Dissecting Cybersecurity Breaches: How They Happen & How to Stop Them

Learn from our experts on what causes cybersecurity breaches, how they affect businesses, and how you can stop them.

Webinar

3 minute read

Aug 16, 2023

Before a breach breaks down your business, learn how to break down a breach. In this previously recorded webinar, our experts show you how data breaches happen and how to prevent them. See the ways cybercriminals are getting access to your business, how to spot a breach, and what to do next.

Watch the Full Recording of "Dissecting Cybersecurity Breaches: How They Happen & How to Stop Them" Below

What You'll Learn

  • The vulnerabilities that most commonly lead to breaches
  • What being breached really means for businesses beyond the buzzwords
  • How real companies fared against attacks and what they could’ve done differently
  • How MSSPs use red and blue teams to secure businesses
  • What businesses need to know about cybersecurity going forward

How Do Data Breaches Happen?

A data breach can mean a lot of things and be the result of many unique vulnerabilities. From stolen credentials to unsecured devices, anything can be a vulnerability because cyber attackers have become smarter, faster, and more creative over time. This means businesses have to do everything they can to protect themselves from evolving threats.

Watch as our panel of security experts from both Impact and our cybersecurity partner, DOT Security—including Kristina Caselli, Senior Service Desk Manager at Impact; Jeremy Haberkorn, vCISO at DOT Security; and Cameron McCarty, Cybersecurity Manager from the SOC at DOT Security—discuss how breaches occur, what they look like, and how businesses can stop them.

Red Team vs Blue Team: How They Shape Business Security Together

One reason an MSSP is so effective at building and maintaining high-level security for businesses is that it has red teams and blue teams that tackle vulnerabilities from both sides.

The red team performs penetration tests against security systems to find vulnerabilities. Think of them as ethical hackers.

The blue team actively responds to boost security, using the findings from the red team’s simulated attacks and applying new tools, technologies, and controls to make sure real cybercriminals can’t take advantage of the same exploits.

Without these competing teams working for your business, you’ll often simply not know about potential vulnerabilities until it’s too late. You don’t want to unearth new exploits because a cybercriminal found them first!

In this video, we brought a member from each team to show how they think and how their teams could help businesses avoid major breaches.

How Can You Mitigate the Risks of a Data Breach?

Though many businesses think they are too small or too unimportant to be attacked, they could not be more wrong. It’s critical that businesses of all sizes take the appropriate strides to secure their people, technology, and data.

In modern business, this means implementing key security controls like:

  • Access management
  • Network monitoring
  • Strong password management
  • User awareness training
  • Edge security

Watch the video above to hear it all straight from our experts or learn more about cybersecurity with Impact.

Transcript of Dissecting Cybersecurity Breaches: How They Happen & How to Stop Them

KRISTINA CASELLI

Good morning everyone and welcome to Dissecting Cybersecurity Breaches: How They Happen and How to Stop Them. My name is Kristina Caselli and I will be the moderator throughout the webinar. In today's episode, we'll be covering breaches from both the attacker side and the defender side and giving you real-world examples of business breaches. We are very excited to bring you our experts to walk you through it, but before we get started, there are a couple of housekeeping items I'd like to review. First, all attendees are on mute.

KRISTINA CASELLI

If you're having any audio or video issues, please let us know using the ask questions section on your screen. You can also use the questions section to ask our panelists a question about today's topic. We'll be answering questions at the end of today, so feel free to ask questions at any time. Also, you can find related content on the console if you want to explore more about today's topic. Lastly, the session is being recorded.

KRISTINA CASELLI

Everyone who signed up for today's webinar will receive a link to view on demand. So first I'd like to introduce two of our cybersecurity experts from DOT Security, Jeremy Haberkorn and Cameron McCarty. Jeremy's role within the red team is to simulate real-world cyberattacks to identify vulnerabilities and weaknesses in an organization's security defenses. And Cameron's role within the blue team is to defend against cyber threats, monitor for potential attacks, and respond to incidents to maintain the security of the organization's systems and data. So as I mentioned, today we'll be covering breaches from the attacker and defender side and giving you some real-world examples.

KRISTINA CASELLI

So, Jeremy or Cameron, can you explain what exactly is a breach?

JEREMY HABERKORN

Okay, yes. Thank you, Kristina. For me, a breach is basically an unauthorized event, whether it be from a person or a program, that jeopardizes the confidentiality, integrity and availability of information systems or data.

KRISTINA CASELLI

And, what is the number one way that most breaches happen?

JEREMY HABERKORN

Most breaches are conducted through social engineering. Hackers or malicious actors still take advantage of people's good nature, and they do this through phishing, vishing, or even smishing attacks. And the reason why it's so popular is the simple reason that it works. Malicious actors like going through social engineering, and using social engineering through the most popular medium, which is email, because it can bypass all of the security mechanisms that an organization has in place, from the firewall to the email areas that are set up to kinda keep the malicious actors out. It could bypass all that, and it usually arrives at the victim's computer inside the target network.

JEREMY HABERKORN

So it'd be, like, live right on the network, and that's the reason why email is the preferred attack mechanism.

KRISTINA CASELLI

Alright. Cameron, did you wanna add on to that at all?

CAMERON MCCARTY

Yeah. I mean, basically, that's the best place for them. That's the easiest way for them to get past pretty much any of the defenses, any of the infrastructure that you have in place. It's one of the reasons why these attacks are becoming more common, because with more and more people working in a lot of different environments, sometimes they may not have the training, sometimes they may not have the know-how. It's the path of least resistance to break into anybody's infrastructure.

KRISTINA CASELLI

And what are attackers after and why are attacks becoming more frequent and more damaging?

JEREMY HABERKORN

So malicious actors are basically looking for, you know, sensitive information, critical information. There are different types of reasons for cyberattacks. They could be going after top secret, national security secrets such as military things. They could be attacking an organization to cause harm for a political reason or for an environmental reason. But most of the reasons why they do it is just for money.

JEREMY HABERKORN

They're looking to go after an organization to hold something near and dear to them as ransom and make money off it. Why are these becoming more frequent and more damaging? Well, it's a combination of everything that's going on. You have increased connectivity to the Internet. So you got more devices that are connected to the Internet, which means there's more areas and more and more targets that can be looked at, that could be taken into account to compromise an environment: cameras, whatever the case might be.

JEREMY HABERKORN

Another reason is that more and more companies, in an attempt to offer more services to their customers, are moving data into the cloud. So if you're not in the cloud, then you are potentially not able to do all the things that you wanna do with your customers, give them all the services that they want, be able to interact, and be able to be an effective business in today's market. So data being in the cloud and more things being connected. I also think that there's a lack of international regulations, so there's a lot of inconsistencies in regulations and agreements among countries as far as what cyber norms are, and that kind of makes it hard to stop a lot of organizations and groups from sitting there and launching attacks within these countries, and because of that, there's also issues with cybersecurity awareness and IT resources. As Cameron had mentioned before, a lot of the IT departments are being stressed and strained, having to take on a lot more responsibilities and functionalities and not having all the staff there to be able to help.

JEREMY HABERKORN

And also, as a result of that, not being able to train users on identifying what cyber threats are and being able to identify them to not fall victim to them and to just basically be more savvy when it comes to things coming in emails or even in text messages on your phones. So it's a combination of all these things working together that's making them more frequent and more damaging.

CAMERON MCCARTY

And just to build on that as well, the concept of protecting your perimeter has also kind of gone away with companies trying to be more available and more agile, you know, allowing their employees and such to work from multiple different locations. It's no longer about just protecting one location and hardening that network. Now you have to consider the aspect of other networks, other locations that your employees may come in contact with, may come and log into your infrastructure or your network or your applications through. And as a result of that, you know, not everybody's infrastructure, not everybody's network is up to the same standards as everyone else's. So it opens up more avenues of attack for threat actors to compromise your environment, whether it be directly through your network firewall coming into your company or through, you know, that employee over in finance who works remote, who works from an Internet cafe or something and is on a network that isn't properly secured.

CAMERON MCCARTY

It's multiple different entry points now that need to be considered. Because this has expanded the avenues, the opportunities are out there, and these attacks are starting to become more and more frequent because of a culmination of all of these reasons.

KRISTINA CASELLI

Alright. Now let's discuss some recent breaches through the lens of the red and the blue teams: how the hacker got in, what vulnerabilities were exploited versus what could have been done to stop it, and what can be done now to correct it. Recently, both Oregon and Louisiana were victims of a DMV breach. The Louisiana DMV had 6,000,000 records stolen.

KRISTINA CASELLI

The Oregon DMV had 0.5 million stolen. This included driver's license information, social security information, vehicle registration information, and more. This was done by a ransomware gang hacking their MOVEit file transfer system, the same one used in many recent ransomware cases. Jeremy, can you explain from the attacker side what was the motivation for the attack?

JEREMY HABERKORN

Well, like I mentioned earlier, money. It's always money. The malicious actors basically discovered an exploitable vulnerability, and that gave them the potential to, you know, be able to gather sensitive information from an organization. And, basically, they were able to find this, and then, you know, obviously hold the information as ransom. In this case, they were looking at not necessarily encrypting the actual information, but more holding it and, you know, they're basically going through extortion.

JEREMY HABERKORN

Like, they were saying that they were gonna go public with this information if they didn't pay a certain amount of money. And a lot of these ransomware groups are pivoting away from encrypting information locally on a host and going more for extortion and saying that if you don't pay a sum within a certain amount of time, we're gonna publicly disclose all the information. And there's a real reason why they're starting to pivot away from that: it's because there's a lot of time, energy, and engineering that's gotta go in with these ransomware groups to come up with ways to bypass all the security measures and products that are out there on the market that are basically designed to thwart this type of activity within an organization. So it's a lot of times just easier to basically extract all the information and then hold it ransom in that way, saying that if you don't pay, we're gonna release it. So, from a technical perspective, it's a lot easier to do that type of attack as opposed to encrypting everything.

KRISTINA CASELLI

And how did they infiltrate the system?

JEREMY HABERKORN

So the group that was most associated with the MOVEit vulnerability, they are a Russian cyber group known as Cl0p. It was actually kind of funny when I found the name of it. But anyways, how were they able to identify this? Well, there's a lot of resources on the Internet that you can go and access that give you a wealth of information, so that you don't really even have to do any scans yourself. I imagine that this group used a utility very similar to Shodan.io, which is a web crawling service that basically, if something has a point of contact on the Internet and it can be reached, this crawler is gonna find out all the information it can: what's associated with the IP address, what's running on it, what vulnerabilities, what certificates.

JEREMY HABERKORN

Anything it can gather from its queries, it's gonna find that. And that's probably how they used this. They used Shodan to identify the certificates that had MOVEit labeled on them, and then they were able to get a whole entire list of IP addresses that looked like they were using the software. And then they could do some additional research and find out what companies and organizations the IPs belong to. And they could start testing to see if the zero-day attack would work with these companies, and then they could go from there.

JEREMY HABERKORN

I will say that this group does have some boundaries as far as the information that they would gather. They basically have said that they were not gonna go and target any government entities or any type of military installations or anything like that. And schools and hospitals they're not necessarily gonna target. My guess is that they didn't want to deal with any potential repercussions from attacking these entities. And from what I could see doing some research, although Oregon and Louisiana were breached, it doesn't look like they actually posted the information.

JEREMY HABERKORN

They just made them aware that they had it, but they didn't post it. But, you know, if the money isn't flowing and they're looking for things, they might change their tune and they might start going after money. Sure.

KRISTINA CASELLI

And how did it spread?

JEREMY HABERKORN

Basically, that, in a nutshell, is basically, I think, how they were going about it. They just used Shodan.io, they grabbed the information, they did their homework, then they figured out who it belonged to, and then they went from there.

KRISTINA CASELLI

Okay. And, Cameron, can you explain from the defender's position why was the exploit so vulnerable?

CAMERON MCCARTY

Sure. So this exploit was extremely vulnerable because, for one, it was a zero day. And for those who don't know, zero days are basically vulnerabilities that are inside of applications or code that the developers may not even themselves be aware of. It's one of those things that has never been seen in a while. It's not been documented, but the attackers have found a way to exploit some type of vulnerability in it in order to access something that they shouldn't, or get to data, or force the application to behave in a way that it shouldn't to further their causes.

CAMERON MCCARTY

And in this particular case, MOVEit software is a very common software used by a number of different organizations. It's very, very widely used for file transfer and data transfer to kind of help simplify the process for, you know, the people who have used that application. So as a result, this being the zero day, once this got, you know, discovered, the potential targets out there were vast at this point. So all they had to do, like Jeremy said, was use a lot of open source tools or openly available tools that are out there to kinda pick who they wanted and narrow down their targets and then go for it.

KRISTINA CASELLI

And what should the business have done to secure itself?

CAMERON MCCARTY

So in this particular case, because it was a zero day, it's more of an emergency situation. There wasn't much that could have been done prior to the incident, prior to the attack, but once the attack was disclosed, once the information started to flow, this is more of an all-hands-on-deck kind of a scenario, in which the organization would have immediately needed to follow a lot of the mitigation methods that were put in place by Progressive, Progress, sorry, which is the company that developed the MOVEit software. And that is basically to update to the latest patch version or, if it was felt that wasn't feasible for the environment, then disabling HTTP traffic to ports 80 and 443 for the MOVEit Transfer software entirely. And while this would effectively render the software useless, you couldn't utilize it to transfer data anymore, it would also prevent the attackers from exploiting it further in order to get access to, you know, compromising or important or secure data.

KRISTINA CASELLI

Okay. And next, I'd like to discuss the Okta breach. They were breached via third-party access. Over 350 corporate customer records were stolen when the hackers got access to the company's internal network. They got access by using credentials stolen from a third-party customer service company Okta uses.

KRISTINA CASELLI

Customer service companies often have a large amount of access to records to help them perform their duties. Jeremy, can you explain from the attacker side what was the motivation for this attack?

JEREMY HABERKORN

So a recent trend, I shouldn't say recent, but yeah, I guess recent is probably better. Instead of actually focusing on single companies, they shifted more towards MSPs and MSSPs, for the main reason that, when you go after these companies, the jackpot's gonna be a lot bigger. If you can compromise them, you can get access to a lot of other companies that they provide services for, and they have credentials to get in there. And so the payout's gonna be a lot bigger, so for all the effort and everything that you do, the reward is gonna be a lot more than going after individual companies and having to put a lot more work and effort in to be able to get there and get everything that you want.

KRISTINA CASELLI

And how did they infiltrate the system?

JEREMY HABERKORN

So, as they also noticed too, a lot of times some of these MSPs and MSSPs are very, very well locked down, especially if they're companies that are providing security services and everything for their clients. So they're gonna be a very hard nut to crack to be able to go in there and get something. But what they started to realize is that every company has some services that they usually farm out and give access into. People that work on the HVAC systems. You have support for printers or for ERP systems, stuff where you actually contract that out to experts much like them to be able to do the work in there.

JEREMY HABERKORN

So a lot of the malicious actors started targeting these supply, what basically, they do a supply chain attack. They start targeting these companies that provide services for the big MSPs or the big companies with the hope that these smaller companies are, you know, not as secure as the company that they're working for, and that those IDs that have been given to those companies potentially have more access than they should because of the work that they're doing or the systems that they're accessing, that the parent company will give the contractors some more rights than they normally would have. But the fact is that the smaller company, the subcontractors, the HVACs, the ERP, the printers, they are not gonna have as many good security standards in place, they're gonna be sharing passwords possibly. The passwords are not gonna be that difficult. And the idea of going after them and cracking it and getting access to the bigger prize is gonna be an easier path than trying to go head on.

KRISTINA CASELLI

And how did it spread?

JEREMY HABERKORN

So, like anything, if you were to actually get into the network using some stolen credentials and you had access to systems, the malicious actors would start surveying the landscape, seeing what they have access to, seeing what they can do, just observing traffic as it's going around, capturing packets, seeing whether SMB signing is enabled, doing little sprays here and there, testing out the security policy, just trying to get a lay of the land and identify where stuff might be. You know, look for login scripts, maybe look for shares, see if you have access, taking advantage of some misconfigurations in the environment. And, if you have enough access and it goes unnoticed, eventually, you're going to find something that's gonna give you some really good information. And I imagine that's what actually happened: they were able to find some shares or whatnot, or found some credentials that they could use to access a system that actually gave them all the information that they were looking for.

KRISTINA CASELLI

And, Cameron, can you explain how this could have been stopped from the defender's position and why the exploit was so vulnerable?

CAMERON MCCARTY

Sure. In this particular case, there's a number of different reasons why it was so vulnerable. Incidents like this tend to occur because, as Jeremy stated, a lot of threat actors, instead of going directly after their main target, will go through the targets that are affiliated with them: the smaller companies, the HVAC, the maintenance companies, the smaller organizations that just help the business run, that people don't really think about within the course of the day, because of the simple fact that they have access to this particular organization. So the downside is that most companies don't take into consideration the actual security posture of the organization that they're working with, that they're starting to interact with. They don't perform something known as a vendor security assessment, which is basically sitting down and analyzing and going back and forth to kind of determine how that third-party organization handles their data, how they're going to be connecting to your enterprise environment, how they're going to be utilizing those connections, when they're gonna be utilizing the data they're gonna be moving across, etcetera, etcetera.

CAMERON MCCARTY

And in cases like this, if that's not properly done, then a threat actor can compromise an environment of, say, you know, your HVAC maintenance company who connects remotely over SSH to your network in order to survey and perform maintenance on, you know, your HVAC system. But if enough thought is not properly put into it in this particular case, then attackers are able to compromise that company, the account used to form that SSH connection. And then, as Jeremy stated, start to root around in there, see what they can get access to. Because another thing that needs to be done in this case is that your network needs to be audited as well. You need to do regular maintenance and regular auditing on your network to identify and ensure that these service accounts or these third-party accounts that have access to your network don't have access to anything that they shouldn't.

CAMERON MCCARTY

So if the only thing that they're logging in to do is survey the maintenance and the HVAC equipment, they shouldn't have access or shouldn't be able to see anything related to finance. They shouldn't be able to jump VLANs and access any data in HR's share folder or be able to connect to any of the servers or even see them. They should only be able to see the things that they absolutely need to have access to, through, you know, a method known as least privilege. So in this particular case, the attackers were able to exploit that very thing. They were able to compromise the subprocessor used by Okta for customer support.

CAMERON MCCARTY

And from there, were able to kind of root around inside of Okta systems and get access. So things like this are one of the things that companies need to take into consideration, need to be conscious of when they're, you know, forming these partnerships and these arrangements and these agreements with third-party companies, especially when it comes to the data that gets exchanged between the two. And another way that they can also help mitigate these types of attacks is segmenting their networks so that the devices in question don't have access to anything else, but also properly securing the entry point that this third-party vendor has to their environment. Implementing something as simple as, say, a jump box, which is just a device that's stationed on the perimeter of the network that this third-party vendor exclusively has access to, and this is how they remote in and connect to your infrastructure, how they get to your environment. And then also implementing a lot of tools to gather telemetry and watch these connections, to watch the behavior around this, such as a SIEM solution that's looking at the network traffic, such as endpoint detection and response solutions to look at the behavior that's happening on this jump box.

CAMERON MCCARTY

So that way, you know, as the IT person or your organization, you're able to monitor and be aware of the connections that are being made from this third-party vendor into your environment: when they're making these connections, how long they're making these connections, are they transferring data through these connections, what type of data are they transferring, how much data are they transferring. And then even when they're in that jump box, you're watching the connections to and from that device to the other resources on your network, such as: are they only connecting to that HVAC system? How long are they connecting? Are they trying to access other things? Are they trying to make connections to other devices on the network that they technically shouldn't have?

CAMERON MCCARTY

Are they doing this at a time that they technically shouldn't? You know, if normal behavior is they're doing this between the hours of 2 and 4 PM and suddenly at about four in the morning you have queer connections being made with this jump box, that's an immediate red flag. These are the things that should be done to properly secure your network, because at that point you're able to spot those malicious attacks, those things that should be investigated. Your security teams should be able to identify these things to make sure that nothing bad is happening and the data is being properly secured. And if something is happening, the steps are being taken to keep them locked out.

KRISTINA CASELLI

Alright. Thank you, Jeremy. And the last breach that I'd like to discuss briefly is the recent Microsoft breach. Microsoft Azure AD accounts were breached using an inactive Microsoft account, and Microsoft still has no idea how this happened. A Chinese hacker stole an inactive account signing key and used it to breach the Exchange Online and Azure AD accounts of 24 organizations, including some government agencies.

KRISTINA CASELLI

Jeremy, can you explain from the attacker side what was the motivation for this attack?

JEREMY HABERKORN

Well, to be able to grab a signing key, an inactive signing key, that's like gold. If a malicious actor can grab that, they can get big money from the black market by being able to sell that, or they could actually use that signing key to create malware that is gonna be trusted by pretty much everything that's Microsoft and Microsoft security related, as well as probably a lot of other applications and software and security tools out there that have, like, a whitelist where the signing key is part of that. So it's gonna trust this and say that this is a legitimate program that is running. So grabbing this was huge, especially since it's a Chinese hacker that was able to compromise some government agencies. Again, what are some of the reasons why breaches happen?

JEREMY HABERKORN

A lot of times they're trying to get secrets, government secrets. I'm pretty sure the Chinese were targeting a lot of these government agencies in the hope that they could get some more state-sensitive information that they could use going forward.

KRISTINA CASELLI

And Cameron, can you explain from the defender's position how this could have been stopped?

CAMERON MCCARTY

So in this case, there's a few things that they could have done to stop this. Like Jeremy said, obtaining something like a signing key from Microsoft is one of those things that's critical because, for our devices at that point, you may effectively have an ID badge from Microsoft, a legitimate badge that allows you to get to where you need to go. You walk into an organization, flash it, it's legit. For all intents and purposes, there's no reason to deny the authenticity of it. And getting something like this gives the attackers access, like Jeremy said, to a lot of different avenues of attack.

CAMERON MCCARTY

So this is one of those things where it's regular auditing of, you know, the resources that you have available that you're using to authenticate and sign these things. Because this was an unused key that they were in the process of getting rid of. Audits like this need to happen so that you don't have resources hanging out there like this that are valuable, that are critical like this, that no one should be using, but it's still active. Meaning that if someone were to get a hold of this, even though it's not in use, even though it's in the process of being decommissioned, it's still viable. And so resources like this need to be properly maintained, need to be properly secured and properly dealt with when they're no longer needed.

CAMERON MCCARTY

You know, removed, deleted, access revoked completely from whatever it's able to be utilized by. All of these steps should have been taken to ensure something like this wouldn't happen. So that's kind of the bad thing about this, is that there wasn't much. Once they got access to it, there wasn't much on anybody's side that could have been done, because if they use this key to sign any of their malicious software packages or anything along those lines, like I mentioned before, it's a certified badge from Microsoft. It's gonna work. Our devices are gonna accept it because it's signed legitimately, saying this is Microsoft.

CAMERON MCCARTY

We're gonna trust it. So

KRISTINA CASELLI

And Cameron and Jeremy, what should businesses know about the future of cybersecurity?

JEREMY HABERKORN

Well, cybersecurity is here to stay. As companies embrace the Internet and provide customers with more convenient options, and there are more things connected to the Internet, there are a lot more pathways to actually get to data. Companies need to embrace security and implement more security measures within their infrastructure. As Cameron had mentioned earlier in this conversation, the perimeter has changed as far as the Internet goes. Before, the perimeter was, you know, your point of presence on the Internet.

JEREMY HABERKORN

You put the firewall in place, and that keeps all the bad people out and keeps all the good people in. Cybersecurity is changing now. Now you gotta make your perimeter be around the data, that which is important to the company and to the company's ability to continue to function. So that should be the new perimeter.

JEREMY HABERKORN

So a lot of the old ideas of just putting a firewall in place and just going with desktop virus scan and saying, that's it, I should be 100% safe and secure. That's really no longer the case. Companies need to embrace security and implement all of the security measures in their infrastructure, especially if they continue to go down the path of using the Internet to expand a company's capabilities with its customers and giving them everything that they need as far as a customer experience.

KRISTINA CASELLI

And what threats are becoming the most prominent?

JEREMY HABERKORN

Well, obviously, malicious actors and phishing are the first and foremost that come to everybody's mind when they think of threats that are most prominent. But like we had mentioned before, you gotta reimagine the perimeter and what is critical for the company. In addition to phishing, you have disgruntled employees. You have employees that accidentally expose something, misconfigurations of some new solutions that are out there, company espionage. All these things factor in; everything is now becoming a threat as far as a company's ability to function in this cyber age.

KRISTINA CASELLI

And what areas of security do you think businesses need to start focusing on that they probably ignore now?

JEREMY HABERKORN

Cameron, I'll let you... Yeah. Take

CAMERON MCCARTY

one of the key areas here, one of the critical areas here that businesses need to start focusing on, honestly, is training, training your people. At the end of the day, all these different attacks, all these different breaches, all these threat actors that are out here, at the end of the day, your people are their biggest asset. Your people are the weakest link, unfortunately. And if they aren't trained, if they aren't properly, you know, taught and introduced to these concepts on how to properly defend against these things, if they aren't taught how to properly detect and take action against these attackers and how to better defend against these attackers, then things are only gonna get worse.

CAMERON MCCARTY

The attackers, the threat actors that are out there, they're constantly working to get better. They're constantly building their skills. They're constantly cutting their teeth on, you know, new organizations and new methods of bypassing the security that we have. And in this case, you absolutely need to have trained people who are here to spot this, trained security professionals who this is what they do. They wake up, they live and breathe and eat security.

CAMERON MCCARTY

They're working to, again, build their skills up as a new attack comes down the pipeline. They're working to understand that attack, how it was executed, how it was built, how it can be utilized in multiple different environments, and then how to build detection logic and automation to be able to detect and defend against those things. So that if an attacker were to come knocking at your door, they already have the tools in place and they already have the logic in place to be able to stop these attackers or be able to stop this exploit from working. And then not only that, but regular everyday users, like Jill in finance or Joe over in HR or anything along those lines: train these people on how to identify these things.

CAMERON MCCARTY

Like Jeremy mentioned, one of the most common methods now is phishing and vishing, which is basically sending an email to someone and saying, hey, you know, I am from this legitimate company one two three and I'm sending you this invoice for some services that, you know, we probably pay for. Click on this link so that you can see that invoice. And Joe from finance has been waiting on this invoice, some type of invoice, all day, clicks on that link and bam, there's a breach. She enters her credentials, her account is stolen, her credentials are stolen. The attacker has a way to download something on the environment; they're in the network. And training like that for your average everyday user, it's not something that, you know, takes millions of dollars.

CAMERON MCCARTY

It's something as simple as taking fifteen minutes to show someone, hey, this is how you spot a phishing email. Pay a little bit more attention to the email address that this is coming from. You know, be able to spot an I instead of an l, or a zero instead of an o. Just being able to see something as simple as that and being a bit cautious on just clicking links and attachments that get sent to them is one of those things that'll change the game phenomenally.

KRISTINA CASELLI

And would you say that there's specific industries that should be more aware?

CAMERON MCCARTY

Honestly, there are some industries who should be a bit more cautious than most, but in the grand scheme of things, every industry is affected by this. With cybersecurity becoming more and more at the forefront of our world, the internet and everything, every industry should be conscious of this. This is something that should be incorporated from top level down. Like, get the buy-in from everyone.

CAMERON MCCARTY

Like, whether you work in healthcare, whether you work in energy, whether you work in the school systems, it's something that should be taught regularly, something that should be more and more prevalent because, again, as we mentioned in some of the previous topics throughout this, there are multiple different ways that an actor will try to exploit or compromise an environment. And while you may not necessarily be the main target because you're small, you're a small mom and pop shop, what people sometimes don't really think about is you have connections to other people just like everyone else does. You may not be the target, but you could be the entry way to someone else. So in this case, better defending and better learning how to spot these things and defend your mom and pop shop will not only protect your infrastructure, but it'll also protect your clients, your friends, your family, anybody else who is connected to you that they can use you as an entry point to.

KRISTINA CASELLI

Why do so many businesses think that they're immune to an attack?

CAMERON MCCARTY

One of the most prevalent ideas that tends to be out there is that, hey, I've spent, you know, this large amount of money on this new antivirus solution. It's gonna protect me. Or I spent all this money on this firewall solution. It's gonna keep me safe. Once I spend the money, put it up, stand it up, I'm safe. There's nothing that's gonna breach it.

CAMERON MCCARTY

And honestly, that couldn't be more wrong. You can spend all the money in the world on the finest and fanciest tools, but if you don't have a person who knows how to use that tool, it's effectively useless. So this goes back to an earlier point that I made about training, like investing in your people, making sure that you have this newfangled fancy antivirus solution, but you also have trained security personnel who know how to use the solution, who know how to use it to the fullest extent. That means they know how it runs, they know how it operates, they know how to stand it up, and then they know how to tune it and utilize and configure it to be able to detect those changing things that are out there in the cybersecurity landscape. This new exploit that comes out so, like, from clock.

CAMERON MCCARTY

If one of these ransomware gangs decides to develop a new exploit or a new method of deploying the ransomware, these trained security personnel know how to spot, break down, and configure detection logic based off of the IOCs that are relating to it, the incidents of compromise, and be able to build detection logic around this to better protect against it and be able to stop it if it ever occurs in a while. That way, you're not working with just your out of the box rules. You're not working with just your out of the box settings and configurations. This team has come in, or your trained team has come in, and enhanced the solution and allowed it to actually shine to better protect

KRISTINA CASELLI

What can businesses do to strengthen their security posture?

CAMERON MCCARTY

So there's a number of different things. A lot of those ideas we touched on throughout this talk. Those are some of the more common methods, but of course, training your people, putting cybersecurity at the forefront, or getting buy-in from the top, from your C-suite all the way down to your everyday janitor. Like, if cybersecurity is encouraged from the top down, and I don't mean just, you know, idly saying, hey, go take the cybersecurity quiz and you're trained. It's like, no.

CAMERON MCCARTY

Actually teaching them and bringing people in and immersing them so that they can put security first as their mindset is only going to enhance their security posture. Because again, at the end of the day, you can spend all your money on the latest next gen antivirus or the next gen firewall. You can spend all your money on, you know, the fanciest SIEM solution to aggregate all your logs together. But you need to be able to have people who are trained and understand and know how to actually properly utilize these things. You need to have your staff actively keeping an eye out and reporting, hey, I got this weird phishing email.

CAMERON MCCARTY

I got this email from the bank saying that they wanted me to go in and change some settings. Is this legitimate? You know, training them so that they know how to identify and report these things so that they can be properly handled and properly mitigated. These are the critical things that you can do. And then, of course, just making sure that your IT team are taking the necessary steps to not only secure the infrastructure but patch the infrastructure.

CAMERON MCCARTY

Make sure the devices are up to date, the applications that you use, your line of business applications, have the latest patches, the latest security updates, that the network is secured from the firewall level, that the firewall isn't allowing any excess traffic out or in, that the only thing that goes in or out of that network is the things that need to go in or out of that network. Just little housekeeping steps and such, and just regularly auditing to make sure that the accounts that are present on this network or in your infrastructure have access to the things that they should and don't have access to the things that they shouldn't.

KRISTINA CASELLI

And can you explain... oh, sorry, Jim. I'm sorry, Jeremy. Go ahead.

JEREMY HABERKORN

Okay. In addition to what Cameron was saying, security awareness is very important, and most companies should embrace a security culture, encouraging other users to ask questions and stuff like that. But in addition to the security awareness, which is first and foremost a very important aspect, companies also need to address the security tools that they have in place. Like we said before, a lot of companies just get a firewall in place and they have antivirus on their desktops, and they think that they're golden, and that everything is great. And so companies are very good at identifying and protecting what they think is critical and what is near and dear to them.

JEREMY HABERKORN

But where a lot of companies fail, which has an adverse effect on their security posture, is their ability to detect, respond, and recover. And what I mean by detect, respond, and recover is that most organizations, when something happens, they usually get an alert from their virus scan, an email alert saying, hey, we noticed something running active and kind of funny on a computer. So when security awareness does fail and a user does click on it, you need to have a mechanism in place that's gonna allow you to detect what's going on. So that's where a lot of companies fail in that regard: you have individual systems that you have to log in to individually to see what's going on. You don't have a way to aggregate everything together and be able to see the big picture and see potential other areas of compromise, not just the one machine that kinda sent out a message indicating that there was some issue like that.

JEREMY HABERKORN

So the detection is key. And with the detection also comes the responding. So that's where SIEM solutions come into play, where they aggregate everything together and give you a big picture of what's going on. That allows you to be able to respond: obviously, you go after the one machine that has an alert, but you also see some strangeness on the firewall with outbound traffic from this other machine. So it allows you to go in there and investigate those incidents that have been appearing on the screen.

JEREMY HABERKORN

And then, obviously, you need to have a means to recover. Every organization should be doing backups. They should have a means to be able to recover systems, any data that potentially could get lost, get compromised, or anything like that. So that means that there should be some frequent testing of backup plans as well. So that's where companies need to start strengthening: their ability to detect, respond, recover.

JEREMY HABERKORN

So those are my thoughts.

KRISTINA CASELLI

And, thank you. And, can you explain our approach and why it works to help businesses avoid disasters like we just discussed today? Maybe let's start with our assessment process.

JEREMY HABERKORN

So when we do an assessment, we go into an organization and we look at it from multiple perspectives. We look at it from an external perspective, we look at it from an internal perspective. And then we also look at social... I mean, security awareness, as far as phishing campaigns that we like to do. So we take it from both aspects and see what misconfigurations, what vulnerabilities we can find, what we can take advantage of, and what we can leverage to allow us to get access. So we're looking at it from the perspective of what someone on the Internet might be able to find and might be able to take advantage of, as well as a malicious actor on the inside.

JEREMY HABERKORN

Not necessarily a hacker getting through all your security measures and onto the network, although we do test that. But we're also looking from the perspective of a disgruntled employee, company espionage, someone, even an HVAC person that comes in that's dabbling in the dark art of hacking because he watched, you know, Mr. Robot and got interested in that. So we look at it from all perspectives, and we give you a good idea of where your vulnerabilities are, what you need to strengthen up, and what you need to shore up. And then, once you get done with the assessment, then you can take a look at what security tools you need to put in place. And I can let Cameron talk a little bit more about that.

CAMERON MCCARTY

Thank you, Jeremy. So at that point, that's usually when we come in and we'll start to put a lot of our tooling in place to give us as much telemetry as possible. We're putting in our SIEM solution that we can then use to sit there and analyze network traffic as well as aggregate logs from a lot of your different applications and endpoints. We're putting our antivirus solution in that allows us to monitor the behavior and activities that are taking place on your various endpoints and servers to make sure that there's nothing irregular happening, to make sure that, you know, something abnormal isn't happening, like a calculator on your computer starting to call out to the internet for some reason or something weird like that. We also have solutions that are looking for persistence, where we're looking for ways that attackers will compromise the device and then try to set up ways that they can kinda maintain connections to that device.

CAMERON MCCARTY

So that if you reboot your computer or something, they're able to immediately reconnect to that device and continue their attack. We are looking to get as much visibility into your environment as possible. So at that point, we can then set a baseline. So we know what's normal for your business. So we know what's normal for, the various users in your environment.

CAMERON MCCARTY

So at that point, if anything deviates from that, if anything stands out, we're able to identify that and respond to it in a timely fashion. We're able to take action and then notify and say, hey, we saw this activity right here, and be able to paint the full picture of what's going on. And then in the worst case scenario, a breach happens, and we're able to take action to protect, you know, your networks and environments by quarantining affected devices, analyzing the traffic, pulling the logs from those devices, and actually analyzing to see exactly what the attackers were doing. What methods they may have used to compromise the endpoint, what activities, what commands they sent over the network to the endpoints, what commands were they trying to send from the endpoint, what were they accessing on the endpoint.

CAMERON MCCARTY

And from that point, we're taking the necessary steps to try and lock down and block them out, and advising on how to actually do that from your side as well. And then at that point, we're going through the final phases of things. Worst case scenario, we're doing lessons learned and we're trying to figure out better ways to better protect your network. We're learning the ways that they found a way in. We're figuring out and building detection logic and taking the necessary steps to prevent that same attack from happening again.

CAMERON MCCARTY

They used this application and it left these signatures on the device. These little things, these little notes, these little hints, we're building detection logic to spot those very things early on. At that point, if they manage to get back in there or somebody else tries it, we've already got solutions in place that are trained and tuned that can stop these types of things.

KRISTINA CASELLI

Thank you, Cameron and Jeremy. Now we're gonna take some questions from the audience. The first question is, what is smishing?

JEREMY HABERKORN

What is smishing? Yeah. Smishing is SMS, texting. So when you get your phone and you get an SMS message saying, hey, your Netflix subscription is about to expire. Click on this link and give us your critical information, and we'll prevent your Netflix subscription from expiring.

JEREMY HABERKORN

That's what smishing is.

KRISTINA CASELLI

Okay. Thank you. And, what are the effects of inadequate MFA on breaches?

CAMERON MCCARTY

So I'll take that one. So MFA, for those not in the know, that's multifactor authentication. And that's basically whenever you try to log into, say, your email or something and you get a text message that says, hey, was this you, to allow it, or, here's a code that you can use to log in. That's multifactor authentication.

CAMERON MCCARTY

It's something beyond just your username and password. And unfortunately, a lot of breaches have happened as a result of inadequate MFA, meaning that MFA was set up, but it wasn't properly set up. So ideally, in an enterprise environment, if you log into your endpoint or you log into the VPN to get into your company's network, there should be some type of MFA in place. And if that's not properly set up, say it's partially set up and there's a select group of users who, for whatever reason, aren't challenged by MFA, then all you need is one of those users who aren't properly set up with the MFA or don't have MFA set up at all to get their account compromised some type of way. At that point, the attacker only needs to compromise their username and password, and it's a direct shot into your infrastructure or environment.

CAMERON MCCARTY

And bad things tend to happen once that happens. MFA needs to be set up; make sure it's properly secured, and make sure it's set up more than anything. Like, MFA everything if possible.

KRISTINA CASELLI

Okay. Thank you. And the next question is, is there a replay to watch this event? Yes. Everyone that's registered for this event, it is being recorded so you'll receive a link so you can go back and rewatch it.

KRISTINA CASELLI

Another question, can you run through sort of what a post breach situation looks like for a recently attacked business?

CAMERON MCCARTY

Sure. So post breach for a recently attacked business, and this is assuming the breach has happened, the attack has been executed, the defenders have come through, they've blocked them out, the emergency has passed. At this point, this is where you go into the recovery and lessons learned phase. So this is where you make sure you start to take the steps to stand up clean and uncompromised infrastructure. If they compromised the server, depending on how they compromised it, start to set up, you know, clean devices, things that haven't been touched.

CAMERON MCCARTY

Make sure that your backups at this point are in place. If they weren't compromised, double check those backups. But this is where you're taking a lot of the steps to make sure that this attack doesn't happen again. You are, like I said, standing up clean infrastructure, you're patching devices that were missing vulnerable critical patches, your security team are taking the steps and they're analyzing a lot of what the attackers did and how they got in there. As I mentioned before, this is where they're building detection logic to make sure that this doesn't happen again.

CAMERON MCCARTY

They're ensuring the network is being audited to make sure that, you know, it's properly locked down and it's secure, as well as plans and policies are being updated to accommodate the changes as well. If they managed to compromise some server or some part of the infrastructure because a policy or procedure either wasn't in place or wasn't followed properly, this is where the next step is to tighten those things up. Make sure that there is a clearly defined policy that everyone is aware of on how to properly handle this particular type of data or how to access this particular device or server. Make sure the procedures are in place as well to accommodate that and make sure everyone is aware and trained up on this. Making sure things like an incident response plan are properly defined and fleshed out to accommodate this as well.

CAMERON MCCARTY

So, like I mentioned, this is basically where a lot of critical, absolutely critical, things happen post breach. And these are just a few of the things that need to happen.

KRISTINA CASELLI

Thank you. And we did have another question just come in. What are your thoughts on the CMMC changes recently submitted? How will that impact businesses?

JEREMY HABERKORN

Well, the CMMC requirements that have been passed down primarily are government based and usually have a lot to do with the military and the companies that are supplying the military organization. This is how it's gonna impact businesses. It's gonna force a lot of companies to embrace and start using cybersecurity, implementing it into their infrastructure to ensure that not only their infrastructure is safe, but, because they're supply chains to the government, they will obviously be another layer of protection for government agencies, because a lot of times they're looked at as supply chain issues that can possibly breach a government facility because they don't implement proper security. And it's important that they're gonna have to meet regulations, because the government is very serious about this. And if you don't meet the regulations, then, unfortunately, you're not gonna qualify to be able to provide services to the government if you can't guarantee that your own infrastructure is not secure and that you go through all the security checkpoints and implementations to ensure that your network is secure.

JEREMY HABERKORN

So, yeah, it's gonna force a lot of change within a lot of companies to unfortunately start investing, or actually fortunately investing, into cybersecurity, but there's gonna be a cost.

KRISTINA CASELLI

Right. Well, thank you to our experts, Jeremy and Cameron, for answering our questions today and to the audience for joining us. If you are committed to upping your cybersecurity game, check out the CMMC checklist in the bottom right. It's a great compliance framework for any business. But we also have other resource links in the console and you can visit impactmybiz.com to stay updated on future webinar episodes as well.

KRISTINA CASELLI

Thank you.

JEREMY HABERKORN

Thank you everyone.

CAMERON MCCARTY

Thank you.

Protect Your Businesses from Breaches

User training, network monitoring, password management, a security tech stack; it takes a lot to protect a business, and it’s easier to keep it all straight when you have an expert by your side.

Talk to a cybersecurity expert at Impact today and prepare your business to withstand breaches. Get started today.
