While once rare, cybersecurity incidents targeting Operational Technology (OT) assets have become increasingly common in the past few years. This unfortunate trend prompted Verizon (in their 2020 Data Breach Investigations Report) to examine, for the first time in its then 12-year publication history, the involvement of OT assets vs. IT assets in security incidents. This report also included a section specifically aimed at organizations in the Mining, Quarrying, and Oil & Gas Extraction business.
Norsk Hydro & Stuxnet: The Canaries in the Coal Mine
Verizon’s 2020 report was released in the wake of the devastating 2019 ransomware attack on Norsk Hydro, which forced the organization to resort to manual operations at 170 sites in 40 different countries and cost the company tens of millions of dollars in damages. While OT networks and assets weren’t the primary target in this attack, the spill-over from the IT-focused attack disrupted OT networks substantially and shone a light on how unprotected many OT systems and assets really are.
However, the Norsk Hydro attack was not the first widespread, OT-disrupting attack. In 2010, Stuxnet, a highly sophisticated computer worm that targeted computers involved in uranium enrichment, disrupted OT systems across Iran, India, and Indonesia. The program began by checking whether an infected computer was connected to specific programmable logic controller (PLC) models manufactured by Siemens (PLCs are devices that computers use to interact with and control complex industrial machines like uranium centrifuges).
Computers that weren’t connected were ignored (and typically left unharmed). However, computers connected to the PLCs then had their programming altered, causing the centrifuges to spin too quickly and for too long, extensively damaging and even destroying delicate and expensive equipment. While this was happening, Stuxnet directed the PLCs to report that all equipment was working normally, which, in the world of remote monitoring, made it incredibly difficult to detect and diagnose the problem before extensive damage had already been done.
OT assets bring with them unique security implications, and as an organization’s footprint expands, its security risk scales as well. This reality, combined with broader market changes, is significantly influencing OT security environments. Businesses with significant OT assets need to take steps to secure their OT devices and improve their overall cybersecurity posture.
IT Security vs OT Security: A Brief Overview
While many organizations used to manage their IT and OT networks separately, IT and OT systems have a lot in common and rely on very similar tools. However, these tools are used in different ways: while IT tools are designed to interact with humans so they can complete their work tasks, OT tools are designed to interact with machines and ensure that the industrial control systems within your organization are operating correctly and available for the tasks your organization depends on them for.
One of the reasons OT and IT were kept apart for so long is that traditionally OT environments were “air-gapped”: kept isolated from the broader IT network and run in separate, siloed environments without internet access. However, the rise of IIoT (the industrial internet of things), which allows OT assets to be controlled and monitored remotely, has broken this isolation. While remote capabilities allow organizations to enjoy decreased costs and increased efficiency, the trade-off is that OT systems are no longer automatically protected from internet-based threats, such as cybersecurity attacks.
The Security Risks Associated with Operational Technology
IT security has been a priority for most organizations for decades, but unfortunately, OT security has not received the same amount of attention. According to the 2020 Global IoT/ICS Risk Report:
71% of IoT and Industrial Control Systems (ICS) networks are running on outdated operating systems that are no longer receiving security updates,
66% have not been updated with the latest antivirus software, and 64% of these networks rely on insecure passwords.
These findings are alarming and highlight several pervasive problems.
Direct Internet Connections
Many OT-reliant organizations depend on direct connections to the public internet; this is a serious problem, as even a single internet-connected device can provide a gateway for attackers to introduce malware onto a network or infiltrate the network and gain access to sensitive or proprietary information.
While easy-to-remember passwords are convenient for authorized workers, they also make it easy for attackers to brute-force their way onto your network. To improve password security, you should consider following the NIST password guidelines (see the section on Memorized Secret Authenticators) or investing in a secure password manager.
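As an added illustration of what following the NIST memorized-secret guidance looks like in practice (this is example code written for this article, not code from the article's author or from NIST), the check below enforces a minimum length, allows long passphrases, and rejects secrets that appear on a blocklist, are a single repeated or sequential character run, or contain context-specific words such as the site or user name, while imposing no composition rules. The blocklist is a small constructed sample; a real deployment would use a large list of breached and common passwords.

```python
"""NIST SP 800-63B-style memorized-secret check (added example, not from the article).

Assumptions (not in the original text): COMMON_PASSWORDS is a constructed
sample; a real verifier would consult a large breached/common-password list.
"""
import unicodedata

# Constructed sample blocklist of common/breached passwords (illustrative only).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "admin123", "iloveyou", "summer2020",
}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers should permit at least 64 characters


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential(s: str) -> bool:
    """True if every adjacent pair of characters differs by exactly +1 or -1 codepoint
    (e.g. 'abcdefgh' or '87654321')."""
    if len(s) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def check_memorized_secret(secret: str, context_words=()) -> list[str]:
    """Return the reasons a secret should be rejected; an empty list means accept.

    Checks length and a blocklist (common passwords, repeated or sequential
    characters, context-specific words) and deliberately imposes no
    composition rules, in line with SP 800-63B.
    """
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in common/breached password list")
    if s and len(set(lowered)) == 1:
        reasons.append("single repeated character")
    if is_sequential(lowered):
        reasons.append("sequential characters")
    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


if __name__ == "__main__":
    for candidate in ["Tr0ub4d", "Password1", "abcdefgh", "correct horse battery staple"]:
        print(candidate, "->", check_memorized_secret(candidate) or "accepted")
```

Because the check returns a list of reasons rather than a single boolean, the verifier can tell the user exactly why a choice was rejected, which is what the guidance recommends instead of opaque composition rules.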
Misconfigured APs Are a Security Risk
A single misconfigured wireless access point (AP) can compromise the security of your entire network. To help prevent unauthorized network access, you should audit all APs regularly and ensure any new APs added to the network are correctly configured.
Outdated Operating Systems
While transitioning to a new operating system may pose a bit of a headache, outdated operating systems that no longer receive security updates are a prime target for security attacks. To help improve your security posture, you should inventory all machines and access points on your network to ensure they are able to take advantage of their manufacturers’ latest security patches and updates.
Operating systems that are no longer supported should be phased out as quickly as possible and replaced with more secure options. During the transition, your security team should monitor your currently outdated systems more closely than usual since they present a particularly tempting entry point to attackers.
Inadequate OT Employee Training
Without proper employee cybersecurity training, even the best policies, most secure systems, and the latest and greatest security products will fall short. All employees should undergo regular cybersecurity training, and you should include security training during your onboarding process.
Well-trained employees are an incredibly valuable security asset, giving you eyes and ears across your network. You should ensure employees can identify potentially suspicious activities (such as phishing scams) and know who to report potentially suspicious activities to.
You should also consider running tabletop cybersecurity exercises. Tabletop exercises are similar to fire drills, allowing your employees to put their cybersecurity skills and knowledge to the test in a no-stakes environment. Employees are presented with a hypothetical cybersecurity incident which they have to respond to. This not only allows employees to get comfortable using their cybersecurity knowledge and helps them familiarize themselves with your incident response plan, but is also a great way to identify gaps in your security posture and response procedures so that they can be addressed before those deficiencies can be used against you.
As Your OT Footprint Expands, Industry Operators Need to Consider These Cyber Risks As Well
As your OT footprint expands, so do your cyber risks. However, by adopting a security-focused and proactive mindset, you can help ensure your cybersecurity posture remains robust.
Keep Third-Party Risk Management Top-of-Mind
Many OT-heavy organizations rely heavily on third parties. Oil and gas businesses looking to transition to renewable energy sources are partnering with third parties to ease this transition, and many mining companies rely on third parties to provide support services such as equipment assembly and maintenance. However, without proper planning and integration, partnering with a third party can increase risk and create security gaps in both parties’ systems.
To help ensure your OT ecosystem remains secure, you should ensure that your new partners are able to smoothly integrate with your OT and IT networks. Linking two systems introduces risk to both, so it is important to ensure that this partnership won’t inadvertently introduce security gaps that could leave either party or both parties vulnerable. You should also carefully vet all partners to ensure they meet your rigorous cybersecurity standards and limit third-party access to only the systems they require to do their work. Should a third party require access to a critical or sensitive system, this access should be carefully monitored for suspicious activity in case your third-party partner’s network or organization becomes compromised.
Both state-sponsored attackers and corporate interest groups view mining companies as treasure troves of valuable data and may seek to use cyber espionage tactics to gain unauthorized access to geological exploration research (including details on the location and value of natural deposits), corporate strategy documents (containing pricing information), and sensitive information on proprietary extraction and processing technologies.
At the same time, insights into business strategies and mine values could be leveraged during merger and acquisition negotiations in an effort to outbid a competitor or lower the price of an acquisition target. Stolen trade secrets and IP can also be used to reduce R&D costs for the attacker, providing a long-term competitive advantage. A good example of cyber espionage in action within the mining industry came in 2011 when global mining company BHP Billiton was targeted by both state-sponsored attackers and competitors in an attack that sought to gain access to market pricing information for key commodities.
Energy Providers, Including Oil & Gas
Oil and gas companies, as well as other energy providers, are also vulnerable to cyber espionage attacks. In 2021, many large international oil and gas companies were targeted in an attack that leveraged malware called Agent Tesla and other RATs (remote access trojans) to steal sensitive data, banking information, and browser information by logging keyboard strokes. While the Agent Tesla cyber espionage campaign mainly targeted energy companies, the attackers also targeted a small number of organizations in the IT, manufacturing, and media industries.
By fortifying your current cybersecurity posture, keeping security top of mind, and investing in robust and comprehensive employee cybersecurity training, you can help ensure your OT assets and other critical systems are better able to fend off potential cyber attacks.
Phishing Attacks Target OT Assets As Well
Phishing attacks have begun to target OT assets and networks as well as IT networks. As such, all OT personnel should undergo cybersecurity training that includes how to identify potential phishing scams, what to do if they suspect they have been targeted by a phishing scam, and whom to report the potential scam to for further investigation.
Securing Your OT Devices: Steps for All Organizations
Take a Proactive Approach
As the old saying goes: the best offense is a good defense. A proactive approach to cybersecurity includes:
Developing (and periodically reviewing) your organization’s incident response plan
Investing in robust and comprehensive cybersecurity training for all employees
When it comes to cybersecurity and suspicious activities, it’s critical that your entire team knows what sort of red flags to look for. While false alarms can temporarily divert personnel away from other critical tasks, underreporting can allow threats to sneak through, so it is always best to err on the side of caution.
To help identify and investigate suspicious activities, many organizations turn to managed SIEM solutions. SIEM experts have extensive experience with cybersecurity and stay up to date on the continually evolving threat landscape, which allows them to quickly assess potentially suspicious activities and attacks that could impact your OT ecosystem.
You should also seriously consider investing in a managed firewall solution. Unlike passive firewall programs, managed firewall solutions include access to a team of security experts, who will monitor and fine-tune your firewall as well as ensure all necessary security patches are downloaded and implemented as soon as they become available.
Invest in Network Mapping & Connectivity Analysis
It’s really easy to get lost without a map. Network mapping allows you to understand the physical and digital locations of all devices on your network, pinpoint issues, and isolate potentially compromised equipment quickly and effectively. This way, should an incident such as a malware or ransomware attack occur, your security team can quickly isolate infected machinery from the rest of the network, limiting or even preventing damage and disruption.
Implement a Zero-Trust Framework
Zero-trust frameworks are built on the security philosophy of “never trust, always verify”. Zero-trust systems treat every person, device, application, and network as a potential threat until it has been properly vetted and verified. As such, each entity must prove its legitimacy (essentially show its digital ID badge) before it is allowed to connect to the OT network.
Many zero-trust systems rely on two-factor or multi-factor authentication (MFA) tools, which require users to provide more than one form of identification. Typically, a user must provide a username and password as well as an additional piece of identification, such as a short-lived code sent to their mobile device, a fingerprint scan, or the correct answer to a security question. By adding an extra layer of verification, organizations make it more difficult for an attacker to gain access to their OT systems.
Control Identity & Access Management
Not every worker needs to be able to access every part of your network, and overly permissive access can pose a serious security risk. Controlling who is able to access which parts of your system is a critical piece of your overall cybersecurity posture, especially since every set of access credentials issued presents another potential entry vector for attackers.
If an employee falls for a phishing scam or leaves their credentials unsecured or exposed, it could allow attackers to access critical systems or gain access to sensitive information. As such, all organizations should:
Educate employees about the importance of safeguarding their access credentials
Adopt a least-privilege policy, and ensure it is maintained across your organization. This will limit access rights to those users who absolutely need them.
Revoke access privileges of former employees as soon as possible. Attackers will often look to leverage dormant accounts, and since the person the account is intended for is no longer using it, the use of these credentials is often not discovered right away.
Revoke temporarily-granted access for visitors, guests, and other third parties as soon as it is no longer required.
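The three revocation and least-privilege practices above lend themselves to a periodic automated access review. The following is an added example written for this article (not code from the article's author or from any IAM product): it walks a constructed account inventory and flags enabled accounts that belong to departed staff, third-party access that has passed its expiry date, accounts with no login for a long period, and accounts holding privileges beyond their role's baseline. The record fields, the role baseline, the 90-day dormancy threshold and the fixed reference date are all assumptions chosen for the example.

```python
"""Access review for the IAM practices above (added example, not from the article).

Assumptions (not in the original text): the account records, the role
baseline, the 90-day dormancy threshold and the reference date are all
constructed for this example.
"""
from datetime import date, timedelta

TODAY = date(2022, 3, 1)            # fixed reference date so results are deterministic
DORMANT_AFTER = timedelta(days=90)  # assumed policy: review accounts unused for 90+ days

# Role -> the privileges that role actually needs (assumed least-privilege baseline).
ROLE_BASELINE = {
    "operator": {"hmi_view"},
    "engineer": {"hmi_view", "plc_program"},
    "vendor": {"plc_program"},
    "service": {"backup"},
}

# Constructed sample account inventory (illustrative only).
ACCOUNTS = [
    {"user": "jsmith", "role": "operator", "enabled": True, "last_login": date(2022, 2, 27),
     "left_company": None, "access_expires": None, "privileges": ["hmi_view", "plc_program"]},
    {"user": "bjones", "role": "engineer", "enabled": True, "last_login": date(2021, 10, 3),
     "left_company": date(2021, 11, 15), "access_expires": None, "privileges": ["hmi_view", "plc_program"]},
    {"user": "vendor-pumps", "role": "vendor", "enabled": True, "last_login": date(2022, 1, 20),
     "left_company": None, "access_expires": date(2022, 2, 1), "privileges": ["plc_program"]},
    {"user": "svc-backup", "role": "service", "enabled": True, "last_login": date(2021, 8, 1),
     "left_company": None, "access_expires": None, "privileges": ["backup"]},
    {"user": "adisabled", "role": "operator", "enabled": False, "last_login": date(2020, 1, 1),
     "left_company": date(2020, 2, 1), "access_expires": None, "privileges": []},
]


def review_accounts(accounts, today=TODAY, dormant_after=DORMANT_AFTER, baseline=ROLE_BASELINE):
    """Return a list of (user, reason) findings for enabled accounts that need revocation or review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked; nothing further to do
        user = acct["user"]
        # Former employees: the account should have been revoked on their departure date.
        if acct["left_company"] is not None and acct["left_company"] <= today:
            findings.append((user, "former employee account still enabled"))
        # Temporary/third-party access that has outlived its approved window.
        exp = acct["access_expires"]
        if exp is not None and exp < today:
            findings.append((user, f"temporary access expired {(today - exp).days} days ago"))
        # Dormant accounts are attractive to attackers because misuse goes unnoticed.
        idle = today - acct["last_login"]
        if idle >= dormant_after:
            findings.append((user, f"dormant: no login for {idle.days} days"))
        # Least privilege: anything beyond the role's baseline should be justified or removed.
        excess = set(acct["privileges"]) - baseline.get(acct["role"], set())
        if excess:
            findings.append((user, f"privileges beyond role baseline: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS):
        print(f"{user:14} {reason}")
```

Running this on a schedule, and feeding the findings into the same ticketing or SIEM workflow used for other alerts, turns the "as soon as possible" in the list above into something measurable.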
Create an OT Systems Management Program
An OT systems management program is a great way to ensure you are covering all of your security bases. Most programs include:
Asset inventory management
Lifecycle management, including:
Defining system requirements to ensure desired physical system outcomes
Establishing specifications to ensure security and reliability
Control and supply chain management over these systems
A schedule for replacing outdated components
Patch and vulnerability management
Network and system design
User and account management
Log and performance monitoring (critical for both reliability and security)
Incident and trouble response
Backup and restore functionality
A good OT systems management program offers a wide range of benefits, including:
Providing valuable insights into all hardware and software on your OT network, allowing your security team to identify vulnerabilities swiftly
Properly updating and configuring systems, which reduces the attack surface
Providing a way for your team to update automation systems for key operational tasks in an operationally efficient manner
Providing a mechanism that handles reporting and monitoring across your OT and IT systems in a consistent manner, thereby simplifying the reporting process
Enabling more advanced and effective security controls by offering both proper visibility and access to underlying endpoints and other network infrastructure
Segment Your Network
Network segmentation is a great way to safeguard your most valuable OT assets and systems. Segmenting your network is a security measure that sections off vulnerable or sensitive systems and networks from the wider network. In IT, this may take the form of segmenting the accounting department’s network (which contains both private financial information and sensitive employee information) from less critical or sensitive areas of the network, such as the guest Wi-Fi.
Network segmentation is becoming increasingly common in organizations that deal with critical infrastructure, including oil and gas companies, power companies, utility companies, and manufacturing companies, and is a great way to improve your security posture by better isolating and safeguarding critical and sensitive systems and assets.
Consider Partnering with a Trusted MSSP
Securing your OT assets and networks against cyber attackers can be a daunting prospect, particularly for organizations without their own in-house cybersecurity teams. Fortunately, experts like VirtualArmour are here to help. Our team has extensive experience working with companies in a variety of OT-heavy industries, including the energy sector, mining, and manufacturing.
We offer a variety of security services, including:
We also offer tailored services à la carte, allowing you to select the services your organization requires so you can create a personalized premium or essential services package designed to meet your organization’s unique needs. We are also pleased to offer personalized, one-time expert consults.
With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and assistance, as well as industry-leading response times. Whether you are looking to assess your current OT cybersecurity posture, update or create your incident response plan, or coordinate employee training via our VirtualArmour Academy, the experts at VirtualArmour are here to help. For more information or to get your free, no-obligation quote or free cyber risk report, please contact our team today.
The goal of cybersecurity is to safeguard your organization’s digital assets, including data and systems. Both EDR and MDR work to achieve this goal in different ways, and a good strategy will rely on both approaches to create a robust, more comprehensive cybersecurity strategy.
EDR: A Software-Focused Approach to Cybersecurity
EDR (endpoint detection and response) is a software-based cybersecurity approach designed to detect and respond to endpoint threats. Endpoints refer to any remote computing devices that are able to connect with your network, including computers, smartphones, tablets, servers, and IoT devices. Endpoints act like the doorways to your network, making them key points of entry for cybercriminals. As such, these portions of your network are vulnerable and require special security considerations.
Good EDR is Reactive…
EDR is designed to safeguard these endpoints by using both tools and solutions to detect and address threats to your endpoints and hosts. Should an endpoint or host become infected with malware or otherwise compromised, the software can also quarantine the affected systems or endpoints to help slow or stop the attack. EDR is incredibly valuable because it can detect advanced threats without relying solely on malware signatures the way traditional anti-virus software does. EDR can also trigger an adaptive response to a threat (much like your immune system responding to an infection), allowing your system to learn from the situation and adjust its response accordingly. This approach not only helps contain the situation at hand but also helps improve your threat responses moving forward.
… But Also Proactive
In addition to learning from past incidents, good EDR also takes a proactive approach by seeking out new potential threats before they become actual threats. EDR is also able to gather data about the overall health of your network and record network activity. Should an attacker manage to slip past your defenses, this treasure trove of data gathered before, during, and after the attack will prove invaluable for identifying the root cause of the attack so that steps can be taken to improve your security moving forward.
EDR works like a security system, setting off an alarm if a window is broken or a door is forced open in an attempt to scare off the intruder and alert the business owner that something is amiss. Unfortunately, even if the security system alerts the business owner, the owner may not immediately realize something is wrong. After all, she is a busy woman with a business to run. She is also only one person: if the break-in happens while she is asleep or in a meeting, she may not see the alert on her phone until she wakes up or the meeting has ended.
On the other hand, MDR is more like hiring a security guard: You already have an expert on-site, keeping an eye out for any suspicious activity. Should a break-in occur, the security guard can respond right away. That doesn’t mean that alarm systems aren’t useful, but they are more useful if you have a security guard keeping an eye on things as well.
MDR is one piece of the SOCaaS (security operations center as a service) ecosystem, helping create a holistic, turnkey solution to continuously monitor threats across your network.
Good MDR Incorporates EDR
MDR solutions are empowered by EDR solutions, much like how a security guard is better able to perform their job because of an alarm system. MDR analysts and other cybersecurity experts are able to use the data gathered by the EDR system, as well as the abilities it provides, to more easily assess the threat and respond swiftly and appropriately. By leveraging EDR systems, your cybersecurity team can use the data the system has collected to better prioritize threats (such as identifying which users are logged in and which systems and files are being targeted) and move quickly to shut down impacted systems or institute quarantines to contain the threat and minimize or even avoid further damage.
MDR is a particularly effective approach for small and medium-sized organizations, which are less likely to have in-house cybersecurity teams to manage and respond to threats identified by their EDR systems. Many managed security services providers offer a variety of services that can be mixed and matched to suit your needs, whether you are looking to fully outsource your cybersecurity needs or simply augment your existing in-house security team.
Looking to Improve Your Security Posture for 2022? VirtualArmour is Here to Help!
Not everyone is a cybersecurity expert, and that’s okay. No matter your cybersecurity needs, VirtualArmour’s team of experts is always here to help. In addition to MDR, we also offer:
VirtualArmour also offers tailored services on an à la carte basis, allowing you to pick and choose the services your organization requires to create your own premium services package, essential services package, or tailored one-time expert consult. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring as well as industry-leading response times. We have extensive experience working with a variety of highly-specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers.
Cybersecurity is more important than ever before: according to Government Technology, though 2020 saw an overall decline in the number of breach events, the number of breached records grew dramatically, and the number of ransomware attacks doubled between 2019 and 2020.
These troubling trends demonstrate why a robust yet adaptable cybersecurity stance is critical for all organizations, regardless of size or vertical. But how do you know if your organization has experienced a breach? In this article, we will discuss common types of cybersecurity breaches, and red flags you should look for that may indicate a breach has occurred.
A security breach is like a break-in, but instead of breaking into your house or business, attackers break into your digital systems to steal personal information or sensitive documents or to damage your network. However, there are steps you can take to best safeguard your digital assets, which include:
Creating a cybersecurity incident response plan, reviewing it regularly, and updating it as necessary. Having a plan in place is critical because it allows you to respond quickly and lays out, in advance, who needs to do what should an incident occur.
Investing in employee cybersecurity training. Even the best cybersecurity incident response plan is effectively useless if your team doesn’t understand why security is important, what role they play in it, and how to respond should an incident occur. All new hires should undergo training, and all employees from the CEO down should receive regular refresher training.
Regularly monitoring your network for suspicious activities. These suspicious activities, called IOCs or indicators of compromise, will be discussed in depth later in this article.
Breaches Have Wide-Reaching Consequences
Breaches cause more than headaches: to address the situation, you will likely need to pull critical personnel from other projects, hindering productivity and severely impacting your daily business activities. Depending on what data is stolen or what systems are compromised, you may also suffer financial damages in the form of regulatory fines or even lawsuits.
A poorly handled breach can cause permanent damage to your organization’s reputation, damaging consumer trust.
Many cybercriminals rely on malware (malicious software) to infiltrate protected networks. The malware is often delivered via email or by tricking unsuspecting employees into downloading corrupted files from compromised or malicious websites.
For example, an employee receives an email with an attachment that infects your network when the attached file is opened, or visits a compromised site and downloads the malicious file directly. Once one computer is infected, the malware will likely spread to other areas of your network, sending sensitive data back to the attacker, laying the groundwork for a larger attack, or damaging your digital infrastructure.
Phishing attacks are designed to trick potential victims into believing they are talking with someone they trust (such as a colleague, their bank, or another trusted individual or institution) in order to hand over sensitive information (such as credit card numbers, usernames, passwords, etc.), grant the sender access to restricted areas of the network, or trick the target into downloading malware.
For example, an employee might receive an email from someone pretending to work in your IT department asking them to reset their username and password, or from “their boss” requesting confidential files, or from “your company’s bank” warning that they have detected suspicious activity on a company credit card or in a company bank account and requesting that the recipient click on a link in the email to log in and review the flagged transactions.
In all three scenarios, criminals are acting as trusted individuals or individuals working on behalf of trusted institutions in order to trick unsuspecting email recipients.
DDoS attacks are designed to crash websites, preventing legitimate users from visiting them. Attackers do this by flooding websites with traffic, either by working with other attackers or by using bots (programs that perform repetitive tasks automatically) to hammer the server hosting the website with requests.
DDoS attacks are considered security breaches because they can overwhelm your organization’s security defenses and severely curtail your ability to conduct business. Common targets include financial institutions or government bodies, and motivations range from activism to revenge to extortion.
IOCs are pieces of forensic data, such as system log entries or files, that identify potentially malicious activity on a network or system. Like suspicious ink-stained fingers or an errant muddy footprint in a Sherlock Holmes book, IOCs are clues that help security and IT professionals detect data breaches, malware infections, or other suspicious activities.
By looking for IOCs regularly, organizations can detect breaches as soon as possible and respond swiftly, limiting or even preventing damages by stopping attacks during their earliest stages.
However, IOCs are not always obvious or easy to detect: they range from something as plain as an unexpected login to something as complex as snippets of malicious code. Cybersecurity and IT analysts often look at a range of IOCs when trying to determine if a breach occurred, examining how different IOCs fit together to reveal the whole picture.
IOCs vs IOAs
IOAs (indicators of attack) are similar to IOCs, but instead of focusing on the forensic analysis of a compromise that has already occurred, these clues aim to identify attacker activity while the breach is in progress.
A proactive approach to security relies on both IOCs and IOAs to uncover threats or potential threats in as close to real-time as possible.
Common IOCs and IOAs
There are many IOCs and IOAs that IT and security analysts look for, but some of the most common include:
Unusual outbound network traffic. This could indicate someone is moving sensitive files off the network.
Anomalies in privileged user access accounts. A common tactic used by attackers is to either escalate privileges on accounts they have already compromised or use compromised accounts as gateways to more privileged accounts. By monitoring accounts with access to sensitive areas of your network, analysts can look out for signs of insider attacks or account takeover attacks.
Geographic irregularities. If an employee logs out of their account from an IP address in Chicago, then immediately logs back in from New York, that is a huge red flag. Analysts also look for traffic between countries that your organization doesn’t have business dealings with.
General login irregularities. Multiple failed login attempts or failed login attempts for accounts that don’t exist are both huge red flags. Analysts also look for irregular login patterns, such as employees logging in well after work hours and attempting to access files they don’t have authorization for, which likely indicate the account credentials have been compromised.
Unusually high database read volume. If an employee is attempting to download and read your entire personnel or credit card database, that likely means an attacker is attempting to access those sensitive files.
A large number of requests for the same file. Breaches rely on trial and error a lot, so a large number of repeated requests for the same file (such as the credit card database we mentioned earlier) may indicate an attacker is testing out a variety of strategies in an attempt to gain access.
Suspicious configuration changes. Changing configurations on files, servers, and devices may indicate an attacker is attempting to set up a network backdoor or adding vulnerabilities to aid a later malware attack.
Flooding a specific site or location with traffic. Many attackers rely on bots for a variety of tasks and may recruit compromised devices on your network to do their dirty work. A high level of traffic from a number of devices targeting a specific IP address may indicate those devices have been compromised.
Suspiciously timed web traffic. Even the fastest typers can only type so fast, so if logs indicate that someone is trying thousands of password and username combinations a second, chances are an attacker is attempting to break into your network using a brute force attack.
These are just some of the most common IOAs and IOCs that security and IT analysts use to look for signs of suspicious activity.
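The indicators listed above can be turned into concrete detection logic. The following Python script is added here as an illustration; it is not code from VirtualArmour or from the original article. It runs five of those checks (impossible travel, after-hours logins, probing for nonexistent accounts, repeated failures against one account, and machine-speed attempt rates) over a constructed set of authentication log lines. The log format, business hours, IP addresses, user names and thresholds are all assumptions chosen for the example.

```python
"""Login-anomaly detection over constructed authentication log lines.

Added example, not code from the original article. The log format, the
thresholds, the business hours and every sample value are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log format: one event per line, space-separated key=value fields.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) city=(?P<city>\S+) "
    r"result=(?P<result>success|failure)(?: reason=(?P<reason>\S+))?$"
)

# Detection thresholds (assumed values; tune them to your environment).
TRAVEL_WINDOW = timedelta(minutes=30)   # logins from different cities inside this window
BUSINESS_HOURS = (8, 18)                # 08:00-18:00 UTC counts as working hours
UNKNOWN_ACCOUNT_LIMIT = 3               # failures for nonexistent accounts from one IP
ACCOUNT_FAILURE_LIMIT = 5               # failures against one account
ATTEMPTS_PER_SECOND_LIMIT = 20          # attempts from one IP within a single second

# Constructed sample log: a normal login, an impossible trip, an after-hours login,
# probing for accounts that do not exist, and a machine-speed burst against one account.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z user=alice ip=198.51.100.5 city=Chicago result=success",
    "2024-05-01T09:12:00Z user=alice ip=203.0.113.77 city=New_York result=success",
    "2024-05-01T02:30:00Z user=bob ip=198.51.100.8 city=Denver result=success",
    "2024-05-01T10:01:00Z user=admin ip=203.0.113.9 city=Unknown result=failure reason=no_such_user",
    "2024-05-01T10:01:30Z user=root ip=203.0.113.9 city=Unknown result=failure reason=no_such_user",
    "2024-05-01T10:02:00Z user=test ip=203.0.113.9 city=Unknown result=failure reason=no_such_user",
] + [
    f"2024-05-01T11:00:05.{i:06d}Z user=carol ip=203.0.113.9 city=Unknown "
    "result=failure reason=bad_password"
    for i in range(25)
]


def parse(lines):
    """Parse log lines into event dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # a malformed line should not crash the detector
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (kind, subject, detail) findings for the indicators described above."""
    findings = []

    # Geographic irregularity: the same user succeeds from two cities too close together.
    last_success = {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["city"] != e["city"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            findings.append(("impossible_travel", e["user"], f"{prev['city']}->{e['city']}"))
        last_success[e["user"]] = e

    # Login irregularity: successful logins well outside working hours.
    for e in events:
        if e["result"] == "success" and not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours_login", e["user"], e["ts"].isoformat()))

    # Login irregularity: one source probing for accounts that do not exist.
    unknown = Counter(e["ip"] for e in events if e["reason"] == "no_such_user")
    for ip, n in unknown.items():
        if n >= UNKNOWN_ACCOUNT_LIMIT:
            findings.append(("unknown_account_probing", ip, n))

    # Repeated failures against a single existing account.
    per_account = Counter(
        e["user"] for e in events if e["result"] == "failure" and e["reason"] != "no_such_user"
    )
    for user, n in per_account.items():
        if n >= ACCOUNT_FAILURE_LIMIT:
            findings.append(("account_brute_force", user, n))

    # Suspiciously timed traffic: more attempts per second than a human could type.
    per_second = Counter((e["ip"], e["ts"].replace(microsecond=0)) for e in events)
    for (ip, _second), n in per_second.items():
        if n > ATTEMPTS_PER_SECOND_LIMIT:
            findings.append(("brute_force_rate", ip, n))

    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

Thresholds of this kind need tuning per environment: a VPN concentrator or a shared office egress address will legitimately produce geographic jumps and bursts that would be alarming from a single workstation, which is why analysts correlate several indicators before escalating rather than acting on any one of them.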
To learn more about how our experienced security analysts use IOCs, or to get started improving your security posture, please contact our team today.
Identifying IOCs is just one small aspect of cybersecurity. To learn more about cybersecurity, why it’s important, and what steps your organization should be taking, please consider reviewing the educational articles listed below.
No matter how large or small your organization is, investing in your cybersecurity posture is vital for safeguarding your digital assets, your business, and your customers. To improve your cybersecurity posture, you need to get inside the mind of a cybercriminal and figure out how to stay one step ahead in this endless game of cat and mouse.
What are TTPs?
TTPs refer to the tactics (or tools), techniques, and procedures used by a specific threat actor (the bad guy) or group of threat actors. Essentially, TTPs are the distinct patterns of activity or behavior associated with a particular person or group, and they describe how threat actors orchestrate, execute, and manage their cyber attacks.
Tactics, generally speaking, refer to the vectors used by attackers. This could include accessing and using confidential information, gaining access to a website, or moving laterally (moving sideways between devices and apps to map your system and look for less protected areas they can exploit).
Techniques refer to the methods attackers use to achieve their goals. For example, if the immediate goal (the tactic) is to gain unauthorized access to your system, then the technique could be using social engineering (such as a phishing scam) to trick employees into sharing their login credentials. A single tactic can involve multiple techniques.
Techniques act like stepping stones towards the attacker’s overarching goal, which could include damaging your systems, infecting your network with ransomware, or stealing sensitive files.
Procedures refer to specific, actionable, preconfigured steps used by cybercriminals to achieve their overarching goals. So, for example, if the goal is to use a phishing scam to gather login credentials from employees, the procedure could involve determining what the email should say and configuring the email to download malware when a user opens the attachment included with the email.
Why are TTPs Important for My Business?
Analyzing TTPs is vital for your cybersecurity posture since the clues threat actors leave behind can be used to help identify who is responsible for an attack or breach. By analyzing TTPs, your cybersecurity team or cybersecurity partner can:
Rapidly triage and contextualize the event taking place by comparing the TTPs of the current attack with the TTPs of known threat actors or groups (such as hostile foreign governments, lone criminals, criminal groups, or rival corporations) who may have launched the attack. Based on who may be behind the attack, your cybersecurity experts can try to predict what may happen next and redeploy resources to better safeguard your most critical digital assets, such as your servers.
Review probable paths for research and further exploration based on what TTPs were used in the attack. This allows your cybersecurity experts to potentially identify who was behind the attack so criminal charges can be laid.
Identify potential sources or vectors of the attack. This step involves identifying how the threat actors were able to gain unauthorized access to your systems so those vulnerabilities can be addressed as soon as possible so that other threat actors can’t exploit them in the future.
Identify and investigate all systems that may have been compromised. This step is part of your incident response process and is critical for preventing further damage and rooting out potential back doors left by the attackers.
Create threat modeling exercises and improve your cybersecurity training so that your team won’t be caught unaware again should a similar or related event occur in the future.
How Can VirtualArmour Help?
Security experts like the VirtualArmour team use TTPs to help identify potentially suspicious activities. When a company like VirtualArmour is monitoring your network 24/7/365, one of the things our experts look for is TTPs. TTPs act like fingerprints: our experts know what sort of patterns to look for and use that vast wealth of knowledge to help sift out potentially suspicious network activity from ordinary, harmless network activity.
Should an incident occur, our experts can use TTPs to narrow down the list of suspects, potentially identify third parties that may be impacted (for example, if the phishing attack came from a Gmail address, that Gmail account may itself have been compromised), and allow our team to trace the route of the attack back through your network, flagging potentially compromised systems for further investigation and identifying how the attacker was able to gain access. Once we have that information, we can work with you to address your security posture’s current shortcomings and help you update your cybersecurity training so your employees are better able to identify potentially suspicious activities such as phishing emails.
To help keep organizations like yours safe, we offer a variety of managed services and consulting services, including SOCaaS (security operations center as a service). Most SMBs don’t have the budget to maintain a full, in-house security team. VirtualArmour’s SOC as a service offers a cost-effective solution: our full team of cybersecurity experts and analysts acts like an extension of your existing security team or can be used to supplement staff in IT-light environments, managing and monitoring your network, devices, and digital assets.
VirtualArmour’s SOCaaS premium includes:
Managed Detection & Response
Enforcing Sanctioned Enterprise Applications
Endpoint Security Policies
Firewall Rule Management
Security Incident Investigations
Regular Cadence Reporting
Identification of Vulnerable
Configuration Auditing for Security Gaps
Data Enrichment and Context for Alert
For more information about TTPs and their importance, or to get started improving your cybersecurity posture, please contact our team today.
To learn more about cybersecurity and the steps your organization should be taking to improve your cybersecurity posture, please consider reading one of our other educational articles.
From a financial standpoint, it makes sense to try and hold out on upgrading your hardware until something breaks, even if the hardware in question is no longer supported by the manufacturer. After all, if it still works, why replace it?
However, using unsupported hardware brings with it a wealth of cybersecurity risks, can hinder productivity, and can hurt your bottom line.
9 Reasons You Need to Say Goodbye to Unsupported Hardware
You’re Incurring Unnecessary Expenses
Once hardware reaches its end-of-life (EOL), you’ll likely have to pay a hefty premium to keep your aging technology up and running. If extended support is available at all, it isn’t likely that many companies will offer it, leaving you less choice and hampering your ability to shop around for the best price.
Without the ability to install security patches to address known vulnerabilities or support up-to-date (and more-secure) versions of the software your organization relies on, you may no longer be able to comply with relevant regulations, leaving your organization vulnerable from a legal and compliance standpoint.
Outdated Hardware is Unreliable
Aside from the expected wear and tear on old components (which will become increasingly difficult to find or repair), outdated hardware doesn’t support new versions of the software your organization requires to function. As such, you will likely be forced to rely on outdated software, curtailing system performance and cutting you off from new features.
Outdated hardware is also more likely to crash, increasing system down-time and causing headaches and frustration for employees and customers alike.
Productivity Takes a Hit
Unsupported hardware affects employee productivity in a multitude of ways:
Employees have to invest more time and energy in keeping outdated hardware up and running, pulling them away from tasks that grow your business.
Outdated hardware isn’t able to support the newer, faster, more reliable versions of the software your organization depends on, which means employee tasks end up taking longer than they should because workers are left waiting for software to load.
Employees who are continually frustrated with the tools they need to do their jobs are less likely to be satisfied with their jobs overall, leading to higher turnover. Not only does this lead to increased costs (during the training period, trainees don’t make the company money, they cost money), but it also decreases productivity as new members learn the skills they need to do their jobs. Workers are also more likely to view employers with high turnover rates with suspicion, which may make it harder to attract the skilled workers you need to succeed.
Your Network is Left Vulnerable
Older hardware is unable to support the newest software, which means you won’t be able to take advantage of security patches or other steps software manufacturers take to address vulnerabilities in their products. Cybercriminals are well known for targeting older software with known vulnerabilities since not all users will have the latest security patches installed.
Increased Environmental Impact
Everyone knows old cars are more likely to be gas guzzlers than their sleek modern counterparts, but the same holds true for outdated hardware. Increased energy consumption leads to higher electricity bills, increasing your carbon footprint while further eroding your bottom line.
You May Experience Data Recovery Problems
Should disaster strike, outdated hardware means you may have trouble recovering lost data. Depending on your industry and the nature of your business, the impact of this lost data could range from frustrating to catastrophic.
You’ll Likely Encounter a Skills Shortage
As we mentioned in the section about unnecessary costs, finding a repair or maintenance company with the skills needed to repair and maintain your outdated equipment may be difficult. Even if you are able to find a business that can help, there aren’t likely to be many of them around, which means you will likely be left with the choice of either paying exorbitant amounts for repairs and maintenance or upgrading your hardware anyway.
Also, because older hardware is only able to support older software, you may find it difficult to find workers who are familiar with the programs you use. For example, many financial institutions rely on software written in COBOL, a vintage programming language developed nearly 60 years ago that is no longer regularly taught in universities. Unfortunately, many major financial corporations (and sections of the federal government) rely on systems that use COBOL, and as older programmers retire, they are having a hard time hiring qualified replacements.
By holding onto unsupported hardware, you may be compromising your organization’s future as it becomes increasingly difficult to find workers and repair people who have the skills needed to maintain your outdated and aging equipment.
Frustrated Customers Are Likely to Become Former Customers
In the age of instant results, a slow website or frequently inaccessible client portal is incredibly frustrating. Customers expect to be able to access products and services quickly 24/7/365. That means organizations that experience frequent outages, slow software, and other outdated hardware-related issues are likely to see their customers abandon them for competitors who offer a better user experience.
Looking to Break Up with Your Outdated Hardware? VirtualArmour Can Help!
A system migration may seem daunting, and not every organization has the people power or the inclination to maintain and troubleshoot their IT infrastructure or keep it up to date. That’s why VirtualArmour offers managed infrastructure services.
Recent cyberattacks, including the SolarWinds attack and the Microsoft Exchange attack, have renewed focus on how critical a good cybersecurity posture is. Managed IT services and cybersecurity promise to help organizations manage their IT and keep their data safe and compliant, but not everyone is clear on what exactly a managed IT provider does, what cybersecurity is, and what the various technical terms used in the industry mean.
To help you understand what managed IT and cybersecurity are, and why they are important, we’ve created a handy little guide that explains common terms you may encounter and demonstrates how they pertain to the larger cybersecurity or managed IT picture.
What is Cybersecurity?
In the broadest sense, cybersecurity refers to techniques used by either companies or their cybersecurity services provider to protect an organization’s digital assets. Digital assets include both your digital infrastructure (networks, systems, and applications) as well as your data (such as financial records, client lists, and other records). By taking steps to protect these digital assets, organizations can better safeguard themselves against cyberattacks, where threat actors or attackers (also called hackers) attempt to gain unauthorized access to infrastructure or data for nefarious purposes.
Types of Cybersecurity Solutions
Many of these solutions overlap, creating a “Swiss cheese” model of cybersecurity: no single program is going to catch everything, but layering multiple programs and strategies together reduces the chance that someone or something malicious slips through all your defenses.
Antivirus (AV)
Antivirus is a type of security software used by IT professionals to scan for, detect, block, and eliminate malware (malicious software). AV programs typically run in the background and rely on known malware signatures and behavior patterns. Though AV is useful, it is just one piece of the cybersecurity puzzle and isn’t enough to protect your digital assets on its own.
Endpoint Detection & Response (EDR)
Endpoint detection and response refers to a set of tools and solutions used to detect, investigate, and mitigate suspicious activities on endpoints (devices that can access the network, including computers and smartphones) and on the hosts and networks they connect to. EDR is valuable because it can detect advanced threats that lack the known behavioral pattern or malware signature that AV depends on. EDR can also trigger an adaptive response (like your immune system springing into action) depending on the nature of the threat it has detected.
Managed Detection & Response (MDR)
Managed detection and response is a piece of the SOCaaS (Security Operations Center as a Service) model that offers a comprehensive solution for continuous threat monitoring, threat detection, and incident response and is provided by a third-party vendor. Holistic, turnkey solutions like this can help provide peace of mind, giving IT professionals the information they need to prioritize incidents and improve the overall security posture of the organization.
Network Operations Center (NOC)
A network operations center refers to a central hub that allows network administrators to manage and control their network or networks and their primary server across several geographically distributed sites (such as a head office managing and observing multiple branch locations). Because network administrators need to deal with threats and headaches such as DDoS attacks (discussed later in this article), power outages, network failures, routing black holes, and other issues, it is critical that they are able to oversee the entire network and react to threats quickly and easily.
A NOC is not a security solution, but it can help larger organizations effectively monitor their networks, endpoints, and other critical infrastructure and devices for signs of trouble and is frequently used in Managed IT.
Security Operations Center (SOC)
A security operations center is crewed by cybersecurity personnel and handles threat detection and incident response processes, all while supporting the various security technologies your security operations rely on. While larger enterprises often build and manage their SOC in-house, small and medium-sized organizations don’t typically have the personnel or bandwidth to do so. As such, SMBs (small and medium-sized businesses) frequently choose to outsource their SOC to trusted partners.
Security Information & Event Management (SIEM)
SIEM is a vital tool used to collect and aggregate security events and alerts across multiple security products. Once this information has been gathered, the SIEM software analyzes and correlates those events to look for patterns that might identify potential threats within the organization.
Vulnerability Management
Vulnerability management solutions are programs that are used to identify, track, and prioritize internal and external cybersecurity vulnerabilities. This information is used to optimize cyberattack prevention activities (such as patching known vulnerabilities, upgrading software, and fixing configuration errors).
Patches
Patches refer to small programs released by software development companies to fix vulnerabilities they have discovered in their products. Keeping your software up to date allows your organization to take advantage of any security patches released, allowing you to better safeguard your digital assets. Unpatched software leaves your organization vulnerable since cybercriminals often target recently patched software in the hope that not all organizations will have the patch installed.
Vulnerability Assessment (VA)
Vulnerability assessments are used to identify, classify, and prioritize vulnerabilities and can be used to assess internal, external, host-based, or third-party systems.
Common Types of Cyberattacks
Cyberattacks are becoming increasingly common and can be devastating. A single attack can compromise your systems and your data, ruin your reputation, and even lead to legal trouble and compliance issues if it isn’t addressed and remediated swiftly.
Brute Force Attack
Brute force attacks are crude but frequently effective. During a brute-force attack, a cybercriminal attempts to gain unauthorized access to a system by trying possible passwords until they guess the correct one. Though this could take centuries by hand, attackers use software that tries passwords at machine speed, making this a viable option.
Phishing & Social Engineering
Phishing attacks involve a cybercriminal attempting to trick potential victims into revealing confidential information (such as your banking details, your credit card number, your SIN, or your password) or into installing malware by clicking a link or opening an infected file. Phishing attempts usually involve text-based communications such as email, text messages, or other messaging apps. Cybercriminals usually pretend to be someone you are already primed to trust, such as your boss or an employee of your bank.
Phishing scams are a type of attack that uses social engineering. Social engineering is when attackers use psychological manipulation to infiltrate an organization or private network by exploiting human weaknesses and tricking unsuspecting users into granting access or handing over sensitive information. This manipulation relies on the human desire to help and trust easily and may also use the fear of getting in trouble or causing an inconvenience.
Credential Stuffing
Credential stuffing involves using existing databases of compromised username and password combinations (typically collected during a previous breach and frequently purchased on the dark web) to attempt to log in to a targeted account.
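Brute force (described above) and credential stuffing look different in the logs: the first hammers one account with many passwords, the second tries many accounts with one or two passwords each. The following Python code is an added illustration, not VirtualArmour’s code or any product’s, of a login guard that handles both, together with the complementary control of rejecting passwords already known from previous breaches. The thresholds, window lengths, IP addresses, account names and the breached-password list are constructed assumptions.

```python
"""Rate limiting and lockout against brute-force and credential-stuffing logins.

Added example, not code from the original article. Thresholds, the
breached-password list and the sample attempts are constructed assumptions.
"""
import hashlib
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600        # sliding window over which attempts are counted (assumed)
ACCOUNT_FAIL_LIMIT = 5      # failures for one account in the window -> lock that account
IP_ACCOUNT_LIMIT = 10       # distinct accounts tried from one IP in the window -> block that IP
LOCKOUT_SECONDS = 900       # how long a lock or block lasts

# Constructed breached-password set. A real deployment stores only hashes
# obtained from a breach corpus and never keeps the plaintexts around.
BREACHED_HASHES = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("password", "Password123", "qwerty")
}


def password_is_breached(password: str) -> bool:
    """True if the password appears in the breached-credential set."""
    return hashlib.sha256(password.encode()).hexdigest() in BREACHED_HASHES


class LoginGuard:
    """Tracks attempts per account and per source IP inside a sliding window."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                       # injectable so tests are deterministic
        self.failures = defaultdict(deque)       # account -> deque of (timestamp,)
        self.ip_attempts = defaultdict(deque)    # ip -> deque of (timestamp, account)
        self.locked_until = {}                   # account -> expiry time of the lock
        self.blocked_until = {}                  # ip -> expiry time of the block

    @staticmethod
    def _prune(entries, now):
        # Drop entries older than the window; the timestamp is first in each tuple.
        while entries and now - entries[0][0] > WINDOW_SECONDS:
            entries.popleft()

    def attempt(self, account: str, ip: str, password_ok: bool) -> str:
        """Record one login attempt and return the decision for it."""
        now = self.clock()
        if self.blocked_until.get(ip, -1) > now:
            return "blocked_ip"
        if self.locked_until.get(account, -1) > now:
            return "locked_account"

        ip_log = self.ip_attempts[ip]
        ip_log.append((now, account))
        self._prune(ip_log, now)
        # Credential stuffing: few tries per account but many accounts from one source.
        if len({acct for _, acct in ip_log}) >= IP_ACCOUNT_LIMIT:
            self.blocked_until[ip] = now + LOCKOUT_SECONDS

        if password_ok:
            return "allowed"

        fail_log = self.failures[account]
        fail_log.append((now,))
        self._prune(fail_log, now)
        # Brute force: repeated failures against one account.
        if len(fail_log) >= ACCOUNT_FAIL_LIMIT:
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed sequence: six bad passwords for one account from one address.
    for _ in range(6):
        print(guard.attempt("alice", "198.51.100.7", password_ok=False))
    print(guard.attempt("alice", "198.51.100.7", password_ok=True))  # still locked
    print("breached:", password_is_breached("Password123"))
```

The per-IP account-breadth rule is the one that catches stuffing, because each individual account sees too few failures to trip a lockout. It also needs care behind NAT or corporate proxies, where many legitimate users share one address, so production systems usually combine it with device fingerprints or step-up authentication rather than a hard block.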
Dark Web
The dark web refers to a part of the internet that isn’t indexed by search engines such as Google and can’t be reached by simply typing a URL (such as www.virtualarmour.com) into an ordinary browser. This secrecy has made the dark web a popular place for criminals, allowing them to buy and sell illegal items (such as credit card numbers, illegal weapons, and malware) away from the gaze of law-abiding internet users.
Cryptojacking
Cryptojacking is an attack that involves the unauthorized use of someone else’s computer to mine cryptocurrencies. Though this type of attack isn’t likely to damage data or systems, it is still concerning because it means someone has access to your digital assets without your knowledge or consent. It can also affect the performance of your systems and cost you money, since the attack siphons off computing power and uses electricity that your company is paying for.
Data Breach
A data breach, also called a hack, refers to any event where unauthorized users are able to gain access to your systems or steal sensitive information such as PII (personally identifiable information) from an organization or individual. The goal of a data breach is usually either to use this information to gain unauthorized access to other systems (such as using your Netflix username and password to try to log in to your bank account) or to sell this information to other cybercriminals.
Distributed Denial of Service (DDoS)
DDoS attacks attempt to crash a web server or other online service by flooding it with more traffic than the network can handle. This can be done either by a large group of cybercriminals working together or by a single cybercriminal with a large botnet (a network of compromised computers that the attacker controls remotely). By overloading the server, cybercriminals can prevent legitimate users from accessing a company’s products or services.
DNS Hijacking
DNS hijacking (also called DNS redirection or DNS poisoning) tampers with Domain Name System (DNS) queries so that a domain name resolves to a different website than intended, often one populated with malware, advertising, or other unwanted content. The DNS acts like a phone book for the internet, so DNS hijacking amounts to forcing the browser to dial the wrong number (or go to the wrong website).
Drive-by Attack
A drive-by attack is a form of malware attack. However, unlike phishing or other forms of malware attacks, users don’t need to be tricked into downloading infected files or opening suspicious links. Instead, user devices are infected automatically when the user visits a trusted or legitimate website that has been compromised.
Exploit
An exploit is a malicious script (a list of commands executed by a program) or application that takes advantage of known vulnerabilities in endpoints or other hardware, networks, or applications. The goal of exploit attacks is usually to take control of a system or device, increase access privileges, or steal data. Exploit attacks are often used as part of a larger, multi-layered attack.
Malware
Malware refers to any form of malicious software and is often spread via email attachments or suspicious website links. The goal of malware is to infect endpoints in order to gain access to sensitive systems or data, or to collect private information such as passwords or banking details and send it back to the attacker.
Ransomware
Ransomware is a type of malware that prevents end-users from accessing an organization’s or an individual’s data or systems. Once the files or systems are encrypted and the user is locked out, the attacker promises to restore access in exchange for money, usually in the form of cryptocurrency.
Supply Chain Attack
Supply chain attacks occur when threat actors are able to access a target’s systems by compromising a third-party resource, which is what happened with the SolarWinds attack. The reason that attack was so devastatingly effective is that the attackers were able to gain access to a SolarWinds program called Orion, which is widely used by companies and US government departments to manage IT resources. When SolarWinds sent out a routine Orion update, they didn’t realize it contained malicious code, which allowed the attackers to access client systems.
As was the case with the SolarWinds attack, the compromised vendor is typically not the final target but instead is used as a means to an end so the attacker can gain access to their intended victim’s systems. However, the damage is not limited to the intended victim but affects any other organization that inadvertently downloaded the compromised software.
Common Cybersecurity Compliance Regulations
Compliance is a large part of cybersecurity for many verticals and industries, including healthcare, finance, energy, and retail. Which regulations you need to comply with depends on a variety of factors, such as your industry or vertical, what sort of PII or sensitive information you handle, who you do business with (such as the US Department of Defense), where your users or clients are located, and whether or not you process credit card payments. To find out which regulations apply to you, please speak to a qualified compliance professional.
Healthcare Organizations
Healthcare providers and related organizations need to comply with Health Insurance Portability & Accountability Act (HIPAA) regulations. HIPAA is responsible for establishing cybersecurity standards for healthcare providers, insurers, and all third-party service providers that medical organizations do business with.
Organizations with Users in the EU
General Data Protection Regulation (GDPR) is a European Union law that dictates how personal data on individuals residing in the EU and the greater European Economic Area is collected and processed and specifies the rights users have to access and control their data on the internet. Even if your organization is not based in Europe, if you have users in Europe, you must be compliant.
Organizations that Process Payment Cards or Store Payment Card Data
The retail sector isn’t federally regulated, but any organization that processes payment cards or holds payment card data is required to follow regulations laid out by the Payment Card Industry Security Council’s Data Security Standard (PCI DSS). For more information, please visit the PCI Security Standards Council’s website.
Organizations that Do Business with the US Department of Defense
Organizations that Provide Electricity
Organizations that provide electricity, including electric utility companies and operators, are governed by the Federal Energy Regulatory Commission (FERC). FERC has the authority to establish cybersecurity regulations for this sector, though the standards themselves are created by the nonprofit authority called the North American Electric Reliability Corporation (NERC). The standards are referred to as the Critical Infrastructure Protection (CIP) Standards.
More information about FERC can be found here. More information about NERC can be found here, and information about the CIP Standards is located here.
Organizations with Users in California
The California Consumer Privacy Act (CCPA) of 2018 is similar to GDPR in the sense that it is designed to give consumers more control over the personal data businesses collect about them, including:
The right to know what personal information is collected as well as how it is used and shared
The right to delete personal information collected about them (with a few exceptions)
The right to refuse to allow the sale of their personal information
The right to non-discrimination for exercising their rights under CCPA
Even the best cybersecurity policy is useless if your workers and other users don’t understand it or have the necessary training to adhere to it.
Create a Plan
To begin, make sure you have a robust yet flexible cybersecurity incident response program in place. Cyberattacks typically unfold very quickly, so an ad hoc plan created in the heat of the moment isn’t going to cut it. By making all crucial decisions ahead of time (such as how evidence is gathered and handled, how resources are to be allocated in a crisis, and who needs to be alerted if an incident occurs) and determining who is responsible for what you can help ensure there are no gaps or deficiencies in your response.
You should also take this time to establish cybersecurity rules, such as password standards, so you can best safeguard your digital assets.
Cybersecurity is everyone’s responsibility, from the President of the company down to the summer intern. Cybersecurity training ensures your employees know what to do should they encounter a potential threat and explains why these actions, as well as all preventative steps, are important. It’s easier to get worker buy-in when they understand the “why” behind the “what”.
Test Your Plan
Once you have a plan and the necessary cybersecurity programs and tools in place, you need to test your response before an incident occurs.
What is Pen Testing?
Penetration (pen) testing is a tool used to stress-test your cybersecurity defenses. This involves hiring an ethical (or “white hat”) hacker to try to break through your security defenses and simulate a cyber attack. The ethical hacker records any and all deficiencies or gaps they were able to exploit and then summarizes and shares their findings with your team.
What are Tabletop Scenarios?
Tabletop scenarios are like fire drills for security. Once your team has undergone cybersecurity training, a tabletop exercise lets them put their newfound skills and knowledge to the test while they test-drive your cybersecurity incident response plan.
Tabletop scenarios present your team with a hypothetical cybersecurity incident that they need to respond to, allowing them to practice what they have learned in a zero-stakes environment.
What is Managed IT?
In simplest terms, managed IT solutions, also called managed IT services, allow organizations to hand off their IT operations to a trusted service provider, who then handles all IT-related work. This single point of service can free up internal IT team members for other projects or, in the case of an “IT-light” organization, give you access to the professionals you need without having to hire internally.
Managed IT offers a variety of benefits, including:
Access to an entire team of professionals, 24/7/365.
Cost savings, since additional team members won’t need to be hired
Peace of mind, since you never need to worry about your IT or security person calling in sick or departing to pursue other opportunities and leaving you vulnerable.
Predictable and scalable spending
Common Types of Managed IT Solutions
There are many types of managed IT services. While some organizations only offer a handful of managed services, others take a holistic approach that handles everything. How much, or how little, you want to hand off when it comes to your IT is up to you, but make sure you carefully vet any MSSP you are considering to ensure they offer the services you need and have a reputation you can trust.
Opting for a managed IT solution can help with business continuity (BC) as well as backup and disaster recovery (BDR). BC refers to the necessary planning and preparation needed to ensure your critical business operations can continue to function should a pandemic, natural disaster, power outage, cyberattack, or other crisis affect your business. A key component of BC is BDR, which refers to a combination of data backup and disaster recovery solutions that are designed to get your systems restored and fully operational again as quickly as possible should disaster strike. Having dependable backups is critical for effective disaster recovery.
Two other good terms to be familiar with are RTO (Recovery Time Objective) and RPO (Recovery Point Objective). RTO refers to how quickly data needs to be recovered to ensure business continuity after unplanned downtime or a disaster strikes. The faster your RTO, the faster your organization can get back to work. Though exactly how long your RTO needs to be will depend on a variety of factors, you should aim to have an RTO of 4 hours or less.
RPO refers to what data needs to be recovered for normal business operations to resume after disaster strikes. This metric is usually based on file age (for example, all data backed up before this morning needs to be recovered). In conjunction with RTO, RPO can help your organization determine how often you should be backing up your data. For example, if your RPO is 2 hours, then you should be backing up your data at least once every 2 hours.
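As an added example (not code from the original article or from VirtualArmour), the script below checks a constructed backup job log against the 2-hour RPO and 4-hour RTO used above. The detail worth noticing is that a failed backup run protects nothing, so the unprotected window runs from the previous good backup to the next good one, which a "back up every 2 hours" schedule alone does not guarantee.

```python
from datetime import datetime

# Constructed backup job log (sample input, not from the page):
# "<date> <time> <job> <result>", one completed run per line.
BACKUP_LOG = """\
2024-03-01 00:00 nightly-full ok
2024-03-01 02:00 hourly-incr ok
2024-03-01 04:00 hourly-incr ok
2024-03-01 06:00 hourly-incr FAILED
2024-03-01 08:00 hourly-incr ok
2024-03-01 10:00 hourly-incr ok
"""

FMT = "%Y-%m-%d %H:%M"

def parse_log(text):
    """Return (timestamp, succeeded) tuples in log order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, _job, result = line.split()
        entries.append((datetime.strptime(f"{date} {time}", FMT), result == "ok"))
    return entries

def rpo_violations(entries, rpo_hours, incident):
    """List (start, end, gap_hours) for every unprotected stretch longer than the RPO.

    Only successful runs count: a FAILED run protects nothing, so the gap
    spans from the previous good run to the next one. The final gap ends at
    the incident time, because that is the data that would actually be lost.
    """
    good = [ts for ts, ok in entries if ok] + [datetime.strptime(incident, FMT)]
    violations = []
    for prev, nxt in zip(good, good[1:]):
        gap_hours = (nxt - prev).total_seconds() / 3600
        if gap_hours > rpo_hours:
            violations.append((prev.strftime(FMT), nxt.strftime(FMT), gap_hours))
    return violations

def meets_rto(restore_started, restore_finished, rto_hours):
    """True when the restore finished within the RTO (both times in FMT)."""
    start, end = (datetime.strptime(t, FMT) for t in (restore_started, restore_finished))
    return (end - start).total_seconds() / 3600 <= rto_hours

if __name__ == "__main__":
    for start, end, gap in rpo_violations(parse_log(BACKUP_LOG), 2, "2024-03-01 11:00"):
        print(f"RPO exceeded: no good backup between {start} and {end} ({gap:.1f} h)")
```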
Strategic Business Review (SBR)
An SBR is a structured process with two goals: unearth new business opportunities and identify how your organization’s performance can be improved using technology or other means. This living document serves as a roadmap to guide future technological investments so you can ensure your managed IT services and IT infrastructure continue to meet your needs as your company grows and evolves.
Network Monitoring & Remediation
Remote monitoring and management (RMM) is critical for network monitoring and remediation. It refers to a platform that managed services providers like VirtualArmour use to remotely and proactively monitor your endpoints, network, applications, and systems for suspicious activity. This data is used to identify potential cybersecurity incidents or other potential problems so that they can be addressed as quickly as possible.
Most network monitoring and remediation is done out of the NOC (Network Operations Center).
What does -aaS Mean?
The term “-aaS” is a suffix that means “as a Service” and refers to any services (IT or cybersecurity) that are delivered remotely to your organization via the cloud. Examples include HaaS (hardware as a service), SaaS (software as a service), and IaaS (infrastructure as a service).
Not everyone is an IT or cybersecurity expert, and that is okay. The experts at VirtualArmour are here to help. We offer a wide selection of cybersecurity and managed IT services that can be tailored to meet your needs, as well as 24/7/365 network monitoring upon request.
For more information, or to get started with your cybersecurity or managed IT services, please contact our team today.
Supplemental Reading List
If you would like to learn more about managed IT and cybersecurity, please consider reading the articles listed below.