Author: Candid Wüest, Vice President of Cyber Protection Research, Acronis
We live in a hyper-connected world. Each day more devices are connected and more business is conducted online. Fueled by more and more workloads getting connected and the increasing complexity of systems, the attack surface grows as well. During the COVID-19 crisis in particular, many people were forced to stay at home. This resulted in more people working from home, but also in more online shopping. This in turn generates a lot of opportunities for cybercriminals to attack inexperienced online businesses and employees. Since some attackers are making millions in profit from defrauding their victims, with little risk for themselves, there is no reason for them to stop any time soon.
The menace affects everyone in Europe. For example, Spain was the 6th most attacked country in Europe in terms of ransomware according to Acronis’ March threat telemetry data, behind Germany, Italy and France in the top ranks. It may sound alarming, but cyberattacks can affect anyone, anywhere.
Here are five tips for you on how to protect against common cyberattacks.
Malware is the classic cyber threat that every organization faces regardless of its size. There is always something interesting for the attacker to gain. Small businesses might not be in the crosshairs of sophisticated advanced persistent threat (APT) groups, but due to the interconnected business world there is a high chance that the company could be used as a stepping stone to attack a different final target.
In April 2020, AV-Test.org recorded an average of 290,000 new malware samples each day. From password stealers and financial Trojans to data-destroying ransomware, each of them poses a risk to your organization and infrastructure. Ransomware attacks in particular, where data is encrypted and held hostage, can be devastating for an unprepared business. Sadly, there is no shortage of examples of such incidents. For example, there was the attack against Travelex in January, where the Sodinokibi group initially demanded US$ 6 million for the data and apparently got US$ 2.3 million in the end. In April the Portuguese energy company EDP became a victim of the Ragnar Locker ransomware. The cybercriminals stole 10 TB of data, encrypted the rest and demanded around US$ 11 million in ransom. Recently the IT consulting company Cognizant was hit by the Maze ransomware and thereby joined the long list of incidents at MSPs and service providers.
It should therefore be evident that you need a sophisticated endpoint protection solution to combat these threats. Modern anti-malware tools combine traditional signature-based detection with behavior-based analysis, in conjunction with machine learning (ML) or artificial intelligence (AI), in order to cope efficiently and proactively with the flood of cyberattacks.
The important part here is to operate a defense-in-depth model with multiple layers, ideally as an integrated solution that can correlate events across all the different levels, and to prevent, detect and remediate any threat as early as possible in the attack kill chain. For example, you want to be able to prevent the user from visiting a malicious website, detect any downloaded malware before it is executed, and block and revert any malicious behavior exhibited at runtime if a threat has been executed anyway.
Since most SMBs are unable to cope with hundreds of alerts per week, let alone thousands, due to a lack of resources, they often rely on their MSP, or use Endpoint Detection and Response (EDR) or Managed EDR solutions to close this skills gap.
Backup and disaster recovery
Not losing any data, and always having access to it when you need it, is key in today’s business world. Ransomware is one big threat to your data, but human error or natural disasters such as fire and floods can also result in data loss. It is therefore vital to have a business continuity and disaster recovery plan, so that you have a reliable backup of all required data and a fast and efficient way to restore it in the case of an incident. Such a plan needs to be tested and documented, so that you can rely on it if the worst case happens. In addition, you need to ensure that your backups are protected, as one of the first things cybercriminals try is to delete any backups they can find.
A shocking 10% of IT professional users said in the global Acronis cyber protection survey from 2020 that they do not back up their data at all, even though only 48% of those surveyed said they did not suffer a data breach last year. This is a clear indication that users are underestimating the risk, despite knowing better.
Identity and Access management
Cybercriminals often misuse weak passwords or stolen credentials in order to get access, a simple attack that we have all seen happen. In recent years the method of credential stuffing has become very popular. In this attack, attackers try all combinations of leaked usernames and passwords against every imaginable service and check whether the user used the same password on multiple accounts. If an email account is compromised in this way, an attacker might be able to reset passwords for additional services. This can allow them to take over the account completely and perform various attacks, such as sending personalized phishing emails, issuing fraudulent invoices in the booking system, accessing the CRM system or connecting to a remote system using the remote desktop protocol (RDP).
To remember all the different passwords, a centralized password manager can help. In addition, wherever possible multi-factor authentication (MFA) should be used to increase account security, as this makes it a lot harder for cybercriminals to misuse stolen credentials.
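As an added illustration of the credential stuffing pattern described above (not code from the article or from Acronis), the following Python detector flags a source that fails logins against many distinct accounts within a short window, which is the signature of stuffing rather than of one user mistyping a password; the log lines, usernames and addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an auth.log-like format (not real telemetry).
SAMPLE_LOG = """\
2020-05-04T10:00:01 sshd: Failed password for alice from 203.0.113.7
2020-05-04T10:00:02 sshd: Failed password for bob from 203.0.113.7
2020-05-04T10:00:02 sshd: Failed password for carol from 203.0.113.7
2020-05-04T10:00:03 sshd: Failed password for dave from 203.0.113.7
2020-05-04T10:00:04 sshd: Failed password for erin from 203.0.113.7
2020-05-04T10:00:05 sshd: Accepted password for frank from 203.0.113.7
2020-05-04T10:00:10 sshd: Failed password for alice from 198.51.100.9
2020-05-04T10:00:20 sshd: Failed password for alice from 198.51.100.9
2020-05-04T10:00:30 sshd: Failed password for alice from 198.51.100.9
2020-05-04T10:00:40 sshd: Failed password for alice from 198.51.100.9
2020-05-04T10:00:50 sshd: Failed password for alice from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, ip) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"users": n, "accepted": [...]}} for every source that failed
    against at least `min_users` distinct accounts inside `window`. A source that
    hammers a single account is a brute-force pattern, not stuffing, and is not
    flagged here; the "accepted" list shows which account, if any, the stuffing
    source then logged into, which is the one to lock and review first."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):      # sliding window from each event
            span = [e for e in events[i:] if e[0] - t0 <= window]
            failed_users = {u for _, r, u in span if r == "Failed"}
            if len(failed_users) >= min_users:
                accepted = sorted({u for _, r, u in span if r == "Accepted"})
                alerts[ip] = {"users": len(failed_users), "accepted": accepted}
                break
    return alerts
```

The same logic applies to web login or VPN logs once the regular expression is adapted to their format; MFA is what turns a flagged "accepted" login into a failed one.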
Vulnerability assessment and patch management
According to a survey by Tripwire, 34% of IT professionals in Europe admitted that their organization had been breached in 2019 as a result of an unpatched vulnerability. Updating your operating system and all of the installed software applications might be cumbersome without a procedure, but it is critical to do. Of course, this means that you need to know about all your workloads to begin with, so that you can do a vulnerability assessment and scan them for any missing updates. The best option is to rely on an automated process, so that you do not need to remember it each month. Fortunately, the quality of patches has improved in recent years, but it is still a reasonable practice to take a snapshot before rolling out patches, or to roll them out on a test machine first, as they could break some dependencies.
Sometimes there is no patch available yet. These so-called zero-day vulnerabilities can endanger your organization, but there are ways to mitigate the risk. For example, Acronis Cyber Protect specifically protects exposed applications, like the video conferencing software Zoom and WebEx, from exploits. Even if the application is not patched, the product can block an exploit from dropping and executing a payload onto the system. Of course it also uses the already mentioned behavior-based detection to monitor any application for suspicious behavior and block it.
Email and Awareness
Emails are an ideal vehicle for cyberattacks, as they are widely used and trusted, cheap to send and easy to spoof for the attacker. According to various studies released this year, 94% of malware attacks involved email as the initial attack vector.
Therefore, it is important to reliably filter malicious emails, in order to free up time and minimize the risk of incidents. Some simple measures can be implemented without additional software packages, for example marking all external emails as EXTERNAL in the subject line, so that they are easier for users to distinguish. Another important point is that users should be aware of the threats and know where to report suspicious emails, so that the rest of the organization can be warned and protected in time.
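As an added example (not the article's or Acronis' own code), a minimal Python version of the EXTERNAL subject tagging mentioned above. It assumes placeholder internal domains and constructed messages, and it also looks at Reply-To, because a reply goes there even when the From address looks internal.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation owns (assumed placeholder values, not from the article).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
TAG = "[EXTERNAL]"

# Constructed sample messages. The first has an internal-looking From header but an
# external Reply-To, the pattern used for fraudulent invoice requests.
EXTERNAL_MSG = """\
From: "Finance Dept" <finance@example.com>
Reply-To: billing@example.net
Subject: Updated invoice
Content-Type: text/plain

Please see attached.
"""
INTERNAL_MSG = """\
From: Alice <alice@corp.example.com>
Subject: Lunch
Content-Type: text/plain

Noon?
"""

def sender_domains(msg):
    """Domains taken from the From and Reply-To headers (display names ignored)."""
    domains = set()
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value:
            _, addr = parseaddr(value)
            if "@" in addr:
                domains.add(addr.rsplit("@", 1)[1].lower())
    return domains

def is_external(msg):
    doms = sender_domains(msg)
    # No parseable address at all is treated as external (fail closed).
    return not doms or not doms.issubset(INTERNAL_DOMAINS)

def tag_external(raw):
    """Return the message text with TAG prepended to the subject when external."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if is_external(msg) and not subject.startswith(TAG):   # idempotent on re-run
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".rstrip()
    return msg.as_string()

def tagged_subject(raw):
    return message_from_string(tag_external(raw))["Subject"]
```

In production this check belongs in the mail gateway or the mail server's header rewriting rules; the point of the function is which headers count, not where it runs.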
Of course, these are only the first simple steps to get cyber protected, but having a secure foundation is important before taking the next steps. The complexity of modern attacks can easily overwhelm small businesses. They therefore require a comprehensive protection approach that is simple to deploy and efficient to manage. Most of the tasks should be automated and not require deep technical knowledge to perform. Ideally the solutions should interconnect and leverage the full correlation potential of the big picture. In the end, IT has to be cost-efficient with a low total cost of ownership (TCO) in order for SMBs to survive in a competitive market. They do not have the time nor the expertise to wade through thousands of alerts every day, nor should they have to, in order to combat cyberthreats.