
How to Manage Cyber Incidents in the Evolving Threat Landscape

Threat actors are evolving their techniques and tactics to evade detection by automatic tools, steal data and target organizations of all sizes.

Using a combination of freely available tools and utilities, plus some commercial software, attackers start by choosing their target. Users who are active on social media, or those with a higher likelihood of access to sensitive data or IT administrative functions, are just as likely to be targeted as poorly protected systems exposed directly to the Internet.

Once connected to the target system(s), attackers often take advantage of applications already present on devices. This is known as living off the land. Tools like PowerShell, Remote Desktop and low-level system utilities like Windows Management Instrumentation (WMI), all legitimate tools, can be used to execute commands locally and remotely, obfuscate the real objectives of the attacker and evade detection by anti-malware scanners.

The rise of ransomware

For attackers, ransomware is often the final goal, but ransomware gangs have evolved their objectives, too. Many are now taking the time to manually move around a target network, discover the infrastructure, locate sensitive data and plan a mass deployment of the file-encrypting payload. Discovering a ransom note is not the end of the incident.

More attackers are taking the time to steal sensitive data and threatening their target with a second ransom demand, or else the stolen data is released to the public. The amount of time attackers spend in the compromised network, the dwell time, can be measured in days, if not weeks. This gives them ample time to move laterally, carry out network reconnaissance, discover unprotected assets and strengthen their persistence in the network.

How to catch a cyberattacker

To catch a human at a keyboard often demands a human at a keyboard. Detections by automated threat protection products can mark the initial stages of an attack, such as the actor attempting an initial breach against a device, or even the final stages as the attacker nears their objective, like testing their payload deployment mechanism or file encryption process on a subset of machines. But often the extensive middle stages, the dwell time, go undetected by automated systems.

This can be for several reasons, including: the attacker moving very slowly, taking days between actions to avoid detection; relying heavily on native tools, living off the land, hiding a small signal of their activity in the noise of day-to-day operations; disabling poorly configured security tools, blinding a cybersecurity team to their actions; or, most simply, moving to unprotected machines.

Actions taken by the attackers during the dwell time and recorded in the forensic data collected are crucial to identifying the tactics, techniques and procedures (TTPs) in use and are the key to prompt detection of the incident. This data needs continual monitoring and evaluation by a skilled SOC analyst who knows not only when to act but when not to act. Moving too quickly, before the full scope of an incident is understood, can be dangerous. Defenders must assume that adversaries have multiple points of access and persistence, that legitimate administrator accounts are compromised, that data has been exfiltrated and even that the attackers can monitor their communication channels such as email and corporate instant messaging.
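The two points above, that attackers lean on legitimate tools such as PowerShell, WMI and Remote Desktop, and that they spread those actions over days so that any single day looks unremarkable, can be made concrete with a small detection exercise. The following script is an added example written for this page, not code from the article, CDW or Sophos. It runs over a handful of constructed process-creation records (the hosts, account names, timestamps and command lines are all made up), classifies living-off-the-land indicators with a few hypothetical regex rules, and contrasts a classic per-day threshold rule, which stays silent, with a multi-day correlation per account across hosts, which surfaces the low-and-slow pattern for an analyst to review.

```python
"""
Added example (not from the article): why low-and-slow living-off-the-land
activity slips past per-day thresholds, and how correlating sparse events
per account across days and hosts surfaces it for a human analyst.
All records, hostnames and accounts below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled loosely on Windows process-creation events:
# (ISO timestamp, host where the process ran, account, command line).
SAMPLE_EVENTS = [
    ("2024-03-01T09:02:00", "WS01", "corp\\jsmith", "outlook.exe"),
    ("2024-03-01T22:41:00", "WS01", "corp\\jsmith",
     "powershell.exe -NoProfile -EncodedCommand <base64-blob-placeholder>"),
    ("2024-03-02T10:15:00", "WS01", "corp\\jsmith", "excel.exe"),
    ("2024-03-04T23:07:00", "WS01", "corp\\jsmith",
     "wmic.exe /node:FS01 process call create cmd.exe"),
    ("2024-03-05T08:30:00", "WS02", "corp\\alee", "teams.exe"),
    ("2024-03-07T01:12:00", "FS01", "corp\\jsmith", "mstsc.exe /v:DC01"),
    ("2024-03-07T09:00:00", "WS02", "corp\\alee", "powershell.exe -File backup.ps1"),
    ("2024-03-09T00:48:00", "DC01", "corp\\jsmith",
     'net.exe group "Domain Admins" /domain'),
]

# Hypothetical indicator rules for legitimate tools used in ways that merit
# review. Real deployments tune these against their own baseline.
LOLBIN_PATTERNS = [
    (re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I),
     "encoded PowerShell"),
    (re.compile(r"\bwmic(\.exe)?\b.*\s/node:", re.I), "remote WMI execution"),
    (re.compile(r"\bmstsc(\.exe)?\b.*\s/v:", re.I), "outbound RDP"),
    (re.compile(r"\bnet(\.exe)?\s+group\b.*\s/domain\b", re.I),
     "domain group enumeration"),
]


def classify(cmdline):
    """Return the indicator label for a command line, or None if it looks routine."""
    for pattern, label in LOLBIN_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def flagged(events):
    """Parse timestamps and keep only records that hit an indicator rule."""
    out = []
    for ts, host, user, cmd in events:
        label = classify(cmd)
        if label:
            out.append((datetime.fromisoformat(ts), host, user, label))
    return out


def daily_threshold_alerts(events, threshold=3):
    """Classic per-day rule: alert when one account triggers `threshold` or more
    indicators on a single calendar day. An attacker acting once a day never trips it."""
    counts = defaultdict(int)
    for ts, host, user, label in flagged(events):
        counts[(user, ts.date())] += 1
    return sorted({user for (user, day), n in counts.items() if n >= threshold})


def low_and_slow_findings(events, window_days=14, min_days=2, min_hosts=2):
    """Sliding-window correlation per account: indicators on several different
    days and several different hosts within the window is the dwell-time signal
    an analyst wants to see, even when each day alone looks quiet."""
    by_user = defaultdict(list)
    for ts, host, user, label in flagged(events):
        by_user[user].append((ts, host, label))
    window = timedelta(days=window_days)
    findings = []
    for user, items in by_user.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            days = {it[0].date() for it in in_window}
            hosts = {it[1] for it in in_window}
            if len(days) >= min_days and len(hosts) >= min_hosts:
                findings.append({
                    "user": user,
                    "first_seen": start.isoformat(),
                    "days": len(days),
                    "hosts": sorted(hosts),
                    "techniques": sorted({it[2] for it in in_window}),
                })
                break  # one finding per account is enough to open a case
    return findings


if __name__ == "__main__":
    print("per-day threshold alerts:", daily_threshold_alerts(SAMPLE_EVENTS))
    for finding in low_and_slow_findings(SAMPLE_EVENTS):
        print("low-and-slow finding:", finding)
```

On the constructed data the per-day rule returns nothing, because the account never trips more than one indicator on any given day, while the windowed correlation reports one account touching three hosts on four separate days with four distinct techniques. The output is a lead for a SOC analyst rather than an automatic response; as the text notes, acting on it before the full scope is understood can tip off the attacker.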

Why managed detection and response is the easiest way to protect yourself from cybercriminals

Organizations of all sizes and verticals are at risk from cybercriminals attempting to breach their networks, steal data and affect business operations to extort money. Businesses, governments and non-profit institutions must all engage with proactive threat hunting to detect activities by attackers before they reach their final goal, to fully understand the impact of any data theft and to continually adjust the security posture of the organization with the changing threat landscape. The experience and expertise of a human-led threat hunting and remediation program is a critical part of the security infrastructure.

A managed detection and response (MDR) service can be the simplest way for organizations of all sizes to benefit from human-led threat detection and response. Providing full 24/7/365 coverage with skilled threat hunters, incident responders and malware experts, these services can respond more quickly than in-house teams. MDR providers can aggregate data across their portfolio of clients, ensuring that threat intelligence is shared rapidly, proactive detections are created more effectively and response actions are coordinated to completely neutralize a threat without the risk of alerting the attacker.

Sophos MTR (Managed Threat Response) is available as an addition to CDW customers' endpoint and server protection from Sophos, as well as Sophos Firewall and Sophos Cloud Optix (cloud security posture management) products. These existing tools share their forensic data with the Sophos MTR team in real time without the need for other applications or devices.

To learn more about how Sophos MTR can detect and respond to threats for your organization, contact your CDW account team or visit CDW.ca/Sophos