
Social Engineering Behind the Surge in UK Retail Cyber-Attacks – What Businesses Must Know

There have been an unprecedented number of cyber-attacks affecting large UK brands over the last few weeks, and this is understandably causing concern.

At this point, the information available to us about these attacks is vague. This is normal in these circumstances because the organisations affected by these attacks will not want to compromise their recovery by airing technical details about their security posture, or compromise a potential future legal claim or regulatory fine by the ICO if personal data has been accessed.

What we do know is that these attacks bear the hallmarks of a hacking group known as Scattered Spider, and that the initial entry point for all of these attacks was social engineering. We also know that some of these attacks had been ongoing for quite some time – many months – before being discovered.

So how does a user’s e-mail being phished – for example – potentially lead to a complete compromise of a business like Marks & Spencer? This is a very good question: organisations the size of M&S undoubtedly have a dedicated cyber security team, a SIEM tool which is performing security event monitoring and alerting – monitored by a 24/7 SOC. They will have carried out red-teaming exercises where a group of hackers try to take control of their network, among many other things. Of course we don’t know for sure, but it’s very unlikely these organisations were “asleep at the wheel”.

Social engineering is very powerful. If you manage to compromise the Office 365 user account of someone in an IT team, their email, SharePoint documents and Teams messages will be extremely useful – they will contain a huge trove of information and documentation about the environment which the attacker can familiarise themselves with over a period of time. They can learn communication styles and patterns and meeting cadence, and even join those meetings with their camera off.

Empowered with that information and access to those communication tools, as an attacker you are only a few messages or calls away from asking people with IT privileges to use them for you – reset credentials, install software, modify firewall rules – routine administrative actions that don’t look like suspicious or malicious activity.

The risks are exacerbated in retail and hospitality-type businesses too. These organisations like their staff to have an email and Teams account so they can communicate with them, but because staff largely work on the shop floor, there’s an expectation they will log into these services from their personal devices such as phones and tablets. This means that authentication policies – such as those applied by Microsoft’s Conditional Access – have to be more relaxed.

We have long been aware of the risks of social engineering and have a framework of policies and approval processes. We obviously can’t share the specifics of those, but our clients should be assured that we take this very seriously and have reviewed our own processes in the last few weeks.

So how should organisations react in the wake of this?

Have Social Engineering Awareness

Be hyper-aware of phishing and social engineering attempts. These can be emails, phone calls, text messages, even internal Teams messages or emails from other colleagues who have already been compromised. Where any sensitive topic is being discussed or information is being shared, be absolutely sure that the person you’re speaking to is who they say they are. Insist on cameras being turned on for meetings.

Technology such as Mimecast’s suite of products can really help with this, but a human shield is needed too.

Restrict Access

It’s a lot harder for a user to be socially engineered if a corporate device is required for access to resources. If you can’t log in to Office 365 or establish a VPN connection from an unmanaged device, that makes a huge difference. Restricting access and then monitoring failed access attempts can protect you, and can help identify where a user’s account has been compromised before any damage has been done.

Segment

If your environment does get breached, you want to limit the damage. By segmenting parts of your infrastructure with network boundaries, such as firewalls, you can reduce the impact of an attack on operations and reduce potential recovery time. Whilst this attack has no doubt been massively disruptive to those retailers who are affected, they clearly did have this in place – as their store networks have been able to continue operating.

Monitor

Capturing an actual or potential breach early is key. Attackers often spend weeks and months familiarising themselves before they take action. When suspicious behaviour is captured early, a compromise can be cleaned up before real damage is done.
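As an added illustration (not code from this article or from the vendor), the following Python script shows how the Restrict Access and Monitor advice above combine: an assumed "managed device only" rule is checked against constructed sign-in records, accounts with repeated blocked attempts from unmanaged devices are surfaced for the SOC, and any sign-in that got through from an unmanaged device because no policy was applied is flagged as a policy gap. The record field names are assumptions, loosely modelled on Entra sign-in log fields, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real data). Field names are
# assumptions modelled loosely on Entra sign-in logs: user, source IP,
# whether the device was managed, and the Conditional Access outcome.
SAMPLE_SIGNINS = [
    {"user": "alice@example.co.uk", "ip": "203.0.113.10", "managed": True,  "ca_status": "success"},
    {"user": "alice@example.co.uk", "ip": "198.51.100.7", "managed": False, "ca_status": "failure"},
    {"user": "alice@example.co.uk", "ip": "198.51.100.7", "managed": False, "ca_status": "failure"},
    {"user": "alice@example.co.uk", "ip": "198.51.100.9", "managed": False, "ca_status": "failure"},
    {"user": "bob@example.co.uk",   "ip": "203.0.113.11", "managed": True,  "ca_status": "success"},
    {"user": "bob@example.co.uk",   "ip": "198.51.100.7", "managed": False, "ca_status": "failure"},
    {"user": "carol@example.co.uk", "ip": "192.0.2.44",   "managed": False, "ca_status": "notApplied"},
]


def require_managed_device(record):
    """Hypothetical intended policy: only managed corporate devices may sign in."""
    return "allow" if record["managed"] else "block"


def find_suspect_accounts(records, threshold=3):
    """Users with at least `threshold` blocked sign-ins from unmanaged devices,
    with the distinct source IPs involved, for SOC triage."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for r in records:
        if require_managed_device(r) == "block" and r["ca_status"] == "failure":
            counts[r["user"]] += 1
            ips[r["user"]].add(r["ip"])
    return {u: {"attempts": n, "ips": sorted(ips[u])}
            for u, n in counts.items() if n >= threshold}


def find_policy_gaps(records):
    """Sign-ins the intended policy would block but which actually succeeded or
    had no policy applied: the relaxed-policy exposure the article describes."""
    return [r for r in records
            if require_managed_device(r) == "block"
            and r["ca_status"] in ("success", "notApplied")]


if __name__ == "__main__":
    for user, info in find_suspect_accounts(SAMPLE_SIGNINS).items():
        print(f"REVIEW {user}: {info['attempts']} blocked unmanaged attempts from {info['ips']}")
    for r in find_policy_gaps(SAMPLE_SIGNINS):
        print(f"GAP {r['user']}: unmanaged device admitted ({r['ca_status']})")
```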

A 24/7/365 Security Operations Centre (SOC) service, such as our Detect product, provides this capability.

Clients who take our Managed Security services benefit from proactive advice on all of these topics.
