Posted By Jessica Weisman-Pitts

Posted on October 26, 2023

The Next phase of cyber protection: pre-emptively detecting attacks

In this Q&A, Sian John, Chief Technology Officer (CTO) at NCC Group, a global leader in cybersecurity, delves into how Online Exposure Monitoring (OXM) technology enhances an organisation’s visibility and comprehension of its digital exposure across the clear, deep, and dark web. This marks a significant stride forward in proactive cybersecurity measures, as it enables the early detection of impending cyber threats.

In today’s digital landscape, nearly all businesses face the stark reality of their sensitive digital data being exposed online, either intentionally or inadvertently. Often, organisations tend to focus on threat detection only once an attack is underway. However, the truth is that early identification of adversarial behaviour can significantly reduce the impact of such threats. Embracing a layered defence strategy that detects risks in their nascent stages can effectively mitigate the impact, risk, and cost of cyberattacks, thereby forging a more secure digital future for all.

How does Online Exposure Monitoring (OXM) work to provide visibility into the clear, deep, and dark web?

OXM offers a range of service tiers to support organisations at any point in their cybersecurity journey. It augments managed extended detection and response (MXDR) services to offer a holistic perspective of the entire attack chain. OXM provides invaluable insights into emerging and potential threats at their earliest stages, while MXDR identifies threats in the more advanced phases, ensuring comprehensive threat coverage.

Why is this a significant step forward in proactive and pre-emptive cybersecurity?

OXM empowers organisations to monitor threats right from the outset of the cyber kill chain, during the reconnaissance phase. This phase involves malicious actors seeking opportunities to compromise their target while gathering information about the organisation, its personnel, and the technologies in use. Much of this information is readily available on the internet, provided you know where to look. NCC Group and Searchlight Cyber possess the expertise to pinpoint such valuable information that could be useful to attackers. OXM enables organisations to monitor these sources of information, thereby spotting potential threats before malicious actors can exploit them, reducing the risk of misuse.

What types of attacks does this monitoring technology look out for?

OXM is capable of identifying various attacks, whether they are impending, occurring during an incident, or even in the aftermath of a breach. Before an incident, OXM can identify threats such as leaked credentials, where malicious actors exploit exposed usernames and passwords to gain unauthorised access to the corporate network. It can also detect typo-squat domains, which are domain names closely resembling those of the organisation and are often used for phishing or creating cloned versions of corporate websites. Additionally, OXM can uncover instances of sensitive data exposure, where confidential or sensitive information becomes inadvertently accessible to potential attackers. This may include sensitive documents or unpatched systems that attackers might target as entry points into the corporate environment.

During a security incident, how does OXM prove valuable?

OXM plays an indispensable role in identifying ongoing threats and potential breaches during a security incident. It can alert organisations to the sale of access on the dark web by Initial Access Brokers, a group of cybercriminals who acquire access to victims and auction it off to the highest bidder. In cases where traditional security monitoring fails to detect a breach, mentions of the organisation in criminal forums or online marketplaces can serve as early indicators of a security breach. Furthermore, OXM enables the monitoring of network traffic leaving the organisation and connecting to the dark web via TOR. This capability helps organisations uncover issues such as employees accessing the dark web for illicit activities or malware within their environment communicating with criminal infrastructure on the dark web.

How does OXM contribute to post-incident analysis?

In the aftermath of a security breach, OXM plays a critical role in post-incident analysis. It continuously monitors for any exfiltrated data, a major concern when an organisation’s security has been compromised. Whether it’s a ransomware incident or another type of breach, OXM scans the clear, deep, and dark web to identify traces of stolen information. By providing organisations with visibility into post-breach activities, OXM allows them to swiftly prioritise their efforts to minimise online risks and take necessary actions to mitigate the impact of the breach. This proactive approach is vital in efficiently containing and recovering from security incidents.

Can you walk us through how NCC Group is adopting this technology?

Powered by Searchlight Cyber’s dark web monitoring platform, DarkIQ, OXM combines NCC Group’s threat intelligence expertise and consultant-led approach with automated alerts to continuously monitor an organisation’s digital risk. It alerts organisations to incidents like breached credential releases, exposed data on code repositories, phishing domains, and concerning threat actor discussions involving key personnel or assets. In addition to reviewing incidents and alerts identified by Searchlight’s automated monitoring, NCC Group’s Threat Intelligence team assists organisations with asset discovery, alert triage, and threat hunting, and provides mitigation advice and actionable recommendations to adjust their security posture effectively, thereby minimising and reducing the total impact and cost of threats.
