Another October. Another Cybersecurity Awareness Month. And, in the thick of the mundane online training courses and the collective sighing from the employee base, it can be easy to lose sight of its value. It’s true—when this important month isn’t fairly framed, it can seem like a grueling box-check exercise. A bunch of reminders to be, once again, tucked away in your subconscious.
However, when accurately framed, this month can be seen for what it actually is—a reminder that cybersecurity is an all-hands-on-deck, high-stakes operation.
For security practitioners like me, Cybersecurity Awareness Month is all-day-every-day-24×7. So, I sat down with four other SOC analysts from the Expel Managed Detection & Response (MDR) team to discuss the areas of cybersecurity that teams should prioritize in October as they plan for 2025 and beyond.
This first area is a reminder for security teams. If you’re not doing everything possible to secure your identities, you’re exposed.
“Everyone says identity is the new perimeter,” says Zach Zeid, Principal Detection & Response Engineer at Expel. “But, you know, ever since you had to log into VPNs, identity has always been the perimeter.”
In Expel’s last Quarterly Threat Report (QTR), we discovered that 65.4% of all incidents our SOC identified were identity-based attacks. These attacks include things like failed attempts to abuse compromised credentials and business email compromise (BEC). And we have no reason to doubt those trends will continue or even increase when our new QTR drops in mid-October.
“A practical lesson I’ve learned is how impactful a password manager can be,” explains Zach. “Things like 1Password or Apple’s native password manager can quickly increase personal security posture. And then, you combine that with multi-factor authentication (MFA) and a hardware-based security token like a Yubikey. It’s an incredible combination.”
In the past, our intelligence team has also seen a high degree of business application compromise (BAC), which often involves an attacker obtaining OAuth access and wreaking havoc. In many cases, bad actors can get past MFA via tactics like MFA push fatigue attacks. Employees grow annoyed at receiving repeated push notifications from an application like Duo or Okta and eventually give in. This is exactly what happened during the notorious Uber hack of 2022, which Zach helped investigate.
These attacks can be avoided by limiting how many push notifications can be sent in a certain time. This can usually be changed in the OAuth application settings. And, to Zach’s point, adding hardware tokens into the mix can truly take your identity security to 11.
“I’ve been in red team engagements where, when using hardware tokens, they just couldn’t get in. They had to use an insider threat approach.”
So, to recap, here’s your crawl, walk, run. First, get MFA in place. Second, roll out password managers. Third, limit MFA push notifications. And fourth, consider hardware.
Each of these is relatively simple to adopt and will make a huge impact on your security posture.
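Limiting push notifications is the prevention side; the detection side is spotting the push-fatigue shape in your MFA audit logs before the victim taps "approve." The following is an added example, not Expel’s code or any vendor’s API: it runs over a constructed, simplified log format (timestamp, user, result) and flags users who received a burst of pushes, at least one of them denied or timed out, that ended in an approval.

```python
"""Flag MFA push-fatigue patterns in push-notification audit logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Duo/Okta output): ISO time, user, kind, result.
SAMPLE_LOG = """\
2024-10-03T08:01:10Z alice push DENIED
2024-10-03T08:01:42Z alice push TIMEOUT
2024-10-03T08:02:05Z alice push DENIED
2024-10-03T08:02:30Z alice push DENIED
2024-10-03T08:03:01Z alice push APPROVED
2024-10-03T09:15:00Z bob push APPROVED
2024-10-03T12:40:00Z carol push DENIED
2024-10-03T15:10:00Z carol push APPROVED
"""


def parse_log(text):
    """Yield (timestamp, user, result) tuples from the simplified log format."""
    for line in text.splitlines():
        ts, user, _kind, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def find_push_fatigue(text, window=timedelta(minutes=10), max_pushes=3):
    """Return {user: push_count} for users whose APPROVED push closes a burst of
    more than `max_pushes` pushes inside `window`, with at least one DENIED or
    TIMEOUT push in that burst: the push-fatigue shape."""
    by_user = defaultdict(list)
    for ts, user, result in parse_log(text):
        by_user[user].append((ts, result))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts, result) in enumerate(events):
            if result != "APPROVED":
                continue
            # Pushes to this user in the window that ends at this approval.
            recent = [e for e in events[: i + 1] if ts - e[0] <= window]
            rejected = sum(1 for _, r in recent if r in ("DENIED", "TIMEOUT"))
            if len(recent) > max_pushes and rejected >= 1:
                flagged[user] = len(recent)
    return flagged


if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_LOG))  # alice is flagged; bob and carol are not
```

Alice’s five pushes in two minutes trip the rule, while Carol’s lone denial hours before her approval does not, so the alert points the analyst at the session worth looking into.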
This one is for both the security practitioner and the non-security team member. In order to make security central to an organization, a security team must make continuous education a centerpiece of their strategy—and, frankly, needs to find new ways to deliver these valuable learnings to non-security personnel.
Since attackers are always finding new ways to do their work, we always have to stay ahead by learning new skills.
“Security, to me, starts with continuous learning and an open mindset,” says Brandon Overstreet, Senior Detection & Response Analyst at Expel. “I’ve found the most valuable way to learn is being hands-on and collaborative. You can read all the books, do all the trainings, and learn all the theory—but once you’re in the real world, you’re likely to run into things you don’t understand. And, at that point, you lean into your teammates’ knowledge to determine what’s going on.”
As I looked around the table, all of my SOC analyst colleagues seemed to agree. Zach added, “You simply can’t replace on-keyboard experience. Theory only takes you so far.”
Myles Satterfield, Manager of Global Response at Expel, mentioned that this is why he loves working within the Expel SOC. “We hold an advantage when it comes to learning. Our customers aren’t boxed into one specific tech or area of security. We let our customers bring their own tech. So, I’m personally able to learn endpoint, network, and cloud. And we see tons of different incidents across the attack lifecycle. It’s a great opportunity to learn.”
The team also emphasized the importance of collaborative, hands-on exercises like pen tests and tabletop exercises. Specifically, with the latter, security teams have an opportunity to invite other non-security parties to the table (pun intended) to gameplan different scenarios where cybersecurity incidents could impact different areas of the business. For example, what’s the role of the PR team in a cybersecurity crisis? It’s important to lay out these things and roleplay them before an actual event occurs.
Speaking of learning the hard way: security teams should remind themselves and their companies that cybersecurity mistakes can be redeemed only if the parties involved learn from them.
Matt Jastram, Senior Managed VM Analyst at Expel, shared a story about a vulnerability scan that went south. “In a previous role at a company, we engaged a pen tester who was tasked to test our industrial control systems. At one site, we requested permission to run a vulnerability scan on an operational system that we were told was properly segmented. The basic port scans were too much for the unsegmented network, causing devices to have communication issues that accidentally knocked down multiple assets, and all the dominoes fell. Basically, we knocked down the whole system, which caused major operational impacts.”
He added, “My VP was on site that day, and I saw him after the incident. He just smiled, laughed, and shook his head. It turns out that leaders are also susceptible to mistakes—and in some companies, leadership often earns their high-ranking positions based on how they reacted and learned from these sorts of incidents. So, in learning from your mistakes, you ultimately have the opportunity to become a better leader.”
Because of that incident, Matt saw failure, when handled correctly, as a rite of passage. He also encouraged security and non-security personnel to adopt the same mentality.
At this point, most companies understand the risks introduced by threat actors and apply some form of mandatory cybersecurity awareness education. As time allows this October, perhaps it’d be worth brainstorming some new ways to deliver these messages to complement your existing program.
“Cybersecurity Awareness Month is only as strong as your security education program,” says Zach. “In a previous role I had, we would do engaging things to educate non-security personnel, like setting up security escape rooms. This way, we’d educate our people while making sure we’re not talking down to them.”
I know, security teams don’t have much spare time, so this “reframe your education” ask is easier said than done. But consider this.
Famed communications guru Marshall McLuhan once said, “The medium is the message.” And, if that’s true, wouldn’t lending some extra brain power towards rethinking some aspects of your cyber education program double down on the idea that the material is important?
Just something to think about.
Now, I’m going to state the hard truth that every practitioner knows. The undeniable fact that keeps even the most seasoned cybersecurity professional up at night.
Here you go: people are people. And people make mistakes.
The harsh reality is this. You could put in the best cybersecurity program imaginable. You could build iron-clad policies and sponsor cybersecurity escape rooms. You could have full buy-in from the CEO to the intern. Your company could eat, sleep, and breathe cybersecurity. But, ultimately, you’ll never be 100% rid of risk. Why? Because humans make mistakes.
So what happens in your company when the rubber hits the road? When suspicious things start to happen because of an errant click on a seemingly innocuous email?
At the end of the day, people need to feel comfortable calling stuff out when it looks weird—even if they were the cause of it. This is a tip for everyone, both practitioners and the general public. The greatest stories and wins in cybersecurity come from when someone was willing to call out something weird and track it down.
And the biggest failures? Well, they often come when people ignore suspicious indicators. Or when someone shoots down another person’s hunch that something is amiss.
As cliché as it sounds, it all boils down to creating an open, judgment-free cybersecurity culture with policies and processes that are simple and easy to understand. “When we talk about cybersecurity, we always talk about ‘people, process, and tools.’ But, often, security teams are so focused on the processes and tools that we forget it’s the people that run them,” says Zach Zeid.
“The people are the most important component. So if you have a tool or process that’s difficult to use or follow, people will always find ways to use it insecurely.”
But, again, even when employees use your processes insecurely, they should know where to go in case of an emergency. And their response should be met with grace.
Cybersecurity Awareness Month isn’t just about protecting your employer’s interest; it’s about protecting your own interests, too.
Security itself is a life skill. Many of us working professionally in cybersecurity understand security to be a matter of balancing risk, which is just another part of being human. Zach Zeid echoed this in our conversation.
“The biggest lesson I’ve learned in my career is that security is really about managing risk,” said Zach. “Managing risk is an inherently human instinct. We do it every day in our personal lives, whether we’re deciding to cross the street or not. The same principle applies to cybersecurity.”
Learning about threats and good security practices helps individuals evaluate risk more effectively, both at work and at home. Recognizing a phishing email, being skeptical about unsolicited messages, or avoiding sketchy websites can protect your personal information, too.
Our hope is that this year, we’re all reminded that Cybersecurity Awareness Month is important—a month to instill and reinforce good practices that extend far beyond the physical or virtual walls of your workplace.
This is a Security Bloggers Network syndicated blog from The Guiding Point | GuidePoint Security authored by Ben MartinMooney. Read the original post at: https://www.guidepointsecurity.com/blog/the-noble-work-of-repeated-reminders/