RANSOMWARE
A successful ransomware attack not only disrupts business activity, it can also trigger a substantial regulatory fine for a GDPR compliance failure and incur reputational and legal costs.
A classic example of the ‘cyber attack chain’, a ransomware attack works through a series of steps before it generates any reward for the criminals behind it, and at several points in that chain the malware itself can be detected and stopped. Stage one, infection, is the ‘root cause’: the means by which the malware first reaches the victim’s endpoint(s) and network. This is a crucial moment, and one of the few at which the target can defend itself. The root cause is normally one of two vectors: phishing emails, or vulnerable websites and web applications, which are often at risk because of misconfiguration, stale patches or security flaws in the code.
Once inside the network, the malware normally ‘phones home’ to a command and control (C2) server, then scans the network and attempts to move laterally towards file servers and databases. If it succeeds, it encrypts the data it finds with standard strong ciphers such as AES, wrapping the file-encryption keys with a public key whose private half only the attacker holds. A ransom note, dropped on the affected systems or sent by email, then informs the victim that their files have been encrypted and will only be restored in return for a large payment, usually in a cryptocurrency such as bitcoin.
A recent, post-GDPR twist on ransomware is so-called double extortion: the malware exfiltrates the data before encrypting it, and the attacker threatens that, unless the ransom is paid promptly, the stolen data will be published or the relevant national regulator informed of the breach. A hefty GDPR penalty on top of the operational damage can be devastating.
Preventative measures that address the root causes above include awareness training to reduce the success of phishing, and web application security to secure the online attack surface. If those fail, endpoint protection and anti-malware software may still be able to disrupt the attack chain, which is vulnerable at several points, before encryption and exfiltration take place. Tested, offline backups are what ultimately make it possible to refuse to pay.
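One of the signals an endpoint product uses to catch the encryption stage described above is a sudden burst of writes whose content no longer looks like documents. The following is an added illustration, not code from the original page or from any product it mentions: it measures the Shannon entropy of file-write events (plain text sits around 4 to 5 bits per byte, ciphertext close to 8) and raises an alert when several distinct files receive high-entropy writes within a short window. The events, thresholds and file names are constructed assumptions.

```python
import math
import random
from collections import Counter

# Writes whose content has entropy at or above this (bits per byte) are treated as
# encrypted or compressed. Plain text sits around 4-5 bits/byte; ciphertext near 8.
ENTROPY_THRESHOLD = 7.2
BURST_WINDOW_S = 10.0   # assumption: how close together the writes must be
BURST_FILES = 5         # assumption: how many distinct files must be hit in the window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_writes(events):
    """Filter file-write events (dicts with t, path, data) whose content looks encrypted."""
    return [e for e in events if shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD]


def detect_burst(events):
    """Return (True, paths) if BURST_FILES distinct files receive high-entropy writes
    within BURST_WINDOW_S seconds of each other, else (False, [])."""
    suspicious = sorted(high_entropy_writes(events), key=lambda e: e["t"])
    for i, first in enumerate(suspicious):
        window = [e for e in suspicious[i:] if e["t"] - first["t"] <= BURST_WINDOW_S]
        paths = sorted({e["path"] for e in window})
        if len(paths) >= BURST_FILES:
            return True, paths
    return False, []


def build_sample_events():
    """Constructed sample (not real telemetry): two ordinary document writes, then a
    burst of six files overwritten with pseudo-random bytes, as ransomware would."""
    rng = random.Random(7)
    report = b"Quarterly report: revenue grew 4% on stable margins. " * 40
    events = [
        {"t": 0.0, "path": "docs/q1.txt", "data": report},
        {"t": 1.5, "path": "docs/q2.txt", "data": report.upper()},
    ]
    for i in range(6):
        ciphertext = bytes(rng.getrandbits(8) for _ in range(2048))
        events.append({"t": 30.0 + i * 0.5, "path": f"docs/file{i}.xlsx.locked", "data": ciphertext})
    return events


if __name__ == "__main__":
    hit, paths = detect_burst(build_sample_events())
    print("ransomware-like burst detected:", hit, paths)
```

Compressed archives and media files are also high-entropy, so a real product combines this with file-type checks, canary files and process lineage before it kills a process; the entropy burst alone is a strong trigger for isolation, not proof.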
PHISHING
Phishing is a social engineering attack in which criminals send fraudulent emails to potential victims. Phishing emails have reached a level of sophistication that makes them very hard to detect: they may look almost identical to genuine corporate emails from well-known companies. Victims who are fooled are inclined to open the attached files or click the links, allowing malware onto the machine and network, or to enter their credentials on a counterfeit login page. Once this happens, the organisation is exposed to data breach, ransomware and so on.
Spear-phishing is a refined form of phishing in which attackers target specific individuals in an organisation. Having done prior research, the criminals will know not only the target’s email address and other contact details but also personal information about their interests, online purchases and so on. This profile helps them build a highly tailored attack, normally an innocuous-looking email that appears to come from a friend or colleague. As in ordinary phishing, the link or attachment is malicious and lets the attacker become an unwanted guest on the targeted device and network.
Business Email Compromise (BEC), also known as ‘CEO fraud’, is a more sophisticated form of phishing that targets senior or finance staff and may combine several channels. For example, an email is constructed that appears to come from the CEO and is sent to an individual in the accounts department, requesting an urgent transfer of funds to a specified bank account, typically to be completed ‘ASAP’. A phone call or text message to the same person may corroborate the request. BEC frequently carries no malware at all: the payload is the fraudulent payment instruction, and the sending address may be a lookalike domain or a genuine executive mailbox that has already been compromised.
Phishing attacks can be countered by training employees to recognise fraudulent emails and messages and to understand the criminal tactics behind them, and by technical controls: email authentication (SPF, DKIM and DMARC), link and attachment sandboxing, and machine-learning based filters trained to recognise malicious messages and to warn the recipient or block the related links or attachments. Multi-factor authentication limits the damage when credentials are nonetheless phished.
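The cues that training teaches people to look for (a display name that claims a trusted identity, a Reply-To that points elsewhere, a sender domain one character away from the real one, urgency in the subject) can be scored automatically. The block below is an added example, not the page’s own material or any vendor’s product: it parses a raw message with Python’s standard `email` module and returns a list of findings. The trusted domain `example-corp.com`, the urgency word list and both sample messages are constructed assumptions.

```python
import email
import email.utils
import re

# Assumption: these are the organisation's own domains (hypothetical).
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|verify now|account (will be )?suspended)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain: str) -> bool:
    """Exact match or a subdomain of a trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates (typo or embedded brand), or None."""
    if not domain or is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in domain or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyse(raw_message: str):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = email.utils.parseaddr(msg.get("Reply-To", ""))
    findings = []

    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not the From domain {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")
    brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    if display_name and not is_trusted(from_domain) and any(b in display_name.lower() for b in brands):
        findings.append(f"display name '{display_name}' claims a trusted identity but mail is from {from_domain}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency cue in subject line")
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example-Corp IT Support" <helpdesk@examp1e-corp.com>
Reply-To: collect@mailbox-free.net
Subject: URGENT: verify your password immediately
Content-Type: text/plain

Your mailbox is full. Click the link to verify now.
"""
LEGIT = """\
From: "Alice Smith" <alice@example-corp.com>
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free at 12:30?
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse(raw))
```

These are triage heuristics for a mail gateway or a SOC playbook; the authoritative checks remain SPF, DKIM and DMARC results in the Authentication-Results header, which a spoofed From address fails and a lookalike domain passes, which is exactly why the lookalike test above exists.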
DDOS ATTACK
A Denial of Service (DoS) attack is one that renders a network resource unavailable, generally by flooding it with superfluous requests. In a Distributed Denial of Service (DDoS) attack the requests come from many different sources, typically a ‘botnet’, which makes it much harder to manage: the machines involved, and their IP addresses, are usually innocent compromised participants, so blocking individual sources is ineffective. Although DDoS is out of the limelight at the moment, with most attention on ransomware and supply-chain attacks, it remains a serious problem: most ‘enterprise’ companies report suffering DDoS attacks, and estimates of the cost of the resulting disruption run to more than $100k per hour. One of the largest publicly reported attacks was the memcached amplification attack on GitHub in February 2018, which peaked at 1.35 terabits per second (Tbps), roughly 1,350,000 Mbps; larger attacks have been reported since.
Nowadays this type of attack is mitigated with technical defences: upstream traffic scrubbing and content delivery networks with large anycast capacity, rate limiting, and ‘next generation’ firewalls and load balancers that can distinguish malicious traffic from legitimate traffic. A pure bandwidth flood has to be absorbed or filtered upstream of the victim’s own connection; once the pipe is full, on-premises equipment cannot help.
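The difference between a single-source flood and a distributed one, and why the two need different detection logic, is easy to show on a log. The following is an added example, not code from the original page: a sliding-window per-IP rate limiter catches one noisy client, while only an aggregate requests-per-second check catches a flood spread over hundreds of bots that each stay under the per-IP limit. The log format, the IP ranges (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the thresholds are constructed assumptions.

```python
from collections import defaultdict, deque


def parse_log(text: str):
    """Parse constructed access-log lines of the form '<unix_ts> <client_ip> <path>'."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, path = line.split()
        events.append((float(ts), ip, path))
    return sorted(events)


def per_ip_offenders(events, window_s=1.0, limit=20):
    """Source IPs that send more than `limit` requests inside any `window_s` period
    (the single-source DoS case, handled by a sliding-window rate limiter)."""
    recent = defaultdict(deque)
    offenders = set()
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_s:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            offenders.add(ip)
    return offenders


def flooded_seconds(events, baseline_rps=10, factor=5):
    """Whole seconds in which total request volume exceeds `factor` x the baseline.
    This catches a distributed flood in which no single bot crosses the per-IP limit."""
    counts = defaultdict(int)
    for ts, _, _ in events:
        counts[int(ts)] += 1
    return sorted(sec for sec, n in counts.items() if n > baseline_rps * factor)


def build_sample_log() -> str:
    """Constructed log: 10 s of normal traffic (5 clients, 2 req/s each), a single-source
    flood at t=50, and a 200-bot distributed flood at t=100 with only 5 requests per bot."""
    lines = []
    for sec in range(10):
        for client in range(5):
            for k in range(2):
                lines.append(f"{sec + k * 0.5:.4f} 10.0.0.{client + 1} /index.html")
    for i in range(60):
        lines.append(f"{50.0 + i * 0.01:.4f} 203.0.113.9 /login")
    for bot in range(200):
        for k in range(5):
            lines.append(f"{100.0 + k * 0.1 + bot * 0.0001:.4f} 198.51.100.{bot} /search?q=x")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("per-IP offenders:", per_ip_offenders(events))   # only the single-source flooder
    print("flooded seconds: ", flooded_seconds(events))    # both floods show up here
```

In practice the aggregate check is what feeds an upstream scrubbing provider or an anycast CDN, because by the time the distributed flood is visible in your own logs the bandwidth has already been spent on your link.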
WEB APP VULNERABILITIES
Coding errors, misconfiguration and neglect frequently expose websites and web applications to attack. These errors do not necessarily cause any observable functional problem, but they can be spotted, or automatically scanned for, by malicious actors who abuse them to access devices and networks, implant malware and steal or corrupt confidential data. This is an area of serious risk: ‘the application layer is the hardest to defend’ because of its constant exposure to the outside world and the frequent code changes on complex websites.
Among the most common exploits of application vulnerabilities are injection attacks. In cross-site scripting (XSS) the attacker injects script into a page that the site then serves to other users, so the script runs in their browsers, where it can steal session cookies or perform actions on their behalf. In SQL injection the attacker enters specially crafted text into a data field (for example a username or password) that the application pastes directly into a database query, allowing them to read or tamper with sensitive information in the underlying database. Security misconfiguration is a separate but closely related category. There are many other potential vulnerability classes, catalogued by the Open Web Application Security Project (OWASP) in its Top 10 list.
Websites can be protected against this threat by regular vulnerability scanning, secure cookie and session management and a Web Application Firewall (WAF). Ideally, websites and other applications are developed with the risk in mind from the start, a practice called ‘secure coding’: validating input, using parameterised queries and encoding output.
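The two injection classes above come down to the same mistake, untrusted text spliced into a language that interprets it, and the same fix, keeping data and code apart. The following is an added example, not code from the original page: a login query built by string formatting beside its parameterised version, and a comment renderer with and without output encoding, run against an in-memory SQLite database. The table, the account and the attacker input are constructed.

```python
import hashlib
import html
import sqlite3


def hash_pw(password: str) -> str:
    # Demo only: a real application must use a slow, salted KDF such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", hash_pw("correct horse battery")))
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str):
    """BAD: user input is spliced into the SQL text, so it can change the query's meaning."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{hash_pw(password)}'")
    return conn.execute(query).fetchone()


def safe_login(conn, username: str, password: str):
    """GOOD: values are bound as parameters; the driver never lets them alter the SQL."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()


def render_comment_unsafe(comment: str) -> str:
    """BAD: reflecting untrusted text into HTML lets a stored <script> run in every visitor's browser."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """GOOD: output encoding turns markup characters into harmless entities."""
    return f"<p>{html.escape(comment)}</p>"


if __name__ == "__main__":
    db = setup_db()
    attacker = "admin' --"   # the SQL comment marker discards the password check entirely
    print("vulnerable:", vulnerable_login(db, attacker, "wrong"))   # ('admin',)
    print("safe:      ", safe_login(db, attacker, "wrong"))         # None
    print(render_comment_unsafe("<script>alert(document.cookie)</script>"))
    print(render_comment_safe("<script>alert(document.cookie)</script>"))
```

Note that the vulnerable version is bypassed even though the password is hashed: the injected comment removes the `AND pw_hash` clause before the database ever sees it, which is why a WAF that blocks `' --` is only a stopgap and parameterisation is the fix.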
BOTNET
A powerful criminal strategy is to build a ‘botnet’ (robot network) of ‘zombie’ computers. Such a network can then be used for a range of malicious activities: DDoS attacks, sending spam or emails carrying further malware, or cryptojacking on a large scale.
The first step is to gain access to as many computers as possible, typically via a broad phishing campaign, by compromising websites, or by exploiting exposed devices with default credentials. Victims effectively invite a small piece of malware (a trojan, often a Remote Access Trojan, or RAT) onto their computer, from where it ‘calls home’ to a command and control (C2) server that provides further instructions and software. This is the hijacking part of the operation: from then on the attacker decides the next move and issues it from the C2 server.
Becoming part of a botnet is relatively easy to avoid, because this particular ‘cyber kill chain’ has several weak points. Mitigations against phishing, web compromise and the associated malware delivery are described under phishing. Once ‘inside’, an attacker’s lateral movement can be limited by the controls of a zero trust network, including MFA. ‘Calling home’, unusual network activity and data exfiltration can normally be spotted and blocked by DLP, UEBA-based anomaly detection, intrusion prevention systems (IPS) and endpoint protection.
CRYPTOJACKING
Cryptojacking is the unauthorised use of a victim’s computers, servers or browsers to mine cryptocurrency for the attacker. Bitcoin was the first currency mined this way, probably because of its role as currency of choice for criminal activity such as ransomware, but bitcoin mining is no longer feasible on general-purpose hardware. Interest has shifted to Monero, a currency that focuses on anonymity and is designed to be mined on ordinary CPUs, and the level of cryptojacking activity correlates with the Monero price.
One might argue that if illicit cryptojacking is the result of a breach, you are in good shape compared with a victim of ransomware or a major theft of personal data. In reality, if a large number of corporate computers have been compromised in this way the total loss can be material: reduced processing capacity, wasted power and, in the cloud, a direct bill for the compute consumed. Cryptojacking has also been shown to damage sensitive devices such as those used in industrial infrastructure. Finally, the attackers are now inside the network, and nothing guarantees that the miner will not be followed by something more aggressive.
MISCONFIGURATION
“Skipping configuration integrity to jump straight to vulnerability detection is like taking classes on how to wrestle alligators and driving there with your seatbelt unbuckled” is a fair introduction to this topic. Misconfiguration means not setting things up correctly: usernames and passwords on devices (including ‘harmless’ IoT devices such as vacuum cleaners or lightbulbs), firewalls, applications, cloud storage and so on. The problem is made worse by the fact that default or initial settings are often insecure (default passwords, unrestricted access to databases or cloud storage, unnecessary services enabled).
Although one of the least technically interesting aspects of information security, misconfiguration is a very common entry point into an organisation for criminals and can lead to serious data breaches. Attackers use freely available tools to scan the whole internet for this type of weakness in cloud storage, applications and connected devices.
The best defence is rigorous application of the ‘principle of least privilege’: everything is off or denied by default, proper password policies apply throughout, and access is opened only as and when required, to the specific identities that need it. Hardened baselines (such as the CIS Benchmarks), infrastructure-as-code with automated configuration checks, and cloud and web application security providers that scan for misconfiguration all help to enforce this.
UPDATES AND PATCHES
Security threats arise continuously and evolve rapidly, and commonly used applications and operating systems are under constant scrutiny from cybercriminals. Normally a software fix can be developed, and it is delivered via updates and patches or in new operating system (OS) versions. It is very important to apply updates as soon as they are released, because once a patch is public attackers study it and build exploits for the vulnerability it fixes; until then your computers, devices and network are at risk. This also applies to firmware on IoT and ICS devices, which is often forgotten. Unpatched or out-of-date software is frequently cited as the second most common ‘root cause’ of data breaches after phishing.
DATA BREACH
Data is among the most valuable assets of an organisation, and even when it is not, for example personal information (PI) such as card details, email addresses and passwords, it must be treated as such, because this type of information is also targeted by cybercriminals, and GDPR and other data privacy regulations now apply. Attackers may do several things with data. They may simply extract it for their own use, whether old-fashioned corporate espionage (the company’s plans, designs, client lists and other intellectual property) or indirect criminal use (card details for resale on the dark web). Alternatively, they may deploy ransomware, encrypting the data so that it can only be restored with a decryption key supplied in return for a large payment. Fundamental to information security are the three objectives of maintaining the Confidentiality, Integrity and Availability of data (the ‘CIA’ triad).
Typically the first stage in the process that leads to a data breach is a successful phishing attack, or an infection via website misconfiguration or application vulnerabilities (the so-called root causes). The priority must therefore be to defend against the root causes with risk awareness training and web application security. There are also controls that limit the damage if an attacker does get in: encryption of data at rest, tested off-site backups, network segmentation, DLP and software that watches for unusual behaviour (UEBA).
ATTACK SURFACE RISK
It is often uncertain exactly what online assets an organisation has outside the firewall (its ‘digital footprint’), because of M&A activity, shadow IT, or simply a sprawling multinational IT infrastructure. On top of this, those assets are often neglected: unpatched, misconfigured, with expired TLS certificates and outdated software. Attackers perform reconnaissance to find and exploit unknown, vulnerable and unmonitored internet-facing websites, applications, forms and underlying infrastructure. This is a relatively easy way into large enterprises.
The first step in mitigating this risk is discovering exactly what online resources are linked to the organisation, and then managing and monitoring them continuously, a process called attack surface management.
Larger organisations are also exposed to the creation of fake websites and other resources that imitate them, and to piggybacking on genuine ones. This activity, in particular false domains, applications and social media accounts, can be immensely harmful: it enables phishing attacks on employees and customers, malware distribution, and the association of brands with offensive or illegal content.
Most malware gets into a computer because the user does something avoidable, typically clicking a malicious attachment or link in a phishing email or text message. Strictly speaking, a drive-by download is any download that happens without the user’s permission, but the term is now mostly used for malware that installs itself without any user action beyond visiting a page. This generally happens when a victim visits a legitimate website that a criminal has tampered with, inserting malicious script that exploits a vulnerability in the visitor’s browser or a plug-in.
Ways to avoid these attacks include better web application security and secure coding on the site side, and prompt patching and security updates on the client side, since a drive-by can only succeed against a browser with an exploitable flaw. Solutions that manage an organisation’s ‘digital footprint’ (attack surface management) can also help by searching out fake websites and other fraudulent digital assets.
INSIDER THREAT
When it comes to information security, most companies focus overwhelmingly on external threats, that is, hackers and other criminals who are probably geographically far away. However, research from a number of organisations indicates that nearly half of reported data breaches result from the actions of the affected company’s own employees. To be fair, only around a third of these are genuinely malicious; around 60% are due to negligence and error (failing to apply secure configurations or appropriate password settings, or copying the wrong addresses on emails carrying sensitive data). But the effects of a breach are the same whether the cause is malicious or negligent, so solutions are required to manage this risk.
The most appropriate defence is DLP (data loss prevention), which monitors data leaving the organisation by every channel (email, file transfers, USB keys and even printed documents), inspecting content for patterns such as card numbers or classification markers. Related to this is software that looks for anomalous behaviour, such as activity at unusual times or from unusual locations (UEBA). It is also a good use case for authentication and privilege management tools, and in general for the zero trust approach, which assumes that any agent on the network may have malicious intent.
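The content inspection at the heart of DLP is simple to demonstrate. The block below is an added example, not code from the original page or from any DLP product: it scans an outbound message body for payment card numbers (a digit pattern confirmed by the Luhn checksum, so that order numbers and phone numbers do not trigger it) and for classification markers, and returns a policy decision. The markers, the decision rules and the sample body are constructed assumptions; 4111 1111 1111 1111 is a well-known test card number, not a real one.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens (common PAN layouts).
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Assumption: these classification markers are the organisation's own convention (hypothetical).
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding itself does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outbound(text: str):
    """Return (kind, evidence) findings for card numbers and classification markers."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", mask(digits)))
    lowered = text.lower()
    for marker in MARKERS:
        if marker.lower() in lowered:
            findings.append(("classification_marker", marker))
    return findings


def policy_decision(findings) -> str:
    """Block card data outright; hold anything else that was flagged for review."""
    kinds = {kind for kind, _ in findings}
    if "card_number" in kinds:
        return "block"
    return "review" if kinds else "allow"


# Constructed outbound email body (not real data).
SAMPLE_BODY = (
    "Hi, the client's card is 4111 1111 1111 1111, expiry 09/27. "
    "Order ref 1234 5678 9012 3456. CONFIDENTIAL draft attached."
)

if __name__ == "__main__":
    found = scan_outbound(SAMPLE_BODY)
    print(found)                      # the order reference fails Luhn and is not reported
    print(policy_decision(found))     # block
```

The same scanner runs unchanged over a file copied to a USB key or a print-spool job; what differs per channel is only how the verdict is enforced. Real deployments add fingerprints of specific documents and machine-learning classifiers, because regular expressions miss sensitive content that has no fixed shape.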
ZERO DAY ATTACK
The traditional defence against malware (viruses, trojans and so on) is ‘signature-based’ anti-virus software. It relies on vendors that hunt for files carrying malware: when they find one, they record a signature (a hash of the file, or a distinctive byte pattern within it) and push updated signature libraries to clients regularly. Anti-malware software on endpoints, firewalls and elsewhere compares the files it sees against the signatures of known malware, then blocks, ‘quarantines’ or deletes anything flagged, depending on its configuration.
The problem with the signature-based approach is that it depends on regular updates and cannot identify malware that has never been seen before. Cybercriminals routinely tweak existing malware so that its hash and byte patterns no longer match any library entry while it keeps the disruptive effects of the original, so previously unseen samples are an increasing problem. Polymorphic malware, which rewrites or re-encrypts itself on every copy, is not new (it dates from the early 1990s) but is now commonplace.
Strictly, a ‘zero day’ is a vulnerability for which no patch exists, together with the exploit that uses it; the term is also applied loosely to never-before-seen malware. The most damaging use of genuine zero days is by specialised groups that build highly tailored exploits, or buy them ready-made, for use by APT groups or nation-state actors in targeted attacks on corporate or governmental organisations, sometimes as part of a wider campaign. To defeat these threats, solutions have been developed that use heuristic analysis, behavioural monitoring or machine learning (‘AI’) rather than signatures alone. It remains just as important to be vigilant about the root causes of malware exposure (phishing, misconfiguration, website vulnerabilities and so on).
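Why a hash signature fails against a trivially modified sample, and why a heuristic scoring the sample’s shape does not, can be shown in a few lines. The following is an added example, not the page’s own material or any vendor’s engine: a hash-based signature store beside a small weighted indicator list, run over a constructed sample and a ‘polymorphic’ variant that differs by one appended comment. The sample is harmless (it only encodes a `Write-Host` call), the indicators and weights are assumptions, and the set stands in for a vendor’s signature feed.

```python
import base64
import hashlib
import re

KNOWN_BAD_HASHES = set()   # stands in for the vendor's signature library (assumption)

# Each heuristic: (pattern, weight, reason). Weights and threshold are illustrative.
HEURISTICS = [
    (re.compile(rb"-EncodedCommand\b|-enc\b", re.I), 3, "encoded PowerShell command line"),
    (re.compile(rb"[A-Za-z0-9+/]{80,}={0,2}"), 2, "long base64 blob"),
    (re.compile(rb"DisableRealtimeMonitoring", re.I), 3, "turns off real-time AV"),
    (re.compile(rb"vssadmin|shadowcopy", re.I), 3, "touches volume shadow copies"),
]
SUSPICIOUS_THRESHOLD = 5


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register_signature(sample: bytes) -> None:
    """Simulate the vendor adding a captured sample's hash to the signature library."""
    KNOWN_BAD_HASHES.add(sha256(sample))


def signature_match(data: bytes) -> bool:
    """Exact-hash lookup: any change to the file defeats it."""
    return sha256(data) in KNOWN_BAD_HASHES


def heuristic_score(data: bytes):
    """Sum the weights of every indicator present; return (score, reasons)."""
    score, reasons = 0, []
    for pattern, weight, reason in HEURISTICS:
        if pattern.search(data):
            score += weight
            reasons.append(reason)
    return score, reasons


def classify(data: bytes) -> str:
    if signature_match(data):
        return "known-malware"
    score, _ = heuristic_score(data)
    return "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"


# Constructed samples. The "malicious" one is harmless: it only encodes a Write-Host call,
# but its shape (encoded command plus a long base64 blob) is what the heuristics look for.
encoded = base64.b64encode(("Write-Host 'sample payload' ; " * 4).encode("utf-16-le"))
SAMPLE = b"powershell.exe -NoProfile -EncodedCommand " + encoded
VARIANT = SAMPLE + b"  # build 2"     # one trivial change: same behaviour, different hash
BENIGN = b"Get-Date | Out-File today.txt"

register_signature(SAMPLE)            # the vendor has seen SAMPLE, never VARIANT

if __name__ == "__main__":
    for name, data in (("sample", SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(name, classify(data), heuristic_score(data)[1])
```

The variant is exactly the situation the paragraph describes: a one-byte change and the signature is gone, while the heuristic verdict is unchanged. Heuristics bring false positives of their own (administrators do run encoded commands), which is why modern products weight many such indicators together with runtime behaviour rather than trusting any single one.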
SUPPLY CHAIN ATTACK
Also known as a third-party attack, this happens when a malicious actor infiltrates an organisation’s network via another company with which it has a close digital relationship, for example a supplier (the ‘third party’), or via software or updates it obtains from that supplier. Even if your own security posture is very robust, you may well be compromised if your partners are more lax, which is exactly what happened in the infamous Target breach in the US in 2013, where the attackers entered through credentials stolen from a heating and ventilation contractor, and in many similar cases since. Data protection regulations such as GDPR do not allow data controllers or processors to shift blame onto a guilty supplier.
As usual, strong security around data assets and the zero trust approach are vital fallback measures to limit the effects of any breach. Access to sensitive areas should be tightly controlled and third-party accounts given the minimum privileges they need, with authentication applied throughout the network. It is also important to assess supply chain risk, which can be extremely complex, by scrutinising the security measures in place at relevant third parties, possibly requiring certification against a respected framework such as ISO 27001, and, for software suppliers, verifying the integrity of what they deliver.
OPERATIONAL TECHNOLOGY (OT)/ICS RISK
Industrial Control System (ICS) refers to the digital instrumentation, networks and devices used to manage industrial processes, from factories to critical infrastructure. SCADA (Supervisory Control And Data Acquisition) is a type of ICS used mainly for “long distance monitoring and control of field sites”, commonly by network operators such as oil and gas pipelines and power grids.
Criminal groups and ‘nation state actors’, hostile and friendly alike, have been scrutinising ICS for several years, for several reasons. Firstly, information technology (IT) and operational technology (OT) have effectively merged, so that industrial appliances such as remote-controlled valves are now connected to the Internet of Things (IoT), much like smart thermostats in our homes. Secondly, the software (firmware) on these devices is often misconfigured (default username and password left unchanged, for example) and out of date, so it can easily be hacked once reached; many industrial protocols were designed without any authentication at all. Finally, several of the organisations at risk are strategic by any definition and critical to the industries they support, which makes them attractive targets for organised criminals (ransomware) and for hostile nation states (economic disruption). The first confirmed cyberattack to cause a power outage hit the Ukrainian grid in December 2015, although ICS-targeting malware such as Stuxnet predates it.
There are two main ways to defend ICS/SCADA against cyberattack. Firstly, digital access to the systems is restricted by network segmentation (separating OT from IT networks), strict firewall policies, physical protection, and avoiding fragile channels such as WiFi. In the extreme case a facility may be ‘air-gapped’, meaning its network has no connection to external networks, including the internet. Air-gapping is not a perfect solution, however: malware can jump the gap (on a USB key, for example, as Stuxnet did), and it complicates software updating and patching.
Secondly, specialised software can be applied that incorporates some or all of the following: identifying and documenting all exposed components (manufacturer, MAC address, firmware version and so on); checking for misconfiguration and out-of-date firmware; monitoring threat intelligence for relevant trends among threat actors; and passively monitoring OT network traffic for commands outside the normal pattern.
Check Point provides specialised security solutions for OT/ICS risk. Forcepoint offers a product similar to a next generation firewall, called Data Guard, which inspects data content and can control the flow of particular information or instructions. For a power station operator, for example, Data Guard could restrict the types of command sent to a substation and block malicious activity.
Websites are, by definition, exposed to almost everyone with internet access, and there are many potential vulnerabilities in their code that expose them to infiltration; freely available scanners hunt for such vulnerabilities automatically. Together these make compromise a real threat. A compromised website can be used as a soft entry point into the organisation’s network, or as a distribution mechanism for malware via ads, pop-ups and drive-by downloads, a common first stage in a ransomware or data-breach attack. Owners and operators can protect themselves by understanding and managing the scope of their online assets (attack surface management), scanning their websites regularly and employing secure coding techniques. Perfect security is extremely hard to achieve, however, because of the dynamic nature, size and complexity of many websites.
ADVANCED PERSISTENT THREAT (APT)
Most cyberattackers are fairly indiscriminate. The criminal gangs behind ransomware or cryptojacking campaigns simply try to distribute as much malware as possible; even if only a small percentage of attempts succeed, the return on effort is good. The most focus such a campaign might show is to select a target industry or sector, say European financial institutions. An Advanced Persistent Threat (APT) actor, on the other hand, concentrates its efforts on a handful of target entities, which may be enterprises, government bodies or other organisations, and its aims are diverse: gaining information (industrial or state espionage), making money, or simply causing disruption. Digital attacks that serve a clear military purpose (Stuxnet being the obvious example) are, of course, the work of the most sophisticated APT actors.
Because of the resources required, APT groups are almost always supported by nation states; the most active are reportedly based in China, Iran, Russia, North Korea and the US, although similar teams almost certainly operate in other countries.
The main features of an APT attack are as follows:
- Attack methods are technologically Advanced, well planned and executed, and expensive; they may entail the use of zero day exploits, although many APT intrusions still begin with spear-phishing or a known, unpatched vulnerability.
- A lot of time is spent preparing the attack, and once the target network is breached the group will normally try to operate inside it for months (Persistent). This time is spent scouting the network, establishing a command and control (C2) connection, escalating privileges and exfiltrating data.
- An APT attack is a genuine Threat: the aggressors are well funded and ruthless, with plenty of time and manpower.
Few organisations have to deal with this kind of situation. If you are at risk from this type of attack, the advice is:
- Use next generation firewalls including web application firewalls
- Allow-list domains and applications (i.e. control which resources your endpoints can reach and which programs they can run)
- Maintain your online assets and network in terms of patching, configuration and other aspects of web application security
- Apply Zero Trust Network conditions including MFA
- Use advanced EDR (endpoint detection and response) technology
- Adopt a solid information security framework for your organisation such as ISO 27001
ATTACK CHAIN/ROOT CAUSES
Information security attacks can broadly be divided into three phases:
ROOT CAUSE This is when and where the threat or malware is introduced to the victim, also known as the vector or delivery method. Recently the most popular vector, by far, has been phishing, but attackers also deliver malware via instant messaging apps such as WhatsApp, and compromised websites are a significant and growing threat. Weak security on IoT devices in the home and on industrial infrastructure (ICS, SCADA) has enlarged the attack surface available to criminals, who can infiltrate networks at these points.
INFILTRATION EVENT This is when the malware is launched; if the launch succeeds it infiltrates the network and begins to carry out the criminal strategy (the execution phase).
The malware payload may be an executable file that the attacker wants to get onto the target device and network, typically attached to an email or message or fetched from a malicious link. In these cases the victim has to take some action, effectively ‘inviting’ the malware in. Compromised websites, however, can deliver malware without any deliberate action: simply loading the infected page, or triggering a script by moving the mouse over part of it, is enough if the browser or a plug-in has an exploitable flaw, an attack known as a drive-by download. An attacker who directly infiltrates a network via an insecure IoT device does not need any of this: they are already inside and can install malware directly.
EXECUTION Now that the malicious software is inside the network, it will often ‘phone home’ to a command and control (C2) server, which can provide further resources (an encryption package, for example) and instructions. It then scans the network for targets (databases, or other computers that can be recruited into a botnet) and is in a position to mount a ransomware attack, exfiltrate sensitive data or steal card details. The periodic, machine-like pattern of these check-ins (‘beaconing’) is one of the clearer signals available to defenders.
The root cause is the most important phase from the defender’s standpoint and should be a focus of the organisation’s information security strategy: if the attack is prevented at this stage, the risks associated with infiltration and execution never arise.
Security awareness training and web application security are efficient mitigations for the current main root-cause risks (phishing and other message-borne malware vectors, and vulnerable websites). Attack surface management is also important. Finally, a company with significant IoT/ICS exposure should treat that risk separately.
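The ‘phone home’ step in the execution phase, which the botnet section says can normally be spotted, leaves a characteristic trace: the implant contacts its C2 server at a near-fixed interval, whereas human browsing is bursty. The following is an added example, not code from the original page: it groups a constructed proxy log by (source, destination), computes the inter-connection gaps for each pair, and flags pairs whose gaps have low jitter (standard deviation divided by mean) over enough connections. The log format, host names, thresholds and the 60-second period are assumptions.

```python
import random
import statistics
from collections import defaultdict


def parse_proxy_log(text: str):
    """Parse constructed proxy-log lines: '<unix_ts> <source_host> <destination>'."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        events.append((float(ts), src, dst))
    return events


def find_beacons(events, min_count=8, max_jitter=0.15):
    """Flag (source, destination) pairs whose connection intervals are suspiciously regular.
    Jitter is the coefficient of variation of the inter-arrival gaps (std dev / mean)."""
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(ts)
    beacons = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_count:          # too few samples to judge regularity
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "count": len(ts_list),
                            "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return beacons


def build_sample_log() -> str:
    """Constructed log: one workstation polls a C2 host every ~60 s with +/-2 s of jitter,
    another browses a CDN with bursty, human-like timing, a third makes three visits."""
    rng = random.Random(3)
    lines = []
    for i in range(20):
        lines.append(f"{1000 + 60 * i + rng.uniform(-2, 2):.2f} ws-17 update-check.example.org")
    t = 1000.0
    for _ in range(30):
        t += rng.expovariate(1 / 45)          # exponential gaps: jitter close to 1.0
        lines.append(f"{t:.2f} ws-04 cdn.example.net")
    for i in range(3):
        lines.append(f"{1000 + i * 17:.2f} ws-09 news.example.com")
    return "\n".join(lines)


if __name__ == "__main__":
    for b in find_beacons(parse_proxy_log(build_sample_log())):
        print(b)    # only ws-17 -> update-check.example.org is reported
```

Legitimate software beacons too (update checkers, monitoring agents, NTP), so in production this is a candidate generator whose output is joined against destination reputation, allow-lists and the process that opened the connection; malware authors also add random sleep to raise the jitter, which is why the threshold is a tuning knob rather than a constant.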
MALWARE
The term ‘malware’ (malicious software) covers a wide range of threats, with at least ten categories including worms, viruses and trojans; adware, spyware and ransomware are all types of malware. Although exploits are frequently delivered in, or as part of, executable files, an actual file is not always involved: ‘fileless’ malware lives in memory and persists through objects such as registry keys, scheduled tasks or WMI subscriptions, running under legitimate system tools such as PowerShell.
It is not necessary to click an attachment or link to introduce malware: a drive-by download can execute when a compromised web page is opened, or when a script on it is triggered by moving the cursor over a hyperlinked image, provided the browser or a plug-in has an exploitable flaw.
Among the most pernicious forms of malware is the ‘rootkit’, which an attacker who has obtained administrative rights can install in an area that is normally very hard to inspect, such as the kernel or firmware. Once there it is very hard to find and may be able to disable or blind anti-malware software. A serious rootkit infection usually requires a clean reinstallation of the operating system, and a firmware-level one may require replacing the hardware.
A zero-day vulnerability is one that is unknown to the vendor, so no patch exists; an exploit for it defeats patch-based defences, and malware that has never been seen before likewise defeats traditional signature-based detection.
The risk of malware infiltration can be significantly reduced by addressing the root-cause threats (particularly phishing, misconfiguration of devices and software, and web application security). This is the first layer of a ‘defence in depth’ approach to information security. It is also important to run anti-malware software as part of endpoint protection, and nowadays it makes sense to choose a solution that adds behavioural and machine-learning detection to signatures, in order to limit the risk from previously unseen malware.
CLOUD SECURITY
The main security risk of using the cloud is that some responsibility for data stored there shifts to the service provider (Amazon Web Services (AWS), Microsoft Azure and so on), under the ‘Shared Responsibility Model’. The vendor looks after the security OF the cloud (the physical facilities, hardware, network and virtualisation layer, and for platform and software services the operating system and platform too), while the customer remains responsible for security IN the cloud: identity and access configuration, data classification and encryption, and, for infrastructure services, the operating system, patches and application software. The customer therefore loses some control over the data asset without losing accountability for it. It is vital to use responsible, secure vendors and to monitor the security of applications and data in the cloud carefully. In practice most cloud breaches are due to customer-side misconfiguration (the classic ‘AWS S3 bucket misconfiguration’ that leaves storage publicly readable) and unpatched software, not to failures by the provider.
Because of privacy laws such as GDPR, it is very important to remember that the customer must comply with the relevant regulations in respect of data held in the cloud. That means knowing what data is stored in the cloud, where it is, who can access it and how it is protected. Encrypting data stored there, with keys the customer controls, is certainly recommended.
Employee use of unauthorised cloud applications (‘shadow IT’) is a further risk, and organisations are always surprised by the number of such applications in use on endpoints (company computers AND personal devices, the ‘bring your own device’ or BYOD risk). The ability to upload sensitive data to personal cloud storage such as Dropbox is an increasingly relevant insider threat.
Many aspects of cloud security (security configuration and patching, for example) can be handled by the organisation itself. Specialist cloud security providers, in particular Cloud Access Security Brokers (CASB) and cloud security posture management (CSPM) tools, can help with this and also protect against cloud-application risk.
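The ‘S3 bucket misconfiguration’ named above, and the least-privilege rule from the misconfiguration section, come down to checks a posture tool runs on every policy: is an Allow statement granted to everyone, and is it confined to a source network? The block below is an added example, not code from the original page or from any CSPM product: it evaluates a bucket policy in the AWS policy document format for world-open statements, produces a corrected copy with those statements removed, and checks a list of firewall rules for administrative ports open to 0.0.0.0/0. The policy, the account ID `123456789012`, the bucket and rule names are all constructed placeholders.

```python
import json


def is_public_principal(principal) -> bool:
    """True for the forms that grant access to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def has_source_restriction(statement) -> bool:
    """A public principal confined to an IP range or VPC is not world-open."""
    for operator_args in statement.get("Condition", {}).values():
        if any(k in ("aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce") for k in operator_args):
            return True
    return False


def is_world_open(statement) -> bool:
    return (statement.get("Effect") == "Allow"
            and is_public_principal(statement.get("Principal"))
            and not has_source_restriction(statement))


def public_statements(policy):
    """Sids of Allow statements that grant access to everyone without any source restriction."""
    return [st.get("Sid", "<no Sid>") for st in policy.get("Statement", []) if is_world_open(st)]


def remove_public(policy):
    """Return a copy of the policy with the world-open statements removed (least privilege)."""
    kept = [st for st in policy.get("Statement", []) if not is_world_open(st)]
    return {**policy, "Statement": kept}


def world_open_ports(rules, sensitive=(22, 3389, 3306, 5432)):
    """(rule name, port) pairs where an admin or database port is reachable from anywhere."""
    hits = []
    for r in rules:
        if r["cidr"] in ("0.0.0.0/0", "::/0"):
            hits.extend((r["name"], p) for p in sensitive if r["from_port"] <= p <= r["to_port"])
    return hits


# Constructed bucket policy and firewall rules (account ID and names are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"},
    {"Sid": "CdnRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-service"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::customer-exports/*"}
  ]
}
""")

SAMPLE_RULES = [
    {"name": "ssh-anywhere", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"name": "https", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"name": "db-internal", "cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432},
]

if __name__ == "__main__":
    print("world-open statements:", public_statements(SAMPLE_POLICY))      # ['PublicRead']
    print("after fix:", [s["Sid"] for s in remove_public(SAMPLE_POLICY)["Statement"]])
    print("admin ports open to the world:", world_open_ports(SAMPLE_RULES))   # [('ssh-anywhere', 22)]
```

The `CdnRead` statement is deliberately kept: it is public in form but restricted to one address range, which is the shape of a legitimate edge-cache grant. Running a check like this in the deployment pipeline, against infrastructure-as-code before it is applied, is how the ‘off by default’ rule from the misconfiguration section is actually enforced at scale.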