SISA’s Top 5 Forensic-driven Learnings for 2022 to Secure Against Evolving Threats

SISA has been observing that the use of custom malware and genuine tools by intruders, as a defence evasion technique for lateral movement is becoming widespread, necessitating enterprises to invest in robust endpoint response solutions.
Top 5 Forensic-driven Learnings for 2022 to Secure Against Evolving Threats

The ever-increasing interconnected and perimeter-less networks, the accelerated migration to the cloud, and the distributed remote working model induced by the Covid-19 pandemic, have added more complexity to the rapidly evolving cyber threat landscape. The statistics related to the rapid rise of cyberattacks are staggering. 80% of organizations experienced a successful email-based phishing attack in 2021 – a startling 45% increase over 20201. That’s not all. The total number of ransomware attacks have seen a 105% jump during 2021 compared to 20202.

SISA has observed that, intruders are able to weaponize AI/ML tools to exploit vulnerabilities across IT infrastructure and outsmart even the most sophisticated cyber defences. SISA’s findings from forensics investigations carried out over the past 1.5 years reveal interesting insights with respect to trends in breaches, factors driving them and intruder actions among others. The findings serve as key learnings that organizations must consider in crafting their cyber resilience strategy. The top 5 learnings are summarized below:

1. Secure Vulnerable Loopholes

SISA has observed that organizations in general have good patch management for production and compliance environments. However, the same does not extend to non-critical environments such as User Acceptance Test (UAT) systems, user segment and Work-from-home (WFH). Intruders exploit this vulnerability and use it as an Ingress point to make lateral movement into a critical environment. The Log4j episode wherein zero-day vulnerability was found in a commonly used logging tool that allowed hackers to launch Remote Code Execution (RCE) attacks against affected systems further underscores the importance of patching. The use of automated patch monitoring and management tools is a critical lever that organizations can use to maintain a structured patch management process in today’s complex and heterogeneous environments. It is also important to create an accurate list of IT assets and run a monthly vulnerability assessment scan.

2. Strengthen Endpoint Response

As the intruders continue to target remote/WFH systems, the ability to respond to suspicious incidents in the remote system plays a crucial role in protecting the end-users and enterprises. SISA has been observing that the use of custom malware and genuine tools by intruders as a defence evasion technique for lateral movement is becoming widespread. Most of the antivirus and EDR solutions may detect these malwares, but unfortunately, they may not delete or quarantine the same. Hence, organizations need to invest in a robust endpoint response solution, which will enable them to take action against any malicious malware which might not be removed or quarantined by the endpoint detection solution. It is also a good practice to have a team for monitoring and conducting an incident response for various antivirus/EDR use cases, such as disabling the endpoint detection solutions, re-configuring them, etc.

3. Deploy Intelligent Monitoring

Intelligent threat monitoring involves continuous analysis, evaluation, and monitoring of an organization’s networks and endpoints for evidence of malicious internal or external threats. Every action on the system generates a log, and effective monitoring of logs is critical to enable the early detection of threats. SISA’s forensic investigations reveal, on average, an intruder resides in the company network for about 180 days, which explains why organizations need to have robust threat monitoring systems. Organizations must consider deploying a proactive ML-based threat hunting solution which can help identify malwares that have evaded existing security solutions. Integrating real-time threat intelligence also offers enterprises an edge through proactive threat blocking by detecting Indicators of Compromise.

4. Set Up Diligent Access Management

Access Management plays a critical role in securing identity and profile data. With compromised passwords cited as the most common cause of data breaches, securing digital identities needs to be a combination of strengthening access control measures and authentication mechanisms. Adopting a Zero Trust security approach built on the principle of “trusting no one” can help organizations prevent identity theft, data breaches, and illegal access to sensitive information by controlling user access to critical information. Context-based step-up authentication, proper configuration of MFA and strong password management are key controls that need to be set up for a robust access management.

5. Execute Proper Incident Response and Forensics

Having robust and integrated incident response and forensics is vital to identify, remediate and investigate security incidents early on to minimize recovery time and costs. Given that the dwell time of intruders is 180 days on average, preliminary forensics becomes critical to understand the root cause, pattern of attacks, and extent of impact and thereby lower the possibility of lateral movement. A forensic and incident response retainer program can help organizations as it acts as an insurance and offers them always-on access to expert forensics team, any time they suspect any incident. Equally important is to conduct Forensic Readiness Audit to assess an organization’s preparedness to detect, manage and investigate a security incident.


To understand more about how these learnings can guide your organization’s cyber security posture and to identify best practices to implement them, download the latest SISA Top 5 Forensic Driven Learnings 2022-23 report or sign-up for a free consultative Forensics Learning Session.



SISA’s Latest
close slider