Protecting the world’s data from cyberattacks: The Cohesity CERT (Cyber Event Response Team)

Data protection is paramount in an increasingly digital world. Sophisticated and aggressive cyber threats continue to evolve. According to recent statistics by Forrester, 78% of organizations were breached at least once in the last 12 months. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach reached $4.88M in 2024.

As a leader in AI-powered data security, Cohesity is a critical defender against these cyber threats, helping organizations identify, protect, detect, respond, and recover their critical business data. Attackers, recognizing the value of backup data, often target it to cripple an organization’s ability to recover from a cybersecurity attack, thereby forcing the customers to pay a ransom.

The Cohesity CERT (Cyber Event Response Team) has been pivotal in responding to such attacks. Over the past 12 months alone, they’ve responded to 42 incidents, highlighting the persistent nature of cyber threats in today’s landscape.

• Cohesity was not the day 0 insertion point in any of these attacks.
• Customers successfully recovered from these attacks, thanks to our cyber-resilient platform and the efforts of the CERT team.

Below, we present our findings, the key attack vectors, and actions that organizations can take to protect themselves from such a scenario based on the forensic analysis of these attacks.

#1 Attack vector: Compromised federated identity provider

The most prevalent attack vectors identified (80% of the 42 incidents) involved compromised federated identity providers—specifically Active Directory (AD) in 90% of those cases. In these scenarios, attackers gained access to AD accounts within a customer’s infrastructure, often attempting to leverage them to infiltrate and destroy the data backup.

Preventive measures: Setting up the right security configurations

The best defense against such incidents lies in proactive defensive measures. Here are some key strategies to enhance data defense:

• Strengthen security configurations within identity providers to minimize the risk of unauthorized access. Here are Microsoft’s security best practices for securing AD.
• Regularly update and audit access controls to ensure only authorized personnel have administrative privileges.

Setting up multifactor authentication (MFA) for Cohesity is one critical way to defend from breaches related to identity management solutions. In our view, MFA is considered non-negotiable and mandatory inside all organizations.

When setting up MFA, the following are the methods along with their considerations:

Authenticator application: On your device, use a time-based one-time password (TOTP) authenticator app, such as Okta Verify, Google Authenticator, Microsoft Authenticator, Duo Mobile, etc., and enter the verification code generated by the app.

• Caution – Using push notifications for MFA can expose vulnerabilities. Threat actors might exploit this method if users unknowingly accept notifications on their devices without verifying the login attempt’s legitimacy.

Phone call/short message service (SMS) verification: Phone calls and SMS-based verification are susceptible to interception since they lack encryption. They are also vulnerable if a threat actor manages to transfer a user’s phone number to a SIM card under their control, redirecting MFA notifications (SIM Swap attack).

• In one of the 42 incidents CERT responded to, the admin’s SIM was cloned to obtain access to the access code.

Email-based verification: Relying on email for MFA codes or validation is risky if an attacker gains access to the user’s email account. This access could allow them to intercept MFA emails and complete the authentication process.

• This path was exploited in several of the incidents we responded to.
  • Avoid group emails and DL in MFA.
• Implement MFA on individual accounts rather than groups to reduce vulnerabilities.
• In one case, MFA was set up, but an email group was used, broadcasting the second-factor access code to many people. With one of the users’ emails compromised, the access code was more easily available to the attacker.

To mitigate these risks when using any of these MFA methods, consider the following measures:

• Educate remote users to reject or ignore login notifications if they haven’t initiated a login attempt.
• Establish procedures for users to report suspicious MFA notifications promptly, as they could indicate a compromised account.
• Implement policies that prevent the automatic forwarding of emails outside the organization to protect against unauthorized access.

By implementing these precautions, organizations can strengthen their MFA practices and reduce the likelihood of unauthorized access.

Here are the steps to set up MFA with Cohesity.

A multi-layered approach to protecting data

Protecting data from cyberattacks requires a multi-layered approach, focusing on both proactive defenses and swift incident response capabilities. Cohesity’s experience underscores the critical importance of securing backup data and implementing robust security measures across all infrastructure layers.

Vigilance and preparedness are key in the face of escalating cyber threats. By implementing these strategies and fostering a culture of cybersecurity awareness, organizations can effectively defend against cyberattacks and safeguard their most valuable asset: data.

In future blogs, we’ll discuss additional strategies and emerging trends in cybersecurity to stay ahead of evolving threats. Stay tuned for more insights on safeguarding your organization’s valuable data assets.