By Nick Alevetsovitis
The bad actors perpetrating cyberattacks are a growing threat, with bolder and more sophisticated approaches. Cybersecurity attacks are often described as a linear progression, with pre-attack strategies that include planning, development, and reconnaissance on the left and the actual attack to the right.
Most organizations are focused on the right side, only reacting to an attack. As a mindset, this needs to change if organizations are to thwart attacks before they happen. When organizations can detect and prevent attackers in the reconnaissance phase, they are less likely to be victims of a full-blown attack.
When cyber-criminals conduct reconnaissance with impunity, attacks are more effective and cause more damage. A recent FortiGuard Labs Threat Landscape Report shows the risk is growing; data collected from a global array of sensors showed that the number of ransomware variants had almost doubled over the previous six months.
The commoditization of ransomware into Ransomware-as-a-Service (RaaS) drives this growth. A subscription model for ransomware makes it easy for almost anyone to target people, businesses, and other organizations. As this nefarious business grows, developers are compelled to use new technologies to differentiate their products on the dark web.
What is Reconnaissance?
Reconnaissance is one of the early phases of an attack and is characteristic of advanced persistent threats (APTs), like those perpetrated by nation-states. Reconnaissance includes testing networks for vulnerabilities, obtaining unauthorized access, and avoiding detection so attackers can observe and move through the network for an extended time.
Cybercriminals investing in reconnaissance can improve their chances of uncovering a zero-day vulnerability and executing a successful attack. After all, ransomware is still a lucrative business. Investing resources into new attack techniques can continue to generate profits for the attacker, either by selling their technology on the dark web or executing attacks themselves to collect the ransom.
What can CISOs do about it?
Organizations need to invest in scalable security that provides visibility and communication across the whole network to meet the challenge of these advanced attacks. Artificial intelligence (AI) needs to bolster security solutions to enable real-time detection and remediation. By leveraging machine learning (ML) and AI, organizations can respond more quickly to attacks.
Anti-malware with AI detection signatures is also critical, as are modern endpoint detection and response (EDR) and next-generation firewalls (NGFWs), especially in today’s more complex hybrid networks. Organizations can also benefit from network detection and response (NDR) with self-learning AI to better detect intrusions.
Uncovering reconnaissance attempts requires organizations to invest in advanced intrusion prevention system (IPS) detection and sandbox solutions designed to quarantine anything suspicious.
Organizations can look to a Digital Risk Protection (DRP) service to counter reconnaissance and cyberattacks. Providing an outside-the-network view helps identify exposed assets (known or previously unknown) that are vulnerable, public cloud misconfigurations, leaked credentials and sensitive data, and more. Simply put, it surfaces anything that can be exploited.
When leaked credentials are for sale on hacker forums, there is a high probability that they will be used in an attack against the organization. Therefore, by actively monitoring hacker forums, ransomware groups, and other sources for leaked data, organizations can gain early visibility into imminent threats and take proactive steps to prevent attacks or disrupt those in progress.
Organizations should consider deception techniques as well. Deception technology is a non-intrusive, easy-to-manage network of landmines that mimics an organization’s sensitive assets (files, credentials, applications, servers) with which only attackers interact, making it the most accurate way to detect malicious in-network activity. Decoys and deception tokens generate high-quality intelligence data with zero false positives, helping SOC teams effectively detect, analyze, and automatically respond to stop attacks before they impact the business.
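As an added illustration of the two detection ideas above (this is example code written for this page, not Fortinet's product logic), the block below runs two defender-side checks over constructed log lines: reconnaissance is flagged when one source touches many distinct ports in a short window, and a deception token fires when a decoy account that no real workflow uses appears in an auth log. All IPs, hostnames, usernames, log formats and thresholds are constructed assumptions.

```python
"""Added example, not from the article: detect reconnaissance (port scans)
and deception-token use over constructed log lines."""
from collections import defaultdict

# Constructed firewall log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <action>".
# 203.0.113.9 probes a dozen ports in ~11 seconds; 198.51.100.7 is a normal client.
SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
FW_LOG = [f"{1700000000 + i} 203.0.113.9 10.0.0.5 {p} deny"
          for i, p in enumerate(SCANNED_PORTS)] + [
    "1700000100 198.51.100.7 10.0.0.5 443 allow",
    "1700000130 198.51.100.7 10.0.0.5 443 allow",
]

# Constructed auth log lines: "<epoch> <user> <src_ip> <result>".
AUTH_LOG = [
    "1700000200 alice 198.51.100.7 success",
    "1700000210 svc_backup_old 203.0.113.9 failure",
    "1700000215 bob 198.51.100.8 failure",
]

# Decoy accounts seeded as deception tokens (constructed names). No legitimate
# process ever uses them, so any sighting is high-confidence by construction.
HONEYTOKENS = {"svc_backup_old", "finance-share-admin"}


def detect_port_scans(lines, window=60, min_ports=10):
    """Return {src_ip: distinct_port_count} for sources that hit at least
    `min_ports` distinct destination ports within any `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        ts, src, _dst, port, _action = line.split()
        events[src].append((int(ts), int(port)))
    hits = {}
    for src, ev in events.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):          # sliding window from each event
            ports = {p for t, p in ev[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


def detect_honeytoken_use(lines, tokens=HONEYTOKENS):
    """Return [(user, src_ip)] for every auth attempt against a decoy account,
    regardless of success or failure: touching the token is the signal."""
    alerts = []
    for line in lines:
        _ts, user, src, _result = line.split()
        if user in tokens:
            alerts.append((user, src))
    return alerts
```

In practice the honeytoken alert would also carry the decoy's planted location (which share, file or config it was seeded in), since that tells the SOC where the attacker has already been.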
Integrate for best results
Without an integrated approach to deploying these solutions, organizations risk blind spots that can enable bad actors and provide the openings needed to initiate an attack. With an integrated security platform like Fortinet Security Fabric, organizations have a consistent experience across the distributed network, including the data center, campus, branch, endpoint, multi-cloud and home office. This approach makes it easier for defenders to detect and respond to threats by integrating security and networking solutions.
As cybercriminals continue to up their game and invest in early-stage reconnaissance efforts, they will undoubtedly uncover more zero-day exploits and execute more damaging attacks. CISOs can better align their security efforts to detect an attack at the earliest stage with greater visibility, control, and the power of AI and ML – and by stopping cybercriminals at the reconnaissance stage, they can ensure a better return on security investments.
Nick Alevetsovitis is Vice President, Canada Enterprise and Commercial Business at Fortinet