EXPEL BLOG

Happy Halloween! Cybersecurity horror stories from SOCs past

· 3 MIN READ · SCOUT SCHOLES · OCT 31, 2024 · TAGS: Malware / Managed security / SOC / Vulnerability

TL;DR

  • Our SOC analysts are sharing tricks from their past cybersecurity nightmares.
  • We’ve included tips on how to avoid living each nightmare yourself. 
  • The best tip? Thank your security team! Their work can be tedious, but it’s mission-critical.


In honor of spooky season, we sat down with some of our SOC analysts to hear their scary cybersecurity nightmare stories. While post-event these are entertaining (if you didn’t live them, that is), we’re also including tips with each so you can avoid living these horrors yourself. Consider these stories a treat that can help you avoid future tricks.

A haunting in the server room

I was working at a previous company that had physical servers with petabytes of data stored on each individual server. Due to a security exploit that could only be resolved by a physical reboot, we spent many sleepless nights manually rebooting every single server we had and confirming all its data was back online. 

Tip: Sometimes physical environments are necessary, but don’t forget to include them in your testing and patch planning, too—especially in today’s cloud-focused world. And if you have a physical environment, be extra nice to your security team.

Ghostbusters: malware edition 

Years ago, the WannaCry ransomware attack affected a huge number of large companies. It targeted a vulnerability that allowed the ransomware to spread between computers like a worm, without human intervention. It wreaked a lot of havoc quickly, but the curiosity of cybersecurity researchers saved the day. Marcus Hutchins registered a domain that was referenced in the malware, which was then used as a kill switch to disable the malware variant. 

Tip: Being curious is a great trait to have when your work is largely investigative. If you see something weird, say something! Don’t be afraid to ask why and dig for the answer. 

The haunted acquisition 

My company at the time acquired a new, smaller company, and transitioned their entire tech stack to our environment with no warning. It resulted in the security team being flooded with thousands of nonstop alerts that we couldn’t identify, and we spent a full day investigating the issue, only to find out it was all because of an acquisition we weren’t told about. I was new to the job and the industry, and it was an overwhelming welcome that could have been avoided with good communication. 

Tip: Mergers and acquisitions (M&As) are a time of increased vulnerabilities and gaps, and they need to be approached with extreme caution. Notify your security teams of any upcoming mergers and acquisitions, and work with them to coordinate merging tech stacks. It’ll save everyone a headache.

A nightmare pen test 

In a previous role at a company, we engaged a pen tester who was tasked with testing our industrial control systems. At one site, we requested permission to run a vulnerability scan on an operational system that we were told was properly segmented. The basic port scans were too much for the unsegmented network, and it caused device communication issues that accidentally knocked down multiple assets, and all the dominoes fell. Basically, we knocked down the whole system, which caused major operational impacts. My VP was on site that day, and I saw him after the incident. He just smiled, laughed, and shook his head.

Tip: Quadruple check the reach of your tests before you run them. Cybersecurity isn’t an industry where you can ask for forgiveness instead of permission, because the effects of a misplaced action can be resounding.

The multi-factor authentication (MFA) poltergeist 

When the large transportation hack happened a few years back, there was a kid who used it as a chance to access a different tech stack tool used by the targeted company. He accessed and redirected it to adult content sites. The scariest part, though, was how he did it—with a simple brute-force technique called MFA fatigue. He essentially annoyed someone into giving him access by spamming them with requests to approve authentication they weren’t requesting themselves. 

Tip: Don’t fall victim to MFA fatigue. If you’re getting spammed with requests to authenticate an action you didn’t take, don’t approve it—report it. 
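As an added example (not code from the original post), here is how a SOC could spot the pattern the tip describes in its own MFA push logs: a burst of push prompts the user did not approve, possibly ending in an approval. The log line format, the 10-minute window, and the threshold of four are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): one record per push notification.
# Fields: timestamp, user, result (denied / timeout / approved), source IP of the login attempt.
SAMPLE_LOG = [
    "2024-10-31T02:01:05Z alice timeout 203.0.113.7",
    "2024-10-31T02:01:40Z alice denied 203.0.113.7",
    "2024-10-31T02:02:15Z alice timeout 203.0.113.7",
    "2024-10-31T02:02:50Z alice denied 203.0.113.7",
    "2024-10-31T02:03:30Z alice timeout 203.0.113.7",
    "2024-10-31T02:04:10Z alice approved 203.0.113.7",
    "2024-10-31T09:15:00Z bob approved 198.51.100.4",
    "2024-10-31T09:16:30Z bob approved 198.51.100.4",
]

WINDOW = timedelta(minutes=10)   # assumed detection window
THRESHOLD = 4                    # assumed: unapproved pushes in WINDOW that signal fatigue pressure

def parse(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip

def detect_mfa_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose push pattern looks like MFA fatigue.

    Each alert records how many pushes the user did not approve inside the window
    and whether the burst ended in an approval, the outcome defenders most care about.
    """
    events = defaultdict(list)
    for line in lines:
        ts, user, result, ip = parse(line)
        events[user].append((ts, result, ip))
    alerts = {}
    for user, recs in events.items():
        recs.sort()
        for i, (ts, _result, _ip) in enumerate(recs):
            # Sliding window: every push from recs[i] up to ts + window.
            burst = [r for r in recs[i:] if r[0] - ts <= window]
            unapproved = sum(1 for r in burst if r[1] != "approved")
            if unapproved >= threshold:
                alerts[user] = {
                    "unapproved_pushes": unapproved,
                    "approved_after_burst": any(r[1] == "approved" for r in burst),
                    "source_ips": sorted({r[2] for r in burst}),
                }
                break  # one alert per user is enough; the SOC investigates from there
    return alerts
```

An alert with `approved_after_burst` set is the case worth escalating first: the user may have approved a prompt they never initiated.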


Happy Halloween—stay secure out there!