Defending your data: an endless game of cat and mouse - Bistech

Why security never stops. 

Hitting the headlines daily, the relentless struggle between cyber security experts and threat actors persists, with increasingly higher stakes. For every technological advance or application of new security measures, cyber criminals are ready and waiting to pounce — immediately probing for and exploiting potential weaknesses. With this enduring cat-and-mouse game showing no sign of ceasing any time soon, we take a look at some current security challenges and the steps organisations can take to protect themselves.

Constantly evolving credential threats

One of the most effective defences against credential threats, such as volumetric-based attacks like password spraying or password reuse, is Multi-Factor Authentication (MFA). In 2019, Microsoft[1] boasted that MFA could block over 99.9% of account compromise attacks. But of course, as soon as MFA gained widespread adoption, cyber criminals began devising innovative ways to circumvent it.

Fast forward to 2022, and Security Week[2] reported one such technique, known as “MFA fatigue”, that was proving very effective in some high-profile attacks. In these attacks, adversaries relentlessly bombard users with MFA requests via push notifications, SMS messages and phone calls, aiming to wear the user down until they ultimately accept one. Microsoft’s Digital Defense Report for 2022[3] confirmed approximately 30,000 instances of MFA fatigue attacks every month, suggesting the technique is producing results for attackers.

As you would expect, security vendors continuously refine their defences to counter such endeavours. Features like number matching[4] (where a user must enter a number into an MFA app) have been introduced to reduce the effectiveness of MFA fatigue. However, the ongoing prevalence of MFA fatigue across 2023 reinforces how important it is for businesses to continually review their security approach, at even the most tactical level.
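The MFA fatigue pattern described above (a burst of unapproved prompts, sometimes ending in an approval) can also be looked for in sign-in logs. The following is an added example, not code from the article or from any vendor: the event fields, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of unapproved prompts that is suspicious

# Constructed sample events: (ISO timestamp, user, MFA prompt result)
SAMPLE_EVENTS = [
    ("2023-09-01T02:10:00", "alice", "denied"),
    ("2023-09-01T02:10:40", "alice", "timeout"),
    ("2023-09-01T02:11:15", "alice", "denied"),
    ("2023-09-01T02:12:05", "alice", "timeout"),
    ("2023-09-01T02:12:50", "alice", "denied"),
    ("2023-09-01T02:13:30", "alice", "denied"),
    ("2023-09-01T02:14:10", "alice", "approved"),  # user finally gives in
    ("2023-09-01T09:00:00", "bob", "denied"),      # ordinary mis-tap
    ("2023-09-01T09:00:30", "bob", "approved"),
] + [  # carol: five denials, but an hour apart, so never inside one window
    (f"2023-09-01T{h:02d}:00:00", "carol", "denied") for h in range(8, 13)
]

def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Flag bursts of unapproved MFA prompts and approvals that follow a burst."""
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    alerts = []
    for ts_str, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:      # burst threshold just crossed
                alerts.append({"user": user, "kind": "prompt_burst",
                               "at": ts_str, "unapproved": len(q)})
        elif result == "approved":
            if len(q) >= threshold:      # approval right after a burst: highest priority
                alerts.append({"user": user, "kind": "approved_after_burst",
                               "at": ts_str, "unapproved": len(q)})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the case to triage first, since it means a session may already have been issued after the user accepted a prompt they did not initiate.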

So, can adopting the latest MFA enhancements like number matching make this challenge disappear? Well, not entirely, as every defensive measure soon seems to have an opposing countermeasure.

Consider, for example, Adversary in the Middle (AiTM) phishing[5], which typically involves a threat actor attempting to intercept and steal an individual’s password and session cookies by deploying a proxy server between the user and the website. The attacker alters the communication between these two components and any data shared by the user first flows through the adversary before reaching the intended recipient. This gives the attacker the ability to impersonate the user even with MFA, and so, the game of cat and mouse continues…

Surging ransomware attacks

To add fuel to the fire, ransomware attacks are also on the rise. In July 2023, NCC Group[6] reported a staggering 154% year-on-year increase, which marked a 16% uptick from the previous month. While a comprehensive backup strategy encompassing immutable storage can provide protection and reassurance against conventional ransomware attacks, once again, cyber criminals have simply changed tactics.

Indeed, a recent NCSC[7] report outlined how some threat groups now engage in data theft and extortion without deploying ransomware, choosing their approach based on the likelihood of obtaining payment. So, for example, they may unleash ransomware to disrupt logistics companies dependent on their data to operate, but prefer extortion-only attacks against healthcare services, where patient privacy is a priority.

A rapidly reducing window for defence

Another concerning statistic reported by Microsoft[3] last year is that the median time for attackers to access private data, once a phishing email has compromised a victim, is 1 hour and 12 minutes. This gives a very small window of opportunity to firstly, identify that you have been the victim of an attack and secondly, do something about it. Worryingly, Microsoft also stated that 92% of affected organisations failed to implement effective data loss prevention controls, resulting in critical data loss.

To maximise the likelihood of catching a threat actor and minimise the impact of any potential incident, businesses need to establish an appropriately resourced team to monitor the environment around the clock and respond to incidents as and when they occur. Most find this either too difficult or cost-prohibitive and prefer to work with a Managed eXtended Detection and Response (MXDR) partner to achieve peace of mind.

Staying one step ahead

Applying a robust data protection strategy ensures that sensitive information, whether belonging to your customers, employees, or the company, is safeguarded against unauthorised access, breaches, and potential misuse. By adopting industry best practices, employing encryption, establishing access controls, and regularly monitoring data handling processes, businesses can not only maintain trust with their stakeholders but also comply with regulatory requirements that emphasise data privacy and security.

The accelerating pace of cyber threats can pose a daunting challenge for businesses. As adversaries use increasingly sophisticated tactics, organisations face mounting pressure to address a myriad of threats and vulnerabilities. Collaborating with an experienced security partner not only bolsters an organisation’s security defences but also adds substantial value by preserving its assets, reputation, and operational continuity in an era where cyber risks are ever-present.

At Bistech, we take a defence-in-depth approach to help our customers stay safe. To discuss your security needs, call our specialist team today on 03330 11 22 55.

[1] One simple action you can take to prevent 99.9 percent of attacks on your accounts

[2] High-profile hacks show effectiveness of MFA fatigue attacks | SecurityWeek

[3] Microsoft Digital Defense Report 2022

[4] How number matching works in multifactor authentication push notifications for Microsoft Authenticator – Microsoft Entra | Microsoft Learn

[5] Detecting and mitigating a multi-stage AiTM phishing and BEC campaign | Microsoft Security Blog

[6] NCC Cyber Threat Intelligence Report July 2023

[7] Ransomware, extortion and the cyber crime ecosystem