Essential recommendations for successfully preventing a security incident
Many companies discover only after a security incident that they have neglected several aspects of cyber protection. This is the alarm signal raised by the experts of Safetech Innovations, who, following the advanced analyses of critical security incidents they carried out in 2023, observed a recurring set of deficiencies. Based on these observations, Safetech proposes a list of measures that are necessary for preventing security incidents.

Market information currently indicates a “notable escalation of cyber attacks” in number, intensity and consequences (according to the ENISA 2023 Threat Landscape report). The same picture emerges from the Panaseer 2022 Security Leaders Peer Report, which surveyed 1,200 information security managers: 82% of them admitted that their organization had lost control of at least one cyber incident or had recorded a security breach.

After carrying out approximately 80 advanced consulting engagements in 2023, covering security incident coordination, forensic analysis, advanced log analysis and consulting on the application of security best practices, the Safetech experts who delivered these services drew the conclusions presented below.
The X-ray of a security incident
In 2023 Safetech performed advanced analyses of critical cyber security incidents for customers in the financial services, hospitality, media and manufacturing industries. In most cases the investigation took place post-attack, its objective being to identify the attack vector, the tactics, techniques and procedures (TTPs) used and the affected systems, and to deliver recommendations for rapidly remediating the client's security posture.

Depending on the size of the affected network, the visibility obtained over the IT systems and the number of artifacts collected, investigations lasted between 1 and 5 days. In every case, within six hours of the start of the investigation the Safetech experts communicated their first conclusions about the incident together with a set of initial recommendations.

Another conclusion is that the investigation of a security incident depends heavily on system visibility and on the data that can be collected. Where all logs had been encrypted by a successful ransomware attack, reconstructing the attacker's techniques and steps was difficult and sometimes impossible.

Likewise, for customers who had no advanced security solutions in place, Safetech experts quickly deployed their own tools to investigate the compromised systems; this process takes time, however, and does not always recover the data that is needed.
What were the main causes?
In analyzing these critical incidents, the Safetech team considered the three main components needed to ensure security: people, processes and technologies. Most of the time it was a combination of factors that allowed an attack attempt to turn into a real security breach with severe consequences. In the cases investigated by Safetech in 2023, the common causes were:
- Inadequate user education regarding cyber hygiene,
- Inadequate application of security patches,
- The lack of thorough hardening procedures to reduce vulnerabilities at the level of the IT infrastructure, systems and applications, and in particular insufficient protection of externally reachable access points and applications,
- The lack of IT security technologies and tools,
- The absence of specialists to monitor IT security permanently and investigate the alerts that emerge.
Through this accumulation of weaknesses, the organizations analyzed failed to block the available attack vectors and thus gave attackers the opportunity to complete cyber attacks with severe legal, economic and reputational consequences.
Recommendations for preventing incidents
Based on their advanced analyses of critical security incidents, Safetech experts recommend the following set of measures for blocking cyber attack attempts and preventing critical incidents:
- Implement a 24/7 cyber security monitoring process built on the three main pillars: people, processes and technologies. Running this process requires a specialized team that continuously monitors vulnerabilities and security threats and is able to identify threats and respond quickly to any security incident.
- Use modern cyber security solutions such as IDS/IPS (Intrusion Detection/Prevention System), SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response), NDR (Network Detection and Response) or XDR (Extended Detection and Response), which provide visibility and the ability to respond rapidly to incidents both at the level of network traffic and at the level of your IT systems. We also recommend a perimeter security solution capable of analyzing files in transit (email attachments and downloads) and of inspecting HTTPS traffic, so that APT and zero-day malware can be detected by sandboxing files, either locally or in the cloud.
- Implement a periodic backup program for the organization's critical data. Because attackers now routinely target backups as well, it is essential that backup copies are kept offline and encrypted, and that restoring from them is tested regularly.
- Carry out periodic employee awareness programs on current cyber threats, together with exercises that test the organization's security posture.
- Apply the latest security patches to all systems used within the organization.
- Enforce strong password management and strict compliance with basic password security rules, and systematically secure access to your network, data and IT applications.
- Adopt Multi-Factor Authentication (MFA) for all services, especially webmail, VPN and any account that accesses critical systems.
- Apply the principle of least privilege to all systems and services, so that users can access only the resources they need to perform their tasks.
- Apply network segmentation to limit lateral movement during a security incident and, implicitly, the impact of any intrusion.
- Collect logs from network devices and systems securely, store them centrally off the hosts that generate them, and implement a log management system.
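The last recommendation, together with the observation above that investigations stalled where ransomware had encrypted all logs on the affected hosts, is the one that most directly determines whether an incident can be reconstructed afterwards. The following example is added here to illustrate the point; it is not Safetech's code or a product feature. It shows a minimal tamper-evident log forwarding scheme: the forwarder wraps each log line in a record whose HMAC also covers the previous record's HMAC, and the collector stores the records plus a separate checkpoint (record count and last HMAC). An investigator can then prove that the copy held off-host is complete and unmodified, or pinpoint where it was altered, truncated or had entries removed. The shared key, the hypothetical hostname and the log lines are all constructed for the example.

```python
"""Tamper-evident log forwarding with an HMAC hash chain.

Added example, not code from Safetech. Assumes a secret shared between the
forwarder and the collector (in practice the collector would hold the key and
the forwarder would only be allowed to append, never to rewrite history).
"""
import hashlib
import hmac

# Constructed sample syslog-style lines from a hypothetical host "fw01";
# they do not come from any real incident.
SAMPLE_LOGS = [
    "Mar 12 02:14:07 fw01 sshd[4121]: Failed password for admin from 203.0.113.9 port 51022 ssh2",
    "Mar 12 02:14:09 fw01 sshd[4121]: Failed password for admin from 203.0.113.9 port 51022 ssh2",
    "Mar 12 02:14:15 fw01 sshd[4130]: Accepted password for admin from 203.0.113.9 port 51040 ssh2",
    "Mar 12 02:15:01 fw01 CRON[4150]: (root) CMD (/tmp/.x/run.sh)",
]

GENESIS = "0" * 64  # link value for the first record of a chain


def _mac(key: bytes, seq: int, prev: str, line: str) -> str:
    """HMAC-SHA256 over the sequence number, the previous MAC and the line.

    Binding seq and prev into the MAC is what makes reordering, deletion
    and modification detectable; a MAC over the line alone would not.
    """
    msg = f"{seq}\n{prev}\n{line}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def chain_entries(lines, key: bytes):
    """Forwarder side: turn raw log lines into chained records."""
    records = []
    prev = GENESIS
    for seq, line in enumerate(lines):
        mac = _mac(key, seq, prev, line)
        records.append({"seq": seq, "prev": prev, "line": line, "mac": mac})
        prev = mac
    return records


def checkpoint(records):
    """Collector side: (count, last MAC) to be stored separately from the log.

    The chain alone cannot reveal that its tail was cut off, so the collector
    periodically records this pair in a place the forwarder cannot write to.
    """
    if not records:
        return 0, GENESIS
    return len(records), records[-1]["mac"]


def verify_chain(records, key: bytes, expected_count=None, expected_last=None):
    """Investigator side: return (ok, index_of_first_problem, reason)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, i, "sequence gap"        # a record was removed or inserted
        if rec["prev"] != prev:
            return False, i, "broken link"         # record does not follow its predecessor
        if not hmac.compare_digest(rec["mac"], _mac(key, i, prev, rec["line"])):
            return False, i, "bad mac"             # line or header was modified
        prev = rec["mac"]
    if expected_count is not None and len(records) != expected_count:
        return False, len(records), "truncated"    # tail removed after the checkpoint
    if expected_last is not None and prev != expected_last:
        return False, len(records), "checkpoint mismatch"
    return True, None, None


if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed; never hard-code a real key
    recs = chain_entries(SAMPLE_LOGS, key)
    count, last = checkpoint(recs)
    print("intact:", verify_chain(recs, key, count, last))
    tampered = [dict(r) for r in recs]
    tampered[2]["line"] = tampered[2]["line"].replace("Accepted", "Failed")
    print("tampered:", verify_chain(tampered, key, count, last))
    print("truncated:", verify_chain(recs[:-1], key, count, last))
```

In a real deployment the same idea is applied by shipping records over an authenticated channel (for example syslog over TLS) to a collector the endpoints cannot administer, and by storing the checkpoint in a separate system; the scheme above only makes tampering detectable, it does not prevent it, so the off-host copy still has to exist for the evidence to survive a ransomware run.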
Why choose Safetech for cyber security incident response?
At the core of Safetech's advanced analysis service for critical security incidents are the experts, analysts and consultants of our Computer Emergency Response Team (STI CERT), operational since 2015, which currently investigates, with 24/7 coverage, an average of 12,000 security alerts per month and identifies and handles approximately 150 security incidents per month.
The Advanced Security Incident Analysis (Level 3) team has, in addition to a wide range of tools and procedures that support the analysis of critical incidents, consultants with solid experience in cyber security who can quickly identify security breaches and communicate promptly with the departments involved in analysis and remediation, for a fast and efficient resolution of the problems. STI CERT analysts also hold multiple professional certifications obtained through (ISC)², ISACA and EC-Council.
Safetech's portfolio of services and technical solutions covers all ten measures listed above for preventing critical incidents. If you intend to improve your security posture in any of these directions, we are at your disposal with technical and commercial information, as well as with demonstrations or pilot tests.
We invite you to follow the Safetech page on LinkedIn, https://www.linkedin.com/company/safetech-innovations/, where we will announce the continuation of this article with detailed presentations of our recommendations for preventing security incidents through recurrent testing and validation of security systems and through staff training in cyber security.