Cyber Security Insights with Brad Mecha Disrupting Cybersecurity

Is your security team thinking differently?

Do you even know how any modern threat actors work?

Because if you did, you’d stop this old way of thinking:

Detect bad
Respond to bad
Prevent bad
Alert review to zero
100% true positive rate
0% false positive rate
No App Control
No Asset/Config Management
Patch only high CVSS - If you can patch
Getting caught off-guard by the board and CISO on celebrity breaches and vulns
No Attack Surface Reduction
No IR Retainer
No Tabletop exercises with executive leadership

The list goes on…

Put down your Firewall and AV manuals and start reading something more like this:

https://lnkd.in/g2ppeZxY


While it’s not perfect (ask me why over here), the joint Cybersecurity Advisory (CSA) on Scattered Spider is a good litmus test for how your people and programs stack up against this criminal actor, who is attacking EVERYBODY. No one is safe. Not even our Casinos. Sorry MGM.

Here are some nuggets to think about:

The actor heavily uses “legitimate” apps that I bet your company uses all the time, such as:

  • ScreenConnect
  • TeamViewer
  • Tactical RMM
  • Tailscale

How would I block or profile the use of these apps in my environment?
Not good. Not bad. Not detecting bad. Not preventing bad.
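Profiling rather than blocking: the question above is answered by knowing where these tools run and whether that matches policy. The block below is an added example (not code from the post or the advisory) that takes a constructed, EDR-style process-start export, attributes executions to a tool family, builds an inventory of what actually runs, and raises findings where a tool runs on a host outside an approved-use policy or from a user-writable path. The executable names in TOOL_SIGNATURES and the APPROVED_HOSTS policy are assumptions made for the example.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed EDR-style process-start export (hypothetical data, not from the advisory).
EVENTS_CSV = r"""timestamp,host,user,image
2023-11-01T09:12:03Z,HELPDESK-01,svc_helpdesk,C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe
2023-11-01T09:15:44Z,WS-042,jdoe,C:\Users\jdoe\AppData\Local\Temp\TeamViewer.exe
2023-11-01T09:20:10Z,WS-042,jdoe,C:\Program Files\TacticalAgent\tacticalrmm.exe
2023-11-01T09:31:27Z,FIN-SRV-03,administrator,C:\Program Files\Tailscale\tailscaled.exe
2023-11-01T09:40:02Z,WS-017,asmith,C:\Windows\System32\notepad.exe
"""

# Executable names attributed to each tool family. These are assumptions for the
# example; confirm them against your own software inventory before building on them.
TOOL_SIGNATURES = {
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "TeamViewer": {"teamviewer.exe", "teamviewer_service.exe"},
    "Tactical RMM": {"tacticalrmm.exe", "meshagent.exe"},
    "Tailscale": {"tailscaled.exe", "tailscale-ipn.exe"},
}

# Hypothetical approved-use policy: the only hosts allowed to run each tool.
# A tool absent from this map is not sanctioned anywhere in the environment.
APPROVED_HOSTS = {
    "ScreenConnect": {"HELPDESK-01", "HELPDESK-02"},
}

# Path fragments that suggest a portable or per-user install rather than a managed one.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def identify_tool(image: str):
    """Map a full image path to a tool family, or None if it is not a remote-access tool."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for tool, names in TOOL_SIGNATURES.items():
        if basename in names:
            return tool
    return None


def profile_events(events_csv: str = EVENTS_CSV, approved=APPROVED_HOSTS):
    """Return (inventory, findings).

    inventory: Counter of executions per tool, i.e. the profile of what really runs.
    findings:  one dict per execution that violates policy, with the reasons why.
    """
    inventory = Counter()
    findings = []
    for row in csv.DictReader(StringIO(events_csv)):
        tool = identify_tool(row["image"])
        if tool is None:
            continue  # not a remote-access tool we track
        inventory[tool] += 1
        reasons = []
        if row["host"] not in approved.get(tool, set()):
            reasons.append("host not approved for this tool")
        if any(m in row["image"].lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("runs from a user-writable path")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "host": row["host"],
                             "user": row["user"], "tool": tool, "reasons": reasons})
    return inventory, findings


if __name__ == "__main__":
    inventory, findings = profile_events()
    print("inventory:", dict(inventory))
    for f in findings:
        print(f"{f['timestamp']} {f['host']:12} {f['tool']:13} {'; '.join(f['reasons'])}")
```

The inventory is the “profile” half of the question: it tells you which of these tools your own staff already depend on, which is what an application-control policy has to be built around before anything gets blocked. The findings are the “detect” half, and they fire on policy deviation, not on the tool being inherently bad.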

- Some of the initial access came from the purchase of compromised credentials and MFA session tokens on the dark web, harvested by info stealer malware like Raccoon Stealer and Vidar
- How do your tools and your security team currently classify info stealer malware? As PUPs, or as critical incidents where sensitive credentials and session data are being exfil’d and sold on an open market for $5?

- Custom, company-specific domain names were registered and used in phishing/smishing attacks, meant to blend in with common company domain names:
victimname-sso[.]com
victimname-servicedesk[.]com
victimname-okta[.]com
Are you currently monitoring newly registered domain names for potentially fraudulent or malicious activity? That registration is the staging of future attack infrastructure.
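The monitoring the question above asks for can start as a small triage pass over a newly-registered-domains feed. The block below is an added example (not code from the post or the advisory) that refangs feed entries written in the same [.] notation as the post, and flags any name that combines a protected org name with an identity or help-desk lure term, in the victimname-sso[.]com shape shown above. The feed entries, the ORG_NAMES list and the LURE_TERMS list are constructed for the example.

```python
# Constructed sample feed entries, in the same defanged [.] notation as the post.
NEW_DOMAINS = [
    "victimname-sso[.]com",
    "victimname-servicedesk[.]com",
    "victimname-okta[.]com",
    "login-victimname[.]net",
    "victimnamehelpdesk[.]com",
    "victim-name[.]org",
    "weather-report[.]net",
]

# Org names to protect (hypothetical); lowercase, punctuation removed.
ORG_NAMES = ["victimname"]

# Lure terms that impersonate SSO, help desk or remote-access portals.
LURE_TERMS = ["sso", "okta", "servicedesk", "helpdesk", "vpn", "login", "mfa", "portal"]


def refang(domain: str) -> str:
    """Turn the defanged feed form (victimname-sso[.]com) back into a real name."""
    return domain.strip().lower().replace("[.]", ".")


def first_label(domain: str) -> str:
    """Left-most DNS label, which is where brand and lure terms get combined.

    Assumption: the feed lists registrable names, so the first label is the one
    that was registered (multi-part public suffixes such as co.uk are not handled).
    """
    return domain.split(".")[0]


def classify_domain(domain: str, org_names=ORG_NAMES, lure_terms=LURE_TERMS) -> dict:
    """Return {"domain", "severity", "org", "lures"} for one feed entry.

    high   = org name plus a lure term (victimname-sso, login-victimname, ...)
    medium = org name alone, possibly hyphen-split (victim-name)
    none   = no protected org name present
    """
    clean = refang(domain)
    compact = first_label(clean).replace("-", "")  # victim-name -> victimname
    for org in org_names:
        if org in compact:
            remainder = compact.replace(org, "", 1)
            lures = [t for t in lure_terms if t in remainder]
            severity = "high" if lures else "medium"
            return {"domain": clean, "severity": severity, "org": org, "lures": lures}
    return {"domain": clean, "severity": "none", "org": None, "lures": []}


def triage_feed(domains=NEW_DOMAINS) -> dict:
    """Group a whole feed by severity so the high bucket can go straight to a ticket."""
    buckets = {"high": [], "medium": [], "none": []}
    for d in domains:
        result = classify_domain(d)
        buckets[result["severity"]].append(result)
    return buckets


if __name__ == "__main__":
    for severity, hits in triage_feed().items():
        for hit in hits:
            print(f"{severity:6} {hit['domain']:32} lures={hit['lures']}")
```

Stripping hyphens before matching is what catches victim-name[.]org as well as victimnamehelpdesk[.]com; a real deployment would add typo-squat distance checks and take-down tracking, but even this pass turns the newly-registered-domain feed into something a SOC can action the day the staging domain appears, rather than the day the smishing campaign lands.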

RDP services exposed to the internet
Attack surface reduction?

ESXi Server exposed to the internet
Attack surface reduction
Network segmentation
Administration only networks
Properly implemented DMZs

Data exfil from ANYWHERE?
Egress firewall filters?

This list can go on too…

Until organizations start learning from breaches and how these actors operate, the old way of thinking will just keep producing the exact same results.

Like Apple used to say:

Think Different

I write about the not-so-obvious in cybersecurity to help you pave your own way in the field.
