We teamed up with our Cyber Security partner Mongoose Cyber to share this advice on some of the most common cyber-attack techniques and the best ways to defend against them.
Half of all UK SMEs and over a third of charities have reported experiencing a cyber-attack in the last 12 months, with the average cost coming to over £10,500. With this statistic on the increase, we should all defend our IT environments as well as we possibly can.
So, what are Red and Blue Teams?
Red Teams 🔴 are cyber security experts who test IT systems using the same Tactics, Techniques and Procedures (TTPs) as real-world malicious threat actors. In this case, Mongoose Cyber is the Red Team, providing penetration testing and offensive cyber capabilities.
Blue Teams 🔵 are defensive cyber experts whose job it is to protect IT infrastructure and systems against threats and attacks. Greystone is the Blue Team here.
Let’s go!
Working with Mongoose, we have identified six of the most common attack vectors SMEs are currently at risk from, how Red Teamers 🔴 (and threat actors) use them to gain access, and how Blue Teamers 🔵 can protect against them.
Web Server Compromise
Red Team 🔴 Look for public-facing web servers that are vulnerable to injection attacks, have broken access controls (allowing unauthorised users to access restricted materials or perform actions they should not be allowed to), have outdated components, or are misconfigured. If it’s possible to compromise a web server through a vulnerability, then it may be possible to move laterally (also called pivoting) to another server on the same network that could hold more important data or services.
Blue Team 🔵 Implement web application firewalls and network segmentation, sanitise all inputs, use strong authentication mechanisms, log traffic and keep up to date with patches. These all help to protect systems that need to be exposed, such as web servers.
Phishing
Red Team 🔴 Leveraging phishing campaigns to deceive targets into divulging sensitive information or downloading malware is common practice. They might employ spear phishing with highly personalised messages or use social engineering tactics to manipulate their victims.
Blue Team 🔵 Security Awareness Training for staff is critical for this one. Plus, good web and email filtering and limiting users’ permissions to restrict running or installing malware. Implementing email authentication frameworks like DMARC, SPF and DKIM can help prevent spoofed emails entering the organisation.
User and Behavior Analysis
Red Team 🔴 Whilst they will do their best to blend in and act like a normal user, malicious activity and the commands a hacker uses often look unusual when compared to everyday computer use. Examples include multiple concurrent logins, connections from unusual geographic locations, unusual file access, commands to dump memory and repeated password attempts.
Blue Team 🔵 Tools like Endpoint Detection and Response (EDR), Intrusion Detection System (IDS) and Security Information and Event Management (SIEM) are key to detecting anomalies in user and system activity. These can be used for both detection and prevention, as well as analysis of past security incidents.
Common Applications Used as C2 (command and control)
Red Team 🔴 Attackers increasingly leverage seemingly innocuous applications like Dropbox, OneDrive, or OneNote for covert communication and control of compromised systems. These trusted applications often bypass traditional security measures, making them attractive for data exfiltration, remote access, or delivering additional malware payloads.
Blue Team 🔵 Defenders should consider blocking unnecessary apps with whitelisting, logging activity and reviewing logs with EDR and SIEM, and using next-generation firewalls and Data Loss Prevention (DLP) to block malicious outbound connections.
Privilege Escalation
Red Team 🔴 The most coveted account within any network or application is usually the “Administrator” account. Once inside a network, attackers often seek to elevate their privileges from a “regular user” to an Administrator, to gain greater control over user accounts, systems and data. This elevated access allows them to execute malicious code, disable security systems, delete logs, install persistent backdoors, and move laterally throughout the network with fewer restrictions.
Blue Team 🔵 Grant users only the minimum necessary privileges required to perform their tasks. Regularly audit and review user access rights. Employ strong password policies, multi-factor authentication, and account lockout mechanisms. Endpoint Detection and Response (EDR) solutions can help identify suspicious privilege escalation attempts and unauthorised activity. Implement application whitelisting to restrict the execution of unauthorised software.
Password spray
Red Team 🔴 Spraying hundreds or thousands of possible passwords at a system in the hope of getting lucky often pays off. Password spraying attacks are usually done with a large number of previously breached or leaked usernames and passwords. The list is usually 1 or 2 passwords below the account lockout threshold, so if the maximum number of attempts is 10, the list is 9 passwords long so that it doesn’t trigger a lockout or alert. Using this technique could give access to VPNs or online services like Office 365.
Blue Team 🔵 Always enforce Multi-Factor Authentication (MFA) for all accounts, use rate limiting to slow down password-guessing attempts, and log and review authentication events.
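The "log and review authentication events" advice above is where the spray pattern described in the Red Team section becomes visible: per-account lockouts never fire, but one source failing against many accounts does. The following is an added illustration, not code from Greystone or Mongoose Cyber; the log line format, the source addresses and the user names are all constructed for the example, and the thresholds are assumptions you would tune to your own lockout policy.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): 203.0.113.7 tries one password
# against six accounts, well under a lockout threshold of 10, and gets into one.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:06Z src=203.0.113.7 user=frank result=FAIL
2024-05-01T09:01:10Z src=203.0.113.7 user=dave result=OK
2024-05-01T09:05:00Z src=198.51.100.23 user=alice result=FAIL
2024-05-01T09:05:30Z src=198.51.100.23 user=alice result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(log_text):
    """One dict per matching line; lines in any other format are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def detect_spray(events, lockout_threshold=10, min_accounts=5, window_minutes=30):
    """Flag a source failing against >= min_accounts accounts inside window_minutes while
    every account stays below lockout_threshold; list accounts it then logged into."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    first, last = {}, {}                            # src -> earliest/latest failure
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
            first.setdefault(e["src"], e["ts"])
            last[e["src"]] = e["ts"]
    alerts = []
    for src, per_user in fails.items():
        span_min = (last[src] - first[src]).total_seconds() / 60
        if len(per_user) < min_accounts or span_min > window_minutes:
            continue
        if max(per_user.values()) >= lockout_threshold:
            continue  # single-account brute force; the lockout policy already covers it
        hits = sorted({e["user"] for e in events if e["src"] == src and e["result"] == "OK"})
        alerts.append({"src": src, "accounts_tried": len(per_user),
                       "max_failures_per_account": max(per_user.values()), "logged_in_as": hits})
    return alerts
```

The `logged_in_as` field is the actionable part of the alert: those are the accounts to reset and enrol in MFA first, while the source address goes to the rate limiter or firewall.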
If you are interested to know more and would like help to protect your business against cyber-attacks, please get in touch. Together we can review and test your IT security and help you put a plan in place to provide a strong security posture for your business.