For most people, the holidays are an opportunity for rest, relaxation, and time spent with loved ones. But for SOC teams, reduced staffing during the holiday season can mean stress, anxiety, and burnout in anticipation of inevitable attacks by malicious actors.
While many security teams have come up with plans to keep their attack surfaces covered, it’s not always enough, and there could be gaps that attackers might take advantage of.
Shahar Vaknin and Yonatan Khen of Hunters' Team Axon have gathered a few tips to make sure you have all your bases covered for the holiday season.
1. Log out of all services you won’t be using
An easy win for security teams is to remind all employees of this rule. If you are logged into a service from a malware-infected computer, an attacker can steal the session cookie and replay it to act as you, without ever entering your password or passing an MFA prompt, because the service already considers that session authenticated. Logging out ends the current session and makes it much harder for an attacker to use your account remotely. One caveat: this only helps if the service actually invalidates the session on the server side. A logout that merely clears the cookie in your browser leaves a stolen copy valid until it expires, so check that the services you rely on revoke sessions on logout and keep session lifetimes short.
Training users to close sessions they don't need goes a long way towards preventing browser session hijacking, where an attacker holding a stolen session can reach any other resource that authenticated session has access to on the intranet. Logging out works best when combined with monitoring: watch remote login attempts and existing sessions for anomalies such as a session that suddenly appears from a new IP address or country, and apply the same thinking to server CPU usage, outgoing traffic volumes and anything else that indicates user or server activity where none is expected during the holidays.
2. Restrict Domain Admins
Restrict your privileged Domain Admin accounts from logging on to workstations. This is easily achieved with a GPO: under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, add Domain Admins (and the other tier-0 groups such as Enterprise Admins and Schema Admins) to "Deny log on locally", "Deny log on through Remote Desktop Services", "Deny access to this computer from the network", "Deny log on as a batch job" and "Deny log on as a service", then link the GPO to your workstation OUs (not to the Domain Controllers OU). This does wonders for your security posture and greatly shortens an attacker's path inside your network, which in turn buys you more time to detect them.
We constantly run into organizations that do not harden the logon policies for DAs or DA-equivalent users. As a result, DAs are used to log in to workstations, which leaves their credentials cached in LSASS memory on that workstation. This is an imminent risk: once an attacker lands on such a workstation they can dump those credentials, and the path to complete compromise of the entire Active Directory domain is a matter of minutes.
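Two things a practitioner wants here: a detection that finds the bad logons before the GPO is in place, and the exact policy text that removes them. The example below is added for this post and is not Hunters' code or a Microsoft tool. It runs a hunt over a few constructed Windows Security events (EventID 4624 fields as a SIEM would expose them), flagging any tier-0 account that performed a credential-caching logon on a host outside the tier-0 set, and then generates the security template that assigns the five deny rights to the built-in tier-0 groups. The account names, host names, and the domain SID are assumptions made up for the example; the logon-type numbers, privilege constant names, group RIDs and INF layout are the real Windows ones.

```python
# Constructed inventory for this example: tier-0 accounts and the only hosts they are
# allowed to log on to interactively (domain controllers and admin workstations).
DOMAIN_ADMINS = {"da.jsmith", "da.svc-backup"}
TIER0_HOSTS = {"DC01", "DC02", "PAW-ADMIN-01"}

# Logon types that leave reusable credentials in LSASS on the target host. A network
# logon (type 3) does not, which is why it is not in this set even though the GPO
# template below also denies it for tier-0 groups on workstations.
CREDENTIAL_CACHING_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed Security log events: the handful of EventID 4624 fields the detection
# needs, as a SIEM exposes them after parsing the event XML.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "da.jsmith", "LogonType": 10, "Computer": "DC01", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "da.jsmith", "LogonType": 10, "Computer": "WS-FIN-042", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2, "Computer": "WS-FIN-042", "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "da.svc-backup", "LogonType": 3, "Computer": "FILESRV01", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "TargetUserName": "da.svc-backup", "LogonType": 2, "Computer": "WS-HR-007", "IpAddress": "-"},
    {"EventID": 4634, "TargetUserName": "da.jsmith", "LogonType": 10, "Computer": "WS-FIN-042", "IpAddress": "10.0.0.5"},
]


def find_da_logons_to_workstations(events, domain_admins=DOMAIN_ADMINS, tier0_hosts=TIER0_HOSTS):
    """Return (account, host, logon type) for every successful logon (4624) in which a
    tier-0 account performed a credential-caching logon on a host outside tier 0."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e["TargetUserName"] not in domain_admins:
            continue
        logon_type = e["LogonType"]
        if logon_type not in CREDENTIAL_CACHING_LOGON_TYPES or e["Computer"] in tier0_hosts:
            continue
        hits.append((e["TargetUserName"], e["Computer"], CREDENTIAL_CACHING_LOGON_TYPES[logon_type]))
    return hits


# Well-known RIDs of the built-in tier-0 groups; each is appended to the domain SID.
TIER0_GROUP_RIDS = {"Domain Admins": 512, "Schema Admins": 518, "Enterprise Admins": 519}

# The five "Deny ..." user rights, by the privilege constant names used in a security
# template (GptTmpl.inf under SYSVOL, or a secedit .inf file).
DENY_LOGON_RIGHTS = [
    "SeDenyInteractiveLogonRight",        # Deny log on locally
    "SeDenyRemoteInteractiveLogonRight",  # Deny log on through Remote Desktop Services
    "SeDenyNetworkLogonRight",            # Deny access to this computer from the network
    "SeDenyBatchLogonRight",              # Deny log on as a batch job
    "SeDenyServiceLogonRight",            # Deny log on as a service
]


def deny_logon_template(domain_sid, rids=TIER0_GROUP_RIDS, rights=DENY_LOGON_RIGHTS):
    """Build the [Privilege Rights] security template that assigns all five deny
    rights to the tier-0 groups. The INF format lists SIDs with a leading '*'."""
    sids = ",".join(f"*{domain_sid}-{rid}" for rid in sorted(rids.values()))
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1",
             "[Privilege Rights]"]
    lines += [f"{right} = {sids}" for right in rights]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for account, host, kind in find_da_logons_to_workstations(SAMPLE_EVENTS):
        print(f"ALERT: tier-0 account {account} performed a {kind} logon on non-tier-0 host {host}")
    # Constructed domain SID; substitute the real one (Get-ADDomain shows it).
    print(deny_logon_template("S-1-5-21-1111111111-2222222222-3333333333"))
```

The two hits in the sample are the RDP logon by da.jsmith to WS-FIN-042 and the console logon by da.svc-backup to WS-HR-007; the network logon to FILESRV01 is deliberately not flagged because a type 3 logon leaves no reusable credentials behind. To trial the generated template on a single workstation before pushing it by GPO, save it as an .inf and run `secedit /configure /db tier0.sdb /cfg tier0.inf /areas USER_RIGHTS`; the User Rights Assignment settings in the Group Policy editor write exactly these lines into the GPO's GptTmpl.inf.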
3. Ensure Multi-Factor Authentication is enabled
We've all heard ad nauseam about the importance of MFA, and yet almost everyone can point to a few places in their organization where it is still missing. On the individual level, it can be a pain to authenticate on multiple devices. But, especially during the holiday season when security risks are higher, this quick action could be what stands between a protected organization and a breach. You wouldn't just lock the front door; you'd also lock the deadbolt and the back door, turn on the alarms and replace the camera batteries.
One common attack method is credential stuffing, where adversaries replay username and password pairs taken from published breach dumps against your login pages, betting that some users reused the same password. It differs from brute force and password spraying in that each account is typically tried only once or twice, with a password known to have worked elsewhere, so per-account lockout thresholds rarely trigger. Millions of passwords are exposed in breached and published databases every year, and when attackers get hold of a password that was used on one account, they try it on many others. With password reuse as common as it is, some of those attempts will succeed, and a quiet holiday week when nobody is watching the login logs is exactly when attackers will try. MFA turns a correct stolen password into a failed login.
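Tips 1 and 3 both come down to watching the authentication logs for shapes a normal user never produces. The example below is an added illustration for this post, not Hunters' detection content. It runs two hunts over a constructed JSON-lines login log: one for the session hijacking described in tip 1 (an existing session ID that appears from a second source IP with no new login in between) and one for the credential stuffing described here (a single source trying many distinct accounts in a short window, with any success from that source reported as a likely account takeover). The field names `ts`, `event`, `user`, `src_ip`, `session_id` and `result`, and the thresholds, are assumptions for the example rather than any product's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON event per line. Field names are assumptions for this
# example, not a real product schema. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
{"ts":"2023-12-24T09:00:00Z","event":"request","user":"alice","src_ip":"203.0.113.10","session_id":"sess-a1","result":"ok"}
{"ts":"2023-12-24T09:05:00Z","event":"request","user":"alice","src_ip":"203.0.113.10","session_id":"sess-a1","result":"ok"}
{"ts":"2023-12-25T03:10:00Z","event":"request","user":"alice","src_ip":"198.51.100.77","session_id":"sess-a1","result":"ok"}
{"ts":"2023-12-25T03:11:00Z","event":"login","user":"bob","src_ip":"192.0.2.9","session_id":null,"result":"fail"}
{"ts":"2023-12-25T03:11:05Z","event":"login","user":"carol","src_ip":"192.0.2.9","session_id":null,"result":"fail"}
{"ts":"2023-12-25T03:11:10Z","event":"login","user":"dave","src_ip":"192.0.2.9","session_id":null,"result":"fail"}
{"ts":"2023-12-25T03:11:15Z","event":"login","user":"erin","src_ip":"192.0.2.9","session_id":null,"result":"fail"}
{"ts":"2023-12-25T03:11:20Z","event":"login","user":"frank","src_ip":"192.0.2.9","session_id":"sess-f1","result":"ok"}
{"ts":"2023-12-25T08:00:00Z","event":"login","user":"bob","src_ip":"203.0.113.20","session_id":"sess-b1","result":"ok"}
{"ts":"2023-12-25T08:01:00Z","event":"login","user":"bob","src_ip":"203.0.113.20","session_id":null,"result":"fail"}
"""


def parse_events(text):
    """Parse JSON-lines auth events and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_session_reuse(events):
    """Session IDs observed from more than one source IP. A cookie stolen from an
    infected machine and replayed elsewhere looks exactly like this: no new login, no
    MFA prompt, just an already-authenticated session showing up from a new address."""
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for e in events:
        sid = e.get("session_id")
        if sid:
            ips_by_session[sid].add(e["src_ip"])
            user_by_session[sid] = e["user"]
    return {sid: {"user": user_by_session[sid], "src_ips": sorted(ips)}
            for sid, ips in ips_by_session.items() if len(ips) > 1}


def find_credential_stuffing(events, min_users=5, window=timedelta(minutes=10)):
    """Source IPs that attempt logins for at least `min_users` distinct accounts within
    `window`. Stuffing replays leaked username:password pairs, so each account is
    usually tried once; the distinct-user count is the signal, not failures per account.
    Any successful login from the same source is reported as a probable takeover."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["src_ip"]].append(e)
    hits = {}
    for ip, attempts in by_ip.items():           # attempts are already time-ordered
        for i, start in enumerate(attempts):
            users = set()
            for a in attempts[i:]:
                if a["ts"] - start["ts"] > window:
                    break
                users.add(a["user"])
            if len(users) >= min_users:
                hits[ip] = {"distinct_users": len(users),
                            "compromised": sorted({a["user"] for a in attempts if a["result"] == "ok"})}
                break
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for sid, info in find_session_reuse(events).items():
        print(f"ALERT: session {sid} for {info['user']} seen from {info['src_ips']}")
    for ip, info in find_credential_stuffing(events).items():
        print(f"ALERT: {ip} tried {info['distinct_users']} accounts; successes: {info['compromised']}")
```

On the sample, alice's session sess-a1 is flagged because it moves from 203.0.113.10 to 198.51.100.77 without a login event, and 192.0.2.9 is flagged for hitting five different accounts in twenty seconds, with frank's account as the one that fell. bob's two attempts from the same address are not flagged, which is the point of counting distinct users rather than failures.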
4. Give employees a phishing refresher
To keep employees from falling for holiday phishing scams, take time to remind them about the risks involved and inform them about the latest scams in the news. Phishing remains a major and successful attack vector, and people can spot most malicious emails when they take a moment to examine them.
Train employees to recognize the signs of phishing, to check that a website's URL is the one they expect before entering credentials (a padlock only means the connection is encrypted, not that the site is legitimate), and to report anything suspicious to the IT or security team rather than ignoring it; a fast report is what lets the SOC find the other recipients of the same email.
5. Stay up to date with the latest vendor patches
This one matters all year round, but teams get backed up with requests, updates and other priorities. Patch your servers before the holidays, starting with anything reachable from the internet, and in general ensure that your patching policy is comprehensive and is applied and enforced across the entire organization, on workstations and servers alike.
Otherwise, an externally facing vulnerable server combined with a team that is away for the holidays is a lucrative opportunity for attackers.
6. Scan your environments for secrets stored in shared places
Organizations are particularly vulnerable when they have lots of password-related files in shared locations such as code repositories and cloud storage platforms. One of the most precious artifacts for an attacker is a highly privileged plaintext password in a shared location: it is a Christmas gift that grants access to additional services and provides lateral movement with no effort at all.
The secure way to store passwords and other sensitive material such as API tokens and private keys is a secrets manager, with applications fetching secrets at runtime rather than reading them from files. Scan repositories (including their history, since a secret removed in a later commit is still retrievable) and shared drives for secrets, and treat anything you find as already compromised: rotate it first, then remove it. More generally, scan for anything public that shouldn't be, such as files, directories and open ports, as well as default passwords that were never changed in production.
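A minimal scanner of the kind this tip calls for, added here as an example and not a Hunters tool: it walks a set of files looking for fixed-format credentials (AWS access key IDs, PEM private key headers) and for `name = value` assignments whose name suggests a secret, then discards placeholders and low-entropy values so that `changeme` and `${SECRET_KEY}` do not drown out the real findings. The sample files are constructed for the example; the AWS key is Amazon's documented example key and the token is made up. The entropy threshold and placeholder list are assumptions to tune for your own codebase.

```python
import math
import re
from collections import Counter

# Constructed sample files as they might sit in a shared repository or drive.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_PASSWORD = "changeme"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'SECRET_KEY = "${SECRET_KEY}"\n'
        'ADMIN_PASSWORD = "aaaaaaaa"\n'
    ),
    "deploy/prod.env": "API_TOKEN=9kT3vQ8xLm2pRz7WbN4sYc6HfJ1dA5eGu0iO\nDB_HOST=db.internal\n",
    "keys/backup.pem": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted in this example)\n",
    "README.md": "Set PASSWORD=<your-password-here> in .env before starting.\n",
}

PATTERNS = [
    # AWS access key IDs have a fixed, public format: AKIA/ASIA plus 16 uppercase or digits.
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # name = value or name: value where the name suggests a secret; group 2 is the value.
    ("secret_assignment", re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{6,})")),
]

# Values that are documentation or templating, not leaked credentials (assumed list).
PLACEHOLDERS = {"changeme", "example", "redacted", "password", "xxxxxxxx"}


def shannon_entropy(s):
    """Bits per character. Random tokens score above ~3.5; words and repeats score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value):
    v = value.lower()
    return v.startswith(("${", "<", "{{")) or v in PLACEHOLDERS


def redact(s, keep=6):
    """Keep a prefix so the finding can be matched to the file, never the whole secret."""
    return s[:keep] + "*" * max(0, len(s) - keep)


def scan_text(path, text, min_entropy=3.0):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            if kind == "secret_assignment":
                value = m.group(2)
                if looks_like_placeholder(value) or shannon_entropy(value) < min_entropy:
                    continue
            findings.append({"path": path, "line": lineno, "type": kind, "match": redact(m.group(0))})
    return findings


def scan_files(files):
    """files: mapping of path -> contents. In practice, walk a checkout or a bucket listing."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} [{f['type']}] {f['match']}")
```

On the sample set the scanner reports exactly three findings: the AWS key in settings.py, the API token in prod.env, and the private key file; `changeme`, the `${SECRET_KEY}` reference, the README placeholder and the all-`a` password are all suppressed. Findings are printed redacted on purpose, since the scan output itself tends to end up in tickets and chat, which are more shared places.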
7. Manage your external attack surface
One common tactic attackers use is brute-forcing RDP (Remote Desktop Protocol) and SSH (Secure Shell) services in order to gain initial access to your network. Even large organizations are often not fully aware of all the servers and services they expose to the internet, and that is exactly where the gaps attackers exploit tend to be.
To protect your organization from these brute-force attacks, manage your external attack surface: maintain a single source of truth for what should be exposed to the internet, scan regularly from the outside with external scanning tools, and treat anything exposed that is not on that list as an incident to investigate. RDP and SSH in particular should not face the internet directly; put them behind a VPN or bastion host, require keys or MFA, and enforce lockout or rate limiting on whatever remains exposed.
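The "single source of truth" becomes useful the moment you diff it against what the outside world actually sees. The example below is added for this post and is not Hunters' code: it parses constructed nmap grepable output (`-oG`) from an external scan, compares the open ports against an allowlist of expected (IP, port) exposures, and reports both the unexpected services (marking the ones that are classic brute-force targets) and the allowlist entries that no longer answer, which usually means the list is stale. The hosts, addresses and the allowlist are made up for the example; the grepable line format is nmap's own.

```python
import re

# Constructed nmap grepable output (-oG) from an external scan of two public hosts.
# Addresses are from the documentation range 203.0.113.0/24; hostnames are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Sun Dec 24 02:00:00 2023 as: nmap -sS -sV -p- -oG external.gnmap 203.0.113.10 203.0.113.11
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/\tIgnored State: closed (65532)
Host: 203.0.113.11 (vpn.example.com)\tStatus: Up
Host: 203.0.113.11 (vpn.example.com)\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done at Sun Dec 24 02:41:07 2023 -- 2 IP addresses (2 hosts up) scanned in 2467.12 seconds
"""

# The single source of truth: (ip, port) pairs that are supposed to be reachable from the
# internet, each with an owner to contact. Constructed for the example.
EXPECTED_EXPOSURES = {
    ("203.0.113.10", 80): "web-team",
    ("203.0.113.10", 443): "web-team",
    ("203.0.113.10", 8443): "web-team",   # stale entry: this admin UI was retired
    ("203.0.113.11", 443): "network-team",
}

# Services that attract credential brute forcing and should never face the internet bare.
REMOTE_ACCESS_SERVICES = {"ssh", "ms-wbt-server", "vnc", "telnet"}

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")


def parse_gnmap(text):
    """Return (ip, hostname, port, proto, service, version) for every open port."""
    results = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, hostname, ports = m.groups()
        for entry in ports.split(", "):
            # grepable port field layout: port/state/proto/owner/service/rpc/version/
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                results.append((ip, hostname, int(port), proto, service, version))
    return results


def compare_attack_surface(scan_output, expected=EXPECTED_EXPOSURES):
    """Diff the scan against the allowlist in both directions."""
    observed = parse_gnmap(scan_output)
    seen = {(ip, port) for ip, _h, port, _p, _s, _v in observed}
    unexpected = []
    for ip, hostname, port, proto, service, version in observed:
        if (ip, port) in expected:
            continue
        unexpected.append({
            "ip": ip, "hostname": hostname, "port": port, "proto": proto,
            "service": service, "version": version,
            "brute_force_target": service in REMOTE_ACCESS_SERVICES,
        })
    missing = sorted(key for key in expected if key not in seen)
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    report = compare_attack_surface(SAMPLE_GNMAP)
    for u in report["unexpected"]:
        flag = " (brute-force target)" if u["brute_force_target"] else ""
        print(f"UNEXPECTED {u['ip']} ({u['hostname']}) {u['port']}/{u['proto']} {u['service']} {u['version']}{flag}")
    for ip, port in report["missing"]:
        print(f"STALE allowlist entry {ip}:{port} owned by {EXPECTED_EXPOSURES[(ip, port)]} is no longer open")
```

On the sample, SSH on the web server and RDP on the VPN host both come back as unexpected and brute-force targets, the filtered port 8080 is ignored because it is not actually open, and the allowlist's 8443 entry is reported as stale. Run the scan from outside your own network (the view from inside is not the attacker's view) and page the owner recorded in the allowlist for each unexpected finding.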
8. Use the quieter period to test your contingency plans
If team members are out on holiday and there is any downtime for those remaining, the holiday season can be a great opportunity to test your contingency plans in real time. Running tests during this period shows whether your plans actually hold up with reduced resources and reveals any holes, giving you the chance to implement changes before the next period of increased vulnerability, such as the summer vacation season or an all-hands company offsite.
...
Of course, the most effective way to protect your organization during the holiday season is to work towards a strong security program year round. But you can’t always plan for everything, and we hope some of these tips can help keep the holiday stress to a minimum.
Happy holidays from the Hunters team!