A data breach is a cyber incident that exposes or compromises an organization's sensitive, protected, or confidential data. The breach can be overt, such as a ransomware attack where a threat actor holds an organization's data hostage until the organization pays the ransom demand, or covert, such as a malware attack where a threat actor may operate undetected in a network for weeks or months. Either way, a breach can trigger business, regulatory, and legal issues that disrupt an organization with lingering effects.

Doug Howard, CEO at Pondurance, explains how attackers orchestrate a breach and the impact these attack methods can have on an organization in the Threat Landscape Update: A Challenging Year Ahead webinar. Doug discusses topics of concern including current attack techniques, breach investigations and validations, and recommendations for how to improve your cybersecurity.

Attack Techniques

Sophisticated threat actors are using proven attack techniques and new, creative ones to infiltrate networks. The use of business email compromise is on the rise, especially for organizations that have multifactor authentication (MFA) but haven’t yet turned on enforcement. 

“It’s great to have MFA,” Doug says. “But if you don’t have enforcement on, it’s not much better than using username and password.” He strongly recommends using MFA rather than single-factor authentication for virtual private networks and any type of remote access, including the cloud.

Ransomware attacks have increased this year, too, but not at a significant rate; however, Doug expects the ransomware trend will accelerate in 2024. Threat actors are also using legitimate tools, such as payment platforms and remote desktop access tools, in illegitimate ways to gain unauthorized access to an organization's network.

In addition, Doug talks about “confirmation of the compromise,” where a threat actor claims to have compromised an organization’s data and provides some proof of a compromise. But is it an actual breach? Doug offers details about how your organization can determine if data was indeed exfiltrated by the threat actor.

Investigations and Violations

The anatomy of a breach includes eight distinct actions that a threat actor takes for a successful breach. These actions include reconnaissance and resource development; initial access; execution, persistence, privilege escalation, and credential access; defense evasion; discovery; lateral movement; collection; and command and control. Doug explains these actions taken by the threat actor during the breach and discusses the subsequent business, regulatory, and legal actions taken by the organization following the breach.

When a breach is suspected, the cybersecurity team, executives, and board members can feel on edge. But it’s crucial to know precisely when to declare the suspicious incident to be a breach. 

“Always involve the lawyers quickly,” Doug suggests. By involving legal counsel at the outset of the incident, the attorneys can offer guidance on when to make the legal determination that a breach has occurred and on how to provide notification of the breach.

To limit the damage immediately after a breach, the attorneys must perform a legal analysis to get answers to questions such as: What information was accessed? What compliance areas or regulatory requirements were violated? Who do we have to notify? What is the time period for notification? Then, a risk analysis must be conducted to avoid a secondary attack in the near future. Doug advises that executives should talk with employees about the breach and stresses the importance of determining areas for improvement.

“Make sure that you’re improving on all those areas that created friction,” Doug says. “Because unfortunately, threats continue to evolve, and ultimately, almost any company is going to have one or a few events in their next 10-year history.”

Recommendations

What can you do to protect against threat actors in today’s threat landscape? Doug gives several helpful suggestions on how organizations can improve their cyber environments. His recommendations include knowing where your personally identifiable information and regulatory data live within your system, communicating regularly with employees to reinforce user awareness training, and modernizing 24/7 detection capabilities, to name a few. 

Conclusion

A breach can trigger business, regulatory, and legal issues that disrupt an organization with lingering effects, so be prepared. Know the attack techniques, understand the requirements of breach investigations and validations, and get recommendations on how to improve your cybersecurity in the current threat landscape. To learn more, watch the webinar.