Malicious attackers never sleep, but there can be certain times of year they seek out opportunities to sneak in under the radar. This is one of those times, due to the prevalence of vacation time over the holidays and historically reduced coverage.
While many organizations have come up with plans to keep their attack surfaces covered, it’s not always enough, and there are other things attackers could have in mind. We connected with experts in the Hunters network to come up with some key recommendations for keeping companies secure for the holidays.
If you leave your house for the holidays to travel and visit family, you won’t just lock the bottom lock on the front door. You’ll also lock the deadbolt, turn on the alarm, make sure the camera batteries are replaced, put lights on timers, and the like. MFA provides one more barrier to entry that makes it more difficult for attackers to get in and cause trouble.
One commonplace attack method is credential stuffing, where attackers try username/password combinations taken from breached and published lists in order to get into networks. Inbar Raz, Hunters’ VP of Research, explains: “Credential stuffing crossed with people reusing passwords that appeared in breached and published databases pretty much guarantees that attackers will try to take advantage of people not logging in and try to hack in.” MFA can block those attempts even when a valid password has been obtained this way.
It’s not just networks that can be more vulnerable this time of year: people regularly fall prey to holiday scams. Take time to remind employees about the risks of phishing and keep them informed about the latest scams in the news. “Phishing remains a major successful attack vector and humans – when they take a moment – can spot many of the malicious emails,” instructed one expert in the Hunters network.
Diving deeper, Evin Hernandez, Director of Technical Product Marketing, explained: “Employees are using multiple devices to do their holiday shopping. They should practice good cyber hygiene and not click on any suspicious links or attachments in emails, websites and or on social media. Phishing scams lure you to give up personal information. In some cases, you may unknowingly download malware to your device. With the pandemic still in effect and everyone working from home at some capacity, the blast radius of being infected is exponential. You will not only infect a corporate machine, but also your other devices within your home that may not be as secure as a corporate machine.” Remind employees never to shop from an unsecured device and to check each URL they access to make sure it is legitimate and secure.
Yes, this one is important all year round, but teams can get backed up with requests, updates, and other priorities. “Patch your servers before the holidays, and in general ensure that your patching policy is comprehensive and is being applied and enforced across the entire organization (on workstations and servers),” says Ofir Har-Chen, Hunters’ VP of Operations.
Make sure you are up to date with the latest vendor patches – for desktop, network, and cloud. Most successful attacks leverage old vulnerabilities. “Couple the fact that you have an external-facing vulnerable server alongside the fact that your team is on a holiday, and you end up with a lucrative opportunity for attackers to take advantage,” shares Har-Chen.
Restrict your privileged Domain accounts (Domain Admins, or DAs) from connecting to workstations. “This can easily be achieved with a simple GPO configuration and will do wonders to your security posture and greatly reduce an attacker's path inside your network, hence allowing you more time to detect that attacker,” Har-Chen notes.
“We continuously run into organizations that do not harden the logon policies of DAs or DA-equivalent users, and as a result DAs are used to log in to workstations, leaving the credentials in memory. This in effect results in an imminent risk to an organization, since once an attacker lands on such a workstation, the path to utter and complete compromise of the entire Active Directory domain is a matter of minutes,” he explains.
This is an easy one to remind all employees about. “If malware exists on your computer, attackers can use the session cookie and connect in your name, but if you log out, it's a lot harder,” Raz says.
“Monitoring remote log-in attempts and looking for anomalies can go a long way towards realizing something is wrong. The same can be said about CPU usage of servers, outgoing traffic volumes and anything else indicating user or server activity where it's not expected to be. Logging out, BTW, really helps when crossed by monitoring new login attempts.”
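The two checks the quotes above describe, a DA-tier account landing on a workstation and a remote logon that does not match pre-holiday behaviour, can be run over parsed Windows Security 4624 events. The following is an added example, not Hunters' code; the account names, host names, addresses and baseline are constructed sample data.

```python
"""Flag Domain Admin logons to workstations and unfamiliar remote logons in 4624 event data.

Added example, not Hunters' code. Account names, host names, IPs and the
pre-holiday baseline below are constructed sample data.
"""

# Constructed: members of Domain Admins or DA-equivalent groups.
PRIVILEGED_ACCOUNTS = {"CORP\\da_jsmith", "CORP\\svc_backup_admin"}
# Constructed: hosts classified as workstations in the asset inventory.
WORKSTATIONS = {"WS-FIN-014", "WS-HR-003", "LT-SALES-22"}
# Logon types that leave reusable credentials in LSASS on the target host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP). Type 3 (Network) does not.
CREDENTIAL_CACHING_TYPES = {2, 10}
REMOTE_TYPES = {3, 10}

# Constructed: parsed 4624 records (time, target host, account, LogonType, source address).
EVENTS = [
    {"ts": "2021-12-24T09:01:44", "host": "SRV-DC01", "account": "CORP\\da_jsmith", "logon_type": 2, "src_ip": "-"},
    {"ts": "2021-12-24T09:15:12", "host": "WS-HR-003", "account": "CORP\\alice", "logon_type": 2, "src_ip": "-"},
    {"ts": "2021-12-24T22:10:03", "host": "WS-FIN-014", "account": "CORP\\da_jsmith", "logon_type": 10, "src_ip": "10.20.5.77"},
    {"ts": "2021-12-25T03:42:09", "host": "LT-SALES-22", "account": "CORP\\svc_backup_admin", "logon_type": 3, "src_ip": "10.20.5.77"},
    {"ts": "2021-12-25T03:44:51", "host": "LT-SALES-22", "account": "CORP\\svc_backup_admin", "logon_type": 2, "src_ip": "-"},
]
# Constructed: source addresses each account used for remote logons before the holiday.
BASELINE_SOURCES = {"CORP\\da_jsmith": {"10.20.1.5"}, "CORP\\svc_backup_admin": {"10.20.5.77"}}


def privileged_workstation_logons(events):
    """DA-tier accounts logging on to workstations in a way that caches credentials there.

    A GPO denying these accounts interactive and RDP logon on workstations should make
    this list empty; anything in it is a policy gap or suspicious activity to triage."""
    return [e for e in events
            if e["account"] in PRIVILEGED_ACCOUNTS
            and e["host"] in WORKSTATIONS
            and e["logon_type"] in CREDENTIAL_CACHING_TYPES]


def novel_remote_logons(events, baseline):
    """Remote logons whose account/source-address pair was never seen in the baseline window."""
    return [e for e in events
            if e["logon_type"] in REMOTE_TYPES
            and e["src_ip"] not in baseline.get(e["account"], set())]


if __name__ == "__main__":
    for e in privileged_workstation_logons(EVENTS):
        print("DA on workstation:", e["ts"], e["account"], "->", e["host"], "type", e["logon_type"])
    for e in novel_remote_logons(EVENTS, BASELINE_SOURCES):
        print("new remote source:", e["ts"], e["account"], "from", e["src_ip"], "->", e["host"])
```

On the sample data the first check returns the two workstation logons by DA accounts and the second flags the RDP logon from an address the account never used before the holiday; the type 3 network logon from a known source is not reported.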
A lot can go wrong in this department, especially where systems were installed in a hurry. Use whatever tools you have to scan your environments for misconfigurations. List the potential problems, and work through the list until you are satisfied that the environment has been locked down.
Scan for anything that is public but shouldn’t be: files, directories, open ports. Search for default passwords that were never changed in production. Run a scan over your code repositories for readable ‘secrets’, i.e. hard-coded passwords, tokens, etc. This should be done on a regular basis, but it is extra important at high-risk times of year.
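A minimal version of the repository sweep just described, catching unchanged default passwords, hard-coded credentials, cloud key IDs and committed private keys. This is an added example, not Hunters' tooling; the sample repository contents and the default-password list are constructed.

```python
"""Scan source and config text for hard-coded secrets and unchanged default passwords.

Added example, not Hunters' tooling. SAMPLE_REPO and DEFAULT_PASSWORDS are
constructed; a real run would read files from a checkout instead.
"""
import math
import re

# A credential-like variable assigned a quoted literal, e.g. DB_PASSWORD = "..."
ASSIGNMENT = re.compile(
    r'(?i)(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*["\']([^"\']{4,})["\']')
# AWS access key IDs have a fixed shape: "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
PRIVATE_KEY = re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')
# Constructed shortlist of vendor defaults and placeholders that must not reach production.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "123456"}


def shannon_entropy(s):
    """Bits per character: random tokens score high, dictionary words and placeholders low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_text(path, text):
    """Return (path, line_number, finding) tuples for one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append((path, no, "private key material"))
        for key_id in AWS_KEY_ID.findall(line):
            findings.append((path, no, f"AWS access key id {key_id[:8]}..."))
        for name, value in ASSIGNMENT.findall(line):
            if value.lower() in DEFAULT_PASSWORDS:
                findings.append((path, no, f"default password in {name}"))
            elif shannon_entropy(value) > 3.5 or len(value) >= 20:
                findings.append((path, no, f"hard-coded {name.lower()}"))
    return findings


def scan_repo(files):
    """files maps relative path -> text. Returns every finding, sorted by path and line."""
    return sorted(f for path, text in files.items() for f in scan_text(path, text))


# Constructed sample repository contents; src/app.py holds two true negatives.
SAMPLE_REPO = {
    "config/settings.py": 'DEBUG = False\nDB_PASSWORD = "changeme"\nSECRET_KEY = "h9Qx2!vR7pLz0aWq4sDnE1"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE123456789\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n",
    "src/app.py": 'label = "password"\nuser.password = hash_password(raw)\n',
}

if __name__ == "__main__":
    for path, no, finding in scan_repo(SAMPLE_REPO):
        print(f"{path}:{no}: {finding}")
```

The entropy threshold and the name pattern are deliberately simple; in practice they are tuned against the repository's own false positives (test fixtures, example configs) before the scan is scheduled.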
With the increased amount of business being done digitally, there’s really no easy time of year for security operations. An attack that resulted in an interruption anywhere in the supply chain could be devastating.
On the bright side… “If employees are expected to be offline during the holidays, then the amount of traffic involving company assets should decrease significantly, meaning an illicit session is going to be in plain sight, rather than surrounded by noise,” points out Raz.
Hunters recommends getting back to the basics when it comes to security for the holidays. “Most attacks begin with human error. Providing awareness training ensures your organization is up to speed and can provide guidance to any employees that may have been susceptible to internal testing,” says Hernandez.
Har-Chen reminds us: “While attackers are coming up with innovative ways of infiltrating organizations, whether it is through novel techniques using advanced malware or exploiting recently discovered vulnerabilities, they can only get so far inside your network to the extent of your security hygiene and posture.”