To be ready for what’s new, you have to be ready for what’s now. So far, 2017 has been a landmark year in cybersecurity. This year a single ransomware attack, WannaCry, halted businesses across globe and another ransomware outbreak, NotPetya, crippled a nation-state’s infrastructure. Exploitation of a vulnerability in the open source framework Apache Struts ripped through businesses, compromising so much data it called into question the value of classic identity verification credentials like social security numbers and passwords. Meanwhile law firms and professional services firms became an increasingly common target, reminding us that cyber criminals are always expanding their hunt for the vulnerable. During a year like this, information security teams are often scrambling to build resilience against attacks as they see them happening to others and as they happen to themselves.
To ready your organization for 2018, it’s time to make sure your organization is prepared to detect, respond, and remediate against intrusions like these by assessing your cybersecurity protocols and incident response framework. These attack methods are already in criminals’ playbooks and are a foundation from which new attacks are likely to evolve.Let’s walk through the major attacks and attack trends of the year and talk about what you can do to reduce their likelihood and damage.
Ransomware: Simplify Response with Easy Proactive Steps
In 2017, ransomware WannaCry and NotPetya created disturbances on a global scale. The destructiveness of ransomware, however can be greatly reduced with the right response preparation—as was seen in January when Washington D.C.’s surveillance cameras were brought down from ransomware and operation was quickly restored without payment to the criminals.
Common advice is to maintain backups of the whole network and everything on it. But this is an oversimplification. True preparedness involves verifying the completeness of backups against a comprehensive asset inventory, including all computer systems and the versions of software that are running on them. It also requires the security team practice restoring the network from these backups to the point that an effective restore is muscle memory. This practice also teaches organizations approximately how much network downtime to expect, information that should be incorporated into disaster recovery and business continuity planning. This way when ransomware strikes, there are no unforeseen bugs and challenges in file restoration, and the organization has appropriate business continuity plans in place.
Apache Struts Vulnerability: Preparation Can Be Preventative
This year a vulnerability in the popular Apache Struts web application framework caused a lot of breaches. Anecdotally exploitation of this vulnerability compromised hundreds of millions of records. Personally, it made me quite busy. Again having a thorough asset inventory is key, because this vulnerability existed solely on certain versions of the software. Companies that knew what software versions were in use across their network when the critical nature of the Struts vulnerability became known would have been better equipped to patch their systems before becoming victims. The Heartbleed attack that swept through businesses in 2014 was similar, made possible by a vulnerability only on a specific version of software, which also could have been quickly addressed given an accurate asset inventory including all software versions present on systems. It’s time for organizations to stop falling victim to these kinds of preventable attacks.
Going forward, web servers should be considered critical assets and protected as such. Attackers can use vulnerabilities in their infrastructures to intrude and pivot to other areas of the network. Security teams should do proactive reviews of webserver logs to look for threats, and the privileges of accounts used to run web services should be the lowest possible. If web services are running with any type of administrative rights, when the attackers get in, they will have the rights to install malware as an administrator and collect other legitimate user credentials to help them pivot further into the network. Privileges should allow for operation, but should be limited to curtail illicit use.
Professional Services Firms in the Crosshairs: Best Practices to Mitigate Expanding Threats
Through our incident response work, we have seen a growing number of cyber incidents and network intrusions at law firms and other professional service consultancies. These organizations hold, use, and create valuable, sensitive information about many companies and influential people and have become a target of attack. In the past, it was primarily nation states that would attack professional services firms to gain access to information that would benefit their interests. Today, cyber criminals are attacking these firms for a wide variety of reasons including insider trading, extortion, espionage, and black-market sale. But ransomware, a notably simpler attack with a quicker payday for the criminal, is also a known risk.
This sector’s increase in attacks, as well as the expansion in both sophisticated and simple crimes, reflect the reality that no business is free of cyber risk. Whether it’s credit card numbers or trade secrets, cyber criminals are learning how to benefit from the data, and tools like ransomware are widely available and are being applied by criminals just as broadly. Cyber resilience involves implementing best practices such as multifactor authentication for all external-to-internal login traffic, the encryption of sensitive data when at rest and in transit, limited access to sensitive data, egress filtering, data loss prevention solutions, tested disaster recovery plans, and a strong patch management program prioritized based on vulnerability management criteria.
Prepare for 2018 to Reduce Cyber Risk
If 2017 showed the cybersecurity industry anything, it’s that any size company, with or without extensive internal cybersecurity resources, can become a victim of attack and that basic preparations can be the difference between devastation and a minor disturbance. As the saying goes, you don’t want to be building a plane in mid-air.
Creating and maintaining a detailed asset inventory and practicing the restoration of backups are powerful measures for resilience no matter an organization’s industry, size, or location. Another valuable preparedness tool is having an incident response (IR) retainer with an expert third party. With an IR retainer, you can lock in blended hourly rates and contract terms upfront so when you need help, you know who to call, you have a set response time, and conversations are protected by a non-disclosure agreement. You’re not shopping around for service providers and going through procurement approvals in the midst of a crisis. With an IR retainer, you can also have a partner in preparation to help identify the threats relevant to your organization, recommend additional preparedness steps, and test your defenses. The attacks of 2017 are only the ones we already know about, but many more will likely surface in the coming year. Now’s the time to be ready for what we know is out there and what we don’t yet know is lurking.