Proactive and Reactive Strategies for the Prevention and Containment of Cyberattacks

Prioritizing strategies to prevent and contain threats

There is no magical answer to security (despite what some vendors may claim). Even organizations with mature security programs can be vulnerable to user errors and sophisticated criminals. The goal is to be a harder target: making it more difficult for criminals to gain a foothold and have a well-defined containment strategy for a cybersecurity incident.

Small and mid-sized organizations are targeted by hackers for many reasons, the most obvious being lack of resources. Large organizations can recruit and retain larger numbers of security professionals. They are also more likely to have budgets to license and manage security solutions. On the other hand, smaller organizations face the same challenges, but without the resources to build security teams and manage cutting edge defensive technologies.

As a result, small and mid-sized businesses are viewed by cyber-criminals as softer targets. Data backs this up. The 2023 Verizon Data Breach Investigation Report (see below) found that organizations with fewer than 1,000 employees accounted for 63% of the confirmed breaches studied.

Understanding a Changing Threat Landscape

Sophisticated cyber-criminals adapt to changing defenses. They understand as cybersecurity measures and technologies evolve, older cyberattack tactics become less effective or even obsolete. For example, older malware signatures will be stopped by updated antivirus software, and improved email filters will stop phishing attacks that may have been successful a year ago.

Cyber-criminals therefore constantly evolve their attacks. This, in turn, requires organizations to evolve as well. While updating antivirus signatures is certainly part of a proactive strategy, a comprehensive cybersecurity program should strive to cover all the bases and touch each facet of an organization.

Security is a Posture, not a Project

Every modern organization needs a cybersecurity program. While it might seem that cybersecurity is only needed by large banks and the Fortune 2,000, every organization has something to protect, whether it’s financial and employee information, go-to-market strategies, customer data, intellectual property, and the like. In the event of a breach, organizations can face financial losses, operational downtime, and irreparable damage to their reputation and customer trust. Small to mid-sized organizations often cannot afford these losses, making cybersecurity all the more essential.

Building and maintaining a good cybersecurity posture is a process and should be considered an ongoing initiative. Cybersecurity must go beyond IT staff and be embraced as a business function that spans people, process, and technology. The steps required to build and mature a security program will vary between organizations based on resources, IT infrastructure, regulatory demands, and skill sets. In all cases, however, a comprehensive and resilient program will include:

• Proactive strategies to anticipate and prevent attacks
• Containment strategies for inevitable security incidents

Prepare with Proactive Strategies

Any comprehensive cybersecurity program requires organizations to identify threats and anticipate likely attacks. This starts with an evaluation of the organization’s current posture to identify weaknesses that an attacker could exploit.

A cybersecurity assessment can be performed by qualified internal teams or a trusted partner. This is a checklist exercise that compares an organization’s current security practices against an accepted security standard like ISO 27001, Center for Internet Security (CIS) Controls, or the NIST Cybersecurity Framework. It will identify areas where security is adequate and where improvements can be implemented to reduce risk. Using an outside resource can be helpful if you need help prioritizing findings and identifying controls that are appropriate for the threat and your organization’s resources.

Another proactive activity is a penetration test (“pen test”) to assess your defenses against external attackers. In a pen test, a trained “ethical hacker” acts as would an adversary to identify and exploit weaknesses in your externally facing IT infrastructure. The resulting report should include prioritized findings, risk ratings, and remediation recommendations, so you can address these vulnerabilities before threats actors get there first.

While semi-annual assessments and penetration tests can identify weaknesses in processes and technology, the threat space can change rapidly when security patches are released for commercial software, or when new vulnerabilities are disclosed in widely used open source components. Maintaining an awareness of these developing threats is made simpler by using a threat alert service. Assessing and remediating threats requires regular vulnerability scanning.

Hackers are rational actors and prefer simple attacks if possible. Rather than work to find zero-day vulnerabilities in custom code (a difficult and time-consuming task) attackers can simply use publicly available exploits to find unpatched commercial software or known vulnerabilities in open-source software as a first attempt. A recent example is Log4Shell, an exploit targeting a vulnerability in Apache Log4J, a popular open source logging utility. Once a vulnerability is disclosed, a race begins between teams charged with patching now vulnerable systems and attackers seeking to exploit these temporary weaknesses.

In addition to assessments and testing, training to support a strong security culture is an important part of a comprehensive cybersecurity program. The previously referenced 2022 Verizon Report also found that “human factors”, including stolen credentials, phishing, information misuse, and user errors, accounted for 82 percent of breaches in the prior year. A good training program will include security awareness classwork with regularly scheduled reinforcement through e-learning and phishing simulations. 

Include Containment Strategies for Cybersecurity Incidents

Security professionals ascribe to the “assume breach” paradigm. This acknowledges that an attacker will be able to gain a foothold in your organization. This could come from an unpatched vulnerability, a phishing attack, a malicious insider, or through the more than 24 billion stolen credentials available on the dark web.

The first step in containing an attack is early identification. While most organizations lack the resources to monitor their defenses around the clock, a managed detection and response (MDR) service offers trained security experts to monitor your systems and alert you to potential attacks.  A professional MDR service acts as an extension of your security team to watch for malicious activity in web-facing applications, endpoints, network and perimeter devices, and cloud environments and step in to contain incidents and minimize damage.

A good containment strategy for a cybersecurity incident will also include an incident response plan. This is a documented set of guidelines and procedures that an organization follows to effectively respond to and manage cybersecurity incidents. It outlines the actions, responsibilities, and processes to be followed when an incident occurs, with the goal of minimizing damage, restoring normal operations, and preventing future incidents.

Looking for some friendly cybersecurity expertise? Let’s talk about crafting the right balance of proactive and reactive strategies for your organization today.