Page 187 - Cyber Defense eMagazine RSAC Special Edition 2025

2.  Mitigate the Risk from Third-Party Exposure

Threat actors leverage a range of strategies to gain the upper hand in the ransomware landscape. Still, nothing presents as ample an opportunity as malware-infected third-party and unmanaged devices used to access corporate applications.

Whether these devices belong to employees or third parties, a single device infected with infostealer malware can open the doors for threat actors to move laterally beyond the initial endpoint, gaining access to potentially hundreds of applications and stealing thousands of third-party credentials. This can quickly escalate to a ransomware attack, especially if persistent access credentials like API keys, long-lived authentication cookies, or administrative credentials are compromised.

Security researchers found that as many as 90% of security compromises originate from unmanaged devices, and third-party access is second only to phishing as a common entry point for ransomware. Many exposures stem from enterprise data siphoned out of a managed network by ease-of-access systems that sync credentials and other information between connected devices.

Outside of traditional IT control and without visibility into these exposures, it’s difficult for an organization to fully understand its risk and properly defend itself.

To negate the opportunities for third-party exposure, security teams need to work proactively to illuminate the full attack surface. This includes continuously monitoring for exposed identities on the dark web so they can identify compromised accounts before they are exploited. By improving visibility into malware-exfiltrated data, they can quickly discover exposed applications and execute a rapid response, such as remediating credentials associated with third-party applications like Single Sign-On (SSO), code repositories, payroll systems, VPNs, or remote access portals.

Educating employees about the risks associated with using personal devices for work can also help reduce the likelihood of infections occurring.

3.  Use Automation to Speed Up Detection and Mitigation

We know cybercriminals leverage automation, but as they get faster, so can we. By leveraging automated remediation from alerts and incident notifications for new breaches and malware infections, SOC teams can more quickly operationalize data and feed it into automated remediation workflows to negate its impact.

Enterprises should consider the following strategies:

•  Set up automated alerts for when the organization’s credentials appear in data leaks and integrate findings with a SIEM for proactive monitoring, ticket generation, and resets.
•  Create automated workflows to notify users when their credentials are compromised and guide them through remediation actions.
•  Schedule automated scans of the dark web to compare user credentials against compromised accounts.
•  Develop automated playbooks for incident response, including a more robust post-infection remediation that outlines the comprehensive steps to take when credentials are found.
