Predictable wins: designing for data breach containment
Microsoft, T-Mobile, the Red Cross, Twitter, Zoom, PayPal, Uber, the Shanghai Police Department, Tokyo Olympics attendees, JPMorgan Chase Bank, Facebook, Marriott Group, ASUS, JD Sports: if we were playing Jeopardy, the prize-winning response would be ‘victims of a data breach’. But data breaches are no game, and that list is only a sample of incidents covered on TechHQ. The true scale of compromised data is far larger. Breaches happen with such regularity that they have almost ceased to be news. Yet that predictability offers a clue to how the problem should be tackled. Given how often threat actors target firms, organizations, and individuals, IT systems should be designed to tolerate attacks and to contain a breach once it happens.
A common cybersecurity strategy is to invest in products that put a boundary between the corporate network and the outside world. “Firms are trying to build the wall higher and higher,” Trevor Dearing, Director of Critical Infrastructure Solutions at Illumio, told TechHQ. “But we have to change our thinking; assume that you’re going to get breached and invest in how to survive it.”
At a high level, there are three areas to think about. How do attackers gain access in the first place? What can be done to secure data so that, in the event of an attack, companies can restore a known-clean copy and keep critical operations running? And the piece that sits in the middle: understanding which assets on the network are talking to each other, and over which protocols. Ransomware operators go after the highest-value assets, and firms can use that knowledge to prioritize where to segment and monitor first.
Data breach containment
Reassuringly, there is plenty that can be done to make life harder for data thieves targeting IT networks. Defences include limiting the available attack surface and engineering for data breach containment. “We know the most popular protocols,” explains Dearing. “And we don’t need those protocols everywhere.” A Palo Alto Networks blog post sheds light on one of the most popular targets for ransomware attacks: remote desktop protocol (RDP).
Legitimate uses for RDP include letting IT support connect to an employee’s laptop or remotely managing cloud assets. But leaving RDP ports open to the internet invites unwelcome interest. In fact, RDP has become so notorious that many security practitioners have renamed it the Ransomware Deployment Protocol. Any host exposed on the internet will typically log a steady stream of connection attempts to RDP’s default port, TCP 3389. And if attackers find their way in, whether with stolen credentials, by exploiting a vulnerability, or by brute-forcing passwords, they can wander through as much of a company’s IT infrastructure as the compromised account can reach.
The threat underlines why it is important to keep track of which protocols are in use on each part of the network and, as Dearing recommends, to shut down anything unnecessary. RDP exposure can be reduced through a number of steps: keeping RDP off the public internet altogether and reaching it only through a VPN or gateway that enforces multifactor authentication, setting time limits on disconnected sessions, locking accounts after a small number of failed login attempts, and monitoring both for unintended exposures and for the bursts of failed logons that brute-force and password-spray attempts leave behind.
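The monitoring half of that advice, as an added example that is not code from the article, Illumio or Palo Alto Networks: the Python below runs a brute-force and password-spray rule over constructed Windows Security event records (event ID 4625 for a failed logon, 4624 for a success, logon type 10 for RDP). The field names, the sample events and the thresholds are assumptions made for the illustration.

```python
"""RDP brute-force and password-spray detection over Windows Security events.

Added example, not code from TechHQ, Illumio or Palo Alto Networks. The event
records below are constructed to look like fields extracted from the Windows
Security log; field names (event_id, logon_type, user, src_ip) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Event ID: an account failed to log on
SUCCESS_LOGON = 4624     # Event ID: an account was successfully logged on
REMOTE_INTERACTIVE = 10  # Logon type 10 = RDP / Terminal Services


def ev(time, event_id, user, src_ip, logon_type=REMOTE_INTERACTIVE):
    """Build one constructed event record."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = (
    # Brute force: one account hammered every 6 seconds, then a successful logon.
    [ev(f"2024-02-20T09:00:{s:02d}", FAILED_LOGON, "administrator", "203.0.113.7")
     for s in range(0, 48, 6)]
    + [ev("2024-02-20T09:01:10", SUCCESS_LOGON, "administrator", "203.0.113.7")]
    # Password spray: one attempt each against many accounts from one source.
    + [ev(f"2024-02-20T09:10:{s:02d}", FAILED_LOGON, u, "198.51.100.23")
       for s, u in zip(range(0, 60, 10), ["alice", "bob", "carol", "dave", "erin", "frank"])]
    # Benign: a user mistyping their password twice, an hour apart.
    + [ev("2024-02-20T10:00:00", FAILED_LOGON, "grace", "192.0.2.50"),
       ev("2024-02-20T11:00:00", FAILED_LOGON, "grace", "192.0.2.50")]
    # A non-RDP failure (logon type 3 = network), outside the scope of this rule.
    + [ev("2024-02-20T09:00:05", FAILED_LOGON, "svc-backup", "10.0.0.5", logon_type=3)]
)


def detect_rdp_attacks(events, window=timedelta(minutes=5),
                       fail_threshold=5, spray_users=3):
    """Return a list of findings, each a dict with src_ip, kind, failures, accounts.

    brute_force:            >= fail_threshold RDP failures from one IP inside `window`
    password_spray:         the same, but spread across >= spray_users distinct accounts
    success_after_failures: an RDP success from an IP that produced >= fail_threshold
                            failures in the preceding `window` (likely compromise)
    """
    failures = defaultdict(list)   # src_ip -> [(time, user), ...]
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != REMOTE_INTERACTIVE:
            continue
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == FAILED_LOGON:
            failures[e["src_ip"]].append((t, e["user"]))
        elif e["event_id"] == SUCCESS_LOGON:
            successes[e["src_ip"]].append((t, e["user"]))

    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):           # sliding window over sorted failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                users = {u for _, u in attempts[start:end + 1]}
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                findings.append({"src_ip": ip, "kind": kind,
                                 "failures": end - start + 1, "accounts": sorted(users)})
                break                               # one finding per IP is enough
        for t, user in successes.get(ip, []):
            recent = sum(1 for ft, _ in attempts if t - window <= ft < t)
            if recent >= fail_threshold:
                findings.append({"src_ip": ip, "kind": "success_after_failures",
                                 "failures": recent, "accounts": [user]})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_attacks(SAMPLE_EVENTS):
        print(f"{f['src_ip']:15} {f['kind']:24} failures={f['failures']} accounts={f['accounts']}")
```

Run against the constructed events, the rule flags the brute force and the success that follows it from 203.0.113.7, the spray from 198.51.100.23, and nothing for the user who mistyped twice. The same three rules apply unchanged if the events are fed from a SIEM query instead of the inline list; the success-after-failures case is the one worth paging on, because it means an exposed RDP service has already let someone in.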
Cycling back to the change in mindset, from building a higher wall to making sure that systems are attack tolerant and capable of data breach containment, it is no surprise to witness the rise of ‘zero trust’: no implicit trust based on where a user or device sits on the network, every access verified, and users granted the bare minimum of permissions, only for as long as the task in hand requires. Likewise, the widespread roll-out of multifactor authentication (MFA) reflects the threat posed by phishing emails, a staple in the tactics, techniques, and procedures (TTPs) that bad actors use to steal credentials, exfiltrate data, and launch ransomware campaigns.
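To make the asset-to-asset view and the least-privilege idea concrete, here is an added example in Python that is not Illumio's product or code from the article: a default-deny segmentation allowlist evaluated against constructed flow records. The asset groups, rules, addresses and flows are all invented for the illustration; in practice the flows would come from flow logs or host telemetry.

```python
"""Segmentation policy check: which assets talk to which, and over what.

Added example, not Illumio's product or code from the TechHQ article. The
asset groups, allowlist rules and flow records are all constructed; a real
deployment would feed this from flow logs or host telemetry.
"""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: CIDR -> workload group.
ASSET_GROUPS = {
    "10.10.0.0/24": "workstations",
    "10.20.0.0/24": "web",
    "10.30.0.0/24": "db",
    "10.40.0.0/24": "jump-hosts",
    "10.50.0.0/24": "backup",
}

# Default-deny allowlist: (source group, destination group, destination port).
# RDP (3389) is permitted only from the jump hosts, nowhere else.
ALLOW_RULES = {
    ("workstations", "web", 443),
    ("web", "db", 5432),
    ("backup", "db", 5432),
    ("jump-hosts", "web", 3389),
    ("jump-hosts", "db", 3389),
}

PORT_NAMES = {22: "SSH", 443: "HTTPS", 445: "SMB", 3389: "RDP", 5432: "PostgreSQL"}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.20.0.5", 443),    # workstation -> web app
    ("10.20.0.5", "10.30.0.8", 5432),    # web app -> database
    ("10.50.0.3", "10.30.0.8", 5432),    # backup server -> database
    ("10.40.0.2", "10.30.0.8", 3389),    # admin via jump host -> database
    ("10.10.0.15", "10.30.0.8", 3389),   # workstation RDP straight to the database
    ("10.20.0.5", "10.30.0.8", 3389),    # web server RDP to the database
    ("10.10.0.15", "10.10.0.22", 445),   # workstation-to-workstation SMB
]


def group_of(ip):
    """Map an address to its workload group; hosts outside the inventory are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for cidr, group in ASSET_GROUPS.items():
        if addr in ipaddress.ip_network(cidr):
            return group
    return "unknown"


def describe(src, dst, port):
    """Annotate one flow with service name and the groups on each end."""
    return {"src": src, "dst": dst, "port": port,
            "service": PORT_NAMES.get(port, str(port)),
            "src_group": group_of(src), "dst_group": group_of(dst)}


def evaluate_flows(flows, rules=ALLOW_RULES):
    """Split observed flows into those the policy allows and those it would block."""
    allowed, violations = [], []
    for src, dst, port in flows:
        rec = describe(src, dst, port)
        target = allowed if (rec["src_group"], rec["dst_group"], port) in rules else violations
        target.append(rec)
    return allowed, violations


def protocol_spread(flows):
    """For each destination port, the (source group, destination group) pairs using it.
    Comparing this with the allowlist shows where a protocol is in use but not needed."""
    spread = defaultdict(set)
    for src, dst, port in flows:
        spread[port].add((group_of(src), group_of(dst)))
    return dict(spread)


if __name__ == "__main__":
    allowed, violations = evaluate_flows(SAMPLE_FLOWS)
    print(f"{len(allowed)} flows allowed, {len(violations)} would be blocked:")
    for v in violations:
        print(f"  DENY {v['src_group']} -> {v['dst_group']} {v['service']} ({v['src']} -> {v['dst']})")
    for port, pairs in sorted(protocol_spread(SAMPLE_FLOWS).items()):
        print(f"{PORT_NAMES.get(port, port)} seen between: {sorted(pairs)}")
```

Run it and the three flows a segmentation policy would block stand out: RDP from a workstation and from a web server straight to the database, and workstation-to-workstation SMB, which is the lateral movement path ransomware relies on. `protocol_spread` shows RDP in use between three pairs of groups when policy only needs one, which is the kind of unnecessary protocol use Dearing describes. Running the evaluation in report-only mode against real flows before enforcing it is the usual way to avoid breaking a legitimate connection nobody had documented.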
Cyber resilience planning
Inevitably there will be gaps in the wall, and some phishing emails will get through and convince recipients to click on rogue links. Attackers can pore over social media feeds and even use AI writing tools such as ChatGPT to craft plausible and compelling content. Making IT systems impenetrable is a tall order, but attack resilience is achievable: for example, by asking for more than just a username and password at sign-in, so that a phished password alone does not grant access. Preparations also include a well-rehearsed drill for when things do go wrong.
“Organizations need to understand their plan when they are attacked,” said Dearing. Cybersecurity frameworks such as the widely used NIST Special Publication 800-39 are being revised with increased emphasis on cybersecurity risk management governance. In Europe, NIS2 broadens the range of sectors that must follow cybersecurity best practices, and responsibility will rest with company leadership to ensure that everything is done to keep data loss to a minimum and reduce the damage done when systems are breached.
The other side of the coin is regulation. GDPR has made it clear that negligence on data protection will be punished. Companies are required to be able to detect, investigate, risk-assess, and record any breach, and to report a personal data breach to the supervisory authority, normally within 72 hours of becoming aware of it, where it is likely to put individuals at risk. The UK’s Information Commissioner’s Office spells out the repercussions for failing to notify a breach when required, highlighting that fines can reach up to 2% of global annual turnover.
But organizations are not on their own. Security providers such as Illumio have shown how zero trust segmentation, which permits only the connections each workload actually needs and blocks everything else by default, can be effective in containing data breaches. Ransomware and data theft attempts may be here to stay, but investing in IT systems that are attack tolerant and capable of containing a breach will diminish the damage done.
26 February 2024