CyberLabs

CyberLabs #9: Cyber Security for Business – How to Secure Your Network from Cyber-Attacks?

Michał Błaszczak,  Published on: 9 May 2024, Modified on: 10 May 2024

cyberlabs 9

In the face of dynamic technological advancements and increasingly sophisticated cyber threats, ensuring network security has become crucial. Dozen security incidents present a challenge that we cannot afford to overlook. Whether you run a small or enterprise company, you are a potential target for cybercriminals. Even individuals are not exempt from risk, as their data can become a target for hackers. In the context of business operations, we often face the necessity of meeting various requirements and standards that impose the obligation to implement effective safeguards for our IT systems.

One of the key steps in ensuring cybersecurity is awareness of threats. Educating employees and end-users about security principles can significantly reduce the risk of a successful attack on the corporate network. 

Another essential task is conducting regular penetration tests to find as many vulnerabilities and configuration errors as possible, which could impact the confidentiality, integrity, and availability of processed data. These tests ensure the cybersecurity of your networks, applications, and customer data they contain.

However, it’s important to remember that, unlike penetration tests, your company systems will be attacked much more frequently (even daily), and the time it takes to detect potential cyber-attacks and take appropriate action could be crucial for the security of the data processing at your organization.

security-breaches-in-poland

To be considered a mature and security-aware company, you should implement various security systems that will actively protect your business. Contrary to public opinion, hefty sums aren’t necessary. You can secure your network using free, open-source solutions. However, before you explore the options, you’ll need to understand what threats you’re against.

Network Security Threats that You Need to Protect Yourself From

Before delving into cyber security systems that will help you secure your business network, it’s worth knowing what we need to protect ourselves from. Understanding various cyber threats will enable you to choose the measures you’ll use to safeguard your corporate network better.

It’s important to note that the first step should be analyzing cyber threats and associated risks, as not all threats described below will apply to your organization.

Phishing / Smishing / Vishing

The topic of phishing and its types has been addressed numerous times within the CyberLabs series. Phishing is a fraudulent method where attackers impersonate trusted entities, such as banks, courier companies, or public figures, to persuade victims into performing actions like disclosing login credentials.

smishing-sms

CyberLabs #1 – Phishing being one of the most popular cyber threats

In 2023, operators of CERT Polska registered 41,423 phishing-related incidents. Compared to 2022, it represents a 61% increase. We’ll likely see a significant upgrowth in phishing incidents concerning 2024.

Ransomware 

This is one type of malicious software that, upon infecting our network, blocks various IT systems by encrypting selected files. In exchange for data recovery, a significant ransom must be paid to the attacker (it’s worth remembering that payment doesn’t always guarantee the decryption of our data).

Before encrypting the data, it’s often exfiltrated by the attackers, who then additionally threaten to publicly disclose the data if we don’t pay the ransom within a specified time frame. Recently, many articles have been written about ransomware groups, especially those related to Operation Cronos targeting the notorious LockBit group. 

ransomware-attack

Ransomware attacks will undoubtedly remain a nightmare for many companies, but with proper security measures, they don’t have to be – as discussed further in the article.

Web Applications Vulnerabilities

Many attacks are targeted at web applications. Such an application often has access to numerous components within the network. It is an ideal place for attackers to search for vulnerabilities such as SQL injection (SQLi), Cross-Site Scripting (XSS), Server-Side Template Injection (SSTI), and many others. If successful, attackers often gain access to sensitive data at this stage. Therefore, inventorying all environments and systems, especially those exposed to the internet, and subjecting them to periodic penetration testing is crucial.

Unsupported, Outdated, Legacy Software

Vulnerabilities can also exist in third-party software created by other entities. For example, this vulnerability could be associated with a CMS such as WordPress or an out-of-date version of Apache. Updating every system element is essential because one oversight can cost us dearly. It’s also worth knowing in advance whether exploits for a specific vulnerability are already being used on the internet and if our software has any vulnerabilities (answers to these questions can be found in the following part of the article).

wp-updates

Errors and Unsecure Configurations 

Simple oversights or errors can often lead to significant damages, and in the process, attackers can easily trace them. This includes all instances where we use default logins and passwords, hide backups in “deep hiding,” allow access to administrative panels, or permit login to SSH with simple passwords.

Most of these basic errors can be detected by most vulnerability scanners. Therefore, if, for example, we have a service like SSH exposed on the default port, we are more susceptible to automated scans than if we had this service on a non-standard port.

DDoS (Distributed Denial of Service) Attacks 

Another “destructive” cyber threat alongside ransomware is Distributed Denial of Service (DDoS). It generates massive network traffic to overload an application or server. The largest attacks can lead to complete infrastructure overload or disruption of scalable services.

At first glance, DDoS may not seem as threatening as ransomware. However, we must consider the financial penalties associated with breaches of agreements between the company and its clients or other financial losses resulting from downtime in corporate systems.

There are many more similar attacks, and delving into the details of each would require writing not just one book. However, one common question for these or any other attacks is:

“How can we detect attacks earlier? What systems can notify us when an attack is just beginning, giving us time to react and prevent a security incident? Can we anticipate new attacks, new types of malware?”

The answer is: Of course! 

There are several security systems that can help us with this and automate most of the actions.

The question worth considering further is: Since there are systems that can help us detect and mitigate these risks, why do many companies not have them?”

Why Many Organizations Don’t Take Cyber-security Seriously?

One reason might be the high cost of security systems, which require expensive licenses and trained staff for maintenance. This can be financially challenging for some companies. Another reason could be the complexity of choosing the right systems among many that would suit your organization’s needs.

It’s essential to recognize that having no security system in place nowadays is risky, and serious consideration should be given to implementing one as soon as possible. Even when utilizing free, open-source solutions, there are still costs associated with the servers needed to support these systems. Additionally, there may be expenses related to the staff required to manage this security infrastructure.

Given these challenges, is there an alternative solution for companies that, for various reasons, prefer to handle only some of this themselves?

Yes, there is! 

A solution to consider here is the business model known as SOC as a Service. It’s a service that acts as external, independent support for detecting and responding to threats directed against us.

Companies offering SOC as a Service operate on a 24/7/365 basis, making it a viable option if you don’t want or can’t afford your own security infrastructure. Remember, in today’s world, having such security systems also demonstrates the maturity of our company in terms of cybersecurity.

Maximize your email deliverability and security with EmailLabs!

Cybersecurity Acronyms Explained

In today’s world, it’s common to encounter a flood of security acronyms that can leave anyone’s head spinning. You’ll come across terms like SIEM, XDR, WTG, WAF, IPS, NIDS, and more in many articles and newsletters. But what do these abbreviations actually mean? 

While cybersecurity professionals may be fine deciphering them, others might find them confusing. So, let’s break down a few of these security acronyms. This knowledge will help you choose solutions for your company. Most of them are available in an open-source model so that you can use them without expensive licenses.

SIEM – Security Information and Event Management

SIEM, or Security Information and Event Management, is essentially the “heart” of security systems within our infrastructure. With SIEM, software operators have full visibility into what’s happening in their network, and most importantly, this insight is provided in real-time.

SIEM primarily collects various events generated by monitored hosts or other security systems. Within SIEM, event decoding occurs (extracting specific information from a particular log), and then the extracted information is matched against built-in or custom security rules. If the extracted information matches a policy, an appropriate alert is generated with a pre-defined threat level. Based on such alerts, SIEM can take further actions, such as requesting the blocking of a specific IP address on the firewall.

Besides typical functionalities, some SIEM systems have additional capabilities, such as conducting security scans of hosts where agents are installed or allowing active responses on those hosts in response to an attack.

In addition to SIEM, there are systems that also function as XDR (Extended Detection and Response) platforms (more about XDR in the next sub-point). An example of such a system is Wazuh, a free solution that can be installed on your own servers.

wazuh

EDR / XDR – Endpoint Detection & Response / eXtendet Detection & Response

EDR and XDR are systems that are very similar to each other, but there are slight differences between them. EDR enables security operations to monitor endpoint devices for various anomalies in real time while also logging every activity in the system. If such software detects malicious activity, it can initiate automated processes to stop the detected threat. 

These actions may include running a script or binary file and completely isolating it from the network. In the case of XDR, we’re dealing with only an extended EDR. This extension allows for detecting, collecting, and analyzing logs across networks, clouds, and other environments. XDR automates data collection and analysis, resulting in faster threat detection. When combined with various integrations, this tool significantly boosts the efficiency of security operations.

EDR
XDR
Monitors individual endpoints for cyber threats Monitors endpoints, servers, cloud environments, and network devices for cyber threats
Uses a single agent on each endpoint Collects data from multiple security products and technologies
Uses traditional methods to detect cyber threats uses advanced methods Such as machine learning and artificial intelligence to detect cyber threats
Easy to set up and manage More complex to set up and manage
Less expensive than XDR More expensive than EDR
May take time to investigate and respond to threats Aims to respond more quickly due to its ability to collect and analyze data from multiple sources

It’s essential to note that XDR isn’t an enhanced SIEM system. While XDR allows for data collection and analysis like SIEM, they are separate technologies. SIEM is more analytical, gathering logs from multiple sources, but is passive.

XDR solutions complement SIEM with dynamic analysis, real-time response capabilities, and Threat Intelligence. So, as you can see, Wazuh, mentioned earlier, isn’t just a free SIEM solution but also an XDR tool worth exploring.

AV – AntiVirus

AV  is a fundamental security system that ensures our devices aren’t infected with malicious software. You should know that modern antivirus programs are highly sophisticated systems capable of performing various tasks, from sandboxing (using artificial intelligence to analyze malicious software) to Advanced Threat Protection software functionalities.

Still, partly true is the statement that antivirus won’t detect new malicious software because, sadly, there are programs that can effectively “bypass” even that advanced antivirus software. However, most malicious software is generated using known tools or will be slightly modified, unsophisticated malware. Of course, the signature databases of various antivirus software are regularly updated, making even the mentioned malware easily “caught.”

windows-defender

An example of completely free yet highly effective antivirus software is the popular Windows Defender. Despite past opinions, it’s now a very capable antivirus, proficient at detecting various types of malware.

WAF – Web Application Firewall 

This is definitely one of those security measures worth mentioning in the context of web applications or API interfaces. If you think your company’s web application isn’t scanned or attacked, you’re mistaken. While attacks or scans may not always target your specific application, automated bots often scan websites looking for vulnerabilities. This could be the first step before a targeted attack.

Web Application Firewalls (WAFs) are effective at protecting our sites from common attacks like Cross-site Scripting, SQL Injection, Path Traversal, Client-Side Template Injection, and more. WAFs can also detect and block directory scans, header manipulations, connections from TOR networks, or other IP addresses associated with known attacks (lists of such IP addresses are publicly available, e.g., on Github Firehol). Depending on the configuration and solution, malicious traffic can be blocked outright, or users sending such requests can be presented with a captcha.

An example of a fully free WAF is the ModSecurity plugin, which can be integrated with Apache, Nginx, and IIS. This WAF comes with many policies, such as the OWASP ModSecurity Core Rule Set, which effectively detects numerous attacks.

waf-cloudflare

Interestingly, CloudFlare’s WAF is also based on these policies, so without spending a dime, we can leverage at least some of the same policies as the mentioned giant. Of course, there’s nothing stopping you from expanding the list of policies with a few custom ones of your own. 

IPS & IDS – Intrusion Prevention System and Intrusion Detection System 

IPS and IDS are security systems that detect malicious activities based on network traffic analysis and can effectively prevent them. By detecting unwanted traffic early, your security teams can proactively identify the source, type, or target of an attack. IPS/IDS solutions are often categorized based on their location and operation method, with two main types: NIPS/HIPS and NIDS/HIDS, referring to Network/Host Intrusion Prevention/Detection Systems.

These systems excel in detecting malicious activities such as port scanning, data exfiltration, malware operations, cryptocurrency mining, or DDoS attacks. Of course, the capabilities of such software are vast, and there are more detailed subdivisions. Like many other security solutions, IPS/IDS also have free counterparts that we can utilize in our organizations. Among these are Snort and Suricata.

IDS
IPS
Installed on network segments (NIDS) and hosts (HIDS) Installed on network segments (NIPS) and hosts (HIPS)
Sits on the network passively Sits inline (not passive)
Cannot parse encrypted traffic Better protecting applications
Central management control Central management control
Better at detecting hacking attacks Ideal for blocking web defacement
Alerting product (reactive) Blocking product (proactive)

TI Threat Intelligence 

To enhance your security system’s and team’s resilience against cyber threats, you require more information on new threats, malware samples, and details about IP addresses/domains linked to different attacks. This information empowers organizations to proactively enrich their systems, effectively detecting relatively new attacks or malicious activities. The system enabling such data collection is Threat Intelligence (TI).

Software of this kind is an invaluable component of security systems, allowing other security systems, such as IPS, IDS, EDR, etc., to be continuously supplied with new, useful information. It’s worth mentioning that having security systems is just the first step.  The next step should be to ensure that all these security systems have as extensive and up-to-date data as possible. Without this, they won’t fulfill their role fully.

In the case of Threat Intelligence systems, many free solutions are available. MISP and OpenCTI are the most well-knownIn the case of the MISP platform, it mainly focuses on gathering information about IoCs (Indicators of Compromise) and IoAs (Indicators of Attack), such as IP addresses, domains associated with C2 (command-and-control) attacks, as well as information about new vulnerabilities, exploits, or malicious software hashes.

Regarding OpenCTI, the platform mainly focuses on monitoring networks like TOR to track various groups or criminal forums in search of TTPs (Tactics, Techniques, and Procedures) used by these groups. Interestingly, both of these solutions can be successfully integrated with each other. Additionally, they have a vast number of integrations, enabling the collection of large amounts of data. This allows you to customize and expand these solutions according to your needs. 

IR Incident Response 

This is one of those systems that we wouldn’t necessarily use on a daily basis, but when it comes to handling confirmed or suspected incidents, it can be a highly useful tool. They are often utilized by teams like SOC, CSIRT, or CERT. An example of an Incident Response platform is TheHive, which can be effectively integrated with, for example, the mentioned SIEM, all sorts of email analysis tools, or Threat Intelligence platforms.

After integrating, the Incident Response system can create an incident that needs handling. These incidents are generated after the SIEM system triggers an alert of the appropriate level (of course, triggering actions can vary). Thanks to such systems, the security team doesn’t have to sift through masses of logs searching for events indicating the mentioned incident. They simply log into the Incident Response system and review the created tasks.

 

thehive

 

After integrating, the Incident Response system can create an incident that needs handling. These incidents are generated after the SIEM system triggers an alert of the appropriate level (of course, triggering actions can vary). Thanks to such systems, the security team doesn’t have to sift through masses of logs searching for events indicating the mentioned incident. They simply log into the Incident Response system and review the created tasks.

How to Build Security Infrastructure?

A crucial starting point in constructing your security systems infrastructure is conducting a threat analysis and clearly defining the needs and capabilities of your organization. Although each of the systems mentioned in this article has free solutions, maintaining them will require hardware and personnel resources. Focus on securing only the systems exposed to the internet may be a good solution for some companies, while others may prioritize securing and monitoring employee computers.

Regardless of your needs, having at least some security systems in place is valuable. Still, having too many systems or selecting them incorrectly can result in an overwhelming amount of logs your team cannot process effectively, thus limiting your ability to respond to various attacks. Also, consider that there are companies offering SOC as a Service, which might be an ideal solution.

Regardless of your choice, taking the first step towards building your security systems infrastructure is essential. This step demonstrates your organization’s maturity and cyber awareness. It also will significantly enhance the security of your business network and all the data it holds.

Good Advice From our Ethical Hacker

▪️ Regardless of the size of your company, you should consider implementing security systems in your networks. Each of us can become a target for cybercriminals, and having such systems is required by many modern standards and regulations.

▪️ If you cannot afford to deploy and maintain self-hosted security systems, consider SOC as a Service.

▪️ Conduct a threat analysis and define which access points in your networks/systems may be vulnerable. Depending on the results and needs, you’ll be able to choose appropriate security systems.

▪️ If you have too many security systems compared to your organization’s needs and staffing capabilities, you will need more than an excess of logs. Therefore, remember the need to extract useful information from these systems, which will help in detecting various attacks.

▪️ Regularly monitor cyber threats exploited by cybercriminals. Awareness of risks is our greatest weapon against hackers.

Stay Secure! 👾

Create an account with EmailLabs today

Ensure the highest deliverability of your B2B email communications!

Most popular

Latest blog posts