Setting the Scene
The most frequent cyberattack we are seeing lately is Business Email Compromise, or BEC. We are still seeing a fairly high volume of attacks on business networks directly, but BEC is the most prevalent at the minute.
The biggest trend we are seeing is how quickly phishing-type attacks are being improved through the use of AI to become more convincing. This is compounded as businesses increase their use of legitimate AI-generated communications, which makes these types of email or message more familiar to end users.
All businesses are potential targets. That being said, businesses whose customers are primarily other businesses are high-value targets, especially if they are in an industry that already carries an inherent degree of trust or authority, such as solicitors or accountancy firms.
How the Attacks Unfold
Attacks can start from something as simple as a clicked link in a malicious email, or from somebody reusing their work credentials for a private service such as a social media login or a MyFitnessPal or PaddyPower type account. If one of these services is compromised and user accounts are stolen, the stolen credentials will be used to try to gain access to the user's business account. Once an account has been successfully compromised, a sophisticated attacker will review the access they have gained and decide whether the account is valuable enough in itself, because of the access it has, or whether it is better used as a staging ground to try to compromise other users with higher access or other businesses that may hold more valuable or more easily usable data. This decision can be made in a couple of hours.
The most common attack entry points are still email accounts and VPN accounts that are not MFA protected or that have weak MFA enforcement, for example MFA only being enforced once every 30 days. Personally, our standard is a minimum of one MFA sign-in per device every 5 days for user accounts and once every 2 hours for administrator accounts.
The biggest misconception that I am still running into is businesses assuming they aren't a target because they are an SMB or they don't deal with "sensitive" data. Often these are the businesses targeted most, as they can be an entry point to other organisations.
Detection and Response
A combination of monitoring and user reports is how we detect most incidents. It is becoming more common, however, for users to be entirely unaware they were under attack when we call them. Most often we get alerts for login attempts, or worse, successful logins, from countries that users would not normally work from. At that point we contact the user by phone to verify whether they are travelling, reset their logins if required, or enforce conditional access policies to limit where their account can be logged into from.
Once an attack is detected, the security team works to lock down the entry point, whether it is a user account, a network port, or something else. Then we contact the affected party to advise on what we have seen and what needs to happen to restore legitimate access. We then review the available logs around the specific incident to determine the extent of the breach and what data and assets have been impacted.
The Main Difference is Impact
A small cyber incident is a minor security event that causes limited disruption or damage, can be contained quickly, and does not significantly impact business operations, data integrity, or reputation. For example: a phishing email is received but identified and reported before anyone clicks the link; a single employee's password is compromised but no data is accessed; malware is detected and removed by antivirus software before spreading.
A serious cyber incident involves a significant breach or disruption that impacts business operations, exposes sensitive data, or causes financial, legal, or reputational harm. These incidents often require escalation, external support, and regulatory notification. For example: ransomware encrypts company data, halting operations; customer or employee personal data is stolen or leaked; attackers gain long-term unauthorised access to internal systems.
Lessons Learned
MFA, MFA, MFA. It is no longer an optional security measure. We have found lately that we are getting the most pushback on regular MFA enforcement from senior management figures in businesses, which is unfortunate, as they often have the most access to sensitive data and systems. It also makes it more difficult to get buy-in on security practices from the rest of the staff when the people in charge don't buy in.
Location compliance policies have been massively successful in reducing successful attacks. In instances where users have been successfully phished and their logins compromised, or their MFA token hijacked through malware, these policies block login attempts that use correct credentials but come from unapproved networks or countries. We have been able to get several users' accounts secured before any actual breach has happened, while the hackers are still trying to figure out which country they can log in from.
Adopting a policy of least privilege, which means that staff only have access to the data they need to do their jobs and no more. This requires businesses to have a solid grasp of the data they have stored, to know who needs what access, and to define roles for staff with specified access. This not only limits accidental data disclosure but also limits how much access a malicious actor can gain should an account be compromised.
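The two account controls described above, a country allow-list that blocks correct credentials from unapproved locations and an MFA sign-in frequency that differs for users and administrators (5 days per device and 2 hours respectively, as stated under "How the Attacks Unfold"), can be modelled as a small policy evaluator. The following is an added example written for this page, not code from the author's service or any vendor product: the tenant's approved countries, the event format and the sample sign-in stream are all constructed assumptions. It also shows the alert an analyst would act on by phoning the user, as described under "Detection and Response".

```python
"""Evaluate sign-in events against a country allow-list and an MFA
sign-in frequency policy. Example code with constructed data; the
policy values, event format and tenant are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed tenant policy: approved countries and MFA freshness by role
# (5 days per device for users, 2 hours for administrators, as in the text).
APPROVED_COUNTRIES = {"IE", "GB"}
MFA_MAX_AGE = {"user": timedelta(days=5), "admin": timedelta(hours=2)}


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    role: str            # "user" or "admin"
    device_id: str
    country: str         # ISO 3166-1 alpha-2 derived from the source IP
    password_ok: bool    # credentials were correct
    mfa_completed: bool  # an MFA challenge was satisfied in this sign-in


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "require_mfa" or "block"
    reason: str


class ConditionalAccess:
    """Stateful evaluator: remembers the last MFA time per (user, device)."""

    def __init__(self, approved_countries, mfa_max_age):
        self.approved = set(approved_countries)
        self.max_age = dict(mfa_max_age)
        self._last_mfa = {}   # (user, device_id) -> datetime of last MFA
        self.alerts = []      # blocked sign-ins that used correct credentials

    def evaluate(self, ev: SignIn) -> Decision:
        if not ev.password_ok:
            return Decision("block", "incorrect credentials")
        # The location check runs first, so correct credentials (or a hijacked
        # session that already passed MFA) from an unapproved country are
        # still blocked, and an analyst is alerted to phone the user.
        if ev.country not in self.approved:
            self.alerts.append((ev.user, ev.country, ev.ts))
            return Decision("block", f"unapproved country {ev.country}")
        key = (ev.user, ev.device_id)
        if ev.mfa_completed:
            self._last_mfa[key] = ev.ts
            return Decision("allow", "MFA completed")
        last = self._last_mfa.get(key)
        limit = self.max_age[ev.role]
        if last is None or ev.ts - last > limit:
            return Decision("require_mfa", f"no MFA within {limit} for role {ev.role}")
        return Decision("allow", "MFA still within sign-in frequency window")


def run_sample():
    """Constructed sign-in stream in time order; returns (actions, alerts)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    events = [
        SignIn(t0, "alice", "user", "D1", "IE", True, True),
        SignIn(t0, "bob", "admin", "D2", "GB", True, True),
        SignIn(t0 + timedelta(hours=3), "bob", "admin", "D2", "GB", True, False),
        SignIn(t0 + timedelta(hours=3), "bob", "admin", "D2", "GB", True, True),
        SignIn(t0 + timedelta(hours=4), "bob", "admin", "D2", "GB", True, False),
        SignIn(t0 + timedelta(hours=5), "bob", "admin", "D3", "GB", True, False),
        SignIn(t0 + timedelta(days=1), "alice", "user", "D1", "IE", True, False),
        SignIn(t0 + timedelta(days=6), "alice", "user", "D1", "IE", True, False),
        # Correct password from an unapproved country: the phished-credential case.
        SignIn(t0 + timedelta(days=6, hours=1), "alice", "user", "D1", "US", True, False),
    ]
    ca = ConditionalAccess(APPROVED_COUNTRIES, MFA_MAX_AGE)
    actions = [ca.evaluate(ev).action for ev in events]
    return actions, ca.alerts


if __name__ == "__main__":
    acts, alerts = run_sample()
    for action in acts:
        print(action)
    for user, country, ts in alerts:
        print(f"ALERT: phone {user}; correct password used from {country} at {ts:%Y-%m-%d %H:%M}")
```

Note the ordering of the checks: because the country test precedes the MFA test, a session token stolen by malware after a legitimate MFA is still refused once it is replayed from outside the approved countries, which is the behaviour the text credits with stopping several compromises before any data was reached. The administrator on a new device (D3) is challenged immediately, and the ordinary user is only re-challenged after the 5-day window lapses.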
Technology & Best Practices
MFA and Conditional Access policies have become the first line of defence for user accounts. Without these tools the question changes from "Can we be compromised?" to "When will we be compromised?". Rolling out a capable EDR solution to all business workstations and servers is now a necessity. EDR stands for Endpoint Detection and Response and is the next step beyond antivirus solutions, because it can monitor behaviour on devices in real time to contain threats, whereas antivirus can only catch static threats such as malware that matches its internally defined list.
EDR, Conditional Access, ZTNA (Zero Trust Network Access), Advanced Mail Filter.
Our managed security services monitor for unusual or malicious behaviour in M365, as well as on internal networks through Managed EDR, which allows us to respond to incidents in real time and significantly reduces the impact and disruption caused by cyber threats.
Human Factor & Awareness
User behaviour plays a major role in business cyber attacks, and while businesses should strive to limit mistakes through internal policy, it is neither possible nor practical to limit all possible user behaviour that may lead to a cyber attack. Those risks that can't be addressed through policy should be covered in regular security awareness training.
Training should be at least somewhat tailored to users based on their role in the company, but I would say everyone would benefit from regular email security training, as phishing is the start of most major incidents.
I have an incident where a user had fallen for a phishing email, clicked the link, supplied their credentials and then realised their mistake. They immediately reset their password and called the IT support desk. When we reviewed their logs we could see that the malicious actor had begun to log into their account but was locked out before they could access any data by the user resetting their password. This type of action only happens in environments where staff are not fearful of reporting mistakes.
Looking Ahead
I expect AI-powered scam and phishing campaigns to become more prevalent and more convincing over the next 6-12 months.
By consistently upskilling our team as new technologies emerge and are adopted in the business environment, and by keeping up with new security tools and how they can be integrated into our existing security stack.
Security by culture > Security by decree. Security often, if not always, comes at the cost of convenience, and losing convenience causes friction with staff. This can be mitigated by ensuring staff understand why security measures are put in place and the ramifications of failing to follow them.