Protecting from the cyber kill chain evolution

Protecting from the cyber kill chain evolution

As cybercriminals ramp up their approach, organisations must implement an effective incident response plan to identify, analyse and mitigate attacks. Chris Vaughan, AVP – Technical Account Management, EMEA Tanium, discusses going back to basics and putting an efficient plan in place.

Since the beginning of 2020, there has been an acceleration in cybercrime as criminals have adapted their tactics in response to the pandemic. With more employees working from home, the traditional safeguards that businesses have relied on have fallen short, such as intrusion protection and detection systems, enterprise grade firewalls, data loss protection systems, vulnerability scanning and patch management and a secure network.

The criminal cyber kill chain contains seven main links: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and finally, actions on objectives. With employees working from home devoid of the same on-premise level of security they enjoyed in the office, they are more vulnerable to hackers. Because of the new distributed workforce paradigm, cybercriminals are investing more time in cyber kill chain phases, which poses major threats to business security.

In many cases, attackers are capitalising on fear by using COVID-19 lures. For example, the sending of phishing emails linked to fake pandemic information, such as vaccination invitations. With too few organisations paying attention to this behavioural shift, cybercriminals can easily break through their defence systems – which are often both time and resource poor.

The working landscape has changed, perhaps forever, but combined with the progress being made in vaccination, we are likely to see a long-term, hybrid mix of work from home and in-office. As such, it’s time for businesses to look towards solutions that can manage this shift.

The challenges of working from home

The pandemic changed the perspective on office work for many businesses and employees in the UK. It’s clear that a flexible approach to how we work is important, as 85% of working adults want a ‘hybrid’ approach of working from home and in-office. Under this new paradigm, businesses must reconsider the security vulnerabilities this workforce model could face.

The blurring of lines between home and work is creating a myriad of cybersecurity challenges that organisations are struggling to combat. 

When working from home, there is no central guarantee that the employee’s network is secure. There are none of the deployed, on-premise safeguards and IT teams are not in possession of the same amount of visibility.

In addition to simple IT setup disconnects, there are the added distractions and pressures on employees when working in a home environment. These are causing behaviours to occur that wouldn’t typically happen in a more controlled office environment. Corporate devices are being used for non-business purposes such as home-schooling and gaming. This is a result of businesses having less control of what is being installed on the endpoint, and how it is being used.

A distracted employee is far more likely to cut corners, click on unscrupulous links and fall foul of phishing scams. Additionally, trying to establish trust online is more difficult for remote employees and the lack of human contact when working in this manner makes it easier for faceless attackers to strike.

In an office environment, people can quickly ask those around them about a recent email or link, but in a remote work environment, scams can take longer to verify. The recent EA hack has highlighted this issue, as in that instance, cybercriminals gained the login details of particular employees. They then used those credentials to send Slack messages to IT Support, impersonating staff, and used it to gain access to EA’s corporate network.

Refocusing on reconnaissance

Cybercriminals have seen the security challenges that working from home presents organisations and employees, and are now adapting their behaviours to take advantage.

The first stage of the cyber kill chain is reconnaissance, where cybercriminals observe their targets. We are now seeing more time spent in this phase than ever.

Long before they send out malware, cybercriminals spend time profiling the individuals they are targeting. By focusing their efforts on customisation and personalisation, targets are more likely to be fooled. This spying is now supported by social media activity and recent data dumps such as the LinkedIn list, which can aid in choosing victims.

But this level of personalisation isn’t just reserved for individuals. Attackers are now more intentional when targeting organisations too. Recently we have seen a number of healthcare businesses and educational institutions become the focus of ransomware attacks.

In setting their sights on an organisation, cybercriminals are more likely to target individuals in positions of power, or those close to them. For example, today’s attackers are using phishing scams to compromise people’s endpoints at home, gathering employees’ credentials. The criminals then patiently wait for them to connect back through the VPN to access the environment. This approach allows hackers to appear like a regular user. This is similar to what we’ve seen in the recent Colonial Pipeline attack, where the attacker used compromised passwords to gain access through the VPN.

Going back to basics

So, what can businesses do to protect themselves? Going back to basics and putting an effective plan in place for breaches is the first thing that comes to mind.

Ensuring full visibility of company endpoint devices, checking them for vulnerabilities and making sure that they are patched is crucial. Securing cloud networks will help to prevent unwanted access to company data and it’s important for software and antivirus programs to be updated regularly to help maintain defences.

Adopting Zero Trust models for businesses to prevent cyberthreats should also become normalised, as the approach will encourage employees to not trust anything inside or outside of the corporate system. Businesses that consider all networks hostile can gain an advantage in defending their perimeters. This will become increasingly more important when we see employees return to the office later this year.

Sectors that are repeatedly targeted, such as healthcare and education, should implement a comprehensive backup strategy to a post-attack recovery plan. This will allow organisations to reduce downtime disruptions and may prevent them from needing to pay a ransom.

Finally, businesses need to remember the importance of Two-Factor Authentication (2FA) and ensure they regularly test their security defences.

As attacks usually begin with an employee clicking on a malicious link from an email, and with hybrid working here to stay, launching training programmes that help to educate employees on phishing scams and spam emails is crucial. Cyberattacks can’t always be prevented, but having the correct measures and training in place can make it more difficult for a successful attack to be carried out. Once these steps are taken, businesses can rest assured that they will be better protected from the cyber kill chain evolution.

Click below to share this article

Browse our latest issue

Intelligent CISO

View Magazine Archive