Best Practice Assessment Executive Summary Risk Assessment

Best Practice Assessment

Executive Summary Risk Assessment

The cyber security incidents continue to increase and strengthen, big and small businesses are more vulnerable than ever to cybercrime. Average cost of a data breach reached an all time high.In order for any business to make an informed decision about its technology and services investments they need to know about the risk that they might be exposed to by analyzing risks. The risk assessment is the process of identifying, analyzing, and evaluating cybersecurity risks. Nearly all organizations are at risk of a cyber attack. To understand how great this risk is and to be able to manage it, organizations need to know their cybersecurity risk assessment. This identifies which assets are most vulnerable to the risks the organization might face.

In this document we have listed three types of attacks which are as follows.

• Business Email Compromise (BEC) attacks
• DNS Attacks
• Ransomware attacks

(Note: The dollar amount shown under each of the attack types is static and refers as the average cost associated with recovering from the breach)

The report will dynamically show the types of attacks based on the adoption calculation done in the BPA.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is a category of threat activity involving sophisticated scams which target legitimate business email accounts through social engineering (e.g., phishing) or other computer intrusion activities. Once businesses are compromised, cybercriminals leverage their access to initiate or redirect the transfer of business funds for personal gain. Cybercriminals used a variety of techniques in business email compromise wire-fraud schemes. Forms of social engineering, such as phishing, offer an easy and cost-effective way to gain covert access while maintaining a low risk of discovery. According to the report, in many cases cybercriminals are simply asking their unwitting targets to hand over their credentials and getting them. The U.S. Federal Bureau of Investigation calls BEC the “$43 billion scam,” referring to statistics for incidents reported to the Internet Crime Complaint Center from 2016-2021. Techniques for business email compromise can vary. Some threat groups gain access to targeted accounts through brute-force credential attacks, for example. However, social engineering, including phishing, is often an easy and cost-effective way to gain clandestine access while maintaining a low risk of discovery. In many cases, cybercriminals are simply asking their unwitting targets to hand over their credentials—and getting them.

Disclaimer About Breach Cost:

BEC Attack Report

Cite: IC3 latest 2022 report on Business Email Compromise - https://www.ic3.gov/Media/Y2022/PSA220504

Recommendation:

It is recommended to follow best practices to configure following capabilities to mitigate BEC attacks.

Advanced Threat Prevention

WildFire Advanced

Advanced URL Filtering

DNS Security

How BEC Attack is calculated

If the adoption percentage for any one of the adoption highlighted below (WildFire, Threat Prevention, URL Filtering, and DNS Security) or any of their sub adoption category is less than equal to 50% than BEC attack will be displayed under Risk Assessment.

Domain Name Server (DNS) Attacks

Being one of the core foundations of the internet, the Domain Name System (DNS) is fundamental to all organizations. Most of the organizations have solutions in place to protect areas in their network like web and email, but do nothing to secure their DNS traffic, leading to an alarming rise in DNS-layer threats. A proper utilization of a DNS security service could lead to enhanced DNS security. A DNS attack targets the DNS infrastructure. Attacks can be tailored to either recursive or authoritative servers. The two most common types of DNS attacks are Denial-of-service (DoS) attacks and Distributed-denial-of-service (DDoS) attacks. In both cases, attackers flood internet servers with many requests that they simply can’t answer them all, and the system crashes as a result. A simple DoS attack uses one computer and one internet connection to flood a remote server. They aren’t terribly effective at overwhelming today’s high-capacity systems. 

Disclaimer About Breach Cost:

IDC 2021 Global DNS Threat Report

Cite:https://www.efficientip.com/resources/idc-dns-threat-report-2021/

Recommendation

The DNS Security subscription offers limitless protection against tens of millions of malicious domains, identifying them with real-time analysis and continuously growing global threat intelligence. Our cloud database scales with data from a large and ever-expanding threat intelligence sharing community, adding to Palo Alto Networks sources that include:

• WildFire malware prevention service to find new C2 domains, file download source domains, and domains in malicious email links.
• URL Filtering to continuously crawl newfound or uncategorized sites for threat indicators.
• Passive DNS and device telemetry to understand domain resolution history seen from thousands of deployed NGFWs, generating petabytes of data per day.
• Unit 42 threat research to provide human-driven adversary tracking and malware reverse engineering, including insight from globally deployed honeypots.

How DNS Attack is calculated

If the % adoption for DNS Security is less than equal to 50% than DNS attack will be displayed under Risk Assessment.

Ransomware Attacks

Ransomware is a family of malware that attempts to encrypt files on end-user computers and then demands some form of e-payment to recover the encrypted files. A proper configuration of URL Filtering and WildFire could drastically help to mitigate such attacks. A URL Filtering will limit access by comparing web traffic against a database to prevent employees from accessing harmful sites. And,  WildFire utilizes near real-time analysis to detect previously unseen, targeted malware and advanced persistent threats, keeping your organization protected. Ransomware is one of the most common threats in the modern threat landscape; there are many different variants, an infection can cost a lot of money to recover from, and the actors responsible for the infections are driven to generate as much revenue as possible by extorting their victims. Ransomware in particular has been a focus area for many in the cybersecurity industry because of the impact on targeted organizations and those who depend on them. Threat actors gain control over critical data and resources and then leverage this control to coerce high-dollar payments from their victims. Unfortunately, these attacks have been made even easier with the rise of ransomware-as-a-service (RaaS) offerings. Ransomware as a service (RaaS) is a business for criminals, by criminals, with agreements that set the terms for providing ransomware to affiliates, often in exchange for monthly fees or a percentage of ransoms paid. RaaS makes carrying out attacks that much easier, lowering the barrier to entry for would-be threat actors and expanding the reach of ransomware.

Disclaimer About Breach Cost:

2022 Unit 42 Ransomware Threat Report 

Reduce the Attack Surface

• Gain full visibility and block unknown traffic. Identify all traffic on the network and block unknown, potentially high-risk traffic. 
• Enforce application- and user-based controls. Restrict access to SaaS-based tools for employees who have no business need for them. 
• Block all dangerous file types. Not all file types are malicious, but those known to present higher risk, or associated with recent attacks, can be controlled. 
• Implement an endpoint policy aligned to risk. Enforce policies that restrict noncompliant endpoints from connecting to critical network resources. 

Prevent Known Threats 

• Stop known exploits, malware, and command-and-control traffic. Blocking known threats raises the cost of an attack and ultimately reduces the likelihood of an attacker attempting a breach. 
• Block access to malicious and phishing URLs. Prevent users from inadvertently downloading a payload or having their credentials stolen by blocking known malicious and phishing URLs. Scan for known malware on SaaS-based applications. SaaS-based applications represent a new path for malware delivery and must be properly secured. 
• Block known malware and exploits on the endpoint. Endpoints are common targets for attacks. Ensure you are keeping your endpoints secure by blocking any known malware or exploits. 

Identify and Prevent Unknown Threats

• Detects and analyzes unknown threats in files and URLs. As new files are submitted, detonate, analyze and look for malicious behavior.
• Update protections across the organization to prevent previously unknown threats. Automatically push protections to different parts of your organization’s security infrastructure. 
• Add context to threats, and create proactive protections and mitigation. Developing protections requires context to better understand the attacker, malware and indicators of compromise. Block unknown malware and exploits on the endpoint. Once unknown threats or trends of suspicious behavior have been identified and blocked, block unknown malware and exploits on the endpoint.

Recommendation:

It is recommended to follow best practices to configure following capabilities to mitigate ransomware attacks.

WildFire

URL Filtering 

How Ransomware Attack is calculated

If the adoption percentage for either WildFire or URL Filtering is less than equal to 50% than Risk Assessment will show Ransomware Attack. 

The text displayed under Ransomware attack will dynamically change based on cases listed as below.

Case# 1: If the adoption percentage of WildFire is less than equal to 50% then below text will show up.

Description - Ransomware is a family of malware that attempts to encrypt files on end-user computers and then demands some form of e-payment to recover the encrypted files. A proper configuration of WildFire could drastically help to mitigate such an attack. WildFire utilizes near real-time analysis to detect previously unseen, targeted malware and advanced persistent threats, keeping your organization protected. 

Case# 2: If the adoption percentage of either URL Filtering Adoption or Credential Theft Adoption (or both of them) is less than equal to 50% then below text will show up. 

Description - Ransomware is a family of malware that attempts to encrypt files on end-user computers and then demands some form of e-payment to recover the encrypted files. A proper configuration of URL Filtering could drastically help to mitigate such attacks. A URL Filtering will limit access by comparing web traffic against a database to prevent employees from accessing harmful sites. 

Case# 3: If the adoption percentage for both WildFire and URL Filtering adoption [URL Filtering Adoption or Credential Theft Adoption (or both of them)] is less than equal to 50% then below text will show up.

Description - Ransomware is a family of malware that attempts to encrypt files on end-user computers and then demands some form of e-payment to recover the encrypted files. A proper configuration of WildFire and URL Filtering could drastically help to mitigate such attacks. WildFire utilizes near real-time analysis to detect previously unseen, targeted malware and advanced persistent threats, keeping your organization protected. A URL Filtering will limit access by comparing web traffic against a database to prevent employees from accessing harmful sites.

Contact BPA team at bpa@paloaltonetworks.com

Visit us at www.paloaltonetworks.com/