In the face of dynamic technological advancements and increasingly sophisticated cyber threats, ensuring network security has become crucial. Dozen security incidents present a challenge that we cannot afford to overlook. Whether you run a small or enterprise company, you are a potential target for cybercriminals. Even individuals are not exempt from risk, as their data can become a target for hackers. In the context of business operations, we often face the necessity of meeting various requirements and standards that impose the obligation to implement effective safeguards for our IT systems.
One of the key steps in ensuring cybersecurity is awareness of threats. Educating employees and end-users about security principles can significantly reduce the risk of a successful attack on the corporate network.
Another essential task is conducting regular penetration tests to find as many vulnerabilities and configuration errors as possible, which could impact the confidentiality, integrity, and availability of processed data. These tests ensure the cybersecurity of your networks, applications, and customer data they contain.
However, it’s important to remember that, unlike penetration tests, your company systems will be attacked much more frequently (even daily), and the time it takes to detect potential cyber-attacks and take appropriate action could be crucial for the security of the data processing at your organization.
To be considered a mature and security-aware company, you should implement various security systems that will actively protect your business. Contrary to public opinion, hefty sums aren’t necessary. You can secure your network using free, open-source solutions. However, before you explore the options, you’ll need to understand what threats you’re against.
Before delving into cyber security systems that will help you secure your business network, it’s worth knowing what we need to protect ourselves from. Understanding various cyber threats will enable you to choose the measures you’ll use to safeguard your corporate network better.
It’s important to note that the first step should be analyzing cyber threats and associated risks, as not all threats described below will apply to your organization.
The topic of phishing and its types has been addressed numerous times within the CyberLabs series. Phishing is a fraudulent method where attackers impersonate trusted entities, such as banks, courier companies, or public figures, to persuade victims into performing actions like disclosing login credentials.
CyberLabs #1 – Phishing being one of the most popular cyber threats
In 2023, operators of CERT Polska registered 41,423 phishing-related incidents. Compared to 2022, it represents a 61% increase. We’ll likely see a significant upgrowth in phishing incidents concerning 2024.
This is one type of malicious software that, upon infecting our network, blocks various IT systems by encrypting selected files. In exchange for data recovery, a significant ransom must be paid to the attacker (it’s worth remembering that payment doesn’t always guarantee the decryption of our data).
Before encrypting the data, it’s often exfiltrated by the attackers, who then additionally threaten to publicly disclose the data if we don’t pay the ransom within a specified time frame. Recently, many articles have been written about ransomware groups, especially those related to Operation Cronos targeting the notorious LockBit group.
Ransomware attacks will undoubtedly remain a nightmare for many companies, but with proper security measures, they don’t have to be – as discussed further in the article.
Many attacks are targeted at web applications. Such an application often has access to numerous components within the network. It is an ideal place for attackers to search for vulnerabilities such as SQL injection (SQLi), Cross-Site Scripting (XSS), Server-Side Template Injection (SSTI), and many others. If successful, attackers often gain access to sensitive data at this stage. Therefore, inventorying all environments and systems, especially those exposed to the internet, and subjecting them to periodic penetration testing is crucial.
Vulnerabilities can also exist in third-party software created by other entities. For example, this vulnerability could be associated with a CMS such as WordPress or an out-of-date version of Apache. Updating every system element is essential because one oversight can cost us dearly. It’s also worth knowing in advance whether exploits for a specific vulnerability are already being used on the internet and if our software has any vulnerabilities (answers to these questions can be found in the following part of the article).
Simple oversights or errors can often lead to significant damages, and in the process, attackers can easily trace them. This includes all instances where we use default logins and passwords, hide backups in “deep hiding,” allow access to administrative panels, or permit login to SSH with simple passwords.
Most of these basic errors can be detected by most vulnerability scanners. Therefore, if, for example, we have a service like SSH exposed on the default port, we are more susceptible to automated scans than if we had this service on a non-standard port.
Another “destructive” cyber threat alongside ransomware is Distributed Denial of Service (DDoS). It generates massive network traffic to overload an application or server. The largest attacks can lead to complete infrastructure overload or disruption of scalable services.
At first glance, DDoS may not seem as threatening as ransomware. However, we must consider the financial penalties associated with breaches of agreements between the company and its clients or other financial losses resulting from downtime in corporate systems.
There are many more similar attacks, and delving into the details of each would require writing not just one book. However, one common question for these or any other attacks is:
“How can we detect attacks earlier? What systems can notify us when an attack is just beginning, giving us time to react and prevent a security incident? Can we anticipate new attacks, new types of malware?”
The answer is: Of course!
There are several security systems that can help us with this and automate most of the actions.
The question worth considering further is: “Since there are systems that can help us detect and mitigate these risks, why do many companies not have them?”
One reason might be the high cost of security systems, which require expensive licenses and trained staff for maintenance. This can be financially challenging for some companies. Another reason could be the complexity of choosing the right systems among many that would suit your organization’s needs.
It’s essential to recognize that having no security system in place nowadays is risky, and serious consideration should be given to implementing one as soon as possible. Even when utilizing free, open-source solutions, there are still costs associated with the servers needed to support these systems. Additionally, there may be expenses related to the staff required to manage this security infrastructure.
Given these challenges, is there an alternative solution for companies that, for various reasons, prefer to handle only some of this themselves?
Yes, there is!
A solution to consider here is the business model known as SOC as a Service. It’s a service that acts as external, independent support for detecting and responding to threats directed against us.
Companies offering SOC as a Service operate on a 24/7/365 basis, making it a viable option if you don’t want or can’t afford your own security infrastructure. Remember, in today’s world, having such security systems also demonstrates the maturity of our company in terms of cybersecurity.
Maximize your email deliverability and security with EmailLabs!
In today’s world, it’s common to encounter a flood of security acronyms that can leave anyone’s head spinning. You’ll come across terms like SIEM, XDR, WTG, WAF, IPS, NIDS, and more in many articles and newsletters. But what do these abbreviations actually mean?
While cybersecurity professionals may be fine deciphering them, others might find them confusing. So, let’s break down a few of these security acronyms. This knowledge will help you choose solutions for your company. Most of them are available in an open-source model so that you can use them without expensive licenses.
SIEM, or Security Information and Event Management, is essentially the “heart” of security systems within our infrastructure. With SIEM, software operators have full visibility into what’s happening in their network, and most importantly, this insight is provided in real-time.
SIEM primarily collects various events generated by monitored hosts or other security systems. Within SIEM, event decoding occurs (extracting specific information from a particular log), and then the extracted information is matched against built-in or custom security rules. If the extracted information matches a policy, an appropriate alert is generated with a pre-defined threat level. Based on such alerts, SIEM can take further actions, such as requesting the blocking of a specific IP address on the firewall.
Besides typical functionalities, some SIEM systems have additional capabilities, such as conducting security scans of hosts where agents are installed or allowing active responses on those hosts in response to an attack.
In addition to SIEM, there are systems that also function as XDR (Extended Detection and Response) platforms (more about XDR in the next sub-point). An example of such a system is Wazuh, a free solution that can be installed on your own servers.
EDR and XDR are systems that are very similar to each other, but there are slight differences between them. EDR enables security operations to monitor endpoint devices for various anomalies in real time while also logging every activity in the system. If such software detects malicious activity, it can initiate automated processes to stop the detected threat.
These actions may include running a script or binary file and completely isolating it from the network. In the case of XDR, we’re dealing with only an extended EDR. This extension allows for detecting, collecting, and analyzing logs across networks, clouds, and other environments. XDR automates data collection and analysis, resulting in faster threat detection. When combined with various integrations, this tool significantly boosts the efficiency of security operations.
EDR |
XDR |
---|---|
Monitors individual endpoints for cyber threats | Monitors endpoints, servers, cloud environments, and network devices for cyber threats |
Uses a single agent on each endpoint | Collects data from multiple security products and technologies |
Uses traditional methods to detect cyber threats | uses advanced methods Such as machine learning and artificial intelligence to detect cyber threats |
Easy to set up and manage | More complex to set up and manage |
Less expensive than XDR | More expensive than EDR |
May take time to investigate and respond to threats | Aims to respond more quickly due to its ability to collect and analyze data from multiple sources |
It’s essential to note that XDR isn’t an enhanced SIEM system. While XDR allows for data collection and analysis like SIEM, they are separate technologies. SIEM is more analytical, gathering logs from multiple sources, but is passive.
XDR solutions complement SIEM with dynamic analysis, real-time response capabilities, and Threat Intelligence. So, as you can see, Wazuh, mentioned earlier, isn’t just a free SIEM solution but also an XDR tool worth exploring.
AV is a fundamental security system that ensures our devices aren’t infected with malicious software. You should know that modern antivirus programs are highly sophisticated systems capable of performing various tasks, from sandboxing (using artificial intelligence to analyze malicious software) to Advanced Threat Protection software functionalities.
Still, partly true is the statement that antivirus won’t detect new malicious software because, sadly, there are programs that can effectively “bypass” even that advanced antivirus software. However, most malicious software is generated using known tools or will be slightly modified, unsophisticated malware. Of course, the signature databases of various antivirus software are regularly updated, making even the mentioned malware easily “caught.”
An example of completely free yet highly effective antivirus software is the popular Windows Defender. Despite past opinions, it’s now a very capable antivirus, proficient at detecting various types of malware.
This is definitely one of those security measures worth mentioning in the context of web applications or API interfaces. If you think your company’s web application isn’t scanned or attacked, you’re mistaken. While attacks or scans may not always target your specific application, automated bots often scan websites looking for vulnerabilities. This could be the first step before a targeted attack.
Web Application Firewalls (WAFs) are effective at protecting our sites from common attacks like Cross-site Scripting, SQL Injection, Path Traversal, Client-Side Template Injection, and more. WAFs can also detect and block directory scans, header manipulations, connections from TOR networks, or other IP addresses associated with known attacks (lists of such IP addresses are publicly available, e.g., on Github Firehol). Depending on the configuration and solution, malicious traffic can be blocked outright, or users sending such requests can be presented with a captcha.
An example of a fully free WAF is the ModSecurity plugin, which can be integrated with Apache, Nginx, and IIS. This WAF comes with many policies, such as the OWASP ModSecurity Core Rule Set, which effectively detects numerous attacks.
Interestingly, CloudFlare’s WAF is also based on these policies, so without spending a dime, we can leverage at least some of the same policies as the mentioned giant. Of course, there’s nothing stopping you from expanding the list of policies with a few custom ones of your own.
IPS and IDS are security systems that detect malicious activities based on network traffic analysis and can effectively prevent them. By detecting unwanted traffic early, your security teams can proactively identify the source, type, or target of an attack. IPS/IDS solutions are often categorized based on their location and operation method, with two main types: NIPS/HIPS and NIDS/HIDS, referring to Network/Host Intrusion Prevention/Detection Systems.
These systems excel in detecting malicious activities such as port scanning, data exfiltration, malware operations, cryptocurrency mining, or DDoS attacks. Of course, the capabilities of such software are vast, and there are more detailed subdivisions. Like many other security solutions, IPS/IDS also have free counterparts that we can utilize in our organizations. Among these are Snort and Suricata.
IDS |
IPS |
---|---|
Installed on network segments (NIDS) and hosts (HIDS) | Installed on network segments (NIPS) and hosts (HIPS) |
Sits on the network passively | Sits inline (not passive) |
Cannot parse encrypted traffic | Better protecting applications |
Central management control | Central management control |
Better at detecting hacking attacks | Ideal for blocking web defacement |
Alerting product (reactive) | Blocking product (proactive) |
To enhance your security system’s and team’s resilience against cyber threats, you require more information on new threats, malware samples, and details about IP addresses/domains linked to different attacks. This information empowers organizations to proactively enrich their systems, effectively detecting relatively new attacks or malicious activities. The system enabling such data collection is Threat Intelligence (TI).
Software of this kind is an invaluable component of security systems, allowing other security systems, such as IPS, IDS, EDR, etc., to be continuously supplied with new, useful information. It’s worth mentioning that having security systems is just the first step. The next step should be to ensure that all these security systems have as extensive and up-to-date data as possible. Without this, they won’t fulfill their role fully.
In the case of Threat Intelligence systems, many free solutions are available. MISP and OpenCTI are the most well-known. In the case of the MISP platform, it mainly focuses on gathering information about IoCs (Indicators of Compromise) and IoAs (Indicators of Attack), such as IP addresses, domains associated with C2 (command-and-control) attacks, as well as information about new vulnerabilities, exploits, or malicious software hashes.
Regarding OpenCTI, the platform mainly focuses on monitoring networks like TOR to track various groups or criminal forums in search of TTPs (Tactics, Techniques, and Procedures) used by these groups. Interestingly, both of these solutions can be successfully integrated with each other. Additionally, they have a vast number of integrations, enabling the collection of large amounts of data. This allows you to customize and expand these solutions according to your needs.
This is one of those systems that we wouldn’t necessarily use on a daily basis, but when it comes to handling confirmed or suspected incidents, it can be a highly useful tool. They are often utilized by teams like SOC, CSIRT, or CERT. An example of an Incident Response platform is TheHive, which can be effectively integrated with, for example, the mentioned SIEM, all sorts of email analysis tools, or Threat Intelligence platforms.
After integrating, the Incident Response system can create an incident that needs handling. These incidents are generated after the SIEM system triggers an alert of the appropriate level (of course, triggering actions can vary). Thanks to such systems, the security team doesn’t have to sift through masses of logs searching for events indicating the mentioned incident. They simply log into the Incident Response system and review the created tasks.
After integrating, the Incident Response system can create an incident that needs handling. These incidents are generated after the SIEM system triggers an alert of the appropriate level (of course, triggering actions can vary). Thanks to such systems, the security team doesn’t have to sift through masses of logs searching for events indicating the mentioned incident. They simply log into the Incident Response system and review the created tasks.
A crucial starting point in constructing your security systems infrastructure is conducting a threat analysis and clearly defining the needs and capabilities of your organization. Although each of the systems mentioned in this article has free solutions, maintaining them will require hardware and personnel resources. Focus on securing only the systems exposed to the internet may be a good solution for some companies, while others may prioritize securing and monitoring employee computers.
Regardless of your needs, having at least some security systems in place is valuable. Still, having too many systems or selecting them incorrectly can result in an overwhelming amount of logs your team cannot process effectively, thus limiting your ability to respond to various attacks. Also, consider that there are companies offering SOC as a Service, which might be an ideal solution.
Regardless of your choice, taking the first step towards building your security systems infrastructure is essential. This step demonstrates your organization’s maturity and cyber awareness. It also will significantly enhance the security of your business network and all the data it holds.
▪️ Regardless of the size of your company, you should consider implementing security systems in your networks. Each of us can become a target for cybercriminals, and having such systems is required by many modern standards and regulations.
▪️ If you cannot afford to deploy and maintain self-hosted security systems, consider SOC as a Service.
▪️ Conduct a threat analysis and define which access points in your networks/systems may be vulnerable. Depending on the results and needs, you’ll be able to choose appropriate security systems.
▪️ If you have too many security systems compared to your organization’s needs and staffing capabilities, you will need more than an excess of logs. Therefore, remember the need to extract useful information from these systems, which will help in detecting various attacks.
▪️ Regularly monitor cyber threats exploited by cybercriminals. Awareness of risks is our greatest weapon against hackers.
Stay Secure! 👾
We are pleased to announce that MessageFlow, a product from the Vercom S.A. group, has received the prestigious CSA (Certified Senders Alliance) Certification. This recognition not only underscores the...
We are proud to announce that Vercom S.A., the company behind the EmailLabs project, successfully passed an audit for compliance with the latest ISO/IEC 27001:2022 and ISO/IEC 27018:2019 standards....
The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part,...
Out of all the things that can go wrong when sending out marketing emails, having your emails end up in the recipient’s spam folder is arguably the most dreaded...
Email Authentication, Security
DMARC is an email authentication protocol that is designed to give domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Spoofing occurs...
With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing...
Deliverability, Sending Reputation
Are you just starting to send emails, transitioning to dedicated infrastructure, or switching your sending domain? Don’t overlook a key step – the warm-up process! Warming up an IP...
Best practices, Email Marketing
Email marketing is a powerful tool for businesses to connect with their audience, promote products, and drive conversions. However, simply sending out an email campaign is not enough to...
Deliverability, Sending Reputation
Are you just starting to send emails, transitioning to dedicated infrastructure, or switching your sending domain? Don’t overlook a key step – the warm-up process! Warming up an IP...
We are pleased to announce that MessageFlow, a product from the Vercom S.A. group, has received the prestigious CSA (Certified Senders Alliance) Certification. This recognition not only underscores the...
Best practices, Email Marketing
Email marketing is a powerful tool for businesses to connect with their audience, promote products, and drive conversions. However, simply sending out an email campaign is not enough to...
With the release of iOS 18 on September 16, 2024, Apple has introduced a long-anticipated update to Apple Mail: tabbed inboxes. While this feature isn’t a novelty – Gmail...
Gmail users may soon benefit from a game-changing feature called Shielded Email, designed to enhance privacy and combat spam. While the feature has not yet been officially launched, recent...
Are you frustrated with the constant struggle of your emails getting blocked by Gmail? Have you ever wondered about the reasons behind this issue and, more importantly, how to...
In the ever-evolving landscape of email management, Google has announced an exciting upgrade to Gmail’s summary cards, aimed at improving user experience and streamlining inbox navigation. The latest enhancements,...
Entering the world of email communication, you’ll encounter many terms that initially seem straightforward and intuitive. However, some of these can be pretty challenging. Accurately distinguishing between them is...
Attaching a folder to an email may seem complicated at first glance, especially if you’re trying to send multiple files or an entire project’s documents to a colleague or...