Access brokers — the threat actors who gain and sell access to organisations and simplify eCrime for other cybercriminals — are especially active during this time of year. They capitalise on seasonal shifts to craft holiday social engineering campaigns, steal more information and make more money by selling their findings to threat actors on underground forums.
To make matters worse, many access brokers have relationships with big game hunting (BGH) ransomware operators, meaning the peak trading season is a prime opportunity for ransomware operators to launch campaigns and extort victims.
Here are 5 ways your business can defend against Access Brokers during Black Friday, Christmas and beyond:
1. Understand your environment: The age-old adage “You can’t protect what you can’t see” has never been so true. Over the past few years, organisations have accelerated their use of cloud infrastructure, resulting in a larger digital footprint. Security teams must gain an outside-in view of their full enterprise attack surface in order to identify areas of exposure and close security gaps. Don’t wait for the adversary to strike. Map your assets, visualise attack paths and address them.
2. Prioritise identity protection: The rise in malware-free attacks, social engineering and similar attempts to steal and use credentials drives the need for strong identity protection. CISA’s Shields Up initiative urges organisations to enforce MFA and identify and quickly assess unusual network behavior. Conditional risk-based access policies are advised to reduce the burden of MFA for legitimate users.
- Social media training is crucial: Don’t announce department shutdowns or IT service changes on social media, and instruct employees to refrain from sharing personal data on social channels. Train staff to avoid sharing credentials in support calls, emails or tickets. And finally, don’t publish executive or IT contact details on the company website — it may aid adversaries in impersonation efforts.
3. Strengthen cloud protection: The number of observed cloud exploitation cases grew by 95% year-over-year in 2022. Adversaries are aggressively targeting cloud infrastructure and using a broad array of tactics, techniques and procedures to compromise critical business data and applications in the cloud. Stopping cloud breaches requires agentless capabilities to protect against misconfigurations, control-plane and identity-based attacks, and also runtime security to protect cloud workloads.
4. Know your adversary: Organisations spend vast amounts of time and money fighting ghosts and noisy alerts, never knowing the “who, why and how” behind cyberattacks. If you don’t understand your adversary, you are poorly prepared to face them. Invest in threat intelligence that exposes the humans behind the attack, as well as their motivation, capabilities and tools. Use threat intelligence that continuously scans underground forums for exposed identities and leaked data, and notifies the security team when company credentials are detected. Monitor for websites or newly created domains that mimic your organisation. If you don’t have time or resources, work with a third party to mitigate the risk of these look-alike websites.
5. Practice makes perfect: Encourage an environment that routinely performs tabletop exercises and red/blue teaming to identify gaps and eliminate weaknesses in your cybersecurity practices and response. Prepare how to outpace the adversary with comprehensive visibility into what’s happening on your endpoints. Hunt for hidden intruders by looking for web shells and remote monitoring tools that may be active in your environment. Seek support from expert teams that know access brokers and their tools to help mitigate hidden threats.
