Stop Ransomware in Its Tracks: A 5-Step Proactive Defense Plan

The most dangerous thing in a server room is often the phrase, “Don’t touch that.” It’s usually said with a half-joke and a grimace. It refers to the old box that “still works”, runs something important, and has survived so many fixes and workarounds that nobody feels confident changing it anymore. That’s legacy debt. Not just “old tech”, but old tech that’s become a dependency. It’s the kind that quietly accumulates risk until it turns into downtime, security exposure, or an emergency upgrade at the worst possible time. A legacy debt audit is the fast way to bring that risk back into the light. What Legacy Debt Really Looks Like Legacy debt isn’t “old gear”. It’s old gear that has become normal. It’s the server that runs a critical app, the edge device nobody remembers buying, the workaround that turned into a dependency. Over time, that debt stacks up quietly. Infinite Lambda describes legacy debt as something that “happens even to the best systems,” “silently accruing costs and constraints,” and it can “accumulate basically unnoticed until it is too costly to ignore.” That’s why a legacy debt audit isn’t a theoretical exercise. It’s a visibility exercise to bring the oldest, highest-leverage risks back onto the list of things you actively manage. The security problem shows up when “old” becomes “unpatchable.” The UK’s NCSC guidance on obsolete products says, “Ideally, once out of date, technology should not be used,” and “the only fully effective way to mitigate this risk is to stop using the obsolete product.” If something can’t be updated, weaknesses don’t age out. They sit there, waiting for the wrong day. Legacy debt also looks like basic server hygiene slipping. NIST SP 800-123 frames secure server operations as an ongoing process: “Maintaining the secure configuration through application of appropriate patches and upgrades, security testing, monitoring of logs, and backups…” It also calls out foundational hardening steps like “Patch and upgrade the operating system” and “Remove or disable unnecessary services, applications, and network protocols.” When those basics become inconsistent, legacy debt turns into a reliability and incident-response problem, not just a security one. Finally, legacy debt often hides at the edge. If you have end-of-support internet-facing devices, you’ve got high-leverage risk in the most exposed place. The 3 Oldest Risks to Find First These three categories are where “old” most often turns into outsized risk, because they combine age with leverage: they either sit at the front door, can’t be fixed anymore, or have quietly drifted out of a safe baseline. Risk #1: End-of-support edge devices If you’re looking for high-leverage legacy debt, start at the edge. Firewalls, VPN gateways, routers, and other internet-facing devices are the front door to your environment. When they reach end-of-support (EOS), they don’t just become outdated. They become harder to defend because security fixes stop arriving. What to check in your audit List every edge device (firewall, VPN, router) and the support status for each one Confirm which ones are internet-facing and which services are exposed Identify devices that can’t run the current firmware or no longer receive updates. Risk #2: Obsolete products that can’t be fixed anymore Obsolete products are the purest form of legacy debt: things that are still operating but no longer receive security updates. That means every new vulnerability becomes permanent. In other words, there’s no clever workaround that makes an unsupported system “safe”. There are only risk reductions until you can replace it. What to check in your audit Identify anything past support: server OS versions, appliances, old hypervisors, and line-of-business apps Flag systems that require exceptions, like the ones with old protocols, weak auth, and special firewall rules Find the “business-critical but unsupported” systems. Risk #3: “It still works” servers with neglected basics This is the sneakiest risk because it looks normal. The server is supported. The hardware runs. Nobody’s complaining. But the basics have drifted: patching is inconsistent, unnecessary services are still running, and backups haven’t been proven under pressure. SP 800-123 Guide to General Server Security frames secure server operations as an ongoing discipline, including “patches and upgrades,” “monitoring of logs,” and “backups.” It also calls out core hardening steps like “Patch and upgrade the operating system” and “Remove or disable unnecessary services, applications, and network protocols.” Those are the unglamorous fundamentals that stop small problems from turning into long outages. What to check in your audit Patch reality: what’s the current patch level and how often do updates slip? Service sprawl: what’s running that doesn’t need to be running? Admin and service accounts: where are the broad permissions and shared credentials? Backup confidence: when was the last restore test and did it succeed? Change control: who can make changes, and how are they tracked? Stop Carrying Silent Risk Legacy debt doesn’t announce itself. It sits quietly in the background until the day it becomes downtime, exposure, or an emergency upgrade you didn’t plan for. A legacy debt audit gives you control back by turning “we should deal with that someday” into a shortlist you can act on. Start with the highest-leverage risks: end-of-support edge devices, obsolete products that can’t be patched, and servers where the basics have drifted. Then assign owners, set dates, and move one item at a time from “too scary to touch” to “handled”.  Contact us for help running your next legacy debt audit.

MFA is a strong front-door lock. But it’s not the only thing that decides whether someone can get in. After you sign in, your browser keeps you logged in using a session token (often stored as a cookie). It’s the digital version of a wristband at an event: once you’ve been checked, the wristband proves you belong there. If an attacker steals that wristband, they may not need to beat your MFA prompt at all. That’s the core of session cookie hijacking. The attacker isn’t “cracking” MFA. They’re skipping it by replaying your already authenticated session. This isn’t a reason to stop using MFA. It’s a reason to stop treating MFA as the finish line. When sessions can be stolen, the practical defence shifts to layered controls: phishing-resistant sign-ins, device hygiene, tighter session policies, and detection that catches suspicious access early. Why MFA Isn’t a “Game Over” Control MFA is still one of the best upgrades most businesses can make, but it doesn’t end an attack on its own. The reason is that attackers don’t always try to beat the login step. They try to go around it. Cloudflare notes that “attackers are finding new ways to circumvent MFA” and that modern incidents are rarely one isolated technique. They’re “part of a chain of attacks.” In other words, MFA can block a lot of credential theft, but it doesn’t automatically protect what happens after a user successfully signs in. That’s where session cookie hijacking comes in. Microsoft has described adversary-in-the-middle phishing campaigns where attackers use a reverse-proxy site to “steal and intercept” a user’s password and the session cookie that proves they have an authenticated session. This is “not a vulnerability in MFA.” The attacker isn’t breaking the MFA. They’re reusing the session. What a Session Cookie Is and Why Attackers Want It When you sign into a web app, the site needs a way to remember that you’ve already proved who you are. That’s what a session is: a temporary “logged-in” state that saves you from entering your password and MFA code on every click. Kaspersky explains that session hijacking is “sometimes called cookie hijacking” because cookies are commonly used to store the session identifier that keeps you authenticated. Attackers want that session identifier because it’s the shortcut. Proofpoint describes session tokens as digital “keys” that let a user stay authenticated. It warns that stealing valid tokens lets attackers impersonate legitimate users and potentially bypass authentication measures “like MFA.” That’s why session cookie hijacking is so highly leveraged. If an attacker can steal the cookie or token that represents your active session, they’re not trying to defeat the login process. They’re attempting to reuse what you already completed, and access the same apps and data as if they were sitting at your keyboard. How Session Cookie Hijacking Actually Happens A lot of teams picture “account takeover” as someone guessing a password or tricking a user into approving an MFA prompt. Session cookie hijacking is different. The attacker’s goal is to steal the proof that you’re already logged in, then reuse it, often without triggering another sign-in challenge. 1.) AiTM phishing Adversary-in-the-middle (AiTM) phishing is the “proxy login” trap. You think you’re signing into a normal service, but you’re actually signing into a lookalike page that sits between you and the real site. The attacker relays the login in real time, so everything appears to work, including MFA. Attackers use AiTM phishing sites to “steal and intercept” a user’s password and the session cookie that proves the authenticated session. This is “not a vulnerability in MFA.” The attacker isn’t breaking the MFA. They’re capturing the session after MFA is completed and reusing it. One such campaign “ attempted to target more than 10,000 organisations ” since September 2021, which shows how scalable this approach has become. 2.) Browser-in-the-Middle session stealing Browser-in-the-middle (BitM) is similar in spirit, but it’s even more “hands-on” from the attacker’s side. Instead of stealing a password and running away, the attacker effectively places themselves in control of the browsing session. Google’s threat intelligence says, “Stealing this session token is the equivalent of stealing the authenticated session.” Once the token is stolen, “an adversary would no longer need to perform the MFA challenge.” In other words, the attacker isn’t trying to authenticate instead of you. They’re trying to ride along after you’ve authenticated. 3.) Cookie theft from the endpoint Not every session hijack starts with a fancy proxy. Sometimes the attacker simply steals session data from the device itself. Stealing valid session tokens allows attackers to impersonate legitimate users. Tokens act like digital “keys.” If an endpoint is compromised, those “keys” can be extracted and reused. Invicti explains that an attacker steals HTTP cookies and can gain access. The goal is often to obtain sensitive information stored in cookies. MFA Is a Baseline, Not a Finish Line MFA is still essential. It blocks a huge amount of credential theft and makes basic account takeover harder. But session cookie hijacking is a reminder that attackers don’t always try to defeat the login step. Sometimes they reuse what happens after it. The practical response is layered and realistic. Make phishing harder to pull off, and treat device health as part of identity. Tighten session behaviour for high-risk apps. Watch for suspicious access patterns that suggest a session is being replayed. When those controls work together, MFA stops being a comforting checkbox and becomes what it should be: a strong baseline that’s backed by protections around the session itself.  Contact us today for help protecting your login sessions from hijacking.