Threat actors are aware of the major holidays and know that most organizations will typically be running on reduced staffing. They know that individuals may not be contactable and that responses to their activities are slowed. For these reasons, they target these times of year – specifically New Year, Christmas, July 4th, and Thanksgiving – knowing that they will likely have increased success in their operations.
Below we’ve outlined nine activities that should be performed ahead of time to make sure you, your teams, and your organizations are prepared.
#1 Incident Response Plan Review
Review the IR SOP (incident response standard operating procedure) and ensure the details are correct and up to date. Do a test-run: can everyone be contacted and join a bridge within your required timeframe? If not, plan around this now. An escalation tree is worthless if it cannot be executed correctly.
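One way to score such a test-run, as an added example that is not part of the original post: a small Python script that walks a constructed escalation tree against a constructed drill log and reports which roles nobody could fill within the required timeframe. The roles, names, timestamps and the 30-minute requirement are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Escalation tree for the drill: role -> contacts in calling order (primary first).
# Roles, names, timestamps and the 30-minute requirement are constructed for this example.
ESCALATION_TREE = {
    "incident_commander": ["alice", "bob"],
    "network_lead": ["carol", "dave"],
    "legal": ["erin"],
}
REQUIRED_RESPONSE = timedelta(minutes=30)
DRILL_START = datetime.fromisoformat("2023-12-24T09:00:00")

# Constructed drill log: contact -> time they joined the bridge, or None if they never did.
DRILL_LOG = {
    "alice": None,                                           # primary IC unreachable
    "bob": datetime.fromisoformat("2023-12-24T09:25:00"),    # backup IC joined in time
    "carol": datetime.fromisoformat("2023-12-24T09:50:00"),  # joined, but too late
    "dave": datetime.fromisoformat("2023-12-24T09:12:00"),
    "erin": None,                                            # sole legal contact unreachable
}


def evaluate_drill(tree, log, required, start):
    """Walk each role's contact list in order and record who made the bridge
    within `required` of the callout start, and who did not (unreachable or late)."""
    report = {}
    for role, contacts in tree.items():
        responder, failed = None, []
        for contact in contacts:
            joined = log.get(contact)
            if joined is not None and joined - start <= required:
                responder = contact
                break  # role is covered; no need to escalate further
            failed.append(contact)
        report[role] = {"covered": responder is not None,
                        "responder": responder, "failed": failed}
    return report


def broken_roles(report):
    """Roles nobody could fill in time: the links in the escalation tree
    that would fail during a real incident and need a fix before the holiday."""
    return sorted(role for role, r in report.items() if not r["covered"])


if __name__ == "__main__":
    result = evaluate_drill(ESCALATION_TREE, DRILL_LOG, REQUIRED_RESPONSE, DRILL_START)
    for role, r in result.items():
        status = f"covered by {r['responder']}" if r["covered"] else "NOT COVERED"
        print(f"{role:20s} {status}; failed contacts: {r['failed'] or 'none'}")
    print("broken links:", broken_roles(result))
```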
#2 Supply Chain Review
Review vendors whose products or services operate in your environment. This extends to both hardware and service offerings. Do they match your organization’s security standards? We have seen an increasing number of attacks that target service vendors year-on-year.
#3 Penetration Test
When was your last offensive engagement? Have you reviewed those findings and completed the recommended actions? Focus on architectural changes: minimizing the attack surface can provide more breathing space before you have to coordinate a threat response.
#4 Network Assessment
Can you answer the following questions:
- Do you have in-depth visibility into your network?
- What does your current inventory look like?
- Can you quarantine a threat quickly and reactively?
- Do you have EDR (Endpoint Detection and Response)?
- Who can access your network? Do you have a BYOD (bring your own device) policy? If so, do you have NAC (network access controls) in place? What about mobile devices?
- Do you have failover in place in the event a critical asset is taken offline?
Attackers thrive in blind spots in your network. Be sure to include printers, VoIP, IoT devices, and cloud in this review.
#5 & #6 Vulnerability Assessment + Patch Management
This is a broad area and requires the following to complete effectively:
- Visibility into your network
- Vulnerability Assessment of exposed assets
Where are you most vulnerable? What can you patch today? What are your most critical vulnerabilities? Are you up to date? There could be a potential chain of vulnerabilities that may lead to widespread impact.
Do you have public-facing assets, and if so, can you coordinate a patch for a 0-day within 24 hours? If not, the asset shouldn't be exposed. There are only two types of vulnerabilities: the ones you know about and the ones you don't. We are operating on the attacker's home ground here, and they often have more information than the away team.
#7 Risk Assessment
Complete a risk assessment to answer the following questions:
- What are the current threats affecting you today – and leading up to the holiday season? This includes both internal and external threats.
- Who might be targeting your organization? Have they potentially targeted others in the same or a similar industry vertical? Similar industries use similar software, making it easier for an attacker to rapidly target multiple victims.
- Have you completed a vulnerability assessment? Is your patch management up to date?
#8 Awareness Training
Are the company staff aware of threats, and what to look for? Put another phishing assessment on the calendar if one hasn’t been completed in the past 90 days. How do your business partners make updates to accounting? Can it be impersonated? These are key training questions that should be reviewed regularly.
#9 Tabletop Exercise / Threat Simulation
With the above in mind, it’s time to put it all together. Create a tabletop (or work with your security vendor) to simulate a recent and relevant threat to your organization. Can the appropriate parties join a war room to respond to this threat without prior notice? How long does it take your security team to detect this threat? Simulate a response by quarantining the machine and performing threat eradication.
The goal here is to work through PICERL (preparation, identification, containment, eradication, remediation, lessons learned); the tabletop is testing your preparedness ahead of an active incident.