Pondurance Security Operations Report: 2021 Q1
The Pondurance Quarterly Report shares data collected by Pondurance
Managed Detection and Response (MDR) and Incident Response (IR)
teams. It provides a glimpse into the growing attack surface and
threats that organizations face in today’s threat landscape.
Phishing attacks continue to be the top attack vector seen by our analysts.
Top attack vectors
Fraud attack glossary
- Phishing: The fraudulent practice of sending emails pretending to be from reputable companies in order to entice individuals to reveal personal information like passwords and credit card numbers.
- Malware: Collective name for a number of malicious software variants, including viruses, ransomware and spyware.
- Ransomware: An ever-evolving form of malware designed to encrypt files on a device, rendering those files and the systems that rely on them unusable.
Human error and
to be leading causes of
Root Causes of Data Breaches
- 19% Compromised Credentials
- 19% Cloud Misconfigurations
- 16% Vulnerability in third-party software
- 14% Phishing
Source: IBM Cost of a Data Breach Report [1]
The Regulatory Landscape Continues to Expand and Evolve
Privacy laws designed to protect consumers' rights to privacy require businesses to have mechanisms in place to protect this type of data.
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, a significant breakthrough in protecting consumer privacy in the United States. Since then, the CCPA has been expanded by the California Privacy Rights Act (CPRA) and has paved the way for other states, such as Virginia with its Consumer Data Protection Act (CDPA), to introduce their own privacy laws.
These privacy laws protect a consumer's right to privacy and require businesses to have mechanisms in place to protect this type of data. The CDPA requires organizations to put administrative, technical and physical data security practices in place to safeguard the confidentiality, integrity and accessibility of personal data. As bad actors continue to find new ways to penetrate networks and server ecosystems, organizations must have a plan to protect both their bottom line and their consumers from data breaches.
As state proposals evolve faster than anyone predicted, it is only a matter of time before more states (Washington and Oklahoma among them) create a patchwork of privacy regulations that makes it difficult for businesses to meet each state's requirements, strengthening the case for a federal privacy law. Learn more about the new privacy laws in our blog: Data Protection and Privacy Trends: Virginia Becomes the Second State to Enact a Privacy Law Set for 2023.
Organizations face growing challenges when trying to protect themselves from cyber attacks.
Customer Pain Points
Shortage of cyber security talent
Difficult to manage multiple tools and investigate all alerts
Undocumented processes in event of an attack or breach
Lack of visibility across the enterprise
Technology alone can’t deter motivated attackers
Security professionals are expensive to hire and hard to retain
Technology is difficult to maintain
New compliance and regulation requirements
Inability to quickly remediate or reduce attacker dwell time
Organizations are turning to the growing field of MDR service providers to support and mature their cybersecurity.
At Pondurance we combine expert human intelligence, state-of-the-art technology and a proven proprietary process to provide personal, proactive, around-the-clock support for our clients.
Protect Your Domain Controller — The Heart of Your Network
Security hygiene issues are the most common way a domain controller is initially compromised.
Organizations need to refocus on the importance of foundational security hygiene. The need for foundational security is obvious but not widely practiced. Through our MDR and IR engagements, we have seen an increase in attacks targeting domain controllers (DCs). This article details the common techniques used to gain unauthorized access to DCs as well as foundational hygiene approaches to protect them.
In 2020, we saw that 45 percent of attacks were financially motivated, and the healthcare sector was a popular target for larger-scale attacks, with a 55 percent rise in cyber attacks. These large-scale attacks wreak havoc on businesses and result in extended periods of downtime, causing lost revenue, lost consumer trust, possible privacy violations and, most importantly, damage to reputation. As ransomware continues to lead the headlines, another area businesses need to keep in mind is domain controller compromise.
Gaining domain administrator or enterprise administrator privileges is essentially equivalent to taking the keys to the castle. A compromised domain controller gives an attacker unauthorized access to sensitive data such as credit card information, business and consumer data, employee information, user credentials, business email, patient data and more. Failure to protect personally identifiable information (PII) is widespread and will drive high fines and significant regulatory consequences under the California Consumer Privacy Act (CCPA) and other state regulations.
From the domain controller, threat actors can exfiltrate data, conduct extended reconnaissance and steal intellectual property outright. Because the DC governs authentication and policy for the whole domain, they can also weaken or entirely disable other controls, which often leads to ransomware deployment.
Security hygiene issues are the most common way a domain controller is initially compromised: unpatched systems, exposed ports, misconfigurations, stolen credentials and risky user behavior. When prioritizing assets, the domain controller is often overlooked as a critical asset, but in reality it should be at the top of the list.
Three Common Attack Methods & Prevention Techniques
The following are common techniques we are observing for accessing domain controllers as well as the best way to prevent these attacks:
Compromised User and Administrative Credentials
Attack Method: Obtaining credentials for an endpoint, an administrative account or a VPN makes the first step of a domain controller compromise much easier, because the attacker can then authenticate as a legitimate user rather than having to exploit a vulnerability.
Prevention: To keep stolen credentials from being enough on their own, enforce multi-factor authentication on every protocol and interface that supports it (VPN, remote access gateways, administrative consoles) for all accounts and systems with domain-level access.
Legitimate Credentials via Remote Desktop Protocol (RDP)
Attack Method: RDP is a legitimate tool that lets IT departments remotely and easily access and manage Windows systems. Tools and services that abuse RDP are easy to purchase and use, and RDP is the most frequently abused protocol for network entry, lateral movement and exploitation that we observe.
Prevention: If you must enable RDP, ensure that compensating controls are in place: restrict access to registered origin IP addresses, limit access to the specific destination hosts that need it, and require individual (not shared) credentials protected by multi-factor authentication. Never expose RDP on a domain controller directly to the internet.
Altering Configurations Over Server Message Block (SMB)
Attack Method: Server Message Block (SMB) is a critical protocol for Active Directory and also serves as the Windows network file sharing protocol. An attacker holding legitimate credentials can use SMB to install a backdoor on a DC; those credentials are frequently obtained through user-initiated actions such as responding to a phishing email or opening a malicious payload file.
Prevention: SMB must be protected against attacks in which a server or device is tricked into contacting a malicious server, whether one running inside the trusted network or a remote server outside the perimeter that appears trusted. Network segmentation, traffic monitoring, stronger authentication and firewall best practices (including blocking SMB at the perimeter and between segments that have no need for it) keep malicious traffic from reaching the system or its network.
The domain controller is the heart of any distributed network.
At the highest level, well-known basic hygiene approaches are the best long-term strategy for protecting domain controllers. Protecting email with a filtering system, combined with outbound URL/IP blocking, is key to staving off the malicious emails that lead to privileged access. Separating local system administration from domain administration, so that the account used to administer a workstation is never a domain administrator, limits what an attacker gains when an endpoint such as a laptop is compromised and the harvested credentials are tried at the administrator level.
These gaps in the attack surface are critical reasons to monitor the domain controller at the system and application log level; to monitor access logs for anomalies such as logons from non-domain IP addresses and repeated failed attempts; to monitor network traffic at the port and payload level; to implement an EDR solution; and to schedule more frequent, enhanced audits. As domain controller attacks continue to increase in frequency and evolve, businesses must stay aware of the current attack patterns that lead to unauthorized access to assets.
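As an added illustration of the access-log monitoring recommended above (example code written for this edit, not part of the Pondurance report or any Pondurance product), the following script checks domain controller logon events for the anomalies the text names: logons from addresses outside the domain's own ranges, bursts of failed logons against one account, one source failing against many accounts (password spraying), and a success that follows a burst of failures. The event lines are constructed sample data in a simplified key=value export format; the internal address ranges and thresholds are assumptions you would replace with your own.

```python
# Added example: flag suspicious logon activity in domain controller
# Security-log events. Windows EventID 4624 is a successful logon and
# 4625 a failed logon; LogonType 10 is RemoteInteractive (RDP), 3 is a
# network logon. The SAMPLE_EVENTS below are CONSTRUCTED, and the
# key=value line format is an ASSUMED simplified SIEM export.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMED example topology: ranges the domain's own hosts live in.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
FAIL_THRESHOLD = 5             # failed logons for one account within WINDOW
SPRAY_THRESHOLD = 3            # distinct accounts failing from one source IP
WINDOW = timedelta(minutes=10)

SAMPLE_EVENTS = """\
2021-03-02T08:01:10 EventID=4624 Account=jdoe LogonType=3 SrcIP=10.0.5.23
2021-03-02T08:02:44 EventID=4625 Account=svc_backup LogonType=3 SrcIP=10.0.9.8
2021-03-02T08:03:01 EventID=4625 Account=administrator LogonType=10 SrcIP=203.0.113.45
2021-03-02T08:03:02 EventID=4625 Account=administrator LogonType=10 SrcIP=203.0.113.45
2021-03-02T08:03:03 EventID=4625 Account=administrator LogonType=10 SrcIP=203.0.113.45
2021-03-02T08:03:04 EventID=4625 Account=administrator LogonType=10 SrcIP=203.0.113.45
2021-03-02T08:03:05 EventID=4625 Account=administrator LogonType=10 SrcIP=203.0.113.45
2021-03-02T08:03:09 EventID=4624 Account=administrator LogonType=10 SrcIP=203.0.113.45
2021-03-02T08:10:00 EventID=4625 Account=asmith LogonType=3 SrcIP=10.0.7.100
2021-03-02T08:10:01 EventID=4625 Account=bjones LogonType=3 SrcIP=10.0.7.100
2021-03-02T08:10:02 EventID=4625 Account=cwhite LogonType=3 SrcIP=10.0.7.100
"""


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(ts)
        rec["EventID"] = int(rec["EventID"])
        events.append(rec)
    return events


def is_internal(ip):
    """True when the source address falls inside one of the domain's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(events):
    """Return a list of (finding_type, ...) tuples for the anomalies found."""
    findings = []

    # 1. Any logon attempt, successful or not, from outside the domain's ranges.
    seen_external = set()
    for e in events:
        key = (e["Account"], e["SrcIP"])
        if not is_internal(e["SrcIP"]) and key not in seen_external:
            seen_external.add(key)
            findings.append(("external_source", e["Account"], e["SrcIP"]))

    # 2. Repeated failures for one account inside a sliding WINDOW (guessing).
    fails_by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            fails_by_account[e["Account"]].append(e["time"])
    for acct, times in fails_by_account.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= WINDOW:
                j += 1
            if j - i >= FAIL_THRESHOLD:
                findings.append(("failed_logon_burst", acct, j - i))
                break

    # 3. One source failing against many distinct accounts (password spraying).
    accounts_by_ip = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625:
            accounts_by_ip[e["SrcIP"]].add(e["Account"])
    for ip, accts in accounts_by_ip.items():
        if len(accts) >= SPRAY_THRESHOLD:
            findings.append(("password_spray", ip, len(accts)))

    # 4. A success preceded by a burst of failures from the same source:
    #    the guessing worked and the account should be treated as compromised.
    for e in events:
        if e["EventID"] != 4624:
            continue
        prior = [f for f in events
                 if f["EventID"] == 4625 and f["Account"] == e["Account"]
                 and f["SrcIP"] == e["SrcIP"]
                 and timedelta(0) <= e["time"] - f["time"] <= WINDOW]
        if len(prior) >= FAIL_THRESHOLD:
            findings.append(("success_after_failures", e["Account"],
                             e["SrcIP"], len(prior)))
    return findings


def run_sample():
    """Analyze the constructed sample; returns four findings."""
    return analyze(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample data the script reports an external source hitting the administrator account over RDP (LogonType 10 from 203.0.113.45, which also means RDP on the DC is reachable from outside), a five-failure burst on that account, a spray of three accounts from 10.0.7.100, and the administrator success that followed the burst. In production the same logic runs over events pulled from the DC (for example via Windows Event Forwarding or a SIEM) rather than the embedded sample.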
The cost of a data breach is only increasing year-over-year, and businesses should focus on securing their assets with a holistic cyberdefense solution and prioritize security awareness training throughout the entire business.
How Pondurance Can Help
Our mission is to ensure that every organization is able to detect and respond to cyber threats – regardless of size, industry or current in-house capabilities. We combine our advanced platform with decades of human intelligence to decrease risk to your mission.
Closed-Loop Managed Detection and Response
Recognized by Gartner [2], Pondurance provides 24/7 US-based SOC services powered by analysts, threat hunters and incident responders who use our advanced cloud-native platform to deliver continuous cyber risk reduction. By integrating 360-degree visibility across log, endpoint and network data with proactive threat hunting, we reduce the time it takes to respond to emerging cyber threats.
Pondurance MDR is the proactive security service backed by authentic human intelligence. Technology is not enough to stop cyber threats. Human attackers must be confronted by human defenders.
When every minute counts, organizations need specialized cyber security experts to help them respond to a compromise, minimize losses, and prevent future incidents.
Pondurance delivers digital forensics and incident response (DFIR) services with an experienced team capable of guiding you and your organization every step of the way. This includes scoping and containing the incident, determining exposure through forensic analysis and helping to quickly restore your normal operations.
Security Consultancy Services
Our specialized consultancy services will help you assess systems, controls, programs and teams to uncover and manage vulnerabilities. Our suite of services ranges from penetration testing to red team exercises, along with compliance program assessments for highly regulated industries. We provide security incident response and business continuity planning to put you in the best position to defend against and respond to cyber attacks.
“Hospitals are people taking care of people. We have discovered in our relationship with Pondurance that forensic IT companies are also people taking care of people. It just happens to be through computers."
Steve Long, CEO, Hancock Health
Pondurance delivers world-class managed detection and response services to industries facing today’s most pressing and dynamic cyber security challenges including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce.
By combining our advanced platform with our experienced team of analysts we continuously hunt, investigate, validate and contain threats so your own team can focus on what matters most.
Pondurance experts include seasoned security operations analysts, digital forensics and incident response professionals and compliance and security strategists who provide always-on services to customers seeking broader visibility, faster response and containment and more unified risk management for their organizations.
Visit www.pondurance.com for more information.
1. Cost of a Data Breach Report 2020, IBM, https://www.ibm.com/security/data-breach.
2. 2020 Guide for Managed Detection and Response Services, Gartner, https://cybersecurity.pondurance.com/gartner-2020-report-download_wgc.
3. Healthcare Breach Report 2021, Bitglass, https://pages.bitglass.com/CD-FY21Q1-HealthcareBreachReport2021_LP.html.