Preventable Claims
Is your organization getting the most out of its cyber security investment? Many people don’t realize that it is possible to improve your organization’s controls simply by fine-tuning the way you use the resources you already have.
Claims example
A large manufacturing organization received its monthly invoice for cloud services, only to find it was $300,000, almost five times its usual cost.
They notified Beazley of a compromise of their Azure cloud environment, and we helped to coordinate forensics. Investigation determined that the cybercriminals had compromised an Azure cloud account, abused lax permissions to escalate privileges, and created hundreds of new virtual servers to mine cryptocurrency.
The cybercriminals had deliberately avoided changing any existing resources, so as not to generate the noise that would normally lead to detection. We provided guidance on better securing cloud accounts and on implementing budget alerts so that future overruns are identified within days rather than at invoice time.
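Even though no existing resource was touched, the mass creation of virtual machines in this claim leaves an obvious trail in the Azure Activity Log. The PowerShell below is an added example (it is not code from the Beazley guidance or from Microsoft): it counts successful `Microsoft.Compute/virtualMachines/write` operations per caller in a sliding window over constructed sample events, and then creates the budget alert the guidance recommends using the Az.Billing module. The caller names, resource groups, timestamps, the 10-per-hour threshold and the assumed normal monthly spend of 65,000 are all illustrative assumptions. On the constructed data it reports the build-agent account and not the platform team.

```powershell
# Added example, not code from the article: flag any principal that creates many VMs in a
# short window, the pattern of the crypto-mining compromise described above.

function Find-BulkVmCreation {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # activity-log-like records
        [int] $Threshold     = 10,                    # illustrative: VM creations per window
        [int] $WindowMinutes = 60
    )
    $creates = $Events |
        Where-Object { $_.OperationName -eq 'Microsoft.Compute/virtualMachines/write' -and
                       $_.Status -eq 'Succeeded' } |
        Sort-Object EventTimestamp

    foreach ($byCaller in ($creates | Group-Object Caller)) {
        $times = @($byCaller.Group | Select-Object -ExpandProperty EventTimestamp)
        $best = 0; $bestStart = 0; $bestEnd = 0; $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # slide the window start forward until the window spans at most $WindowMinutes
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $n = $end - $start + 1
            if ($n -gt $best) { $best = $n; $bestStart = $start; $bestEnd = $end }
        }
        if ($best -ge $Threshold) {
            [pscustomobject]@{
                Caller         = $byCaller.Name
                VmsInWindow    = $best
                WindowStart    = $times[$bestStart]
                WindowEnd      = $times[$bestEnd]
                ResourceGroups = @($byCaller.Group.ResourceGroupName | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Constructed sample events (not real log data). A real feed would come from
#   Get-AzActivityLog -StartTime (Get-Date).AddHours(-24) -ResourceProvider Microsoft.Compute
$t0  = [datetime]'2024-03-01T02:00:00'
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$sample = [System.Collections.Generic.List[object]]::new()

# A legitimate change: two VMs deployed by the platform team during the working day.
foreach ($i in 1, 2) {
    $sample.Add([pscustomobject]@{
        Caller = 'platform-team@contoso.example'; OperationName = 'Microsoft.Compute/virtualMachines/write'
        Status = 'Succeeded'; EventTimestamp = $t0.AddHours(10).AddMinutes(5 * $i)
        ResourceGroupName = 'rg-erp'
        ResourceId = "$sub/resourceGroups/rg-erp/providers/Microsoft.Compute/virtualMachines/vm-erp-0$i"
    })
}
# The compromised account: 40 VMs in under half an hour, spread across new resource groups.
foreach ($i in 1..40) {
    $rg = "rg-tmp-$($i % 4)"
    $sample.Add([pscustomobject]@{
        Caller = 'svc-buildagent@contoso.example'; OperationName = 'Microsoft.Compute/virtualMachines/write'
        Status = 'Succeeded'; EventTimestamp = $t0.AddSeconds(40 * $i)
        ResourceGroupName = $rg
        ResourceId = "$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/vm-$i"
    })
}

Find-BulkVmCreation -Events $sample.ToArray() | Format-List

# Budget alert, as recommended above (Az.Billing module; run after Connect-AzAccount and
# Set-AzContext for the subscription). 65000 is an assumed normal monthly spend, and the
# first notification fires at 80% of it, well before the invoice arrives.
New-AzConsumptionBudget -Name 'monthly-spend-guardrail' -Category Cost -Amount 65000 -TimeGrain Monthly `
    -StartDate (Get-Date -Day 1).Date -ContactEmail 'cloud-finops@contoso.example' `
    -NotificationKey 'at80pct' -NotificationThreshold 80 -NotificationEnabled
```

The detection is deliberately keyed on create operations only, because the attackers in this claim never modified what already existed; a rule that watches for changes to known resources would have stayed silent. The budget is a backstop, not a detection: it catches the spend after the fact, so keep both.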
Harden your security configuration and limit lateral movement
To limit the impact of a successful compromise, segregate administration groups and limit their scope, which can be achieved by using an Active Directory (AD) tier model or Microsoft’s enterprise access model. Use purpose-dedicated service accounts with the least privilege principle to limit the impact of one account being compromised.
To further secure domain admin accounts, make sure they are:
- Kept to a minimum (fewer than five is recommended)
- ONLY used to connect to domain controllers
- Not allowed to connect to the internet
- Configured with unique, random, long and complex passwords
- Used to connect remotely only in an emergency (over a VPN with MFA)
- Monitored, with alerts in place
Other hardening best practices are described here.
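The following PowerShell is an added example, not part of the article, that audits Domain Admins membership against the list above using the RSAT ActiveDirectory module from a domain-joined admin workstation. The five-member ceiling is the article's; the 90-day password-age and logon thresholds, the domain controller name and the OU are assumptions to adjust to your own standard.

```powershell
# Added example: audit Domain Admins against the hardening list above.
# Requires the RSAT ActiveDirectory module and rights to read user attributes.
Import-Module ActiveDirectory

$maxAdmins       = 5     # ceiling from the guidance above
$maxPasswordDays = 90    # assumed local standard, not from the article
$staleDays       = 90    # assumed: an admin account unused this long should be removed

$admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, ServicePrincipalName, AccountNotDelegated, MemberOf, Enabled)

$protectedUsers = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
$now = Get-Date

$findings = foreach ($a in $admins) {
    $issues = @()
    if ($a.PasswordNeverExpires) { $issues += 'password never expires' }
    if ($a.PasswordLastSet -and $a.PasswordLastSet -lt $now.AddDays(-$maxPasswordDays)) {
        $issues += "password older than $maxPasswordDays days"
    }
    if ($a.ServicePrincipalName) { $issues += 'has an SPN (Kerberoastable)' }
    if (-not $a.AccountNotDelegated) { $issues += '"account is sensitive and cannot be delegated" not set' }
    if ($a.MemberOf -notcontains $protectedUsers) { $issues += 'not in Protected Users' }
    if (-not $a.LastLogonDate -or $a.LastLogonDate -lt $now.AddDays(-$staleDays)) {
        $issues += "no logon in $staleDays days"
    }
    [pscustomobject]@{ Account = $a.SamAccountName; Enabled = $a.Enabled; Issues = ($issues -join '; ') }
}

if ($admins.Count -ge $maxAdmins) {
    Write-Warning "Domain Admins has $($admins.Count) members; the target is fewer than $maxAdmins."
}
$findings | Format-Table -AutoSize

# Monitoring: a change to Domain Admins membership is logged on the domain controller that
# processed it as event 4728 (member added to a global security group) or 4729 (removed).
# Pull the last day from an assumed DC and hand the result to your SIEM or alert channel.
Get-WinEvent -ComputerName 'dc01.corp.example' -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4729; StartTime = $now.AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Domain Admins' } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
```

Two caveats a practitioner will hit: Protected Users forces Kerberos with AES and blocks NTLM, delegation and long ticket lifetimes for its members, so move one account first and test before moving the rest; and the event query only sees the DC it is pointed at, so either query every DC or, better, forward Security logs centrally and alert there.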
Claims example
A large healthcare organization with 150 hospitals and clinics was the victim of a system infiltration. The cybercriminal entered the network through a single compromised user account at one clinic and, because there was no network filtering between sites, quickly moved laterally within the network to reach the corporate data centre.
From there, they moved to other clinics’ networks, stealing sensitive data. Once the incident was discovered, our client cut off all network connections, isolating all sites; with no baseline of acceptable network flows, it was impossible to quickly identify malicious traffic without shutting everything down.
Two specialised vendors were engaged to investigate and open each network flow one by one. Resolution took several weeks, with significant business interruption consequences.
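The baseline the investigators lacked can be built before an incident. The PowerShell below is an added illustration, not from the article: it holds an approved list of site-to-site flows for a hub-and-spoke estate of clinics and a data centre and tests observed flows against it. The site names, subnets, ports and the flow records are all constructed, and the intra-site traffic is deliberately ignored because the missing control was filtering between sites.

```powershell
# Added example: a flow baseline for clinics and a central data centre. Subnets, sites and
# ports are assumed for illustration; in practice the approved list is derived from weeks of
# NetFlow or firewall logs during known-good operation and then reviewed and signed off.

# Map the first two octets to a site so flows are judged by zone, not by individual host.
$sites = @{ '10.10' = 'clinic-07'; '10.12' = 'clinic-12'; '10.200' = 'datacentre' }

$approved = @(
    @{ Src = 'clinic-*';   Dst = 'datacentre'; Port = 443  }   # EHR web front end
    @{ Src = 'clinic-*';   Dst = 'datacentre'; Port = 445  }   # file shares hosted centrally
    @{ Src = 'datacentre'; Dst = 'clinic-*';   Port = 3389 }   # central IT remote support
)

function Get-Site([string] $Ip) {
    $prefix = ($Ip -split '\.')[0..1] -join '.'
    if ($sites.ContainsKey($prefix)) { $sites[$prefix] } else { 'unknown' }
}

function Test-FlowBaseline {
    param([Parameter(Mandatory)] [object[]] $Flows)
    foreach ($f in $Flows) {
        $src = Get-Site $f.SrcIp
        $dst = Get-Site $f.DstIp
        if ($src -eq $dst) { continue }   # intra-site traffic is out of scope for this control
        $ok = $approved | Where-Object { $src -like $_.Src -and $dst -like $_.Dst -and $f.DstPort -eq $_.Port }
        if (-not $ok) {
            [pscustomobject]@{
                Time = $f.Time; From = $src; To = $dst
                SrcIp = $f.SrcIp; DstIp = $f.DstIp; Port = $f.DstPort; Bytes = $f.Bytes
            }
        }
    }
}

# Constructed flow records (not real data): one clinic host using the data centre normally,
# then the same host probing RDP in the data centre and pulling a large volume over SMB
# from a sister clinic, which is the clinic-to-clinic move described above.
$observed = @(
    [pscustomobject]@{ Time = '02:10'; SrcIp = '10.10.4.21'; DstIp = '10.200.1.5'; DstPort = 443;  Bytes = 81200 }
    [pscustomobject]@{ Time = '02:11'; SrcIp = '10.10.4.21'; DstIp = '10.200.1.8'; DstPort = 445;  Bytes = 5400 }
    [pscustomobject]@{ Time = '02:14'; SrcIp = '10.10.4.21'; DstIp = '10.200.1.9'; DstPort = 3389; Bytes = 1200 }
    [pscustomobject]@{ Time = '02:31'; SrcIp = '10.10.4.21'; DstIp = '10.12.7.30'; DstPort = 445;  Bytes = 240000000 }
    [pscustomobject]@{ Time = '02:33'; SrcIp = '10.10.4.21'; DstIp = '10.10.4.22'; DstPort = 445;  Bytes = 300 }
)

Test-FlowBaseline -Flows $observed | Format-Table -AutoSize
```

The same approved list is what the inter-site firewalls should enforce as an allow-list with a default deny; with that in place the clinic-to-clinic flow is blocked rather than merely reported, and during an incident the team can cut the unapproved flows instead of every flow.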
Deprive an attacker of things that can be used against you
There are many free, built-in tools that, if you do not put them to use yourself, an attacker can turn to their own advantage.
One example is BitLocker, the disk encryption feature built into Windows. Where it was not already enabled, attackers have turned it on themselves, with keys only they hold, to encrypt the drives and lock out the device owners. When you enable it first, with the recovery keys escrowed to Active Directory or Entra ID, BitLocker becomes one less feature for attackers to leverage.
Another example is Microsoft LAPS (Local Administrator Password Solution), which gives every device a unique, regularly rotated local administrator password stored in the directory. If LAPS is not deployed, an attacker with sufficient privileges can deploy it themselves and rotate the passwords, locking administrators out of the local admin accounts on user devices.
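As an added example (not from the article), the PowerShell below takes both tools for yourself on a domain-joined Windows device: it enables BitLocker on the system drive with a TPM protector and a recovery password escrowed to Active Directory before encryption starts, then checks that Windows LAPS is managing every computer in an OU. It needs an elevated session with the BitLocker, ActiveDirectory and LAPS modules; the OU, the computer name and the use of AD DS rather than Entra ID for escrow are assumptions.

```powershell
# Added example: enable BitLocker and verify LAPS coverage before an attacker does it for you.
# Run elevated on a domain-joined Windows 10/11 device with the BitLocker and LAPS modules.

# --- BitLocker: TPM protector plus a recovery password that is escrowed before encrypting ---
$os = $env:SystemDrive
if ((Get-BitLockerVolume -MountPoint $os).ProtectionStatus -eq 'Off') {
    # Add and back up the recovery password first, so the key is in AD DS before encryption
    # starts and a later attacker can never be the only party holding a key for this drive.
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId
    # Entra-joined devices use BackupToAAD-BitLockerKeyProtector with the same arguments.
    Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# --- Windows LAPS: every workstation in the OU should carry a managed password ---
Import-Module ActiveDirectory
$ou = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$unmanaged = @(Get-ADComputer -Filter * -SearchBase $ou -Properties 'msLAPS-PasswordExpirationTime' |
    Where-Object { -not $_.'msLAPS-PasswordExpirationTime' })
if ($unmanaged.Count -gt 0) {
    Write-Warning "LAPS is not managing $($unmanaged.Count) computers: $($unmanaged.Name -join ', ')"
}
# Confirm that an authorised operator can actually retrieve a managed password
# (assumed computer name; do this from a PAW, and the read is itself audited in AD).
Get-LapsADPassword -Identity 'WS-0042' -AsPlainText
```

Backup-BitLockerKeyProtector only succeeds when the BitLocker policy allows recovery information to be stored in AD DS, so check that Group Policy setting first; if you still run the legacy LAPS, the attribute to query is ms-Mcs-AdmPwdExpirationTime and the cmdlets are the AdmPwd ones. A device that reports an unmanaged LAPS password or a ProtectionStatus of Off is exactly the device the attackers in the next claim were able to use.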
Claims example
When trying to access email from home, the IT administrator of an agricultural manufacturer in the southeastern US noticed irregularities and headed into the office.
On arrival, he found blue screens or ransom notes on a number of desktops, as well as ransom notes on some printers. It turned out that 40 workstations and 3 file servers had been encrypted, and the cybercriminals had used the Windows BitLocker tool to encrypt.
A ransomware negotiator was able to provide intelligence about the ransomware group involved and their connection with a sanctioned entity, so no payment could be made.
But with the assistance of a forensics vendor, the manufacturer was able to contain the incident and restore from backups.
“70% of SolarWinds’ clients were not impacted by the 2020 attack because the servers on which SolarWinds was installed were not able to communicate with the threat actors. This could have been 100% if their remaining clients had been as proactive about filtering for outbound connections.”
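The outbound filtering referred to in the quote above can be done on the server itself with the built-in Windows Firewall. The PowerShell below is an added example (not from the article or from SolarWinds): it switches the default outbound action to Block, turns on logging of blocked connections, and then allows only the connections the server is known to need. The resolver, WSUS, domain controller and vendor addresses and the agent path are placeholders to replace with your own.

```powershell
# Added example: default-deny outbound traffic from a server and allow only known needs.
# Run elevated. Addresses and the program path are assumed placeholders.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

New-NetFirewallRule -DisplayName 'Out: DNS to internal resolvers' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress '10.0.0.10', '10.0.0.11'
New-NetFirewallRule -DisplayName 'Out: Active Directory' -Direction Outbound -Action Allow `
    -RemoteAddress '10.0.0.5', '10.0.0.6'
New-NetFirewallRule -DisplayName 'Out: Windows Update via WSUS' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 8530, 8531 -RemoteAddress '10.0.0.20'
# The monitoring agent may reach its vendor's update service, and nothing else may use that path.
New-NetFirewallRule -DisplayName 'Out: monitoring agent to vendor update service' -Direction Outbound -Action Allow `
    -Program 'C:\Program Files\ExampleVendor\agent.exe' -Protocol TCP -RemotePort 443 -RemoteAddress '203.0.113.10'

# Verify the profiles now report Block, then test an arbitrary internet host.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked
Test-NetConnection -ComputerName example.com -Port 443 -InformationLevel Quiet
```

Once the default is Block, the Test-NetConnection call to example.com should fail while the allowed rules keep name resolution, domain traffic and patching working; anything the server still needs shows up in the blocked-connection log and can be added deliberately. The win is twofold: a compromised process on the server cannot reach an arbitrary command-and-control host, and the attempt is logged, which is exactly what separated the unaffected SolarWinds customers from the rest.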
“For very high-privileged users like global administrators, the best option is physical MFA tokens. Phishing-resistant MFA keys like YubiKeys ensure sensitive login information never leaves the user's device and isn't stored on a server. This is the only MFA our team has yet to see bypassed.”
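The advice in the quote above becomes enforceable as an Entra Conditional Access policy. The PowerShell below is an added example (not from the article or from Microsoft) using the Microsoft Graph PowerShell SDK: it requires the built-in "Phishing-resistant MFA" authentication strength for every holder of the Global Administrator role. The role template ID and authentication-strength ID are the built-in values I expect to find; confirm them in your tenant with the two Get- calls before creating the policy. The break-glass account object ID is a placeholder, and the policy starts in report-only mode.

```powershell
# Added example: require phishing-resistant MFA (FIDO2 security keys, Windows Hello for
# Business or certificate-based authentication) for Global Administrators.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagement.Read.Directory'

# Confirm the built-in identifiers in this tenant before relying on them.
Get-MgPolicyAuthenticationStrengthPolicy | Select-Object Id, DisplayName
Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator' | Select-Object Id, DisplayName

$globalAdminRole   = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template (expected built-in value)
$phishingResistant = '00000000-0000-0000-0000-000000000004'   # built-in "Phishing-resistant MFA" strength (expected value)
$breakGlassAccount = '<object-id-of-emergency-access-account>' # placeholder: one excluded, hardware-key-protected account

$policy = @{
    displayName = 'Require phishing-resistant MFA for Global Administrators'
    state       = 'enabledForReportingButNotEnforced'   # review sign-in logs, then set to 'enabled'
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = @($breakGlassAccount)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistant }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Register each global administrator's security key before switching the state to enabled, and keep the excluded emergency-access account protected by its own hardware key and monitored for any sign-in; a policy that locks every administrator out of the tenant is its own incident.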
“There is no one single control or tool that can completely protect your organization against the possibility of a cyberattack. Through a multi-layered approach to identifying and addressing vulnerabilities on every level, your system and assets will be far better protected.”
“Think of these tools – and others like them – like a sword. If you take it first, your opponent won't be able to take it. But if you just leave it sitting there, anyone can just take it and use it against you.”