The iconic filmmaker John Carpenter once said this about horror films: "There are two different stories in horror: internal and external. In external horror films, the evil comes from outside, the other tribe, that thing in the dark that we don't understand. Internal is the human heart."
Similarly, there are two main cybersecurity horror stories: external attacks and internal threats. Like horror movies where teenagers are stalked by maniacal killers, or families are haunted by ghosts and unwanted specters, most organizations are under continuous attack from scary cyber threats in one form or another.

Companies must be wary of both external cyber-attacks and internal threats. Like a classic horror movie, both threats come with their own elements of mystery, suspense and fear. Fortunately, it is possible to defend against each type of attack using a similar cybersecurity strategy for each.
First, let's set the scene for the current security landscape.
Ghosts float through walls
In the past, IT focused on fortifying the network perimeter against outsiders. The idea was that if you keep the villains out, then nothing bad happens. It was the classic fortress-based approach to keeping zombie hordes at bay. But there was a fatal flaw. Many organizations obsessed with perimeter security gave implicit trust to anyone already on the inside. Suffice it to say, this approach triggered a series of terrible data breaches and paved the way for the zero trust movement.
Of course, companies must continue to protect the perimeter and defend against known threats, as they always have. Known cyber threats represent a harbinger of doom that looms over every organization. But today's businesses must go beyond that and be on the lookout for unpredictable threats that scare you when you least expect it.
Like the subgenres of the horror film industry, there are classifications for different types of cyber threats. Let's look at four of the scariest cybersecurity horror stories, some coming from the outside and some from the inside.
The possessed
To conjure up their nefarious schemes, cybercriminals need access. Methods for gaining access vary, but one of the most common tactics is account compromise: hijacking an account that already has the right access.
Just like the horror film "Paranormal Activity", where an evil entity possesses the main character, an attacker takes over a compromised account for their own wicked ends. This means the intruder can reach any of the systems and applications that the compromised account has access to, and nobody will know that anything is wrong.

How does account compromise happen? It usually involves password guessing, malware, malicious ads or keystroke logging. It can also happen through Pass-the-Hash attacks and brute-force password attacks. But targeted phishing is still probably the most prevalent technique for compromising accounts.
Account compromise attacks are difficult to discover because, from a detection point of view, they resemble an insider threat. Conventional whitelist/blacklist security solutions are ineffective at stopping account compromise, because to these solutions the account looks legitimate. So what is the holy water that can be sprinkled on account compromise's nemesis? Behavior-based security analysis.
With behavior analysis, it is possible to detect these "possessed" accounts based on anomalous behavior patterns. Such abnormal activity can include unusual access to sensitive or high-risk assets, many access requests in a short period of time, activity originating from inactive accounts, and more. Anomalies identified as inconsistent with the normal activities of a user or their peers trigger an alert that allows security teams to intervene.
Peeping Tom in the shadows
Privileged access abuse is an attack that overlaps with account compromise. First, the cyber attacker breaches perimeter security through one of many ways. Once inside, they look for SSH keys, passwords, certificates and similar assets. Their goal is to steal credentials that allow them to elevate their access, gain unrestricted movement on the network, and steal data anonymously at will. Because they use automated hacking tools, this whole process can happen surprisingly quickly.

But, like the patient predator stalking its victims, attackers often bide their time. They will silently monitor activity and then use the information they gather to expand their control of the network. Hackers lurk on the network for an average of 206 days before they are discovered. That's a long time for any malicious entity to lurk.
And it's not just strangers that are to be feared. There is also an element of insider threat. IT staff generally have anonymous access on the network through shared privileged accounts, with passwords that rarely change. This gives cyber criminals the opportunity to spy and take sensitive data without anyone knowing. So what can you do to eliminate these ghosts in your midst?
Identity analytics technology can discover who has privileged access with rights that may have increased after provisioning, or exist within applications and unstructured data. This enables IT security leaders to manage, monitor and control privileged access with optimal effectiveness.
And with user and entity behavior analytics (UEBA) it is possible to automatically analyze data to reveal suspicious activity: access to inappropriate files, systems and applications being accessed from new locations or new devices, and even stranger things that could indicate suspicious behavior.
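The behavior-based signals listed above (activity from a dormant account, a burst of access requests, access to a sensitive asset, a new location or device) can be expressed as simple per-user baseline checks. The following is an added illustration, not code from the original post or from any UEBA product; the log records, thresholds and the set of "sensitive" assets are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"hr-payroll", "finance-db"}       # assumed high-risk assets
BURST_LIMIT, BURST_WINDOW = 5, timedelta(minutes=2)
DORMANT_AFTER = timedelta(days=30)

def build_profiles(events):
    """Per-user baseline: known locations, devices, resources, last-seen time."""
    prof = defaultdict(lambda: {"loc": set(), "dev": set(), "res": set(), "last": None})
    for ts, user, res, loc, dev in events:
        p, t = prof[user], datetime.fromisoformat(ts)
        p["loc"].add(loc); p["dev"].add(dev); p["res"].add(res)
        p["last"] = t if p["last"] is None else max(p["last"], t)
    return prof

def detect(baseline, recent):
    """Return {user: sorted anomaly reasons} for events in the recent window."""
    prof, alerts, times = build_profiles(baseline), defaultdict(set), defaultdict(list)
    for ts, user, res, loc, dev in sorted(recent):
        t, p = datetime.fromisoformat(ts), prof.get(user)
        if p is None:                               # never seen in the baseline
            alerts[user].add("unknown-account"); continue
        if t - p["last"] > DORMANT_AFTER:           # inactive account woke up
            alerts[user].add("dormant-account-active")
        if loc not in p["loc"]: alerts[user].add("new-location")
        if dev not in p["dev"]: alerts[user].add("new-device")
        if res in SENSITIVE and res not in p["res"]: alerts[user].add("sensitive-asset")
        w = times[user]; w.append(t)                # trailing request window
        while t - w[0] > BURST_WINDOW: w.pop(0)
        if len(w) > BURST_LIMIT: alerts[user].add("access-burst")
    return {u: sorted(r) for u, r in alerts.items()}

# Constructed sample log: (timestamp, user, resource, location, device)
BASELINE = [
    ("2024-02-01T09:00:00", "alice", "crm", "office", "laptop-a"),
    ("2024-02-05T09:00:00", "alice", "wiki", "office", "laptop-a"),
    ("2024-01-01T10:00:00", "bob", "wiki", "office", "laptop-b"),
]
RECENT = [
    ("2024-03-10T02:00:00", "bob", "finance-db", "office", "laptop-b"),
    ("2024-03-10T02:05:00", "mallory", "crm", "office", "laptop-z"),
] + [(f"2024-03-01T09:00:{s:02d}", "alice", "crm", "remote-7", "vm-x") for s in range(0, 60, 10)]

if __name__ == "__main__":
    for user, reasons in detect(BASELINE, RECENT).items():
        print(user, reasons)
```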
So much for the first part of our post. If you want to keep learning how to protect yourself from cyber attacks, don't miss the second part.