
October 24, 2022   •   12 minute read

Expert Interview: MFA, Continuous Monitoring, And Cybersecurity Trends in 2022 With James Ewing

While cybercriminals may constantly be changing tactics, there’s one thing that remains stubbornly predictable: periods of crisis breed cyberattacks. And with the world enveloped in multiple crises—the ongoing coronavirus pandemic, Russian invasion of Ukraine, and a looming economic crisis, for example—opportunities abound.

These aren’t just anecdotes, either. The FBI warned of vaccine fraud schemes in late 2020. Ransomware attacks in 2021 increased by 105%, and breaches are projected to cost the world $5.2 trillion by 2023, according to a 2021 Accenture Security report, “The State of Ransomware,” conducted by the independent research center Ponemon Institute.

In light of such trends, we sat down with Cybersafe Security Sales Engineer James Ewing to discuss these pressing topics.

Ewing talked about a handful of common mistakes people and organizations make that create vulnerabilities, from the lack of a patching program to the failure to implement multi-factor authentication (MFA), making it easy for attackers to infiltrate systems and exfiltrate data.

“MFA adds an additional layer of security that an attacker has to have access to in order to get into an account,” Ewing says. “It really slows them down, and nine times out of 10, they'll just go look elsewhere.”

In addition to MFA, Ewing underscores the need for continuous monitoring services that build a comprehensive understanding of an organization’s risk posture and can stop breaches in their tracks.

“Businesses that invest in continuous monitoring have two distinct benefits over non-monitored businesses. The first is that they are backed by an experienced team watching their network 24/7, 365 days a year,” Ewing says. “The second thing we see is that our clients can step away from ‘chasing alerts’ and focus on their business.”

With that, let’s get into our conversation with Ewing, which has been edited for clarity.

What are some common ways threat actors compromise organizations?

James Ewing: “That’s a question we hear a lot from our partners and potential clients. Most of the breaches we see today come down to the lack of security in three critical areas.

The first is the human element. Humans continue to be the weakest link in the cybersecurity equation. Common issues include weak passwords, sharing accounts, and not being educated in email attacks. We continue to see threat actors using spear phishing with lookalike websites to trick users into providing login credentials. 

Second, companies have to start enabling multi-factor authentication (MFA). While inconvenient to clients, it can stop 99.9% of all attacks from happening, according to Microsoft.

Finally, lack of vulnerability and patching programs creates an environment that is easy to manipulate and remove data from. But threat actors continue to evolve. They’re developing effective attacks against MFA, including ‘prompt bombing.’ It reinforces the notion there is no silver bullet to stopping all attacks.”  

You mentioned some of those lapses or vulnerabilities come from three critical areas. Can you go into more detail about what these vulnerabilities look like?

JE: “Those are the main areas our clients continue to struggle to address. Until technology catches up and humans stop clicking on bad links we’ll continue to have these issues. Look, we want to trust what people send us. We want to believe that it's real, but at the end of the day, it only takes one threat actor to craft an email and get it into our inbox and clicked on to be breached. So this is a really huge issue we’re still seeing. You can train folks to check links and emails, but at the end of the day, threat actors are still getting through the human element, they’re exploiting vulnerabilities, and getting around MFA. Organizations that understand this risk and implement continuous monitoring operate with significantly less risk than those that don’t.” 

How do you stay ahead of trends or prepare when world events may affect cybersecurity?  

JE: “Organizations need to identify the risk in their business and specifically map their controls to that risk. Offload risk where it makes sense. If you take this approach, current events, while important, are less likely to create an emergency in the business. There will always be attacks and breaches. Creating the correct security posture and mapping it to business risk is the best way to stay ahead of the news.” 

Do you happen to see any more cybersecurity risk in these times? 

JE: “Yes, we're seeing a huge uptick from threat actors, across all sizes and verticals of businesses. I think that there are two main reasons behind it. First, due to the war in Ukraine, Russian threat actors have been severely impacted by economic sanctions. So, these folks are trying to raise cash, and these state actors or threat groups are run like businesses. These “businesses” are having a tough time accessing cash due to the economic sanctions. As a result, we see more attacks happening at faster rates in the United States and Great Britain in an attempt to raise cash. The other reason attacks are increasing is the economic downturn created by the pandemic, government spending, and global supply chain issues. Monetary gains are still the driving force behind most major attacks today.

And I tell folks: ‘You don't know what's going to happen tomorrow. You need to look at what you're doing today and really figure out how to create that security, process, and mindset within your organization today around those core features that we discussed earlier,’ which are around making sure that people don't click on things that they're not supposed to. And if they do click on it, you have multi-factor authentication operating. MFA creates an additional item that an attacker must have access to in order to get into that account—whether it's a cell phone, whether it's an application that gives you a code. Now, they have a different system they must hack, or a different human, or a different attack vector that they have to also access in order to put those things together to get access to your account. 

We do see some folks who are going out and re-hosting SIM cards to get those authentication strings to come through on the phone side, and those are very sophisticated attacks. We’ve also seen realistic, phony login sites that capture and use the MFA code in real time. But most of the folks that we see are trying to get into businesses that don't have MFA, that don't have active anti-phishing measures in place. These threat actors are still picking the low-hanging fruit—the companies without good security controls, without MFA, without strong passwords—if that's possible, 20 years into the internet age. Organizations must change that paradigm, on an individual and institutional level.” 
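The real-time relay Ewing describes, as an added example that is not from the interview or from Cybersafe's tooling: a lookalike login page collects the victim's time-based code and forwards it to the real service inside the code's validity window, so even one-time-use enforcement on the server does not help. The second half contrasts an origin-bound assertion (the idea behind WebAuthn-style, phishing-resistant MFA), which the same relay cannot reuse because the origin the browser actually loaded is part of what gets signed. The shared secret, domains and challenge are constructed, and an HMAC stands in for the public-key signature so the block runs with the standard library alone.

```python
"""
Added example (not from the interview or Cybersafe): relaying a TOTP code in real
time versus relaying an origin-bound assertion. Secret, domains and challenge are
constructed; the HMAC "assertion" is a stand-in for a real signature.
"""
import hashlib
import hmac
import struct

TOTP_STEP = 30      # RFC 6238 default time step in seconds
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // TOTP_STEP))


class TotpServer:
    """The real service (constructed: login.example.com). Accepts the current step and
    its neighbours to tolerate clock drift, and never accepts the same step twice."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used_steps: set[int] = set()

    def verify(self, code: str, now: float) -> bool:
        step = int(now // TOTP_STEP)
        for s in (step - 1, step, step + 1):
            if s not in self.used_steps and hmac.compare_digest(hotp(self.secret, s), code):
                self.used_steps.add(s)
                return True
        return False


def relay_totp(server: TotpServer, victim_secret: bytes, now: float, delay: float) -> bool:
    """Real-time relay: the victim types the current code into the lookalike page and the
    attacker forwards it to the real server `delay` seconds later. One-time-use enforcement
    does not help, because the attacker's submission is the first one the server sees."""
    code_typed_by_victim = totp(victim_secret, now)
    return server.verify(code_typed_by_victim, now + delay)


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> str:
    """Stand-in for a WebAuthn-style assertion: the authenticator signs the server's challenge
    together with the origin the browser actually loaded. An HMAC replaces the public-key
    signature here (assumption for a stdlib-only example, not the real protocol)."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


class OriginBoundServer:
    """Verifier that recomputes the assertion over its OWN origin, so an assertion produced
    while the browser was on a lookalike origin can never match."""
    ORIGIN = "https://login.example.com"          # constructed

    def __init__(self, key: bytes) -> None:
        self.key = key

    def verify(self, challenge: bytes, assertion: str) -> bool:
        return hmac.compare_digest(sign_assertion(self.key, challenge, self.ORIGIN), assertion)


def relay_origin_bound(server: OriginBoundServer, key: bytes, challenge: bytes, lookalike: str) -> bool:
    """The same relay against the origin-bound scheme: the victim's browser signs over the
    lookalike origin, and the forwarded assertion is rejected by the real server."""
    return server.verify(challenge, sign_assertion(key, challenge, lookalike))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # what the authenticator app was provisioned with
    now = 1_700_000_000.0
    print("TOTP relayed after 5 s accepted:", relay_totp(TotpServer(secret), secret, now, 5.0))
    ob = OriginBoundServer(secret)
    print("origin-bound assertion relayed from lookalike accepted:",
          relay_origin_bound(ob, secret, b"constructed-challenge", "https://login.example-com.net"))
```

The `hotp` routine reproduces the RFC 4226 test vectors, so the relay outcome is a property of the protocol rather than of the toy server: any code the victim can type, the attacker can type faster. Rate limits and one-time use only change who loses the race, which is why the interview's point that MFA is "no silver bullet" holds for code-based factors in particular.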

Utilizing these safeguards doesn’t seem onerous, so why do many companies continue to rely on basic protections?

JE: “I think there are two main reasons I can think of. The first reason is just pushback from the user groups. MFA adds additional complexity to the login process. End users don’t like complexity, so they either don’t enable MFA or they do, but end up disabling it after complaints from power users or executives. Even if you use a free MFA provider like Google Authenticator, there's still pushback at the end user level. Sometimes it's not convenient to do this if you have a mobile workforce. And a lesser, but just as important, reason is tied to the cost and price of a commercial MFA solution like Duo or Okta. These providers license their software by number of SaaS applications. So, if you have 20 or 30 applications, that's a lot of money per user to turn MFA on for all of those different applications. Each additional application requires additional spending and configuration on the business side. So ultimately, it's a combination of money and user pushback. At Cybersafe, we leverage MFA on everything. We want you turning it on every time you log into Windows, a cloud application, your tools, your email, everywhere. Pretty much any time you're logging in somewhere, it should have an MFA component. If cost or pushback is a concern, we recommend clients install MFA on your critical systems, your email systems, your HR system, or any place where you have specific PII information—any of those core areas.”

Can you take us through Cybersafe’s incident response (IR) process when you receive communication from a breached business? 

JE: “The IR process is well defined in our industry. Customers can expect the following when they engage Cybersafe Solutions for IR services:

  1. Kick off with our IR Team
  2. Review the scope of the breach, what is affected, and the current situation
  3. Deploy an endpoint agent to provide live “flight recorder” and active threat hunting capabilities
  4. Fingerprint the attackers and conduct Tactics, Techniques & Procedures (TTP) analysis
  5. Identify, respond, and contain
  6. Eradicate all known threat actors
  7. Close attack vectors. Remove remote desktop protocol tools, helper applications, communication tools, etc.
  8. Forensic chain of custody: contain and control evidence
  9. Attribution, if possible
  10. Closeout and lessons learned
  11. Transition to 24/7 managed detection and response.”

From an IR perspective, what’s the benefit of being a monitoring client? 

JE: “Well, the outcome is much faster. If you're a monitoring client of ours—we are unique in our industry. Cybersafe provides remote Incident Response for any asset under our management. A lot of firms require an IR retainer or additional funding for IR services. In fact, many of our competitors will actually say, ‘Timeout, we've got a breach here. We're going to halt monitoring on this. If you want us to do the IR you need to give us a $20,000 check, or you need to call your insurance company and figure out who they want to handle the IR.’ With Cybersafe, our team responds in real time. From detection to remediation and forensic gathering, we have you covered, and it’s all included in our service offering.

As far as the process goes, we follow the same steps that I outlined before. The huge difference is that we are already intimately familiar with the client environment and we have already deployed an endpoint detection and response agent during the onboarding process. This allows us to rapidly engage our DFIR teams while the threat actors are engaged and actively trying to exploit the client’s environment. Our artificial intelligence and machine learning have baselined the client network—allowing us to rapidly determine where the malicious activity is occurring, rapidly engage to mitigate the threat, and then gather any necessary forensic evidence for the after-action report. The tech we leverage is capable of creating an amazing storyline of the processes and files interacted with so that when we see something happening, we can visualize the attack and where in the system the malicious activity occurred. We can start to back out all the changes and stuff that were made and start to remediate as well as protect the rest of the environment from whatever attack vector we saw in the first place.”

What other systems or warning signs do you monitor?

JE: “Cybersafe Solutions also has an Extended Detection and Response (XDR) service which adds additional visibility into the network devices, connections, and vulnerabilities seen on the network. We monitor the dark web for potential data breaches. Additionally, we watch for domain doppelgänger activity and deploy ‘honeypot’ technologies to create a true, 360-degree view of our clients’ security stack.” 

Would you mind expanding on the concepts of honeypots and domain doppelgänger?

JE: “Honeypots have been used since early computing to discover malicious activity and to increase the dwell time of a threat actor so they can be further studied and ultimately shut down. Honeypots are used to sprinkle bits of fake data around the enterprise. The goal is to entice someone conducting malicious recon to click on the file to trigger an alarm. These can be triggered by insiders, man-in-the-middle attacks, or even tools installed on the network maliciously to search for critical data for exfiltration. 

The other technology we leverage is called domain doppelgänger. A doppelgänger is something that looks and feels like something else but is an imposter. In this case, threat actors set up doppelgänger (look alike or copycat) websites that look—by name and sight—to be identical to the victims’ websites. Threat actors then use those domains for spear phishing attacks to go after organizations with the hope that someone will click on a link and ultimately allow the threat actors to get control of the victim’s end device or their credentials. To prevent this, our team watches the domain registry services looking for lookalike domains and then provides alerts on them when seen so clients can block those domains before they ever have a chance to be used.” 
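The lookalike-domain watch Ewing describes, as an added example that is not the interview's or Cybersafe's code: generate the permutations of a client domain that a phisher would register (confusable characters, common typos, hyphenation, lure affixes, other TLDs), canonicalize everything to its punycode form so an internationalized registration cannot slip past an ASCII comparison, and match a feed of candidate registrations against that set. The client domain, the substitution table, the affix list and the feed are all constructed for illustration.

```python
"""
Added example (not from the interview or Cybersafe): enumerate doppelganger domains
for a watched name and match a constructed newly-registered-domains feed against them.
"""

# Constructed substitution table: characters a hurried reader will not distinguish.
HOMOGLYPHS = {
    "a": ["а"],          # Cyrillic small a, U+0430
    "e": ["е"],          # Cyrillic small ie, U+0435
    "o": ["0", "о"],     # digit zero; Cyrillic small o, U+043E
    "i": ["1", "l"],
    "l": ["1", "i"],
    "m": ["rn"],
    "w": ["vv"],
}
LURE_AFFIXES = ("login", "secure", "sso", "mail", "portal")   # constructed
SUSPECT_TLDS = ("com", "net", "org", "co", "io")              # constructed


def to_ascii(domain: str) -> str:
    """Canonical comparison form: lowercase, no trailing dot, IDN labels as punycode (xn--)."""
    domain = domain.strip().rstrip(".").lower()
    return ".".join(label.encode("idna").decode("ascii") for label in domain.split("."))


def generate_lookalikes(domain: str) -> dict[str, str]:
    """Return {candidate: technique} for a single-label name such as example.com."""
    domain = domain.lower()
    name, _, tld = domain.partition(".")
    out: dict[str, str] = {}

    def add(label: str, tld_: str, technique: str) -> None:
        cand = f"{label}.{tld_}"
        if cand != domain:
            out.setdefault(cand, technique)

    # 1. Confusable substitution, one position at a time.
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            add(name[:i] + sub + name[i + 1:], tld, "homoglyph")
    # 2. Typos: omitted, doubled, and transposed characters.
    for i in range(len(name)):
        add(name[:i] + name[i + 1:], tld, "omission")
        add(name[:i] + name[i] + name[i:], tld, "repetition")
        if i + 1 < len(name):
            add(name[:i] + name[i + 1] + name[i] + name[i + 2:], tld, "transposition")
    # 3. Hyphenation and lure prefixes/suffixes seen in spear-phishing links.
    for i in range(1, len(name)):
        add(name[:i] + "-" + name[i:], tld, "hyphenation")
    for affix in LURE_AFFIXES:
        add(f"{name}-{affix}", tld, "affix")
        add(f"{affix}-{name}", tld, "affix")
    # 4. Same name under another TLD.
    for t in SUSPECT_TLDS:
        if t != tld:
            add(name, t, "tld-swap")
    return out


def find_lookalikes(domain: str, registrations: list[str]) -> list[tuple[str, str]]:
    """Match a feed of candidate registrations against the generated set.
    Returns (registered_domain_as_seen, technique) pairs; malformed labels are skipped."""
    table = {to_ascii(c): tech for c, tech in generate_lookalikes(domain).items()}
    hits = []
    for reg in registrations:
        try:
            key = to_ascii(reg)
        except UnicodeError:
            continue            # empty or over-long label in the feed; do not crash the watcher
        if key in table:
            hits.append((reg, table[key]))
    return hits


# Constructed sample of a newly-registered-domains feed (not real registrations).
SAMPLE_FEED = [
    "weather-today.net",
    "exarnple.com",            # rn for m
    "example-login.com",       # lure suffix
    "exаmple.com",             # Cyrillic а in place of a
    "xn--exmple-4nf.com",      # the same name as the registry would show it
    "exmaple.com",             # transposition
    "example.co",              # TLD swap
    "bakerytools.org",
]

if __name__ == "__main__":
    for seen, why in find_lookalikes("example.com", SAMPLE_FEED):
        print(f"ALERT lookalike of example.com: {seen!r} ({why})")
```

Canonicalizing both sides through `to_ascii` is the important step: the feed entry written with a Cyrillic а and the one written as `xn--exmple-4nf.com` are the same registration, and only one of them looks suspicious to a human. In practice the generated set is the block list pushed to mail and web filters, and the feed is whatever registry or certificate-transparency source the watcher consumes.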

Are there any additional strategies that you've noticed hackers are employing?

JE: “Threat actor groups are extremely dynamic and in flux. So we see a lot of restructuring of threat groups almost monthly. They're taking one group and splitting it into two or four. And then, they're going right back to doing what they've always done, which is fingerprinting customers, and then attacking, and getting in, and holding data for ransom. It's just thinking of new ways that they can repackage the existing stuff that they've already used. They're splitting these bigger teams up, they're making smaller teams, they’re making new teams. A lot of the factors are the same. And a lot of the threat vectors are the same. Even the tools are the same. It's just we're interrupting them, and so they're coming to market in a different way. By and large, most of the attacks we still see with our clients are very straightforward, and unfortunately include ransomware.” 

What do you notice about businesses that invest in continuous monitoring versus those that don’t?

JE: “Businesses that invest in continuous monitoring have two distinct benefits over non-monitored businesses. The first is that they are backed by an experienced team watching their network 24/7, 365 days a year. For most companies, it’s the first time they’ve had this type of visibility into their environment and it’s eye-opening. The second thing we see is that our clients can step away from ‘chasing alerts’ and focus on their business. Organizations can take on additional security projects and help the business focus on growing instead of the daily alert fatigue and too many tools.” 

Can you expand on the benefits of continuous monitoring from a business perspective?

JE: “What I see with most of our clients is that in that three-to-four month period, they're really able to just kind of exhale. Sometimes they've been a one- or even a two- or three-person shop for years, and you have all these tools that you have to maintain. You have all these requests from management you have to get through as well as planning and budgeting for the next year and the next project. And it's a lot of work. We have 35-plus analysts that are 24/7 doing this all day long. We have folks who are just dedicated to triaging telemetry as it comes into the system. We're fortunate to be near Washington, D.C. We have a lot of great universities with some of the best cybersecurity programs in the country right here. We also have a large number of Federal- and DoD-level cybersecurity SOCs in our area. Having so many amazing talent-rich organizations in the D.C. Metro allows us to recruit the best and brightest engineers onto our team.

Organizations know that it takes eight to 10 people on average to run a 24/7 operation, and that it’s probably $2.5 to $4 million plus tools. That kind of investment is way beyond most small- to medium-sized organizations. So the reality is that we’re able to provide a Fortune 500 level of visibility to smaller organizations for a fraction of the cost to set up and run their own SOC. As we onboard clients, they immediately see the value, but the best part for us is to see them four months into the engagement. At that point, our clients have been able to let their guard down and know we've got their back, from that perspective.”

What advice do you give to businesses today regarding the hacker landscape?

JE: “There will always be hackers and organizations looking to profit from American businesses, whether through theft of money, intellectual property, or data. Creating a culture of security, following a path of least privilege, and active investment into real-time 24/7 monitoring will go a long way to frustrate the threat actors and reduce the likelihood of an incident.” 

Cybersafe Solutions is a state-of-the-art managed security provider with more than 20 years of experience in the online threat landscape. Our expert team leverages cutting-edge technology to provide 24/7/365 visibility into your company’s security posture, detecting when a threat has penetrated your network, containing it, and eliminating it.

Contact us today to learn more.