Over the past year, we’ve identified a growing trend in private equity and venture capital firms with respect to cybersecurity events. While not every event turns into a formal incident that triggers the firm’s incident response (IR) plan, organizations with more mature capabilities fare better. Common challenges for these organizations include a mobile workforce that leverages Office 365-based email (often without two-factor authentication [2FA]), inadequate visibility into the communications of workstations and laptops, and a lack of controls that prevent the obvious, e.g. remote/VPN connections from a single user from disparate geographical locations (how can someone be in San Francisco checking email when, an hour later, the same account is used from New York or London?).
With a mobile workforce of information workers who support your firm’s efforts from any available internet connection, you need to consider how to monitor and prevent unwanted and potentially dangerous communications from occurring while systems are on the move and outside the protections afforded by your environment. Focusing your efforts on the office/cloud environment leaves a critical avenue unprotected. Furthermore, the safeguards provided should tie into your organization’s overall defenses and provide early warning of unwanted activity and traffic.
Firms need to adopt the mindset that, at some point, there will be unwanted activity in their environment: they will likely have a workstation hijacked by a bad actor or by an automated form of malware. Managed detection and response (IDS/IPS) systems do not all have equal capabilities and have varying degrees of success in identifying the indicators of malicious activity. Based on our experience with actual cybersecurity incidents, we recommend confirming your system can identify DNS tunneling, password spraying, brute-force attempts at authentication, excessive login failures, PowerShell execution, logins from multiple countries, and internal port scanning. These patterns of activity, combined with command and control communications to known bad sites, should trigger your organization’s IR plan of action.
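The “San Francisco now, New York an hour later” scenario from the opening paragraph and the “logins from multiple countries” indicator above are the same detection: impossible travel between consecutive logins of one account. The following is an added illustration (not code from the original post or from any vendor product) that runs that check over a few constructed authentication events; the 900 km/h threshold is an assumed airliner speed and the coordinates are approximate.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample authentication events (not from the original post):
# (username, UTC timestamp, city, latitude, longitude)
SAMPLE_LOGINS = [
    ("alice", "2023-05-04T09:00:00", "San Francisco", 37.77, -122.42),
    ("alice", "2023-05-04T10:00:00", "New York", 40.71, -74.01),
    ("bob", "2023-05-04T09:30:00", "London", 51.51, -0.13),
    ("bob", "2023-05-04T17:30:00", "Frankfurt", 50.11, 8.68),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=900.0):
    """Return (user, from_city, to_city, implied_kmh) for every pair of
    consecutive logins by the same account that would require travelling
    faster than max_kmh (an assumed threshold, roughly airliner speed)."""
    by_user = {}
    for user, ts, city, lat, lon in logins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per account
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600.0
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours == 0:
                # Simultaneous logins from two different places are flagged too
                if dist > 0:
                    alerts.append((user, c1, c2, float("inf")))
                continue
            speed = dist / hours
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

In practice the city and coordinates come from geolocating the source IP in your VPN or Office 365 sign-in logs, and the alert feeds the IR plan rather than standing alone.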
The IR plan should be well exercised and provide your firm a warm start toward identification, isolation, containment, eradication, and recovery. We’ve seen great success from organizations that approach IR as an ongoing effort and not as an “in case of emergency break glass” event. This is accomplished via daily log reviews; monthly system access checks; tabletop exercises at the tactical, operational, and executive levels; and “Red Team exercises” that test the people, processes, and technology in place.
The bottom line is that your organization will experience cybersecurity events regularly, and research suggests you will have a full-blown incident during the next 12 months. Do you have the appropriate level of visibility into the activities that occur in your environment at 3:00 a.m. on a Thursday? Do you have a record of the sites visited by a laptop sitting in a hotel room? And once you’ve identified suspicious activity, are you responding frantically, or is your organization deliberate, methodical, and practiced? If the answer to all, or even some, of these questions is “ughhhh,” it’s time to have a serious conversation so you’re not left hanging when disaster strikes.