How to minimise the impact of a data breach using internal controls

Guest post by Rob Allen, an IT professional with almost two decades of experience assisting small and medium enterprises to embrace and utilise technology.

It’s not enough to lock the front door: minimising the impact of a breach through internal controls

Stand First: A layered approach to control measures on a solid foundation gives the best chance of containing the impact of any breach or attack

The most recent Verizon Data Breach Investigations Report has shown that even now, 1 in 5 breaches remain undiscovered for months or more. The report also finds that the most common notifier of a breach is not even the breached organisation itself.


That gives a lot of time for attackers to move around in an organisation’s IT system, often unknown to the victim.

Additionally, the 2022 report reveals how the threat landscape is changing. The vast majority (82%) of breaches involved a human element, including social attacks, errors and misuse. There was a significant increase (13%) in ransomware breaches — more than in the last 5 years combined. Almost two thirds (62%) of incidents in the System Intrusion pattern involved threat actors compromising partners.

In cyber security we often use the analogy of the castle with a stout front door. As this threat intelligence shows, it is not enough to protect the front door. Organisations must implement internal controls and measures to ensure that, if a breach does occur, attackers are not able to inflict more damage and loss by remaining undetected and moving freely with malicious intent. Extending the analogy, it is now clear that with suppliers being increasingly targeted as a means to gain entry to an ecosystem or supply chain, the trusted side entrance needs acknowledgement and protection too.

Cyber security tools and services are constantly evolving in the arms race between cybercriminals and the organisations trying to protect themselves, their customers and their reputations in a hostile landscape.

A layered, combined approach that builds on practices such as Network Control, with application containment by way of Ringfencing and management of local admin rights through Elevation Control, can prevent unwanted behaviour from users and applications. These tools can stop hackers and malware in their tracks, even after a breach, minimising damage and the risk of data loss, and protecting reputations and customers.

This layered approach to protection is based on the Zero Trust Model (ZTM), the operating model where users, applications and services are given the least privileged access necessary to do what they need to do. The benefit is that should something go wrong, such as in the case of stolen or compromised user credentials, a malware drop, or an application or service compromise, the least level of privilege immediately limits what can be done.

A key component of the ZTM is network segmentation, where the network is divided into subsections, often determined by sensitivity or function. This means traffic between the subsections can only take place according to need, permissions and policy. Any attacker gaining access to a system is then prevented from moving ‘east-west’ within the network, and any anomalous or malicious activity is easier to see and stop. A type of network segmentation can also be effectively achieved through software, with endpoint agents communicating together to dynamically control which devices can connect to which server resources.
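The default-deny behaviour described above can be shown with a small policy check. This is an added example, not code from the original article or from any product; the segment names, address ranges, ports and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segments and rules; names, ranges and ports are assumptions.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app-servers": ipaddress.ip_network("10.20.0.0/24"),
    "finance-db": ipaddress.ip_network("10.30.0.0/28"),
}

# Explicit allow list: (source segment, destination segment, TCP port).
ALLOWED = {
    ("workstations", "app-servers", 443),
    ("app-servers", "finance-db", 5432),
}


def segment_of(ip):
    """Return the segment name containing ip, or None if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, port):
    """Default deny: a flow passes only if its segment pair and port are listed."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "unmapped address"
    if (src, dst, port) in ALLOWED:
        return "allow", f"{src} -> {dst}:{port}"
    return "deny", f"no rule for {src} -> {dst}:{port}"


def audit(flows):
    """Return the denied flows, i.e. the lateral movement candidates to review."""
    return [(f, evaluate(*f)[1]) for f in flows if evaluate(*f)[0] == "deny"]


# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.17", "10.20.0.5", 443),    # workstation to app server: allowed
    ("10.10.4.17", "10.30.0.3", 5432),   # workstation straight to the database
    ("10.10.4.17", "10.10.9.2", 445),    # workstation to workstation over SMB
    ("10.20.0.5", "10.30.0.3", 5432),    # app server to database: allowed
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow, reason)
```

Because nothing is allowed unless listed, the workstation-to-workstation and workstation-to-database flows are both denied and surface as items to investigate.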

Additionally, Ringfencing further prescribes allowable and acceptable interactions. It controls what applications are able to do once they are running, reducing the likelihood of an exploit being successful or an attacker weaponising legitimate tools, such as PowerShell. Ringfencing allows you to control how applications can interact with other applications, for example, by stopping Microsoft Word from being able to call PowerShell. This prevents an attempted exploit of a known vulnerability, such as Follina, from being leveraged for living-off-the-land attacks using tools such as PowerShell.
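The same application-interaction rule can be checked on the detection side by reviewing process-creation events. The sketch below is an added example, not the article's or any vendor's code; the policy and events are constructed, and it walks the process ancestry so that PowerShell started through an intermediate child of Word is still attributed to Word.

```python
import ntpath

# Constructed policy (an assumption, not a product's rule set): programs that
# the named application must never launch, directly or through a child.
POLICY = {
    "winword.exe": {"powershell.exe", "pwsh.exe"},
}

# Constructed process-creation events: pid, parent pid, image path.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def name_of(image):
    """Lower-cased file name of a Windows path, whatever OS this runs on."""
    return ntpath.basename(image).lower()


def ancestors(pid, by_pid):
    """Yield the names of a process's ancestors, nearest first."""
    seen = set()
    parent = by_pid.get(pid, {}).get("ppid")
    while parent in by_pid and parent not in seen:
        seen.add(parent)  # guards against pid reuse forming a loop
        yield name_of(by_pid[parent]["image"])
        parent = by_pid[parent]["ppid"]


def violations(events, policy=POLICY):
    """Return (pid, child name, restricted ancestor) for each breach of policy."""
    by_pid = {e["pid"]: e for e in events}
    found = []
    for e in events:
        child = name_of(e["image"])
        for anc in ancestors(e["pid"], by_pid):
            if child in policy.get(anc, ()):
                found.append((e["pid"], child, anc))
                break
    return found


if __name__ == "__main__":
    for pid, child, anc in violations(SAMPLE_EVENTS):
        print(f"pid {pid}: {child} launched under {anc}")
```

Only the PowerShell instance descended from Word is reported; the one started from the desktop shell is not, which keeps the rule about the interaction rather than the tool.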

Another common technique of malicious actors is to elevate the privileges of compromised resources, such as users, services or applications, to allow them to move beyond their initial access level. Elevation Control enables users to run specific applications as a local administrator, even when they do not have local admin privileges. It gives IT administrators finer control, enabling them to decide exactly which applications can run as a local admin without needing to give users local admin rights. Administrators can review the applications and select which can be run as a local administrator. Once enabled, a user can run the software as a local administrator without entering any credentials. This kind of facility is vital in today’s increasingly hybrid world, where combinations of on-premises resources mix seamlessly with cloud resources and beyond.

No one technique or service is going to secure a network, its data and users from malicious actors. However, a zero-trust approach, implemented through layered measures such as Network Control, Ringfencing and Elevation Control, provides a granular level of visibility and control that not only allows anything suspicious to be identified earlier, but also provides the ability to limit, isolate and mitigate the suspicious activity.

In today’s world, where a user can be almost anywhere but still require access to the most sensitive information, network and cyber security overall must be flexible, agile and resilient enough to provide that access safely and in a timely manner.

These techniques are evolving to simply become network control — complete visibility and control of the networks that are the fabric of the digital business.

About Rob Allen

Rob Allen is an IT professional with almost two decades of experience assisting small and medium enterprises to embrace and utilise technology. He has spent the majority of this time working for an Irish-based MSP, which has given him invaluable insights into the challenges faced by MSPs and their customers today. Rob’s background is technical: first as a system administrator, then as a technician and an engineer. His broad technical knowledge, as well as an innate understanding of customers’ needs, made him a trusted advisor for hundreds of businesses across a wide variety of industries.

Rob has been at the coalface, assisting clients in remediating the effects of, and helping them recover from, cyber and ransomware attacks. Rob joined the ThreatLocker team in 2021, excited at the prospect of building new relationships and helping deliver ThreatLocker’s enterprise-level security products to customers throughout the EMEA region.


Simon Cocking
