Amid a growing cyber skills gap, organizations turn to Managed Security Service Providers (MSSPs) like DirectDefense to enhance their cybersecurity posture and resource management. We spoke with Jim Broome, President and CTO of DirectDefense, about the challenges around application security gaps and popular attacker tactics.
What threats surrounding applications do you find the most concerning nowadays?
It’s 2023, and yet there are many applications out there that don’t come with even the most basic security controls or audit logs; for example, no lockout feature or logging account modifications to help with attack detection. This lack of security controls places a lot of reliance on web application firewalls (WAFs), which we know are only good for blocking coding attacks and limiting how many attacks can be sent to your application.
WAFs are not good at spotting attacks that occur within your application. These blind-by-design applications are leaving organizations open to attack, and closing these gaps requires application testing for function and logic vulnerabilities, authentication mechanisms, room for abuse, and logging quality.
DirectDefense offers a few application testing services specifically geared toward aiding in solving these gaps in application security and enabling an organization to obtain security monitoring for their application by a SOC.
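The two "basic security controls" the answer above says many applications still lack are an account lockout and an audit log of account modifications. The following is an added illustration, not DirectDefense code or a product of theirs: a minimal in-memory authentication service that locks an account after repeated failures, records every login outcome, password reset and role change as a structured event, and exposes a filter a SOC could use to pull out the changes that touch privileged accounts. The class names, event names, thresholds and the SHA-256 demo digest are assumptions.

```python
"""Account lockout plus audit logging of account modifications.

Added illustration (not DirectDefense code): a minimal authentication
service implementing the two controls the interview says many
applications still lack. Class and event names are assumptions.
"""
import hashlib
import hmac
import logging
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5     # lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60   # lockout window (assumed value)

logging.basicConfig(level=logging.INFO, format="%(message)s")


def _digest(password: str) -> bytes:
    # Demo only: a real application stores a slow, salted KDF output (argon2, bcrypt).
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Account:
    username: str
    pw_digest: bytes
    role: str = "user"
    failed_attempts: int = 0
    locked_until: float = 0.0


class AuthService:
    """Holds accounts in memory and writes a structured audit trail."""

    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.audit: list[dict] = []   # structured events a SOC could ingest
        self.clock = clock            # injectable so tests are deterministic

    def _record(self, event: str, actor: str, target: str, **details) -> None:
        entry = {"ts": self.clock(), "event": event, "actor": actor,
                 "target": target, **details}
        self.audit.append(entry)
        logging.info("audit %s", entry)

    def add_account(self, actor: str, username: str, password: str, role: str = "user") -> None:
        self.accounts[username] = Account(username, _digest(password), role)
        self._record("account_created", actor, username, role=role)

    def login(self, username: str, password: str) -> bool:
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            self._record("login_failure", username, username, reason="unknown_user")
            return False
        if acct.locked_until > now:
            # Even a correct password is rejected while the lock is active.
            self._record("login_rejected", username, username, reason="locked")
            return False
        if not hmac.compare_digest(_digest(password), acct.pw_digest):
            acct.failed_attempts += 1
            self._record("login_failure", username, username, reason="bad_password",
                         failed_attempts=acct.failed_attempts)
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0   # counter restarts after the window
                self._record("account_locked", "system", username, until=acct.locked_until)
            return False
        acct.failed_attempts = 0
        self._record("login_success", username, username)
        return True

    def reset_password(self, actor: str, target: str, new_password: str) -> None:
        # Every reset is logged with its actor, so a help-desk reset of a
        # privileged account is visible in the trail rather than silent.
        acct = self.accounts[target]
        acct.pw_digest = _digest(new_password)
        acct.failed_attempts = 0
        acct.locked_until = 0.0
        self._record("password_reset", actor, target, target_role=acct.role)

    def change_role(self, actor: str, target: str, new_role: str) -> None:
        acct = self.accounts[target]
        old = acct.role
        acct.role = new_role
        self._record("role_changed", actor, target, old_role=old, new_role=new_role)

    def privileged_changes(self) -> list[dict]:
        """Events a SOC would review: resets of, or promotions to, admin accounts."""
        return [e for e in self.audit
                if (e["event"] == "password_reset" and e.get("target_role") == "admin")
                or (e["event"] == "role_changed" and e.get("new_role") == "admin")]


if __name__ == "__main__":
    svc = AuthService()
    svc.add_account("provisioner", "alice", "correct horse", role="admin")
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")          # fifth failure locks the account
    svc.login("alice", "correct horse")      # rejected while locked
    svc.reset_password("helpdesk", "alice", "new pass")
    print(svc.privileged_changes())
```

The point a WAF cannot see is entirely inside this class: the lock decision and the actor-to-target relationship on a reset both live in application state, so they only become detectable if the application itself emits them. The `clock` parameter exists so the lockout window can be exercised without waiting fifteen minutes.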
What are the most popular tactics, techniques, and procedures that most attackers are using to target organizations?
We work with organizations of all sizes across all verticals and have identified a list of the top tactics, techniques, and procedures (TTPs) to be aware of, and avoid. These include:
Abusing MFA requirements – The threat actor is known to leverage techniques to take advantage of organizations still using SMS text messaging as a form of authentication.
SIM Swapping – The threat actor is known to do extensive recon on a target and leverage SIM swapping to take over key personnel's phone accounts to abuse MFA settings. Due to the number of leaks, T-Mobile customers are highly susceptible to this now.
Social Engineering – The threat actor is known to leverage social engineering to trick help desks into resetting privileged account passwords. Highly privileged accounts require stringent password reset procedures. For example - should someone in a help desk role even have the ability to reset privileged accounts?
Attacking On-premises Cloud Environments – The threat actor is known to be highly adept at compromising VMware solutions. Since there is no EDR for these solutions, limiting access and enabling logging is a best practice to spot potential targeting or abuse of these systems.
Living off the Land – The threat actor is known to be highly adept at living off the land and rarely using “Metasploit”-like payloads or the like. Instead, they abuse common configuration issues and shortcomings of corporate solutions, including abusing privileged accounts, MFA replay attacks, and SOC-enabled account abuse.
How does the spate of layoffs in the tech industry impact the overall cybersecurity posture of most companies, especially given the already growing cyber skills gap?
All of these factors - as well as the challenges most organizations face meeting their own industry’s compliance standards - have led to businesses investing in a partner to help manage the work. Investing in an MSSP assures greater security while lessening the drag on resources to effectively staff an internal SOC. When evaluating MSSPs, observe whether vendors are providing an out-of-the-box approach versus a sterile one when reviewing the service level agreement (SLA). At the bare minimum, SLAs should clearly define the time of acknowledgment of an alert, the time to review an alert, the time for the client to acknowledge the alert, and the time to resolution, but above all else, it should clearly outline the customer's infrastructure realities, how incidents are handled and escalated through your organization, and how your MSSP will deliver on those unique requirements.