
Why Every Cybersecurity Leader Should 'Assume Breach'

Published 06/09/2022

This blog was also published by Varonis here.

Written by Yaki Faitelson, Co-Founder and CEO, Varonis.

In February, information about the highly successful Conti ransomware group leaked after it declared its full support of the Russian government—vowing to respond to any attack, cyber or otherwise, against Russia with "all possible resources to strike back at the critical infrastructures of an enemy."

Radical circumstances create radical change. Think about how the world and our behaviors changed almost overnight with Covid-19.

I'd like to highlight a few points from the leaked Conti chats.

What the Leaked Hacker Group Chats Reveal

You'd be hard-pressed to find an incident responder who hasn't had multiple encounters with the Conti ransomware group over the past two years.

The leaked conversations reveal an organizational structure and payroll that resemble a legitimate business. With between about 65 and 100 hackers, its payroll appears to be $6 million annually. Conti has been very successful at stealing data and extorting a lot of money—the group reportedly extorted $180 million in 2021.

The chats show the group purchased databases to research its victims, craft convincing phishing attacks against employees and business partners, and deduce how much its victims would be willing to pay. It purchases security products to test in its lab whether its malware can slip past them silently. Conversations show that the group considers buying exploits and backdoors from third parties — all while keeping a careful watch on its balance sheet.

Conti takes a disciplined approach, with safety rules for its members that include everything from good password hygiene to best practices that preserve anonymity on and offline. Its documentation and instructions include video tutorials to help less experienced and less technical attackers become dangerous quickly. And like any business, gang members discuss their techniques with others in the group.

Conti is just one example of a cybercriminal group. Now, after the invasion of Ukraine, we must consider how radical circumstances will affect Conti and other groups.

Cyberwarfare is upon us, and state actors will become more sophisticated. Their techniques will quickly spill into the commercial space as they have before. The progress we've seen in general programming with development frameworks, automation and no-code programming is already translating to the cybercrime realm, making it easier for attackers to learn, develop and scale.

Now that Russia decreed that intellectual property rights are no longer protected for "unfriendly" nations, what consequences would dissuade someone from taking up cybercrime? With many cyber-savvy people in Russia suddenly losing their jobs or suffering under sanctions, how many security professionals will join cybercrime groups or form new ones? Ransomware gangs could become recognized businesses or adjunct R&D departments. Either way, their target is your data.

Why You Should 'Assume Breach'

As the leaked chats from Conti show—any system, account or person at any time can be a potential attack vector. With such a vast attack surface, you need to assume attackers will breach at least one vector—if they haven't done so already.

Once you "assume breach," think about where an attacker would most likely go if they wanted to maximize their profits. If your organization is like most, that's straight toward your biggest critical data stores.

That logic bears out in our observations: Once inside your systems, attackers establish remote control, exploit any weaknesses they can find, go after accounts with high-level access and use these accounts to steal data. Unfortunately, they rarely encounter much resistance once they're inside.

If you want to know how hard an attacker would need to work to access your critical data, pick a mid-level employee and examine their blast radius—all the data that an attacker could steal if one employee were compromised. Can the employee or attacker access critical data, or will they need to work harder by compromising other systems?

Attackers may not even need to work very hard—they may only need to compromise one user. In most organizations, most employees have needless access to thousands or even millions of files.

How would you know if an attacker or rogue insider accessed an unusual amount of critical data? We see very few organizations that can spot attackers early enough to avoid data loss.

Speaking of insiders, your employees are your organization. Although most employees are honest, remember that one rogue insider can have a lot of access and do massive damage. If you needed another reason to worry, ransomware gangs are actively seeking employees willing to give them insider access.

How You Can Make an Attacker's Job Harder

Your job is to make your blast radius as small as possible (users can access only what they need) and to make sure you can detect unusual access that could indicate an attack is underway. Every extra step you force an attacker or insider to take slows them down and gives defenders an opportunity to detect and thwart an attack.

The first step is to take an inventory of your most critical data—what attackers will go after. Where are your intellectual property, source code, and customer and employee records?

The next step is to take an inventory of the controls that surround your critical data. Do the right people have access—both inside and outside the company? Are you able to spot unusual activity on this critical data? If a critical configuration was changed for the worse, what would spot it and roll it back?

Once you've inventoried your critical data and the controls that are closest to them, you can focus on concrete steps to optimize and maintain those controls. With so many possible attack vectors, it makes more sense to think about the attacker's origins after you've secured their destination—your critical data.
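The two checks the article asks for, measuring one employee's blast radius and spotting an unusual volume of access to critical data, can both be run against an access inventory. The script below is an added illustration, not Varonis code; the group memberships, folder ACLs, critical-data labels and access log are constructed sample data, and the "five times the user's own baseline" threshold is an assumed starting point, not a recommendation from the article.

```python
from collections import defaultdict

# Constructed sample inventory: who is in which group, which groups may read
# each folder, and which folders hold the critical data the article names.
USER_GROUPS = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
    "carol": {"staff", "engineering", "hr"},
}
FOLDER_ACL = {  # folder -> groups allowed to read it
    "/shared/announcements": {"staff"},
    "/shared/templates": {"staff"},
    "/finance/payroll": {"finance", "hr"},
    "/eng/source": {"engineering"},
    "/hr/employee-records": {"hr"},
}
CRITICAL = {"/finance/payroll", "/eng/source", "/hr/employee-records"}


def blast_radius(user):
    """Everything this one account can read through any of its groups, i.e. what
    an attacker who compromised only this user could take without moving further.
    Returns (all reachable folders, the critical subset)."""
    groups = USER_GROUPS.get(user, set())
    reachable = {f for f, allowed in FOLDER_ACL.items() if allowed & groups}
    return reachable, reachable & CRITICAL


# Constructed daily access log: (user, folder, files read that day), in date order.
ACCESS_LOG = [
    ("carol", "/hr/employee-records", 12),
    ("carol", "/hr/employee-records", 15),
    ("carol", "/hr/employee-records", 11),
    ("carol", "/hr/employee-records", 9),
    ("carol", "/hr/employee-records", 480),  # bulk read on the last day
    ("bob", "/shared/announcements", 3),
]


def unusual_access(log, factor=5.0):
    """Flag a day on which a user read a critical folder at least `factor` times
    their own average over the preceding days (assumed per-user baseline)."""
    history = defaultdict(list)
    alerts = []
    for user, folder, count in log:
        prior = history[(user, folder)]
        if folder in CRITICAL and prior and count >= factor * (sum(prior) / len(prior)):
            alerts.append((user, folder, count))
        prior.append(count)
    return alerts
```

Running `blast_radius("carol")` shows that compromising a single account with HR and engineering group membership reaches all three critical stores, while `unusual_access(ACCESS_LOG)` flags only the bulk read, not the routine days before it.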

And always remember: After your employees, your data is your most valuable asset.

This article first appeared on Forbes.