Ransomware, Critical Infrastructure and COVID-19: Confronting the New Reality of Nation-State Threats


Over the past decade, we have seen just how destructive cyberattacks have become. It seems every time we turn around, there are new methods surfacing that can often make us question our decisions and actions, and how we can continue to improve. But while we have seen nation-state attacks become more advanced, especially attacks using lateral movement such as unsanctioned east-west traffic and increased dwell time, there is also a silver lining. We can often learn more from the organizations that have been successful in circumventing even the most sophisticated cyberattacks. This is true even in cases of ransomware, critical infrastructure and the latest attacks – biotech research and COVID-19 vaccines.

Ransomware is consistently a huge challenge for many industries from financial services to healthcare and others, and the data shows a disturbing trend. A recent survey, The State of Ransomware, by the cybersecurity company, Sophos, reveals that 51% of organizations were hit by ransomware in the last year, and hackers succeeded in encrypting the data in 73% of those attacks. However, only 26% of ransomware victims whose data was encrypted got their data back by paying the ransom. And according to Verizon’s Data Breach studies into industrial espionage attacks against the private sector, the volume of nation-state actors increased from being 12% of the perpetrators of such attacks in 2018, to 23% in the 2019 study and to 38% in the 2020 study. There is no escaping the fact that nation-states are increasingly engaged in hacking.

From what I’ve witnessed as a cybersecurity consultant, nation-states are better at hiding than ever before. State hackers use various sophisticated techniques such as acting through proxy layers, avoiding attribution by manipulating data, and using clever toolkits and other means to mislead forensics. One of the best examples of this is the WannaCry ransomware that wreaked havoc across the world in 2017 and throughout 2018. It used EternalBlue, a cyberattack exploit developed by the United States National Security Agency (NSA). The exploit was leaked by the hacker group Shadow Brokers in April of 2017, just one month after Microsoft released patches for the vulnerability. WannaCry was especially nasty due to its self-propagating nature, meaning it could move itself from machine to machine, or network to network, spreading the infection entirely on its own.

When Consequences Turn Deadly

Nation-state actors have become brazen in their attacks, and we see evidence of this in the use of many different methods to carry out attacks that have even resulted in fatalities.

In the past, ransomware-focused criminal organizations would avoid targets where human lives would be at risk. But now, even hospitals are seen as acceptable. In September 2020, a ransomware attack on the German Düsseldorf University Clinic led to the death of a patient. German law enforcement is seeking prosecution of the Russian attackers involved in that attack. The same criminal gang was also responsible for attacking and taking down all 250 facilities of the US-based healthcare provider UHS.

Nation-state actors have also targeted critical infrastructure in attacks that aim to hurt or even kill citizens of the target countries. From April to July of 2020, Israel’s water supplies were threatened three separate times by nation-state hackers (suspected to be Iran). The industrial controls of Israeli water processing facilities were attacked in an attempt to alter the injection of treatment chemicals to unsafe levels. The attack was disconcerting enough that a cyber counterattack was levied against Iran (allegedly initiated by Israel), disrupting port traffic at the Port of Shahid Rajaee.

These examples are a far cry from the typical nation-state attacks of the past – intelligence, influence, disinformation, propaganda and espionage. If we were once under the impression that investing in cybersecurity was strictly a decision based on the risk of data and financial loss, it’s time to reevaluate. We have entered an age where attacks could truly lead to devastating consequences, certainly to enterprise survival and now even to the safety and lives of people.

The Latest Biotech Hit: COVID-19 Vaccine

In the throes of the COVID-19 epidemic, the US, Canada and the United Kingdom all reported attempts by Russian and Chinese state actors to steal, manipulate and even obstruct the development of the COVID-19 vaccine. First warnings of such activity came from a joint CISA/FBI PSA to the vaccine research community in May 2020. By July, the US Department of Justice had issued an indictment against two Chinese nationals working on behalf of the People’s Republic of China. They were charged not only with attempted theft but with attempted destruction of vaccine research held in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom.

How We Can Win the War With Segmentation

In cybersecurity, we are constantly inundated with stories of failures. Reports of data breaches seem to be much more popular with the media, while safe, secure organizations that are successfully protecting themselves and blocking attacks aren’t considered headline news. However, this is doing the industry and companies across the world a huge disservice. In a way, we are victims of reverse-survivor bias. While it’s important that we continue to stay vigilant and recognize these threats as real, there are many tangible things that companies and government organizations are currently doing to mitigate threats, minimize damages and recover gracefully.

Here are seven ways you can protect your organization from nation-state threats:

  1. Better Vulnerability and Patching Regimen:
    Add vulnerability and patching checks to end-user, public-facing and data center environments, and automate them wherever possible. They should also be incorporated into DevOps playbooks as new instances are spun up and/or modified, and into switch/router and other infrastructure devices as well, since we’ve seen a rise in attacker focus there.
  2. Incorporate Multi-factor Authentication:
    Brute-force password cracking is one of the easiest direct assaults seen on end-user and application environments, yet it’s easy to enforce the use of strong passwords and to implement two-factor authentication.
  3. Privileged Accounts and Expiration Controls:
    These can be easily added to overall enterprise security. New attacks often take advantage of the user they ride in on. Or, they can take advantage of an account that should have been used for a specific, scheduled purpose and subsequently deleted. Even with administrative accounts, one could easily work with reduced privileges, only invoking higher privileges (a “sudo”) when needed.
  4. Certificate Management and Control:
    Many attackers take advantage of poor certificate management to propagate across an enterprise. By taking better control of certificate management you take away the ability of hackers to fool your workloads into trusting them.
  5. Core Service Controls:
    By better securing DNS, Remote Access, Active Directory and other critical enterprise services you prevent attacks from doing major damage.
  6. Micro-segmentation Practices:
    As Zero Trust discusses, the end of the enterprise edge is nigh. We need to move away from the reliance on perimeter firewalls and edge security and instead shore up our software-based segmentation throughout our enterprise workflow. With software-based segmentation, you replace the complexity of VLANs, firewalls and cloud security groups with a platform-agnostic, simplified, fast and granular method to segment across your entire environment. Even when applied sparingly, you decrease an attacker’s ability to land and, even more, to move laterally across the environment.
  7. Better and Redundant Backup and Restore Procedures:
    This is especially important today when ransomware and nation-state attacks are concerned. The ability to restore systems means you avoid costly downtime and restore without paying a ransom.
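To make the micro-segmentation point (item 6) concrete, here is an added example that is not part of the original post and not Guardicore's product or code: a small label-based allow-list policy evaluated over constructed east-west flow records. Workloads carry labels (app, tier, env), rules allow traffic between label selectors on specific ports, and anything not explicitly allowed is denied. Run in monitor-only mode, the same check surfaces the unsanctioned east-west traffic mentioned at the top of the post before enforcement is switched on. The inventory, labels, rule names and flow-record format are all assumptions made for this example.

```python
"""Label-based micro-segmentation policy check over constructed flow records.

Added example, not the post's or Guardicore's own code. Inventory, labels,
rule names and the flow-record format are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed workload inventory keyed by IP; labels are the segmentation handles.
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.1.10": {"name": "web-01", "app": "shop", "tier": "web", "env": "prod"},
    "10.0.2.10": {"name": "api-01", "app": "shop", "tier": "app", "env": "prod"},
    "10.0.3.10": {"name": "db-01", "app": "shop", "tier": "db", "env": "prod"},
    "10.0.5.10": {"name": "dc-01", "app": "ad", "tier": "infra", "env": "prod"},
    "10.0.9.10": {"name": "hr-ws-07", "app": "endpoint", "tier": "user", "env": "corp"},
}


@dataclass
class Rule:
    name: str
    src: Dict[str, str]  # label selector; an empty selector matches any known workload
    dst: Dict[str, str]
    ports: List[int]


# Allow-list policy: only these label-to-label flows are sanctioned; default is deny.
POLICY: List[Rule] = [
    Rule("web-to-app", {"app": "shop", "tier": "web"}, {"app": "shop", "tier": "app"}, [8443]),
    Rule("app-to-db", {"app": "shop", "tier": "app"}, {"app": "shop", "tier": "db"}, [5432]),
    Rule("any-to-dc-auth", {}, {"app": "ad"}, [88, 389, 636]),
]


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Every key/value in the selector must be present on the workload."""
    return all(labels.get(key) == value for key, value in selector.items())


def evaluate(src_ip: str, dst_ip: str, port: int) -> Optional[str]:
    """Return the name of the first rule allowing the flow, or None (deny)."""
    src, dst = INVENTORY.get(src_ip), INVENTORY.get(dst_ip)
    if src is None or dst is None:
        return None  # unknown workloads are never implicitly trusted
    for rule in POLICY:
        if (selector_matches(rule.src, src)
                and selector_matches(rule.dst, dst)
                and port in rule.ports):
            return rule.name
    return None


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse the constructed 'src=IP dst=IP dport=N proto=tcp' record format."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify each flow; verdict is the allowing rule name or 'DENY'."""
    results = []
    for line in lines:
        src, dst, port = parse_flow(line)
        rule = evaluate(src, dst, port)
        results.append((line, rule if rule else "DENY"))
    return results


def denied_flows(lines: List[str]) -> List[str]:
    """Flows a segmentation policy would block (or alert on in monitor mode)."""
    return [line for line, verdict in audit(lines) if verdict == "DENY"]


# Constructed sample flows: three sanctioned paths and four east-west flows
# that are outside the allow-list.
SAMPLE_FLOWS = [
    "src=10.0.1.10 dst=10.0.2.10 dport=8443 proto=tcp",  # web -> app, sanctioned
    "src=10.0.2.10 dst=10.0.3.10 dport=5432 proto=tcp",  # app -> db, sanctioned
    "src=10.0.9.10 dst=10.0.5.10 dport=88 proto=tcp",    # workstation Kerberos to DC
    "src=10.0.9.10 dst=10.0.3.10 dport=5432 proto=tcp",  # workstation straight to db
    "src=10.0.1.10 dst=10.0.3.10 dport=5432 proto=tcp",  # web skipping the app tier
    "src=10.0.1.10 dst=10.0.2.10 dport=22 proto=tcp",    # ssh between tiers, not allowed
    "src=10.0.7.77 dst=10.0.3.10 dport=5432 proto=tcp",  # unknown source address
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:16} {flow}")
```

The design choice worth noting is that the policy is written against labels rather than addresses or VLANs, so a workload that is re-deployed with a new IP inherits the same rules, and an unlabelled or unknown host gets no access at all. Starting with the policy in audit-only mode gives a list of real east-west flows to either sanction explicitly or treat as a finding before blocking is enabled.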

Setting Expectations: Plan, Practice and Survive

Adding to the seven focus areas, by far the most important indicator of whether you’ll succeed or fail comes down to whether you’ve set expectations within your enterprise. Staff and executives need to accept that at some point you will be breached. They need to understand that it’s not a matter of if but when. With that in mind, you must also have a well-thought-out and practiced incident response plan that includes non-technical and executive staff. By doing so, you maximize your ability to respond, remediate and recover gracefully.

While attackers seem so troublesome, we have everything in our grasp to defend against them. With just a little effort we will indeed survive and flourish.

___

This post was originally published on the Guardicore blog