
2022 has been a record year for cyber attacks and the economic fallout from cyber crime. However, the year is far from over despite being 93% complete. The next few weeks will see a massive surge over the holidays as organizations go into change freezes and staff numbers dwindle. This is the perfect opportunity for threat actors to attack, for the following reasons:
- Change freezes mean that no patching will be done. Perfect for exploiting vulnerabilities in the wild.
- New 0-day vulnerabilities will not be looked at or addressed until staff come back from the holidays. This gives complete unfettered access for exploitation during the rest of December.
- No-one will be looking at alerts, unless services are down. However a DoS attack would cause unwanted attention, so threat actors will explore and exploit until such time as it makes sense to take out services.
- Holidays are perfect for phishing scams related to shipping as last minute presents are being purchased.
- Reduced staff means a reduced ability to identify or respond to any attack. This means that threat actors can take their time to thoroughly embed themselves in systems, exfiltrate data and stage further attacks with impunity.
There was a recent study done with the help of 1200 security professionals globally. Here are some interesting findings:
- More than one-third of respondents who experienced a ransomware attack on a weekend or holiday said their organizations lost more money as a result, a 19% increase over 2021.
- Four-in-ten (44%) of respondents indicated they reduce security staff by as much as 70% on weekends and holidays.
- One-fifth (21%) noted that their organizations operate a skeleton crew during those times, cutting staff by as much as 90%.
- 7% of respondents indicated they were 80% to 100% staffed on weekends and holidays.
What can organizations do in the short term to mitigate risks?
There is not a lot of time for doing anything comprehensive, so you will be at risk no matter what. It's like driving on bald summer tyres in snowy weather. If you can't change the tyres, then you have to change the way you drive and how you respond to conditions.
- Limit your attack surface.
If you haven’t already, close down all non-essential open ports and services. Dev clusters, lab environments, etc.
- Shut down all user desktops in an office setting that are not being used over the holidays
This can be done with a group policy across your environment, or by location, OU, etc.
- Plan for the worst.
Have an incident response plan. If there is something weird, and it don't look good, who you gonna call? Have an escalation plan: who gets the first call, what is the SLA to respond, how long before you escalate to the next party, and how do you conduct a war room? If you need to recover from a catastrophic event, what is the plan? Have you tested it? What if your backups get compromised? What is the offsite DR and recovery process? How long would it take to restore? How much data is lost between backups (RPO)? How long does it take to recover (RTO)?

- Don’t get locked out.
Have a secure, fully patched, non-domain-joined, non-persistent, isolated VDI jump-box with an embedded set of tools that you can connect to for emergencies. Have more than one way to connect to it, rather than relying only on existing VPNs or firewalls. There are a number of solutions out there for this; Cradlepoint and OpenGear make some good ones.
- Have a number 1, number 2 and number 3 for response.
It's always important to know who will be responsible for fielding calls over the holidays. If the 1st person cannot respond, or is MIA, do the 2nd and 3rd people have the same access? If not, they may not be able to assist. Also keep all necessary internal docs for response in a shared repository that is secure and not on the primary infrastructure. Google Docs, OneDrive, etc. work for this at a minimum if you do not have a document management system.
- Have a canary in the coal mine.
Set up a virtual honeypot on the network with monitoring. This can act as an early warning system for the beginning of an attack, and can help limit dwell time while threat actors are probing systems. It won't protect you, but it will give you a heads up that something is up and the attackers are not being careful. Think of it like a motion detector in your security system. T-Mobile has open sourced their honeypot, which is called T-Pot. You can get it here.
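To make the "motion detector" idea concrete, here is a minimal TCP canary as an added example (this is not T-Pot and not code from the original post). It listens on a port nothing legitimate should use, never answers, and records who connected and what they sent; a single hit from an internal host is already worth a ticket, and repeated hits from one source look like a scan. The `simulate_probe` helper and the port choice are constructed for the demonstration.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class Canary:
    """Minimal TCP canary: any connection is suspicious by definition, so it just
    records the event (time, source, first bytes) and closes the socket."""

    def __init__(self, host="127.0.0.1", port=0, name="fake-rdp"):
        # port=0 lets the OS pick a free port for the demo; in production you would
        # pin a port that mimics a service attackers look for (e.g. 3389) on a decoy host.
        self.host, self.port, self.name = host, port, name
        self.events = []
        self._lock = threading.Lock()
        self._sock = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:
                return  # listener was closed by stop()
            with conn:
                conn.settimeout(0.5)
                try:
                    banner = conn.recv(64)  # capture whatever the prober sends first
                except OSError:             # includes socket.timeout
                    banner = b""
            event = {
                "time": datetime.now(timezone.utc).isoformat(),
                "canary": self.name,
                "src_ip": peer[0],
                "src_port": peer[1],
                "dst_port": self.port,
                "first_bytes": banner[:32].hex(),
            }
            with self._lock:
                self.events.append(event)

    def stop(self):
        if self._sock:
            self._sock.close()

    def alerts(self):
        """Hits per source IP; anything above one from the same source smells like a scan."""
        summary = {}
        with self._lock:
            for ev in self.events:
                summary[ev["src_ip"]] = summary.get(ev["src_ip"], 0) + 1
        return summary


def simulate_probe(canary, payload=b""):
    """Constructed helper standing in for a scanner touching the canary port.
    Returns the recorded event, or None if the listener did not log it in time."""
    expected = len(canary.events) + 1
    with socket.create_connection(("127.0.0.1", canary.port), timeout=2) as s:
        if payload:
            s.sendall(payload)
    deadline = time.time() + 2.0
    while time.time() < deadline:
        with canary._lock:
            if len(canary.events) >= expected:
                return canary.events[-1]
        time.sleep(0.02)
    return None


if __name__ == "__main__":
    c = Canary()
    print("canary listening on port", c.start())
    simulate_probe(c, b"\x03\x00\x00\x13")  # constructed probe payload
    print(c.events[-1], c.alerts())
    c.stop()
```

In real deployments the events would be shipped to the SIEM rather than kept in memory, and the alert rule is simply "any event at all", which is what makes a canary cheap to monitor even with a skeleton crew.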

- Patch and update.
This is very important, as it will protect you more than anything else on this list so far. Don't use deprecated versions of Windows, Linux or macOS. Windows 8.1 gets its last update at the beginning of January 2023, so plan to get off it like a sinking ship. There have been a lot of vulnerabilities out for the Chrome browser recently, so patching your web browser as often as possible is important. Update all your applications and uninstall the ones that you do not use. Do the same for your smartphone.

What can organizations do in the longer term to mitigate cyber risks?
When you have more time than a week to implement mitigation strategies, then you will get better results. The ugly truth is that there is no silver bullet and it is a process that takes time, effort, resources and money. These are the main things that you should consider when bolstering your defenses and planning your security journey.
- Get full visibility of your assets
Inventory all your physical and virtual assets, services, supply chain, SaaS services, IaaS, etc. and put that into a CMDB (Configuration Management Database). This will track config, versions of software, firmware and changes that occur.
- Perform active vulnerability scanning on all your assets
Find out what is vulnerable and plan to remediate it over time. Focus on the critical vulnerabilities to reduce your immediate risk.
- Create a Risk Register
This will be a centralized place that lists all your risks within your organization. This is not limited to vulnerabilities, but is inclusive of them.
- Monitor the performance metrics of your assets
Use a monitoring solution to keep historical performance and availability information. This will help ensure that all services are available to users and that the business is able to function normally. This is essential to KTLO (keeping the lights on). A NOC (network operations center) often runs this via a tool called an NMS (Network Monitoring System).
- Aggregate all logs from all assets
Centralize all logs so that they can be ingested, parsed, analyzed and archived. This will support security investigations, audits, and governance, risk and compliance. It will also support searching for IoCs (indicators of compromise) and user behavioral anomalies.
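As an added example of what becomes possible once logs are centralized (not code from the original post), the script below parses a constructed batch of firewall, proxy and domain-controller lines, matches them against a small threat-intel list, and flags two behavioral patterns: a burst of failed logons followed by a success from the same source, and a successful logon outside working hours. All IPs, hashes, hostnames and user names are made up, and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of forwarded syslog-style lines (not real IoCs or real hosts).
SAMPLE_LOGS = """\
2022-12-24T02:13:05Z fw01 deny src=10.20.5.7 dst=203.0.113.45 dport=4444 proto=tcp
2022-12-24T02:13:06Z proxy01 GET http://203.0.113.45/update.bin user=jsmith status=200
2022-12-24T02:14:11Z dc01 EventID=4625 user=svc_backup src=10.20.5.7 status=failed
2022-12-24T02:14:12Z dc01 EventID=4625 user=svc_backup src=10.20.5.7 status=failed
2022-12-24T02:14:13Z dc01 EventID=4625 user=svc_backup src=10.20.5.7 status=failed
2022-12-24T02:14:15Z dc01 EventID=4624 user=svc_backup src=10.20.5.7 status=success
2022-12-24T09:30:00Z dc01 EventID=4624 user=jsmith src=10.20.5.8 status=success
2022-12-24T09:31:44Z av01 detected sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef host=ws17
"""

# Constructed placeholder threat-intel feed keyed by indicator type.
IOCS = {
    "ip": {"203.0.113.45"},
    "sha256": {"0123456789abcdef" * 4},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def parse_line(line):
    """Normalize one line into timestamp, reporting host, raw message and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "host": m["host"],
        "msg": m["msg"],
        "fields": dict(KV_RE.findall(m["msg"])),
    }


def find_ioc_hits(events):
    """Sweep every message for indicators from the feed; returns (ts, host, type, value)."""
    hits = []
    for ev in events:
        for ip in IP_RE.findall(ev["msg"]):
            if ip in IOCS["ip"]:
                hits.append((ev["ts"], ev["host"], "ip", ip))
        for digest in SHA256_RE.findall(ev["msg"]):
            if digest in IOCS["sha256"]:
                hits.append((ev["ts"], ev["host"], "sha256", digest))
    return hits


def find_anomalies(events, fail_threshold=3, work_hours=(7, 19)):
    """Behavioral rules over Windows logon events (4625 = failed, 4624 = success).
    Thresholds and working hours (UTC) are assumptions for the example."""
    findings = []
    fails = defaultdict(list)
    for ev in events:
        f = ev["fields"]
        key = (f.get("user"), f.get("src"))
        if f.get("EventID") == "4625":
            fails[key].append(ev["ts"])
        elif f.get("EventID") == "4624":
            if len(fails[key]) >= fail_threshold:
                findings.append(("failed-then-success", key[0], key[1], len(fails[key])))
            if not (work_hours[0] <= ev["ts"].hour < work_hours[1]):
                findings.append(("off-hours-logon", key[0], key[1], ev["ts"].hour))
    return findings


def analyze(text):
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return {"events": events, "ioc_hits": find_ioc_hits(events), "anomalies": find_anomalies(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS)
    for hit in report["ioc_hits"]:
        print("IOC", hit)
    for finding in report["anomalies"]:
        print("ANOMALY", finding)
```

The point of the example is the join: the same source IP shows up in the firewall deny, the proxy fetch from a listed address and the logon burst, which is only visible when all three sources land in one place.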
- Perform active and passive scanning of network traffic
This can be done by analyzing traffic against rules, packet capture and even isolation. Things that fall under this realm are IDS/IPS systems, DLP, and web proxies.
- Employ a Zero Trust Architecture strategy
Zero Trust Architecture, or ZTA, assumes that you are already compromised and provides defense-in-depth by limiting lateral movement and privilege escalation and by always verifying identity.
- Implement MFA (Multi-Factor Authentication)
There are many ways to do this nowadays, such as using Google Authenticator, Okta, Centrify, or many others. This should be done for all internal system access as well as SaaS services, VPNs, etc.
- Have a dedicated security team that can provide insight on risk and align initiatives with business objectives.
A lot of work is required to plan and orchestrate all the security initiatives that an organization needs to conduct. This would be done by a combination of a CISO, security architecture (often consultants), operations teams (SOC) and GRC (Governance, Risk, Compliance).
- Perform regular penetration testing on infrastructure and software (Red Teaming)
This helps find the weaknesses in an environment proactively, to see what was missed with other systematic measures. It also helps to defend by understanding the attacking mentality of the threat actor and the “art of the possible”.
- Obtain Cyber Insurance
Cyber Insurance is useful when all other proactive protections have been circumvented and there is immediate fiscal or regulatory impact that needs to be resolved. It will help offset the risk at a cost less than that of a self-funded response. However some organizations may have a risk-based slush fund that maps to the accepted or outstanding risks in their risk register. This could be in combination with cyber insurance, or instead of.
- Implement an Endpoint Protection solution
Active malware and threat protection on servers and endpoints is essential, as it limits lateral movement and notifies on identified malicious activity. However, nothing is foolproof, and there are malware countermeasures and evasion techniques that can bypass these.
- Provide Security Awareness Training
The weakest link in any environment is the user. Social engineering and phishing are the number one vector for compromise. They take the least amount of time and effort and can bypass millions of dollars of security equipment and protocols.
These are just a few of the many things that can be addressed to improve the overall security posture of an organization. Some other things like SASE, CASB, SD-WAN, microsegmentation, threat hunting, purple teaming, etc., I have not even started discussing. The security landscape is big and can be difficult to navigate unless you are embedded in the middle of it.
This is where an external company (MSSP) can come in and solve a lot of these problems by providing a managed service that addresses detection and response, risk analysis, security awareness and consulting guidance. They can provide the simplest path to a secure environment for organizations of any size, sophistication and security maturity.