Tuesday, 22 November 2022

A recent case exposes why cyber security requires multiple lines of defence

Our investigations into a problem one of our clients had exposed exactly why any cyber-security strategy must be multi-faceted. Find out why here...

Last week, our cyber team was alerted to a problem at one of the companies we support. Our team immediately sprang into action to protect the business, its systems and its data.

Our subsequent investigations exposed exactly why any cyber-security strategy must be multi-faceted. Here’s why.

Grant McGregor supports a wide range of organisations, both commercial and public sector, throughout Scotland and the rest of the UK. One of our priority areas of focus has always been in cyber security. Today, so much of our business life is conducted in the digital arena that cyber security has only continued to grow in importance since our foundation.

The starting point: our customary cyber security recommendations

We always advocate a multi-faceted approach: if you rely on only one line of defence you leave yourself exposed if that line fails.

Instead, we follow the advice of the UK Government’s Cyber Essentials scheme – which relies on five key pillars of cyber security. Namely, firewalls, secure configuration, user access control, malware protection and security update management. Depending on your organisational risk appetite and the kind of data you’re handling, quite often our cyber security recommendations and strategies will go well beyond these five areas, but they are – as they were designed to be – a useful starting point.

Grant McGregor has also long advocated cyber security awareness training for all staff. That’s because staff are your best first line of defence.

The sticking point: where things went wrong

So, to our use case… Things started to go wrong for our client when a member of staff was waiting for an important document to arrive via email.

The user received a file at their email address. Their email security solution identified the email as suspicious before it reached Office 365 and quarantined it.

In this instance, Proofpoint acted as the first line of defence.

However, the malicious actor was clever in their spoof email: it included original text that the member of staff had previously sent to this company. Thinking the quarantined email looked legitimate and was the reply they had been waiting for, the user requested that it be released from quarantine.

But this wasn't legitimate, and the sender had of course been hacked at their end.

It’s easy to make mistakes. Especially when we’re in a rush. Or under pressure. Which is, of course, how cyber criminals want us to be.

The user opened the email. And tried to open the attached file.

The warning point: alerting the Grant McGregor team

It was at this point that we became aware of the situation. Thankfully, as part of our service, we had recommended that the organisation deploy our Advanced Security Suite.

This software detected something suspicious, blocked the action and alerted our team.

We immediately reviewed the history on our cloud-based monitoring tool, examining the logs relating to the suspicious behaviour and the suspicious file. Our cyber security analysts discovered an alert about a command file that was trying to run the batch file “Fluxion.bat”. Now, Fluxion is a security auditing and social-engineering research tool – a script that attempts to retrieve the WPA/WPA2 key from a target access point.

Thankfully, the system had worked. It had blocked this attempt and generated the alert to our team. Disaster averted.
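The alert described above, a command interpreter launched from an email client to run a batch file, is the kind of behaviour an endpoint monitoring rule can pick out from process-creation telemetry. The following is an added example written for this post; it is not Grant McGregor's tooling nor the logic of the XDR product mentioned. The event field names, the list of email-chain parent processes and the staging-directory patterns are assumptions, and the sample events are constructed (host and user names are placeholders); the only detail taken from the write-up is the batch file name "Fluxion.bat".

```python
"""
Flag a command interpreter that runs a batch file either from an email-client
process chain or from a user-writable staging directory.

Added example (not the page's or any vendor's code). Field names follow
Sysmon event ID 1 style telemetry as an assumption; parent-process and
directory lists are illustrative, not a product's real rule set.
"""
from dataclasses import dataclass
import re

# Windows interpreters capable of executing a batch/script file.
COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Processes through which a user typically opens an email attachment
# (assumption: illustrative list).
EMAIL_CHAIN_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe"}

# A quoted or unquoted argument ending in .bat.
BAT_ARG = re.compile(r'(?:"([^"]+\.bat)"|(\S+\.bat))', re.IGNORECASE)

# Directories where an attachment lands before it is opened (assumption).
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|INetCache|Content\.Outlook)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    reason: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def batch_target(command_line: str):
    """Return the .bat path named on the command line, or None."""
    m = BAT_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(event: ProcessEvent):
    """Return an Alert when the event matches the batch-from-email pattern, else None."""
    if basename(event.image) not in COMMAND_INTERPRETERS:
        return None
    target = batch_target(event.command_line)
    if target is None:
        return None
    reasons = []
    parent = basename(event.parent_image)
    if parent in EMAIL_CHAIN_PARENTS:
        reasons.append(f"batch file launched from {parent}")
    if USER_WRITABLE.search(target):
        reasons.append("batch file runs from a user-writable staging directory")
    if not reasons:
        return None
    return Alert(event.host, event.user, "; ".join(reasons), event.command_line)


def scan(events):
    """Run every event through the rule and collect the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed telemetry: one event shaped like the incident, one benign
# scheduled script, one ordinary document open.
SAMPLE_EVENTS = [
    ProcessEvent("WS-EXAMPLE-01", "CORP\\alice",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Fluxion.bat"'),
    ProcessEvent("WS-EXAMPLE-02", "CORP\\svc_deploy",
                 r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Scripts\nightly_backup.bat"),
    ProcessEvent("WS-EXAMPLE-01", "CORP\\alice",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {alert.host} {alert.user}: {alert.reason}")
        print(f"        {alert.command_line}")
```

Only the first sample event is flagged: the scheduled backup script is a batch file too, but it is launched by the service control manager from a fixed scripts directory, so neither condition fires. In a real deployment the two conditions would carry different severities, and the "blocked" outcome described in the post comes from the endpoint agent acting on the same match, not from a script like this one.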

The learning point: what can we learn from this?

Our first observation concerns the caution that must be applied before opening anything that has made its way into your junk email folder or has been quarantined. There is usually a good reason it has been treated as suspicious.

However, there was a more worrying element to this story. The user in question had recently undertaken cyber security awareness training. They should have known better. Or, given the fact they had passed the training, perhaps it would be more accurate to say that they did know better.

The pressure of the moment, the weight of expectation, the eagerness to open the file – whatever it was – led the user to override their training.

So while we may contend that your people are your best line of defence, we also have to acknowledge that we all have bad days. We all have little moments when we aren’t paying as much attention as we usually do. And a moment is all the cyber criminals need…

The third line of defence was pivotal in this case. Our Advanced Security Services (XDR) and the security monitoring which prevented the action being undertaken and which sandboxed the file were the saving graces of this story.

The system worked – but only because the cyber security defences that had been put in place by this organisation were multi-faceted and in depth.

Our takeaway? We can’t rely on only one line of defence. Even your best line of defence can have a bad day occasionally. Multiple lines of defence are required.

What now?

If you’d like to know more about the advanced security services and monitoring services that Grant McGregor can offer, please reach out to our team.

Or you can download the guide to our Advanced Security Suite.


