It seems new malware attacks are discovered nearly every day.
Why do they keep working? What can you do to prevent them?
Computers are built for a broad audience, allowing for a diverse range of software and hardware configurations. This one-size-fits-all approach leads to the general weaknesses upon which malware preys.
But just because computers are made for everyone, doesn’t mean everyone’s needs are the same. Just because a business down the road needs particular software, doesn’t mean you do.
That’s why cyber security customization is so important. By deciding which options are right for you, you can dramatically reduce your exposure and minimize your risks.
Keep in mind that custom security measures first depend upon the basics: defense-in-depth or zero-trust access control, patching and update maintenance, and security monitoring.
Once those are taken care of, it’s time to look into what further options you can take.
Examples of Security Customization Options
Although customization doesn’t provide magic bullets to defeat attackers, it can offer early alerts or even block the basic tools attackers use.
Egress filtering, for instance, helps block malware by examining the specific needs of your business and creating security rules around them.
For example, if you run internal Domain Name System (DNS) servers, you’ll want to block external DNS services. On the other hand, if you use external DNS, allow calls only to the approved DNS servers.
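The DNS egress rule above can be checked against firewall flow logs. The following Python sketch is an added example, not code from the original article. The addresses, the 10.0.0.0/8 internal range, the log format, and the idea that internal resolvers forward to approved upstream servers are all assumptions made for illustration.

```python
import ipaddress

# Assumed policy values, constructed for illustration (not from the article).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_RESOLVERS = {"10.0.0.53"}                    # internal DNS servers
APPROVED_UPSTREAM = {"192.0.2.53", "198.51.100.53"}   # documentation-range IPs
DNS_PORTS = {53, 853}  # DNS over UDP/TCP and DNS over TLS; DoH on 443 is not covered

# Constructed flow records in the form "src dst proto dport".
SAMPLE_FLOWS = """\
10.0.0.53 192.0.2.53 udp 53
10.0.5.21 10.0.0.53 udp 53
10.0.5.21 192.0.2.53 udp 53
10.0.5.40 203.0.113.8 tcp 853
10.0.5.40 203.0.113.9 tcp 443
bad line
"""

def check_flow(src, dst, dport, internal_dns=True):
    """Return None if the DNS egress policy allows the flow, else a reason."""
    if dport not in DNS_PORTS or ipaddress.ip_address(dst) in INTERNAL_NET:
        return None  # not outbound DNS, so this rule does not apply
    if dst not in APPROVED_UPSTREAM:
        return "unapproved external resolver"
    # Internal-DNS mode: only the internal resolvers may talk to the outside.
    if internal_dns and src not in INTERNAL_RESOLVERS:
        return "client bypassing internal resolver"
    return None

def audit(text, internal_dns=True):
    """Return (line number, reason) for every flow that violates the policy."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            src, dst, _proto, dport = line.split()
            reason = check_flow(src, dst, int(dport), internal_dns)
        except ValueError:  # wrong field count, bad port, or bad address
            findings.append((n, "unparseable record"))
            continue
        if reason:
            findings.append((n, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Passing internal_dns=False models the external-DNS case, where any client may reach the approved servers and nothing else.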
Customization also complements and enhances your existing efforts based on the behavior of your users.
Most users wouldn’t know what a Command Prompt is, let alone how to launch it. Many users haven’t heard of Net.exe or even PowerShell, either. Yet these fundamental tools exist in some form within all operating systems, and can’t be removed.
So, the average employee doesn’t sit down to work, launch PowerShell, open the Command Prompt, and deploy new software. It’s the sort of behavior that should trigger red flags – or at least a visit from an IT member.
While AI-enhanced endpoint protections use algorithms to detect strange behavior, you can also set up manual alerts.
When admins need these tools for legitimate purposes, they’ll be able to handle the alerts without problems. Regular employees, however, won’t be able to use them without triggering the alarms.
Even though only expert administrators should ever touch these tools, default configurations often leave them completely unrestricted.
These tools should be access-restricted through Windows Local Group Policy, logged, and audited.
Don’t give hackers easy access to these critical tools, and ensure any use triggers an alert.
"Good Enough" Isn’t Good Enough
One initial tactic launched by ransomware attackers is to deploy Red Team attack software, such as Cobalt Strike and Mimikatz.
These legitimate tools were developed for IT experts to test the security of their own organizations, or on behalf of a client. However, hackers sometimes use this same software to conduct their attacks.
While some anti-malware tools can be customized to detect or block the use of these programs, that alone isn’t enough.
On March 31, 2021, the Conti ransomware gang gained PC access to Ireland’s Health Service Executive (HSE), which operates the nation’s public healthcare.
Though anti-malware successfully detected the use of Cobalt Strike and Mimikatz, no one responded to the warning. As a result, Ireland’s healthcare system was under full attack two months later.
What went wrong?
The security setup failed in two fundamental ways. First, the anti-malware was set to monitor, but not interfere. Second, the alert was ignored.
The HSE understood that their users don’t use attacking tools, and properly customized alerts to warn about activity. Unfortunately, they didn’t configure their anti-malware to automatically block usage.
Though they were alerted, human negligence worsened the problem.
For customized security to work well, make sure your business follows through appropriately. Don’t settle for alerts when you can block access altogether.
And, if you really do prefer only using alerts, then don’t settle for anything less than immediate response and action.
Proper Security Customization
Only a tiny percentage of employees are inconvenienced by denied access to command prompts, PowerShell, or other dangerous programs.
As a result, one effective way to protect your organization is investing time to establish more secure Work Groups in Active Directory.
Further, Red Team attack software should be automatically quarantined or blocked by anti-malware. Both attacking software and command-line tools should generate alerts in any operating system. Alerts should be escalated for basic users.
Cybersecurity monitoring must also be in place so triggered alerts are addressed quickly and decisively.
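The alerting rules described here and in the earlier section on command-line tools can be expressed as a small triage routine. This Python sketch is an added example, not code from the original article. The account names, the event layout, and the 15-minute acknowledgement target are assumptions made for illustration.

```python
import ntpath

# All values below are assumptions constructed for illustration.
WATCHED_TOOLS = {"cmd.exe", "powershell.exe", "net.exe"}  # tools named in the article
ADMIN_USERS = {"corp\\it-admin1"}   # hypothetical admin account
ACK_SLA_SECONDS = 15 * 60           # hypothetical response-time target

# Constructed process-creation events: (id, epoch seconds, user, image path).
SAMPLE_EVENTS = [
    (1, 1000, "CORP\\it-admin1",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (2, 1060, "CORP\\jsmith", r"C:\Windows\System32\cmd.exe"),
    (3, 1075, "CORP\\jsmith", r"C:\Windows\System32\NET.EXE"),
    (4, 1100, "CORP\\mlee", r"C:\Windows\System32\notepad.exe"),
]

def classify(user, image):
    """Return None (not watched), 'log' (admin use) or 'escalate' (basic user)."""
    tool = ntpath.basename(image).lower()  # Windows file names are case-insensitive
    if tool not in WATCHED_TOOLS:
        return None
    return "log" if user.lower() in ADMIN_USERS else "escalate"

def triage(events):
    """Turn raw events into alert records, dropping unwatched processes."""
    alerts = []
    for event_id, when, user, image in events:
        severity = classify(user, image)
        if severity:
            alerts.append({"id": event_id, "time": when,
                           "user": user, "severity": severity})
    return alerts

def overdue(alerts, acknowledged_ids, now):
    """Escalated alerts that nobody acknowledged within the target time.

    This is the failure mode in the HSE case: the alert fired correctly
    and then went unanswered.
    """
    return [a["id"] for a in alerts
            if a["severity"] == "escalate"
            and a["id"] not in acknowledged_ids
            and now - a["time"] > ACK_SLA_SECONDS]

if __name__ == "__main__":
    alerts = triage(SAMPLE_EVENTS)
    print(alerts)
    print(overdue(alerts, acknowledged_ids={2}, now=2000))
```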
To explore how security customization can help protect your organization, contact Ideal Integrations and Blue Bastion at 412-349-6680, or fill out the form below!
Our experts are happy to discuss your options with a no-obligation consultation.