Cybercriminals continuously refine their tactics to exploit weaknesses in enterprise defences. From impersonating legitimate users to bypassing detection systems with advanced techniques, their methods are becoming increasingly sophisticated, says Dan Lattimer, Area Vice President, UK and Ireland, at the cyber firm Semperis.
According to Semperis' holiday ransomware report, timing is also a key factor in many attacks. Based on a survey of nearly 1,000 security professionals, the report found that 72 per cent of respondents (or 86pc of those targeted by ransomware) experienced attacks during holidays or weekends. Similarly, 63pc of respondents were targeted during major corporate events, such as mergers, acquisitions or IPOs.
These findings highlight a critical issue: Ransomware groups often strike outside of business hours, at times when defences are weakest. While 96pc of surveyed organisations stated that they run a 24/7/365 Security Operations Centre (SOC), 85pc admitted that they reduce SOC staffing by up to half during holidays and weekends. Surprisingly, 5pc of organisations leave their SOC unstaffed.
Patience pays off
Holidays and weekends present challenges for businesses, with understaffed security operations creating opportunities for cybercriminals to launch successful attacks. Adding to the risk, attackers often lie in wait for several weeks once they are inside an organisation's network, working to strengthen their foothold, escalate privileges and identify sensitive data or applications that they can encrypt as part of an extortion scheme.
Given the risks, why aren't most businesses aligning staffing with known attack patterns? There are several reasons for this. When asked why they reduced IT and security staffing out of hours, 34pc of organisations said they did not think full staffing was necessary considering most employees only work weekday schedules. Thirty-four percent assumed their organisation wouldn't be targeted, and 33pc felt it wasn't necessary because their business hadn't previously been attacked. Additionally, around-the-clock SOC staffing drives up the costs for hourly employees and/or requires companies to hire additional staff. To save money, many organisations reduce coverage during off-hours, believing threats are less likely. But what are companies really saving in the long run when you consider that post-breach remediation and recovery costs can exceed hundreds of thousands of Euros for each incident?
Prioritising identity security
Organisations should adopt an “assumed breach” mindset because threat actors will eventually breach every organisation. It is essential to identify your single points of failure and your most critical services. Don't overlook your identity system, most often Microsoft's Windows Active Directory (AD), which ends up compromised in 90pc of ransomware attacks. Given how common it is for the identity system to be compromised, it is safe to say that the identity system is the new security perimeter.
AD is a 25-year-old technology, and to maintain operational resiliency companies need to limit outdated configurations, excessive user privileges and insufficient monitoring. These issues make the detection of malicious activity particularly challenging. Gaining access to AD is the goal of most threat actors when they attack, and accessing it provides them with the “keys to the kingdom”, opening the doors to their victim's critical systems and sensitive data.
Despite this risk, many businesses underestimate the importance of identity security. While 81pc of respondents in the holiday ransomware report claimed to have the necessary expertise to defend against identity-related threats, 83pc reported being victimised by ransomware in the past year. In addition, Semperis found that nearly one third of organisations haven't developed an incident response plan. This plan must include backing up the identity system, so that in the event of a compromise, an organisation can return to network operational efficiency much faster. Please don't be one of the 21pc of companies that don't address cyberattacks in their incident response plan or the nearly 20pc that don't regularly test for identity system vulnerabilities.
Building resilient defences
To increase operational resiliency, organisations must prioritise security as an essential component of their business resilience. Effective steps include:
• Plans: Prepare for potential incidents and regularly test response protocols.
• Optimise resources: Allocate existing tools and personnel effectively, covering the most vulnerable areas.
• ITDR solutions: Identity Threat Detection and Response (ITDR) tools can automate key tasks such as auditing, alerting, attack pattern detection and mitigating suspicious changes in AD.
• Automation: Free skilled security staff from routine tasks, enabling them to focus on higher-value responsibilities.
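The alerting and auditing tasks described above can be illustrated with a small triage routine that ties the two threads of the article together: changes to privileged AD groups, and the holiday and weekend windows in which SOC coverage is thinnest. The example below is added here and is not code from the article, from Semperis or from any ITDR product. The Windows Security event IDs it filters on (4728, 4732, 4756, all "member added to a security-enabled group") are standard Microsoft IDs; the privileged group list, the business-hours window, the holiday calendar and the event records themselves are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timezone

# Standard Windows Security event IDs for a member being added to a
# security-enabled global (4728), local (4732) or universal (4756) group.
GROUP_MEMBER_ADDED = {4728, 4732, 4756}

# Assumed Tier-0 groups; membership changes here are the "keys to the kingdom".
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# Assumed SOC business window. A real deployment would use zoneinfo for the
# SOC's local zone; UTC is used here so the example runs without tz data.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
SOC_TZ = timezone.utc


@dataclass(frozen=True)
class AdEvent:
    timestamp_utc: str   # ISO 8601 with explicit offset, e.g. "...+00:00"
    event_id: int
    group: str           # target group of the membership change
    member: str          # account that was added
    actor: str           # account that made the change


def is_off_hours(ts_utc: str, holidays: set) -> bool:
    """True when the change lands on a holiday, a weekend, or outside business hours."""
    local = datetime.fromisoformat(ts_utc).astimezone(SOC_TZ)
    if local.date() in holidays or local.weekday() >= 5:   # 5 = Sat, 6 = Sun
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def triage(events, holidays: set):
    """Return one alert dict per group-membership change worth a human look.

    Severity combines *what* changed (privileged group or not) with *when*
    (inside or outside staffed hours), so an off-hours Domain Admins change
    is ranked above the same change made on a weekday morning.
    """
    alerts = []
    for ev in events:
        if ev.event_id not in GROUP_MEMBER_ADDED:
            continue                       # not a membership change; out of scope here
        privileged = ev.group in PRIVILEGED_GROUPS
        off_hours = is_off_hours(ev.timestamp_utc, holidays)
        if privileged and off_hours:
            severity = "critical"
        elif privileged:
            severity = "high"
        elif off_hours:
            severity = "medium"
        else:
            continue                       # routine change in staffed hours: audit log only
        alerts.append({
            "severity": severity,
            "when": ev.timestamp_utc,
            "group": ev.group,
            "member": ev.member,
            "actor": ev.actor,
            "off_hours": off_hours,
        })
    # Most urgent first so a reduced holiday shift sees the worst item at the top.
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(alerts, key=lambda a: order[a["severity"]])


# Constructed sample data: a holiday calendar and five AD events (December 2024;
# the 7th is a Saturday, the 25th is on the holiday list).
HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26)}
SAMPLE_EVENTS = [
    AdEvent("2024-12-25T03:15:00+00:00", 4728, "Domain Admins", "svc-backup", "jdoe"),
    AdEvent("2024-12-03T10:05:00+00:00", 4732, "Administrators", "helpdesk1", "admin-ops"),
    AdEvent("2024-12-07T14:00:00+00:00", 4728, "Marketing", "newhire", "hr-sync"),
    AdEvent("2024-12-04T11:00:00+00:00", 4720, "", "contractor7", "admin-ops"),
    AdEvent("2024-12-04T11:30:00+00:00", 4756, "Sales", "asmith", "hr-sync"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, HOLIDAYS):
        print(alert)
```

On the constructed input the routine raises three alerts: the Christmas-morning addition to Domain Admins as critical, the weekday Administrators change as high, and the Saturday change to a non-privileged group as medium; the user-creation event and the in-hours Sales change produce nothing. The point of the severity split is that a half-staffed weekend shift can be told which single item to look at first.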
By taking these actions, enterprises can effectively address risks, enhance their identity security and bridge staffing gaps. With optimised defences and an “assumed breach” mindset, they will ultimately be better prepared to respond to all attacks, including the ones that occur on holidays and weekends.