
Microsoft Unified XDR and SIEM Solution Handbook

By: Raghu Boddu, Sami Lamppu

Overview of this book

Tired of dealing with fragmented security tools and navigating endless threat escalations? Take charge of your cyber defenses with the power of Microsoft's unified XDR and SIEM solution. This comprehensive guide offers an actionable roadmap to implementing, managing, and leveraging the full potential of the powerful unified XDR + SIEM solution, starting with an overview of Zero Trust principles and the necessity of XDR + SIEM solutions in modern cybersecurity. From understanding concepts like EDR, MDR, and NDR and the benefits of the unified XDR + SIEM solution for SOC modernization to threat scenarios and response, you’ll gain real-world insights and strategies for addressing security vulnerabilities. Additionally, the book will show you how to enhance Secure Score, outline implementation strategies and best practices, and emphasize the value of managed XDR and SIEM solutions. That’s not all; you’ll also find resources for staying updated in the dynamic cybersecurity landscape. By the end of this insightful guide, you'll have a comprehensive understanding of XDR, SIEM, and Microsoft's unified solution to elevate your overall security posture and protect your organization more effectively.

The current environment

High Tech Rapid Solutions Corp operates in a dynamic environment, characterized by diverse technologies and platforms. The key aspects of its current environment are as follows.

A cloud environment

Currently, the company operates in a multi-cloud environment, leveraging both Azure and AWS for its cloud infrastructure and business needs. This strategic adoption allows the company to benefit from the unique security features and capabilities offered by each cloud provider, while ensuring strong data protection across its operations.

A hybrid cloud architecture

Currently, the company maintains a hybrid cloud architecture, combining on-premises infrastructure with cloud resources. This approach enables the company to maximize security controls and meet compliance requirements, while capitalizing on the scalability, agility, and cost-effectiveness of the cloud.

User entities

They have a hybrid identity architecture in place that allows seamless authentication and authorization for employees, granting them secure access to resources and applications across the hybrid cloud environment.

Collaboration with partners

High Tech Rapid Solutions Corp collaborates with external partners to drive business growth and innovation. To establish secure collaboration, the company extends its identity management capabilities to partners by leveraging Entra ID External ID (formerly Azure Active Directory) B2B collaboration and cross-tenant capabilities, enabling partners to access specific resources and collaborate within designated workflows.

End user devices

High Tech Rapid Solutions Corp operates in a diverse device landscape that supports both Windows and macOS platforms. The following aspects outline the current device environment:

  • Windows devices: Windows devices form the majority of the organization’s device ecosystem. Approximately 80% of the devices within the organization run on Windows operating systems.
  • macOS devices: The company recognizes the need to accommodate user preferences and includes macOS devices in its device catalog as well. These devices, comprising approximately 20% of the overall device inventory, are equipped with security features and management tools to maintain consistent security standards across platforms.
  • Mobile phones: The company operates on diverse platforms such as iOS and Android.

Server infrastructure

High Tech Rapid Solutions Corp maintains a diverse server infrastructure to support its operations. The server landscape includes a mix of Windows and Linux servers, with the majority being Windows-based.

An application landscape

High Tech Rapid Solutions Corp’s applications are distributed across both on-premises and cloud environments. While legacy applications may still reside on-premises, the company prefers modern technologies and cloud-native architectures for new application development, incorporating strong security measures to protect sensitive data and defend against cyber threats.

An IoT/OT environment

In the company’s IoT/OT environment, Internet of Things (IoT) devices are integrated with traditional Operational Technology (OT) to optimize operations. Interconnected sensors and machines collect real-time data from production to the supply chain, feeding into centralized analytics for quick decision-making. The main challenge with the IoT/OT environment is that it lacks proper security monitoring, so visibility into the environment from a monitoring point of view is limited.

Security challenges

High Tech Rapid Solutions Corp has identified the following security-related challenges for their multi-cloud environment:

  • Siloed security architecture: High Tech Rapid Solutions Corp’s existing security infrastructure consists of disparate products that operate in isolation, resulting in limited visibility, missing threat intelligence, and inefficient incident response capabilities.
  • Incomplete security insights: The lack of centralized security monitoring and analytics hinders the ability to correlate and analyze security events, making it difficult to identify security threats and vulnerabilities promptly.
  • Inefficient threat response: The absence of a unified security platform and standardized processes undermines the effectiveness and agility of High Tech Rapid Solutions Corp’s incident response, leading to delays in containing and mitigating security incidents. Currently, they use a legacy Security Information and Event Management (SIEM) system and are keen to modernize it with a cloud-based solution.
  • Regulatory compliance: High Tech Rapid Solutions Corp must adhere to industry-specific regulations and compliance frameworks. Ensuring continuous compliance with standards presents challenges in terms of data protection, access controls, and security audits.

Management concerns

Management is especially concerned about the following specific areas and several possible attack scenarios, based on the history they have had with breaches:

  • Lack of visibility and control in an IoT/OT environment: High Tech Rapid Solutions Corp’s IoT/OT environment includes a wide range of devices and systems with varying security controls. This lack of standardized visibility and control makes the environment difficult to monitor and prevents the company from managing potential security vulnerabilities and incidents effectively.
  • Lack of visibility on internet-exposed digital assets: High Tech Rapid Solutions Corp doesn’t have a clear understanding of which of its digital assets are reachable from the internet, nor of the possible weak configurations on them. Its digital assets include domains, subdomains, web applications, cloud services, APIs, and IoT devices. The compliance and regulatory requirements that the organization must adhere to in different regions and industries mandate strict security standards and best practices to protect customer data and intellectual property.
  • No Threat Intelligence (TI) data feed exists: High Tech Rapid Solutions Corp’s security teams don’t have TI data available, which can lead to a situation where they lack full visibility of potential attack vectors and are unable to prioritize the most critical threats and vulnerabilities. In addition, the company is wasting valuable time and resources on false positives and irrelevant alerts, often missing key indicators of compromise and early warning signs of breaches. As it struggles to keep up with constantly evolving security threats, High Tech Rapid Solutions Corp risks losing reputation, customer trust, and revenue due to data breaches and downtime.

Challenges emphasized by security teams

High Tech Rapid Solutions Corp’s security team raised some concerns and challenges that they faced during the last year:

  • The finance department noticed some suspicious activities in their mailboxes, the creation of suspicious mail rules, and a few confidential emails leaking outside their department.
  • The SOC team noticed many incidents, and they are confident that remediating certain vulnerabilities would resolve these incidents and reduce the number of incidents/alerts, but they are struggling to gain visibility into those vulnerabilities.
  • The SOC team has limited resources, which leads to triage, investigation, and remediation challenges, and these delays cause escalations to senior management (i.e., lack of auto-remediation and mitigations).
  • The SOC team spends long hours fulfilling management’s ad hoc reporting needs.
  • Management is concerned about the SOC team’s inability to promptly address vulnerabilities and misconfigurations, which is attributed to the absence of a defined process and a dedicated vulnerability management team.
  • The HR department raised concerns to the security team about unauthorized users accessing their apps or servers.
  • Management initiated cost reduction strategies across the organization and allocated limited funds to the security team, asking them to reduce their cost, reduce the headcount, and submit Return on Investment (ROI) for any proposals, while simultaneously enhancing their security.
  • The existing security team is not ready to adopt new technologies and needs training and guidance for new initiatives.
  • The security team noticed too many users responding to spam messages and noticed URL clicks, and management asked the team to control these activities and train end users.
  • Management asked the security team to keep an extra eye on certain assets, as well as on terminated employees and contractors/vendors.
  • The security team noticed too many false positives and spent a lot of time addressing these.
  • The SecOps team struggles to track apps in the organization and control them.
  • The SecOps team doesn’t have enough knowledge about the Entra ID application consent framework or about how new and existing application registrations and permissions should be evaluated.
  • The SOC team doesn’t have active security monitoring for on-premises identities.
  • The SecOps team doesn’t have active security posture management for their cloud or on-premises resources.
  • High Tech Rapid Solutions Corp’s operations run on three different continents, and some employees travel between office locations, factories, and so on. For the SOC team, it’s complicated to distinguish false-positive from true-positive sign-ins with the current security monitoring solutions.
  • In a multi-cloud environment, High Tech Rapid Solutions Corp has been struggling to deploy agents on all servers.
  • High Tech Rapid Solutions Corp’s SecOps team has been failing to identify possible attack paths to cloud resources.

Concerns raised by CISO

The following are the concerns raised by the CISO:

  • Attacks on M365 collaboration workloads (BEC): As High Tech Rapid Solutions Corp extensively uses various collaboration tools, such as Microsoft Teams and SharePoint Online, it needs to address potential data leaks, phishing attempts, and other security risks associated with cloud-based collaboration. Additionally, the organization is concerned about the growing threat of Business Email Compromise (BEC) attacks, where cybercriminals target employees through email communications to compromise sensitive data, initiate fraudulent financial transactions, or gain unauthorized access to company resources. Mitigating the risks posed by BEC attacks has become one of the top priorities for the company, as these attacks can lead to severe financial and reputational consequences.
  • Ransomware attacks: High Tech Rapid Solutions Corp is increasingly concerned about the rising threat of ransomware attacks. The potential impact of a successful ransomware attack on its critical data and operations is a major risk. The organization seeks robust security measures and proactive incident response capabilities to prevent, detect, and respond effectively to ransomware incidents. Ransomware attacks, combined with the potential threat of BEC attacks, have emphasized the need for a comprehensive and layered security approach. High Tech Rapid Solutions Corp aims to implement advanced threat detection and prevention solutions, conduct regular security awareness training for employees, and enforce strict access controls to minimize the risk of ransomware and BEC attacks.

A recent incident response case

The company faced a targeted BEC attack six months ago that had a financial impact on business, and they want to detect and prevent similar attacks from happening in the future.

The BEC attack on High Tech Rapid Solutions Corp contained the following phases:

  • Initial reconnaissance:

    The attacker gathered information about the company and identified key personnel through the company’s websites and LinkedIn.

  • A phishing email:

    The attacker needed credentials to get access to the environment, and one of the most common ways to obtain them is through some form of phishing email. On this occasion, they used a spearphishing attachment (T1566.001 in MITRE ATT&CK, https://packt.link/eOJcm): the email carried a malicious attachment containing a link. By clicking the link, the user believed that they were logging into a Microsoft sign-in page and entered their credentials.

  • Persistence and exfiltration:

    After gaining access to the target user’s mailbox, the attacker created a forwarding rule to the mailbox for data exfiltration.

  • Financial fraud:

    The actual victim of this attack was a procurement manager who believed that the email (marked as Important and Confidential) urging immediate payment came from the CFO.

  • Impact:

    As a result of the successful BEC attack, the following occurred:

    • The financial team transferred a significant sum of money to the attacker’s account, thinking it was a legitimate payment.
    • The real vendor, who should have received this payment but did not, contacted the company to inquire about the overdue invoice.
    • The financial team realized it had been scammed, but it was too late to recover the funds, as they had already been transferred to an overseas account.
    • The company suffered a financial loss, damage to its reputation, and potential legal consequences for failing to secure sensitive financial transactions.
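The persistence step above (a forwarding rule created for exfiltration) and the suspicious mail rules the finance department reported earlier share one detectable footprint: a rule or mailbox change whose forwarding target lies outside the organization. The following added example, which is not code from the book, shows that detection logic run over constructed records shaped like the Exchange operations in the Microsoft 365 unified audit log; the domain hightechrapid.example, every address and every timestamp are assumed sample values.

```python
"""Flag inbox rules and mailbox settings that forward mail outside the org.

Added example, not the book's code. Records mimic Exchange operations in the
Microsoft 365 unified audit log (Operation, UserId, Parameters as Name/Value
pairs); every record, address and domain below is constructed.
"""
import re

# Operations and parameters through which a forwarding target can be set.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def external_domains(value, internal_domains):
    """Recipient domains in `value` that are not owned by the organization."""
    internal = {d.lower() for d in internal_domains}
    return {d.lower() for d in EMAIL_RE.findall(value) if d.lower() not in internal}

def find_external_forwarding(records, internal_domains):
    """One finding per change that forwards mail to an external domain; also
    notes whether the rule deletes the original, which hides the exfiltration."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = set()
        for name in FORWARD_PARAMS.intersection(params):
            targets |= external_domains(params[name], internal_domains)
        if targets:  # internal-only forwarding is routine and stays silent
            findings.append({
                "time": rec.get("CreationTime"), "user": rec.get("UserId"),
                "operation": rec["Operation"], "external_domains": sorted(targets),
                "deletes_original": params.get("DeleteMessage", "").lower() == "true",
            })
    return findings

# Constructed sample records (shape only; not real audit data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-01-10T08:02:11", "UserId": "pm@hightechrapid.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "ForwardTo", "Value": "finance-shared@hightechrapid.example"}]},
    {"CreationTime": "2024-01-10T08:15:40", "UserId": "pm@hightechrapid.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "ForwardTo", "Value": "archive.backup@mail.example.net"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-01-10T08:16:05", "UserId": "pm@hightechrapid.example",
     "Operation": "Set-Mailbox", "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:archive.backup@mail.example.net"}]},
]
```

Running `find_external_forwarding(SAMPLE_RECORDS, ["hightechrapid.example"])` keeps the internal finance rule silent and returns two findings for the same user within minutes, the first of which both forwards externally and deletes the original; that pairing is the pattern worth alerting on and reviewing against the user's recent sign-ins.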

To prevent such attacks in the future, the company is committed to strengthening its security posture, focusing on implementing robust email security measures, employee training, and verification protocols for financial transactions.