Breaking Down the SolarWinds Hack

Breaches happen all the time, but every so often one of those breaches breaks through into national headlines, serving as a watershed moment about where we are and where we need to be with regard to cybersecurity. One of those watershed moments occurred last December when it was revealed that Russian state-sponsored hackers breached the software developer SolarWinds, and from there managed to access some pretty tightly-sealed networks and systems across public and private sectors. But what exactly happened? Who does it affect? What can we learn to better protect our organizations?

What Happened?

One of the most striking aspects of the SolarWinds hack is that it was years in the making, taking a huge amount of discipline and patience to pull off and stay undetected. Forensic evidence found that the hackers gained access to Orion, the SolarWinds product that was compromised, back in late 2019. Yet, at that time, the hackers didn’t actually make any changes or launch an attack. Instead, they sat and waited in order to monitor, learn, and test SolarWinds’ system to ensure they wouldn’t be caught.

Then, months later in May 2020, the hackers made their move — but not in the way most would expect. Typically, when someone wants to infect a piece of software with malware, they will modify the code behind the software. However, because security experts know to look for code modifications, these hackers decided to instead install their malware directly onto the software product itself. So, when an update for Orion was released, government agencies and companies big and small downloaded an update that contained a backdoor for the hackers.

Between May, when the malware was initially launched, and December, when the hack was discovered, the attackers were able to move throughout the networks and systems of any company using SolarWinds’ software that they wanted. And they were targeted, going after the emails of specific, high-value individuals within affected organizations. From there, the goal was to maintain access, move around infected systems, and hold onto access to specific individuals’ communications.

Much has been made about the level of sophistication involved in the attack — and it was. However, at root, this is a story about 3rd party risk. We’ve written before about the importance of vendor management, and the SolarWinds hack is an extreme case in point. Because most organizations today depend in large part on 3rd party providers for everything from cloud storage, to product platforms, to network security, an attack like this doesn’t have a definitive end. Instead, the SolarWinds attack has the potential to ripple across a web of interconnected organizations across the supply chain. According to Steven Adair, a security expert who helped with the incident response for SolarWinds, the attackers “had access to numerous networks and systems that would allow them to rinse and repeat [the] SolarWinds [attack] probably on numerous different scales in numerous different ways.” It’s therefore possible — and perhaps likely — that the full effects of the hack are still to be revealed.

What’s Next?

If that doesn’t serve as a wake-up call, we don’t know what will. And as it turns out, there are a number of effective and achievable steps organizations can take to mitigate 3rd party risk.

1. The Basics

It may not seem like much, but simply maintaining basic digital hygiene plays a big role in protecting against attacks. Strong password management, multi-factor authentication, and network segmentation should be a cybersecurity baseline for all organizations. These are simple steps that serve as an organization’s first line of defense against an attack.

2. The Rule of Least Privilege

The rule of least privilege essentially means providing the least amount of access for the least amount of time to systems and networks. This involves setting limits on what access you give to products and software as well as actively monitoring access privileges for employees, contractors, and vendors. Essentially, if something or someone doesn’t need access to a piece of your system, they shouldn’t be able to access it. If someone needs access to a part of your network for 2 days, then their privileges should expire after 2 days. This will limit the ability of malicious users to move around systems, potentially preventing them from spreading to other, more sensitive environments.
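One way to monitor access privileges against this rule, as an added example that is not part of the original article: a small audit that flags grants with no expiry, grants that outlive the time they were requested for, grants left in place after expiry, and grants nobody uses. The `Grant` record, the finding names, the 30-day idle limit and the sample grants are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    principal: str                    # person, service account or vendor tool
    kind: str                         # "employee", "contractor" or "vendor"
    resource: str                     # system or network segment reachable
    granted_at: datetime
    needed_for: Optional[timedelta]   # duration stated in the request, if any
    expires_at: Optional[datetime]    # None means standing access
    last_used: Optional[datetime]     # None means never used


def audit_grants(grants, now, idle_limit=timedelta(days=30)):
    """Return (principal, resource, finding) tuples for grants that break
    the 'least access for the least time' rule."""
    findings = []
    for g in grants:
        if g.expires_at is None:
            findings.append((g.principal, g.resource, "no-expiry"))
        elif g.expires_at <= now:
            # The grant record still exists past its expiry: revoke it.
            findings.append((g.principal, g.resource, "expired-not-revoked"))
        elif g.needed_for is not None and g.expires_at > g.granted_at + g.needed_for:
            findings.append((g.principal, g.resource, "outlives-stated-need"))
        # Access that nobody uses is access that nobody needs.
        reference = g.last_used or g.granted_at
        if now - reference > idle_limit:
            findings.append((g.principal, g.resource, "unused"))
    return findings


NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)   # constructed audit date


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample data, not taken from any real environment.
SAMPLE_GRANTS = [
    # Vendor monitoring tool with standing access to every server.
    Grant("vendor-monitoring-agent", "vendor", "all-servers",
          days_ago(400), None, None, days_ago(1)),
    # Asked for 2 days, was given 90.
    Grant("contractor-a", "contractor", "build-server",
          days_ago(10), timedelta(days=2), days_ago(10) + timedelta(days=90), days_ago(9)),
    # Asked for 2 days, expires after 2 days: compliant.
    Grant("employee-b", "employee", "hr-database",
          days_ago(1), timedelta(days=2), days_ago(1) + timedelta(days=2), days_ago(0)),
    # Expired 53 days ago but never cleaned up, and idle since.
    Grant("contractor-c", "contractor", "vpn",
          days_ago(60), timedelta(days=7), days_ago(53), days_ago(55)),
]

if __name__ == "__main__":
    for principal, resource, finding in audit_grants(SAMPLE_GRANTS, NOW):
        print(f"{finding:22} {principal} -> {resource}")
```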

3. Logging

A lot of organizations these days maintain event logs, which essentially keep a record of all network activity. While logs might not directly prevent a breach, these records are vital to assess the potential damage and scope of an attack, allowing organizations to act swiftly and forcefully to remove the threat. However, keeping logs isn’t enough; it’s essential to also retain these logs. SolarWinds’ policy was to remove these logs after 90 days. The problem, of course, was that the attack was discovered far more than three months after the hackers breached the system, effectively making it impossible to gain any detailed insight into what the hackers were doing prior to August of 2020.

Combining Business and Security

We’ve said it before and we’ll say it again: it’s easy to see security needs as at best a nuisance and at worst a barrier towards optimal business performance, but this simply isn’t the case. As Steven Adair points out, a small company doesn’t need to hit the ground running with the best security products and a million code audits right out the gate. However, if businesses incorporate security concerns within business strategies, these organizations can start to ask themselves: “Where are we now, what can we do now, and what can we do along the way?” Asking those questions might just make the difference down the road when the next watershed moment strikes.

Cyber Death by Imagination

Behavioral economics teaches us that we are more fearful of immediate losses than future gains. Conversely, we also tend to choose immediate gains over protecting ourselves from future losses, especially when the type of loss is too foreign to us or is ever changing.

We do have available to us a tool that doesn’t require a lot of tech to use but perhaps can do more to both enhance and protect our organization than any piece of software or hardware we might have: our imagination.

When things are changing, you can’t rely on static measures or processes designed to defend against today’s threats. Because the use of technology as a business enabler is ever changing, as is the nature of cyber threats, businesses need to take a dynamic approach to risk mitigation and transfer strategies and constantly imagine both the opportunities and the risks they may face tomorrow.

As a report from UC Berkeley’s Center for Long-Term Cybersecurity and Booz Allen Hamilton states, “…failures of cyber defense in some cases — possibly the most important ones — [are] not necessarily a failure of operational rigor but equally or more so a failure of imagination.”

There are a number of tangible ways businesses can leverage the use of imagination in addressing the cyber risks that they may face. One is through an incident response simulation. Get your team around a table. Imagine a ransomware event has occurred. What do you do? Do you pay the ransom? How long will your systems be down? How much business do you stand to lose? Brainstorm other scenarios, focusing on ones that could take you out: risks that cause you to be shut down for an extended period of time or do irreparable harm to your ability to serve your customers or to your reputation.

Not only do these types of simulations help you be better prepared to respond if such events occur, they also help you better define what risks you might face and what defenses to build to mitigate those risks. This can therefore become the basis for your risk assessment (which, if you are simply focused on compliance, you generally have to do anyway).

We often think of creativity when it comes to the innovation and growth that are critical to our long-term success. In the ever-changing world of cyber threats, we need to be equally creative when it comes to imagining and addressing risks that are crucial for our long-term viability.

An Incident Response Plan Will Save You Money

Last week, we reviewed some of the highlights of IBM’s 2020 Cost of a Data Breach Report, and saw how both human-factored cyber attacks and compromised credentials are increasingly frequent and can cost businesses upwards of $4 million. But now we’ll finish out on a positive note by emphasizing a key driver in reducing the cost of a data breach: incident response.

If your business ever experiences a data breach, you don’t want to be caught without a plan. Being able to identify and put a stop to the attack quickly will not only stop more information from being stolen, but will also dramatically reduce the cost of the breach. Last year, the IBM report showed that businesses with an incident response team and which tested their response saved an average of $1.23 million on the cost of the breach. This year, that number jumped up all the way to $2 million saved on a breach. Given the increased cost reduction of responding quickly, there is no reason why businesses shouldn’t have an incident response team in place.

However, having an incident response team in place is only one piece of the puzzle. It’s also important that your team, alongside business leadership, test your plan by simulating different cyber attacks that your business is vulnerable to. According to the report, incident response testing is the single biggest factor in limiting the cost of a breach. Just testing your response shaves off an average of nearly $300,000 from the cost of a breach.

When it comes to forming a response team and testing, it is essential that your team includes more than just staff from the IT department. A data breach also requires the oversight of business leadership and legal to ensure the response is aligned with regulatory requirements such as disclosure. Of course, having technical experts is also important to help limit further access, exfiltration and damage to your systems.

Of course, as with everything today, COVID-19 has made the job of your response team even harder. While the report doesn’t have data on the exact impact COVID has had on response time, it does show that 76% of businesses expect that working remotely will increase the time it takes to respond to a breach, which, of course, will also increase the cost of the breach. It’s therefore essential that your team tests how your response differs when everyone is working remotely, then discusses possible changes to the response plan should a breach happen while everyone is working from home.

Hacked But Not Yet Attacked: What You Should Do

A hacker got into your system, but you spot the problem before the hacker has a chance to carry out an attack. Best case scenario, right? Well, it all depends on what you do next. The government of Florence, Alabama found themselves in this exact situation, but their response is now costing them nearly $300,000. Here’s what happened:

In late May, cybersecurity reporter Brian Krebs received a tip that hackers known for ransomware attacks had gained access to Florence’s IT system. Krebs made numerous attempts to contact city officials before finally receiving a voicemail thanking him for the tip and telling him that the city took care of the issue. However, on June 5th the city announced that a ransomware attack shut down the city’s email system. The city plans on paying the hackers the nearly $300,000 ransom to restore their system.

So, what went wrong? According to city officials, when the attack hit, the IT department was in the middle of securing approval for funds to investigate and stop the attack. Local governments are often slow to act, to be sure, but officials knew about the hacker 10 days before the attack and they still weren’t prepared. The bottom line is, given the rise in ransomware attacks on public institutions, Florence officials needed to have a detailed plan in place before an attack took place. Instead, they scrambled. And, to add insult to injury, hackers gained access to the city’s systems by stealing the Florence IT manager’s credentials through a phishing attack.

How to Beat the Hackers

So, what should you do if you know you’ve been hacked but haven’t yet been attacked? Here are just a few steps you can take:

1. Have a Plan in Place

One of the main reasons Florence was slow to act is that they waited until after the hack to figure out a game plan. Instead, the city needed to have a detailed incident response plan in place. This involves first identifying what types of attacks you are most vulnerable to. Then, you need to create a detailed step-by-step response for each type of attack, and create a team of employees responsible for carrying out each of the steps. You also need to ensure you have contingency funds readily available to carry out the plan quickly. Finally, it is important to simulate each type of attack so that the team can practice carrying out their response. Overall, the goal of an incident response plan is to deal with potential attacks as quickly and efficiently as possible.

2. Shut Down and Isolate Infected Systems

In order to keep the hackers from accessing other systems, it is important to shut down and isolate infected systems and any devices connected to them. Remove the system from your network. Disconnect the system’s wireless and Bluetooth capabilities. Any devices previously connected to the infected systems should be shut down and removed from the network. Along with keeping the hack from spreading, this also limits the hacker’s ability to encrypt or damage the infected systems.

3. Secure Your Backups

Having updated and secure backups is especially important for ransomware attacks. If a hacker encrypts your data, having a recent backup of that data could save you from having to pay the ransom. There are two important caveats, however. First, it’s important that you regularly test your backups to ensure your data isn’t corrupted in the backup or restoration process. Second, keeping the copies of your backups secure and offline is essential. Otherwise, it is possible for hackers to gain access to your backups and encrypt or remove them from your systems.

4. When in Doubt, Rebuild

The hard truth is, the most reliable way to shut down a hack before an attack is to completely remove the infected systems and rebuild them from scratch. Of course, the time, resources, and personnel required to do this makes it a difficult pill to swallow for many organizations. However, it is the only way to guarantee that a hack is removed from your systems.

The Bottom Line

Spotting a hack before the attack can give you the leg up on the hackers. But, as the ransomware attack on Florence, Alabama makes clear, knowing that someone accessed your systems is not enough. You need to have a game plan ready to go and carry it out as fast as possible. Using your time and resources to prepare for an attack now will give you peace of mind, and potentially reduce the cost of a hack later.

Targeted Ransomware Attacks on the Rise

At the end of February, security experts at RSA 2020, a leading cybersecurity conference, warned that an increase in targeted ransomware is likely. These concerns echo a statement released by the FBI in October that ransomware attacks are becoming “more targeted, sophisticated, and costly.”

Ransomware is a form of cyber-attack that hackers use to encrypt information on victims’ systems then demand a ransom before giving the victim back access to their files. In the past, these attacks were aimed primarily at individual consumers. However, in the past 2 years ransomware attacks have dramatically shifted focus toward businesses and institutions, including government agencies. According to a report by Malwarebytes, there was a 263% increase in ransomware targeting organizations in the second quarter of 2019.

Easy Money

So what exactly has led to the increase in ransomware attacks against businesses? Well, while there are a number of factors contributing to this trend, the main answer is money. According to the Malwarebytes report, attackers found that focusing on businesses provides a larger and more consistent return on investment. Not only do hackers expect businesses to have more money than individual consumers, the loss of data can prove more harmful and costly for organizations than for a single person. This gives businesses a larger incentive to pay up. What’s more, ProPublica has written a series of articles detailing how insurance companies and other firms offering ransomware solutions often opt to simply pay the ransom rather than work to unlock encrypted files by other means. Hackers are therefore becoming more and more confident their victims will cough up the money.

However, ransomware attackers are also learning they don’t even need the ransom to make money off their attacks. Ransomware-as-a-service (RaaS) is a growing business model on the dark web, where groups will build and sell ransomware kits to those without the technical know-how to carry out an attack on their own. RaaS has therefore made ransomware a more accessible method of attack, contributing to the rise in attacks we have seen in the past few years.  

Protect and Prepare

Given the dramatic rise in ransomware attacks against organizations, every business needs to invest time and energy in protecting against and preparing for the possibility of a ransomware attack.

Protecting yourself from a ransomware attack largely involves getting back to the basics of cybersecurity. Upgrading and patching outdated operating systems and software regularly, using anti-virus and malware protection, and restricting access privileges only to those who need them will all help to decrease the risk of an attack. Regular penetration tests and vulnerability scans will show the areas in your systems that need the most protection. Routinely backing up your systems and information and testing those backups is also essential. If a ransomware attack locks up your files, having a recent backup of your information could be one way to ensure access without paying a ransom.

However, even if you take every possible preventative measure, you can’t just assume you won’t be targeted. Given the dramatic increase in ransomware attacks, it is essential to also plan your response if something ever happens. Incident response teams should therefore understand the response plan and simulate ransomware attacks to ensure preparedness and find ways to strengthen your response should the worst happen.

Cyber Resiliency is the New Cyber Security

Here is the bottom line: when it comes to cyber threats, we should of course take steps to protect ourselves and our businesses from attacks. However, we also need to prepare ourselves for the very real possibility that, at some point, someone will get into our systems. That’s why many cyber experts are beginning to use the new term “cyber resiliency.”

The concept of cyber resiliency stems from an understanding that the cyber threat landscape is so diverse that it’s important to make sure you can withstand and not simply prevent attacks. The overall goal of a cyber resilient system is therefore to maintain essential operating functions even when it is under attack. 

The Basics of Cyber Resiliency 

In the fall, the National Institute of Standards and Technology (NIST) released a cyber resiliency engineering framework that provides detailed steps organizations can take to minimize the impact of attacks. However, the overall framework can be broken down into four basic goals:

1. Anticipate 

According to the NIST framework, the first goal of cyber resiliency includes preventative measures often included in cyber security policies. However, anticipating a cyber threat goes beyond prevention by also focusing on preparing for an attack. This includes having an incident response plan in place, as well as changing your system often in order to preempt attacks.

2. Withstand  

Withstanding a cyber attack should involve steps taken to limit the overall damage an attack has, even if you haven’t detected the attack yet. In general, this involves deflecting the attack to areas that can take the most damage without disrupting day-to-day activities. You should also be prepared to entirely remove and replace systems that are badly damaged.

3. Recover 

Before an attack even happens, you should know exactly how you plan to recover if one ever happens. This should primarily involve being prepared to revert your systems back to the state they were in before the attack. Recovery strategies will therefore depend heavily on having good backups of your system that you test regularly.

4. Adapt 

At bottom, adaptation means understanding that if the threat landscape continues to change, so must your security policies and systems. You should constantly be looking for new vulnerabilities within your system as well as new forms of cyber threats. If an attack does happen, you should also be willing to take a hard look at how it happened and make changes accordingly.

Leaders are best equipped to drive cyber resiliency efforts 

It is important to understand that these four cyber resiliency goals were designed to encourage communication between leadership-level business risk management strategies and the rest of the organization. We’ve written before about the importance of proper governance and business leadership when it comes to cyber security and the same goes for cyber resiliency.

Because many executives don’t come from a background in cyber security, it may seem to make the most sense to leave the responsibility to the IT department or someone trained in security. However, cyber resiliency is as much a function of culture as anything: how we govern, organize, and communicate about cyber threats are all necessary considerations for putting cyber resilient policies into action.

That’s why Accenture Security’s 2019 State of Cyber Resiliency Report emphasizes the three skills business leaders have that make them essential to any cyber resiliency policy:  

Scaling

The report found that leaders who scaled technologies and security systems across all levels of the organization were far more effective at both preventing attacks and discovering attacks already in place.

Training

Offering comprehensive security training across all levels of the organization also proved to be an effective method for protecting and maintaining systems during cyber attacks. Business leaders are therefore key for investing in and maintaining robust training programs.

Collaborating

Perhaps the most important skill a business leader brings to cyber resiliency is the ability to collaborate. Putting in place a cyber resiliency policy requires cooperation and communication between all levels and aspects of the business. By bringing different groups together and keeping everyone on the same page, organizations can be confident their policies and practices are as effective as possible.  

The Take Away

At its root, cyber resiliency involves preparing all aspects of an organization so that any potential cyber threat has a minimal impact on business operations. This involves well-informed risk management strategies, effective communication and training for employees, updated intrusion detection systems, and a strong incident response plan that is tested and revised regularly. Cyber resiliency takes a village but depends first and foremost on a leadership team that takes the task seriously.