WatchGuard Blog

Why you need to take a deep, layered approach to IT security

In today’s highly digitised business world, cybercriminals are spoilt for choice when it comes to gaining access to a target corporate network.

One of the most popular approaches is the phishing attack where an employee is tricked into either downloading an infected file or going to a fake login portal and giving up their credentials. Once the attacker has access to the network, they can move laterally as they search for digital assets of potential value.

Aside from phishing, there are many other methods used by attackers to spread malware into the networks of victims. For example, there are a range of exploit kits spread across the internet. If a user can be tricked into visiting a malicious website under their control, their endpoint can quickly become infected.

Of all the types of malware currently being spread, one of the most popular is webshells. If an organisation has a web server exposed to the internet, a threat actor can exploit a vulnerability and drop a webshell file on that server that then opens up a backdoor. Through that backdoor they can then pivot and attack other things contained within the wider IT infrastructure.

One variant that has recently been growing in popularity is a strain called Laudanum. Initially designed as a penetration testing tool, it has now ended up in the hands of criminals.

The challenge with webshells is that they can tend to be very difficult to detect. If endpoint protection tools are not in place, they can remain in a network and out of sight for extended periods.

Defence in depth

Despite the increasing threats posed by webshells, there are key steps that organisations can take to prevent infection. The steps boil down to the concept of defence in depth.

This approach involves inspecting traffic to web servers using a man-in-the-middle approach. Traffic is decrypted, examined, and then re-encrypted before being forwarded to the user. This gives the security team visibility into what is going on but can be totally transparent to the users.

Defence in depth also involves running things like intrusion prevention services to look for exploits, malware payloads like webshells, or just straight forward malware binaries. It’s through a combination of perimeter and endpoint detection that the best protection can be achieved.

Aside from webshells, this approach also offers protection from a range of other malware types Some that have gained recent attention include botnet Trojans such as Emotet and Agent Tesla together with a newer variant dubbed RanumBot which has quietly infected tens of thousands of machines.

Cybercriminals are using RanumBot to target companies of any size as it can act as a Swiss Army knife of malware. It behaves as a traditional remote access Trojan giving threat actors control of a victim’s computers, and it can also disable endpoint protection tools such as Windows Defender or Windows Firewall, and then drop other payloads.

Threat actors appear to be able to quickly generate new variants of these threats that are able to include new evasion techniques or new infection methods that make it even easier to get past traditional lines of defence.

Taking a layered approach

Maintaining a secure IT infrastructure in the face of these constantly evolving threats requires a layered approach. From the perimeter to the endpoint, a range of different tools are required to address potential vulnerabilities and spot breaches if and when they occur.

A layered approach is particularly important when organisations have a large proportion of staff working remotely for an extended period. Part of the approach involves critically examining all the tools that are currently in place to ensure they are providing the level of protection that is required.

Check for out-of-date servers or applications that may need patches, and ensure that network traffic can be analysed with anomalous activity flagged for closer inspection. As staff slowly begin to spend more time back in the office, also check their client devices are clean before allowing them to connect to the corporate network.

The bottom line is that constant vigilance is needed to guard against the evolving cyberthreats that exist in the wild. By carefully examining and monitoring a layered security infrastructure, an organisation can be best placed to weather the attack storm.