprises. Cloud-based security services, for instance, offer affordable options for threat detection, monitoring, and incident response. Managed security service providers (MSSPs) can also assist by offering cost-effective outsourced security expertise and technologies. Moreover, adopting a risk-based approach and prioritising essential security measures can help small organisations allocate their limited resources efficiently.
Accounting For The Inevitable
In the regrettable occurrence of a security breach, the effectiveness of an organisation’s response is significantly impacted by the degree of preparedness and the breadth of knowledge held within the organisation. Consequently, the availability of comprehensive network maps and asset registers should be of paramount importance in ensuring the protection of the organisation’s environment.
This imperative often poses a predicament for small, medium and micro enterprises (SMMEs). Although the intrinsic value of security products tailored to safeguard their infrastructure is widely acknowledged, the accompanying expenses frequently present significant barriers, especially when factoring in organisation-specific considerations such as logging and data retention requirements.
Additionally, it is crucial to acknowledge the importance of forensic assistance in addressing security breaches. Timely and effective forensic analysis plays a pivotal role in understanding the scope and impact of an incident, identifying the root causes, and gathering critical evidence for legal and investigative purposes. Engaging forensic experts who possess the necessary expertise and tools can greatly enhance an organisation’s ability to accurately assess the breach, aid in remediation efforts, and provide valuable insights to prevent similar incidents in the future. By incorporating forensic assistance as part of their incident response strategy, organisations can bolster their resilience and strengthen their overall security posture. This expertise, however, usually comes at a premium cost and therefore might not be feasible for most SMMEs, further putting them on the back foot were a major breach to occur on their estate.
Planning For Security
“In preparing for battle, I have always found that plans are useless, but planning is indispensable.” – Dwight D. Eisenhower
Eisenhower’s quote pertains to the military domain, acknowledging the limitations of strictly adhering to plans in dynamic contexts. However, he accentuates the indispensable nature of planning, which fosters discipline, augments situational comprehension, and facilitates well-informed decision-making amid evolving circumstances. Eisenhower’s pragmatic stance underscores the paramount importance of adaptability and flexibility, and the significance of the planning process itself carries over directly to dealing with security incidents.
Several measures can be taken to bolster the security posture of our estates, in an effort to defend ourselves. These would include ensuring that we have implemented solutions such as a [Secure Development Life-Cycle](https://www.microsoft.com/en-us/securityengineering/sdl/practices), and ensuring that we keep up with security bulletins pertaining to the various solutions we make use of.
Fundamentally, having well-defined plans is crucial to establishing a consensus on security approaches. However, it is equally essential to remain open to deviating from those plans when confronted with situations that surpass existing defences. With this perspective in mind, the next blogpost in this series will discuss various options that can effectively guide the planning process, ensuring organisations start off on a solid foundation and remain adaptable in the face of ever-evolving security challenges.