Stay one step ahead of cyber threats in 2024! In this mini-blog, we share 3 tips on how to make your organization more resilient against cyber attacks.
Tip 1 - Develop/test an incident response plan
Develop an incident response plan and conduct regular exercises. Why? Multiple studies have shown that an incident response plan can prevent and/or mitigate the financial impact of an incident. Various aspects should be considered when developing a plan, such as communication, both external and internal: how will you inform your staff about the 'disruption' when email communication is down? How far are you willing to go regarding ransom payment in a ransomware attack? How will you deal with the threat of a DDoS attack if payment is not made? Which business processes will you prioritize for restoration after an attack, and which servers, applications, and other infrastructure are needed for that?
If all of this is preconfigured and/or clear in advance, then, as mentioned earlier, you can sometimes reduce financial damage by up to 30% (1,2).
Tip 2 - Advanced and layered detection
Multiple sources, such as the recent report from the AIVD (the Dutch intelligence service), indicate that advanced attackers are becoming increasingly active. These are not typical ransomware groups, but often state-sponsored groups. While typical ransomware groups shoot in the dark and hope to hit something, state-sponsored attackers operate more selectively and will therefore infiltrate your network more carefully and quietly. To detect these attackers and intervene in a timely manner to reduce the chances of impact, it is important to configure multiple layers of detection and response.
Implementing 'smart' custom detections on multiple digital layers (account, data, application, etc.) significantly increases the likelihood of catching perpetrators, because an attacker interacts with more than just a workstation or a server. Combining this with honeytokens reduces the chance that an (advanced) attacker can operate freely without being detected.
Of course, not everyone possesses information juicy enough for foreign governments (read: China, Russia, America), but perhaps your network is being used to gain access to your supplier or customer who does have such valuable assets or information.
The good news, which many of our clients may not realize, is that the right tools are often already in place. What is lacking is the proper integration and expertise to make a difference. A practical tip is to implement honeytokens, which incur little to no cost but are highly effective. The NCSC has written a great article about this.
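As an added example (not code from the original post), here is a small Python detector for honeytokens placed on the account, data and application layers described above; a source that trips tokens on several layers is surfaced as the strongest signal. The token values, log format and field names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed honeytokens, one per layer. None of these is ever used by
# legitimate activity, so any hit is a high-confidence alert.
HONEYTOKENS = {
    "account": {"svc-backup-legacy"},                    # decoy account
    "data": {"smb://fileserver/finance/passwords.xlsx"}, # decoy file
    "application": {"AKIAHONEYTOKEN0000EXAMPLE"},        # decoy API key id
}

# Which event field carries the token on each layer (assumed SIEM schema).
TOKEN_FIELD = {"account": "user", "data": "object", "application": "key_id"}

# Constructed sample events, one JSON object per line.
SAMPLE_LOGS = """
{"layer":"account","ts":"2024-01-10T08:02:11Z","user":"alice","src":"10.1.2.3","action":"logon"}
{"layer":"account","ts":"2024-01-10T08:03:40Z","user":"svc-backup-legacy","src":"10.1.9.77","action":"logon"}
{"layer":"data","ts":"2024-01-10T08:05:02Z","user":"alice","src":"10.1.2.3","object":"smb://fileserver/finance/q4.xlsx","action":"read"}
{"layer":"data","ts":"2024-01-10T08:06:15Z","user":"svc-backup-legacy","src":"10.1.9.77","object":"smb://fileserver/finance/passwords.xlsx","action":"read"}
{"layer":"application","ts":"2024-01-10T08:07:50Z","user":"-","src":"203.0.113.5","key_id":"AKIAHONEYTOKEN0000EXAMPLE","action":"api_call"}
"""


def detect_honeytoken_hits(log_text: str) -> list:
    """Return one alert per event that touches a honeytoken on its own layer."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        layer = ev.get("layer")
        value = ev.get(TOKEN_FIELD.get(layer, ""))
        if value in HONEYTOKENS.get(layer, set()):
            alerts.append({"layer": layer, "token": value, "src": ev["src"],
                           "ts": ev["ts"], "user": ev.get("user")})
    return alerts


def correlate_by_source(alerts: list) -> dict:
    """Group alerts by source IP; multi-layer hits from one source are the strongest signal."""
    layers = defaultdict(set)
    for a in alerts:
        layers[a["src"]].add(a["layer"])
    return {src: sorted(hit) for src, hit in layers.items()}


if __name__ == "__main__":
    hits = detect_honeytoken_hits(SAMPLE_LOGS)
    for src, layers in correlate_by_source(hits).items():
        print(f"{src}: honeytoken hits on {', '.join(layers)}")
```

Only the decoy account, decoy file and decoy key produce alerts; the ordinary user's activity on the same layers does not.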
Tip 3 - Use smart algorithms
By utilizing smart algorithms, processes and repetitive tasks can be optimized, freeing up time for essential duties. For instance, automating the initial steps in response to a phishing alert, or involving automation in the initial stages of triage based on a set of Indicators of Compromise. Another example is taking a first stab at decoding an obfuscated PowerShell script. This approach prevents overburdening analysts with repetitive tasks and assists them in the initial phases. The use of Copilot or integration with OpenAI could facilitate this, but be cautious about privacy considerations when using such services.
There is currently a lot of writing and advertising about artificial intelligence (AI) and machine learning (ML). In 2024, this will certainly bring benefits, but it is not a silver bullet. Use it to automate simple and time-consuming tasks or as assistance in the initial stages of triage. Rely especially on major players like Microsoft/OpenAI, Google, etc. These companies invest billions, something a company not specialized in AI cannot compete with. This way, analysts and responders will have more time for advanced research and investigations, where, in our opinion, AI and ML are not of significant assistance.