In today’s cyber world, full of uncertainty and constantly evolving threats and data obligations, have you ever wondered, “how can my organization protect itself against the unknown?” The quick answer to that question is threat intelligence, the human element that leverages cyber intuition and honed investigation skills to pre-empt attacks. Threat intelligence is actionable, timely, and provides context to threats. Let’s delve into the details and better understand all that threat intelligence has to offer the industry.
What is Threat Intelligence?
Threat intelligence gathers multi-source, raw, curated data about existing threat actors and their tactics, techniques, and procedures (TTPs). This cyber modus operandi helps analysts understand the tactics used by adversaries and identify signs or signals of their unauthorized presence in a target environment. In fact, it helps cyber analysts identify likely future targets by understanding their motivation, transferable phishing campaigns, and other tools that could be applied from one target to another. For example, a campaign that uses stolen lawsuit information to target law firms could be modified to target healthcare organizations by using stolen malpractice litigation documents.
This knowledge and understanding of the adversary can prevent future attacks by helping organizations develop defenses based on likely attack scenarios. In essence, threat intelligence is a way to proactively defend your organization and remain a few steps ahead of cybercriminals. It’s not a crystal ball, but it could be a Moneyball approach to cybersecurity.
Threat intelligence professionals threat hunt by proactively searching for suspicious activity that indicates malicious behavior or network compromise. It is often a manual process backed by automated searches and correlation of already-collected network data. Other prevention and detection methods can only detect known and categorized threats. Below are some requirements for a threat hunting tool:
Practical Threat Hunting Tool Requirements:
Proactive threat hunting quickly establishes itself as a critical pillar in security strategies and ensures situational awareness that other methods do not offer. This approach requires the expertise of cybersecurity professionals who can draw from the knowledge of a system’s specific functionality and connectivity. In addition, they understand the attacker’s tactics, techniques, and procedures (TTPs) and capabilities to expose potential attacks and compromises. For additional context, below are a few threat intelligence challenges and benefits:
Threat Intelligence Challenges
Threat Intelligence Benefits
Who Should Invest in Threat Intelligence?
Threat intelligence adds value across security functions for companies of all sizes. When threat intelligence is integrated into an organization’s IT team, it helps the team prioritize and respond to incoming threats. Threat intelligence provides the external insight and context needed to accurately prioritize the vulnerabilities that matter, and it provides context around threat actors’ TTPs. Fraud protection, risk analysis, and other high-level security processes are all enriched by that knowledge.
Proactive threat intelligence and hunting require 24/7 continuous scanning, which is typically a challenge for organizations that struggle to source the right talent or have a low budget. A standard cost-effective solution can be to outsource the skill and expertise needed.
Move Beyond Automation: Take Charge
In today’s world, adding threat intelligence to your cybersecurity strategy is no longer a luxury; it is a necessity. It’s said to be the way of the future for detecting and responding to advanced threats. Threat intelligence helps lower cybercrime and data breach costs. A significant cybersecurity transformation is underway, and organizations can’t wait around to be attacked anymore. The key is adding elements that strengthen your organization for battle: the human element within threat intelligence. Taking charge is more than a suggestion; it’s a critical move that, if not made correctly, will result in irreversible damage.
At Adlumin, we are constantly monitoring trends in malware and the capabilities used by threat actors to attack customer networks. Ransomware poses a unique threat to customer environments and businesses as attackers’ use of the technique continually evolves and spreads while payouts increase.
The Threat
Ransomware is a popular method of computer network exploitation and extortion, and a potentially big payday for cybercriminals. In a ransomware attack, malware implanted on a device finds local and network-shared user files and encrypts the victim’s data. Once encrypted, unless there are unaffected backups, the user’s documents and data are rendered inaccessible and unreadable, at least until the victim pays up. Ransomware attackers set up payment portals on the clear web, the dark web, and the bridges between them so that victims can ‘conveniently’ make an online payment to decrypt their files and regain access to their data.
Foundations
While the widespread use of ransomware to target businesses for financial gain is relatively new (modern examples started to trend in the mid-2000s and picked up in 2013), the first examples trace their roots back to the 1980s, decades before modern payment methods like cryptocurrencies existed. In 1989 Joseph Popp authored and deployed the “AIDS Trojan”. This first-of-its-kind malware hid the user’s files, encrypted their names, then displayed a message demanding a $189 payment to “PC Cyborg Corporation” to receive a repair tool under an expired software license. It’s worth noting that the decryption key could be extracted from this early sample because it used symmetric encryption: the same key encrypts and decrypts the data, so the malware itself had to carry that key in order to encrypt the files.
By the mid-90s, researchers had introduced the idea of using public-key cryptography so that ransomware could encrypt data without storing the decryption key in the malware, where it would be exposed to reverse engineering and key-recovery-based remediation. This was a critical step in the attacker’s ability to ensure decryption keys couldn’t be recovered reliably, and it kept ransomware a profitable problem.
In 2006, multiple public-key enabled ransomware families caused trouble in networks worldwide. These attacks weren’t typically pointed at individual targets and often spread through file-sharing platforms. By 2009, ransomware variants had shifted to using secure 1024-bit RSA-driven encryption implementations, which essentially prevented the recovery of decryption keys through static analysis.
In 2013 ransomware began its modern popularity with the explosion of the CryptoLocker malware. CryptoLocker propagated through a botnet or as an attachment to an email message that appeared to come from a legitimate company. The ZIP file attached to the message contained a Windows executable disguised as a PDF by changing the executable’s icon. CryptoLocker used public-key encryption to ensure the decryption key was only ever held on the malware’s command and control server. When paired with strong key lengths and algorithms, decryption by means other than payment is computationally infeasible. The malware would encrypt files across the local and mapped network drives, targeting only specific file extensions such as those associated with the Microsoft Office suite, documents, and images.
Since CryptoLocker, hundreds of ransomware families and variants have been introduced to networks worldwide. Locky followed as a spiritual successor to CryptoLocker; WannaCry affected networks globally and leveraged a zero-day to spread relentlessly across a network, bringing organizations like the British NHS to their knees. Ryuk appeared in 2018 and targeted specific organizations and industries for their deep pockets and ability to pay. Ryuk led to Conti, which recently announced its support of Russia and threatened to deploy “retaliatory measures” if cyberattacks were launched against the country in response to the 2022 Russian invasion of Ukraine. As these attacks grow, we’ve seen considerable impacts on business and industry, such as in the 2021 Colonial Pipeline attack, which led to the shutdown of control systems and oil delivery pipelines, causing increased prices, limited availability, and panic-buying.
Trends
Adlumin’s Threat Research group has identified two primary trends in ransomware that increase the risk associated with ransomware attacks: the continued shift to ransomware-as-a-service (RaaS) and the growth of data-exposure driven double-extortion models. These trends represent a widening in ransomware capabilities and prevalence and a decrease in an organization’s ability to control a breach.
Ransomware-as-a-Service (RaaS)
Ransomware as an attacker methodology has grown from initial custom development of tools for individual exploitation campaigns to large-scale availability as a commodity product with the sale of ransomware capabilities taking place on clear and darknet markets. Ransomware capabilities are now available for sale or lease, decreasing the technical capability required to conduct these attacks and lowering the barrier to entry for would-be attackers.
These capabilities can range in cost from as little as $20 to thousands of dollars, depending on the ransomware’s capabilities, the scope of allowed usage, detection mitigations, automation, exclusivity rights, and the inclusion of management or victim portals.
Ransomware has moved from a tailored and unique exploitation method to a pay-for-play access model.
Data Breach & Double-Extortion
Globally, ransomware groups and attacks have started to incorporate more direct extortion methods, shifting from pay-for-decryption to a combined methodology involving the potential release of stolen, often sensitive, data. To ensure payout from victims, attackers have had to mitigate the impact that increased defenses and updated cyber best practices have had on ransomware.
A defensive shift in segmenting devices and services to prevent lateral infection and the ability to restore from otherwise unaffected backups on non-critical systems have lessened businesses’ potential need to pay ransom to recover from an attack. To ensure their operations remain profitable, attackers have begun stealing data from companies and ransoming the possible public release of the stolen data. Such data might include customer PII, payment information, or business secrets – and public release of that data may have severe reputational, business, financial, and regulatory impacts on the affected business, further increasing the cost of a single breach.
This data exposure or “Double Extortion” tactic means the attackers can choose to require two ransoms: one to decrypt the data and another to delete the data stolen before encryption. The potential release of data is intense pressure to pay for victims who may not even know what information was stolen.
Explosive Growth
Ransomware as an attacker capability and exploitation method has experienced explosive growth since the introduction of cryptocurrency payments and a run of continued profitable attacks. According to FBI Internet Crime Complaint Center (IC3) figures reported by CISA, ransomware incidents continue to rise, with 2,474 incidents reported for all of 2020 and 2,084 complaints between January and July of 2021 alone, a doubling of reported incidents. The cost and ransom amount have also grown, with a 225 increase in ransom demands, and victims are on track to hit over $40M in losses.
What You Can Do
Your business or organization isn’t helpless in preventing ransomware attacks and limiting their impact when they make it past defenses. In a joint 2022 release by cybersecurity authorities in the United States, Australia, and the United Kingdom, which included the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), authorities recommended multiple best practices for protecting your network:
Keep all operating systems and software up to date.
If you use RDP or other potentially risky services, secure and monitor them closely.
Implement a user training program and phishing exercises.
Require MFA.
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
If using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth.
Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
Segment networks to help prevent the spread of ransomware by controlling traffic flows between, and access to, various subnetworks and restricting adversary lateral movement.
Implement end-to-end encryption, which can prevent eavesdropping on communications and, in turn, keep cyber threat actors from gaining the insights needed to advance a ransomware attack.
Use a network-monitoring tool to identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware.
Document external remote connections.
Enforce the principle of least privilege through authorization policies.
Reduce credential exposure.
Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their usage.
Maintain offline (i.e., physically disconnected) backups of data and regularly test backup and restoration.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Collect telemetry from cloud environments.
On Friday, May 27, 2022, a new zero-day remote code execution vulnerability was reported by security researcher “nao_sec” on Twitter. Validated by the community and given the Common Vulnerabilities and Exposure (CVE) designation CVE-2022-30190, the vulnerability dubbed Follina, takes advantage of a flaw in Microsoft Office. It allows attackers to call the Microsoft Support Diagnostics Tool (msdt.exe) to launch malicious executions, including PowerShell commands.
The vulnerability has been confirmed as present and effective against Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 and affects the following operating systems: Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. It leaves most combinations of Office and Windows susceptible to exploitation, and it should be assumed that all versions of Office are vulnerable.
Technical Details
Follina was first observed as active in the wild and took advantage of a flaw in Microsoft Office and Windows, which allows for arbitrary remote code execution giving attackers potential control of the victim’s machine. Unlike traditional Microsoft Office-based attacks, which typically leverage document macro functionality to gain execution—a generally mitigated strategy—Follina takes advantage of Office’s remote template feature to gain initial execution.
The Office remote template feature allows the malicious document to retrieve a remote HTML file containing JavaScript that executes commands through the Microsoft Support Diagnostics Tool (MSDT / msdt.exe). The resulting PowerShell scripts typically run at the privilege level of the user who opened the document, allowing the attacker to modify, view, or destroy data and install additional programs and malware.
Detection, Defenses, and Mitigations with Adlumin
Adlumin allows security administrators to collect and query security-relevant logs from multiple sources, including network endpoints and process executions. Using this capability, we can develop a query to look for potential instances of exploitation of this vulnerability.
The exploitation of Follina / CVE-2022-30190 should create multiple recorded artifacts, which can be searched to see if the vulnerability has been used in a network. To query for these instances, we can search for endpoint process executions where the parent process is a Microsoft Office product and the child process launched by it is the process msdt.exe or sdiagnhost.exe.
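The parent/child search described above, implemented as an added example (not Adlumin's query language or code) over a few constructed process-creation events; the JSON field names are an assumption:

```python
"""Hunt for CVE-2022-30190 (Follina) artifacts in process-creation telemetry.

Added example, not Adlumin's query or code. It implements the search described
above: an Office parent process spawning msdt.exe or sdiagnhost.exe. The JSON
lines event shape (parent_image / image fields) is an assumption, and every
event below is constructed for illustration.
"""
import json
from pathlib import PureWindowsPath

# Office executables that act as the parent in the chain (assumed common set).
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "visio.exe", "mspub.exe",
}
# Child processes the advisory names as artifacts of the msdt handler firing.
SUSPICIOUS_CHILDREN = {"msdt.exe", "sdiagnhost.exe"}

# Constructed sample telemetry, one JSON object per line (Sysmon/EDR style).
# The svchost.exe -> sdiagnhost.exe line is included to show that the search
# keys on the Office parent and does not match it.
SAMPLE_EVENTS = r"""
{"ts": "2022-05-30T09:12:01Z", "host": "WS01", "user": "CORP\\alice", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\msdt.exe"}
{"ts": "2022-05-30T09:12:02Z", "host": "WS01", "user": "CORP\\alice", "parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\sdiagnhost.exe"}
{"ts": "2022-05-30T10:03:44Z", "host": "WS02", "user": "CORP\\bob", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\splwow64.exe"}
{"ts": "2022-05-30T11:47:19Z", "host": "WS03", "user": "CORP\\carol", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\msdt.exe"}
{"ts": "2022-05-30T13:20:05Z", "host": "WS04", "user": "CORP\\dave", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "image": "C:\\Windows\\System32\\sdiagnhost.exe"}
"""


def image_name(path):
    """Lower-cased file name of a Windows image path, e.g. 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def is_follina_chain(event):
    """True when an Office process is the direct parent of msdt.exe/sdiagnhost.exe."""
    return (image_name(event.get("parent_image", "")) in OFFICE_PARENTS
            and image_name(event.get("image", "")) in SUSPICIOUS_CHILDREN)


def hunt(jsonl):
    """Return (host, user, parent, child, ts) for every matching event."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_follina_chain(event):
            hits.append((event["host"], event["user"],
                         image_name(event["parent_image"]),
                         image_name(event["image"]), event["ts"]))
    return hits


if __name__ == "__main__":
    for host, user, parent, child, ts in hunt(SAMPLE_EVENTS):
        print(f"{ts} {host} {user}: {parent} -> {child}")
```

A match is a lead, not a verdict: a user running a troubleshooter from an Office link can produce the same pair, so pivot to the child's command line and any follow-on network or PowerShell activity before calling it exploitation.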
Adlumin stores historical customer data, which lets us check whether this vulnerability was leveraged in the months before the exploit was publicly released. Searching that data set, Adlumin’s Threat Research team could not find any examples of exploitation among our customers.
Defenses
At the time of the vulnerability’s public disclosure there was no official patch from Microsoft for it, and at the time of writing there still is none. Microsoft has recommended disabling the MSDT URL protocol as a mitigation for the vulnerability.
Disabling the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links from within the operating system. The following steps disable the MSDT URL protocol, protecting systems from the Follina vulnerability:
Run Command Prompt as Administrator
Back up the registry key:
reg export HKEY_CLASSES_ROOT\ms-msdt backup
Delete the following registry key:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Additionally, Microsoft recommends customers with Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission to help quickly identify and stop new unknown threats. Microsoft Defender for Endpoint customers can enable attack surface reduction by setting the rule for “Block All Office applications from creating child processes” (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a).
Continuous Monitoring
Adlumin recommends using a Continuous Vulnerability Management product to collect the needed data from endpoints to determine if they are running vulnerable versions of Microsoft Windows and Office. The Continuous Vulnerability Management software can also be used to identify those assets which have or do not have the official Microsoft mitigation in place.
Adlumin also recommends leveraging our managed security services product to continually search and alert for suspicious executions, which may result from the exploitation of the vulnerability.
Dive deeper into the Follina vulnerability – read Adlumin’s latest customer use case here.
In the book Charlie and the Chocolate Factory, a young boy receives a “golden ticket” that provides him access to Willy Wonka’s chocolate factory. In a cybersecurity context, a Golden Ticket attack means a cybercriminal has gained access to an organization’s entire Active Directory (AD) domain for up to 10 years. As the name and description suggest, these attacks can be devastatingly invasive and leave a network at the attacker’s mercy for long periods of time.
A core concept in the mechanism of these attacks is the Kerberos Key Distribution Center (KDC). The KDC functions as a trusted third-party authentication service as part of every domain controller within an AD. Kerberos grants a Ticket Granting Ticket (TGT) to prove recent authentication, allowing users to access resources without constantly reauthenticating.
Kerberos
1. To access a resource, the user requests a TGT from the Authentication Server; the request is encrypted with the user’s password.
2. Kerberos checks the user’s access rights and prepares a TGT and session key, including a timestamp that dictates how long the session is valid. Before being sent, the TGT is encrypted with the KRBTGT password hash (which is shared among all the domain controllers in the AD).
3. The user then requests a service-granting ticket using the TGT they received.
4. The Ticket Granting Service (TGS) verifies this request using the TGT and returns a service ticket and session key for the requested Resource Server.
5. The user sends a request with this ticket and session key to the Resource Server.
6. The Resource Server verifies that the ticket and session key match and then grants access, thus providing mutual authentication.
The Attack
During a Golden Ticket incident, attackers bypass steps 1 and 2 in the above example and forge the TGTs themselves. Forging TGTs can be done manually but is commonly done using an exploitation software called mimikatz, which needs four information parameters to forge a TGT convincingly:
1. Domain name
2. Domain Security Identifier (SID)
3. An account with ‘Replicating Directory Changes All’ and ‘Replicating Directory Changes’ privileges enabled (typically admins)
4. The KRBTGT password hash
Assuming parameter 3 is met, the other parameters can be gathered with simple PowerShell commands and mimikatz. Running the whoami /user command under that account provides an attacker with the domain name and domain SID. Running a DCSync attack with mimikatz yields the KRBTGT password hash. Mimikatz can then use this information to generate a Golden Ticket. An attacker can then access network resources as a domain administrator using any account within the domain.
Adlumin Defense
Golden Ticket Attacks are hard to detect because there are many ways to gather the above parameters beyond the standard technique. Adlumin Data Science takes a practical approach to build a defense – instead of tracking an attacker’s journey to obtaining fake credentials, parsing Windows event logs for end-result signatures of a Golden Ticket attack can be more fruitful. For example, attackers will look to obfuscate their activity by reusing an existing SID with an account that may or may not have an account name similar to that of the original SID owner. Thus, evidence of SID duplication can be a warning sign.
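The SID duplication check described above, as an added example that is not Adlumin Data Science's code; it runs over constructed 4624-style logon records, and the domain SID is a placeholder:

```python
"""Flag SID duplication in Windows logon events as a Golden Ticket signal.

Added example, not Adlumin Data Science's detection code. It implements the
end-result check described above: one security identifier (SID) appearing
in successful logon events (Event ID 4624) under more than one account name.
The event shape (a subset of 4624 fields as dicts) and all sample events,
names and SIDs below are constructed; the domain SID is a placeholder.
"""
from collections import defaultdict

# Well-known SIDs that carry no per-user identity and would only add noise.
IGNORED_SIDS = {"S-1-0-0", "S-1-5-7"}  # NULL SID, ANONYMOUS LOGON

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder

# Constructed 4624-style events. Bob's two entries differ only in letter case,
# which must not be reported; the last event reuses alice's SID under another name.
SAMPLE_4624_EVENTS = [
    {"TimeCreated": "2022-06-01T08:01:10Z", "TargetUserSid": DOMAIN_SID + "-1105",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.0.21"},
    {"TimeCreated": "2022-06-01T08:03:52Z", "TargetUserSid": DOMAIN_SID + "-1106",
     "TargetUserName": "bob", "TargetDomainName": "corp", "LogonType": 2, "IpAddress": "10.0.0.22"},
    {"TimeCreated": "2022-06-01T08:04:00Z", "TargetUserSid": DOMAIN_SID + "-1106",
     "TargetUserName": "BOB", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.0.22"},
    {"TimeCreated": "2022-06-01T08:10:31Z", "TargetUserSid": "S-1-5-7",
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "LogonType": 3, "IpAddress": "10.0.0.40"},
    {"TimeCreated": "2022-06-01T23:58:07Z", "TargetUserSid": DOMAIN_SID + "-1105",
     "TargetUserName": "svc-backup", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.0.99"},
]


def account_key(event):
    """Normalise DOMAIN\\user so case differences are not reported as duplicates."""
    return f"{event.get('TargetDomainName', '')}\\{event['TargetUserName']}".lower()


def sid_to_accounts(events):
    """Map each SID to the set of normalised account names it was seen with."""
    mapping = defaultdict(set)
    for event in events:
        sid = event.get("TargetUserSid", "")
        if not sid or sid in IGNORED_SIDS:
            continue
        mapping[sid].add(account_key(event))
    return mapping


def find_sid_duplication(events):
    """Return {sid: sorted account names} for SIDs seen under more than one name."""
    return {sid: sorted(names)
            for sid, names in sid_to_accounts(events).items() if len(names) > 1}


def pivot(events, sid):
    """All logon events for a flagged SID, oldest first, for analyst follow-up."""
    return sorted((e for e in events if e.get("TargetUserSid") == sid),
                  key=lambda e: e["TimeCreated"])


if __name__ == "__main__":
    for sid, names in find_sid_duplication(SAMPLE_4624_EVENTS).items():
        print(f"SID {sid} seen as {names}")
        for e in pivot(SAMPLE_4624_EVENTS, sid):
            print(f"  {e['TimeCreated']} {account_key(e)} type={e['LogonType']} from {e['IpAddress']}")
```

A legitimate account rename will also trip this check, so the pivot output should be compared against Event ID 4781 (account renamed) before escalating.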
Adlumin Data Science is developing a suite of alerts based on attack signatures like the one mentioned above—being holistically deployed as a comprehensive defense against Windows authentication exploits. Watch our announcement forums for more on this soon.
Adlumin provides a Software-as-a-Service SIEM and managed security services. Our SIEM allows ingestion from multiple and diverse data sources from Office 365 events to Windows Critical Events and Linux Syslog and those from your existing security appliances and solutions.
The legal system, in many ways, is the town hall of the economy, bringing together investors and businesses, filing IP and trademark applications, assessing compliance for regulatory bodies, interpreting statutes for their clients, and navigating complex legal proceedings. Law firms manage unparalleled access to confidential and valuable information. It’s a one-stop shop for lucrative data that attracts cybercriminals to law firms.
According to the American Bar Association (ABA), 25% of law firms were breached last year. Beyond the financial losses, the reputational damage can be fatal, and the trust relationship between client and attorney can be irrevocably harmed. This article will outline why law firms are being targeted and what types of insider threats to look out for going forward.
Why Are Law Firms Targeted?
Law firms are connected to many facets of the economy and are often considered softer targets than their clients. While firms can be small, their clients can be quite large or manage enormous sums of money. In essence, they are viewed as an easy target with an A-list of confidential and potentially damaging data, access to large funds, and a vector into their client’s operations:
DLA Piper suffered a public ransomware attack, resulting in the firm’s IT department putting in more than 15,000 hours of overtime for disaster recovery and shuttering operations across thousands of clients.
Some law firms oversee high-profile cases and names, making them a primary target. In 2020, the data of Grubman Shire Meiselas & Sacks, a law firm representing Hollywood A-listers and athletes, was breached and held for a $21 million ransom. And, of course, there was the data breach that crumbled Mossack Fonseca at the heart of the Panama Papers.
Law firms have access to large amounts of money: trust funds, escrow accounts, etc.
Threats Law Firms Should Know About
Law firms don’t only have to mitigate risk from outside intruders, but they also need to ramp up security for protection against insider threats. In a previous blog post, we discussed how employees could be considered the weakest links. Insider threats can be classified into the following categories:
Employees fall victim to phishing or scams from an external source.
Employees use weak passwords or don’t adequately protect their equipment.
Employees exploit information, leak information to cybercriminals, carry information to a new job, or share data with personal systems.
Finding the perfect balance between protecting your firm’s assets or client information and making your employees feel trusted and valued can be challenging. Therefore, it’s essential to educate employees on cyberthreats to empower them while tightening up your security operations.
Law Firm’s Responsibility to Safeguard
While not directly regulated, a law firm’s obligations stem from three sources: ABA guidelines for attorneys, specific regulators that call out law firms as vendors of regulated entities, or the contractual obligations formed with their clients and their client’s compliance requirements.
The American Bar Association Model Rule of Professional Conduct covers attorney obligations to safeguard their clients’ information, uphold contractual agreements and even report specific cybersecurity incidents that could affect the client. These rules obligate managing partners and attorneys to hold themselves responsible for the conduct of the staff and non-licensed employees. When it comes to technology, the ABA requires attorneys to:
Employ competent and reasonable measures to safeguard the confidentiality of information relating to clients.
Communicate with clients about the attorney’s use of technology and obtain informed consent from clients when appropriate.
Supervise subordinate attorneys, law firm staff, and service providers to make sure that they comply with these duties.
Specifically, Formal Opinion 483 (Oct 2018) explains that Model Rule 1.4 requires lawyers to keep clients “reasonably informed” about the status of a matter and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” And in response to the pandemic, the ABA issued Formal Opinion 498 (Mar 10, 2021): the ABA Model Rules of Professional Conduct permit virtual practice, which is technologically enabled law practice beyond the traditional brick-and-mortar law firm. When practicing virtually, lawyers must consider their ethical duties regarding competence, diligence, and communication, especially when using technology.
Beyond the legal community, regulators extend their coverage to include law firms as vendors. In healthcare, HIPAA considers law firms as business associates with their set of rules for managing healthcare records, and the New York Department of Financial Services covers vendors such as law firms in section 11 of the 23 NYCRR 500 cybersecurity regulations.
Law firms need to equip their employees with the proper knowledge not to jeopardize their law firm or clients’ reputations.
The ABA adopted a resolution encouraging law firms to develop, implement, and maintain proper cybersecurity to comply with ethical and legal obligations. Many firms (big or small) look for external help when tightening up their security. They do not rely on one resource to secure their IT landscape. As an example, the ABA reported that 80% of law firms use third-party consultants/experts, IT staff, and a Chief Information Officer for their security needs.
Law firms should consistently evaluate their security posture to determine where their gaps lie and avoid insider slip-ups. The rules the ABA issues and the applicable compliance regulations provide a minimum standard for the industry. All parties should do their due diligence and strive for more robust protection as a matter of healthy client service.
Learn about the common types of malware, proactive strategies to fight against cyberattacks, the importance of threat hunting, and how to recognize indicators of concern in this comprehensive guide. Equip your organization with the necessary knowledge and tools to protect your IT environment from malware attacks.
An increasingly remote workforce spurred by the COVID-19 pandemic has brought changes to the information security landscape. Users have shifted from working in carefully constructed walled gardens to café hotspots and home networks with no security assurances. Adlumin’s Threat Research group outlines some of the new and rising challenges of increased Remote Work adoption in the security landscape.
Increased Attack Surface
Every additional web application or service introduced to an environment increases the business’s risk and attack surface. The added risk and potential threat of any new service should be judged by the service’s permissions and role in the network. Many applications introduced to support remote work would be categorized as high-risk additions to a typical network. Virtual Desktop Infrastructure (VDI) solutions, Remote Desktops, Virtual Private Networks (VPNs), and other remote access solutions are critical to many remote work architectures. They are typically classed as high risk because of the attractive access and permissions they carry and their position in the data lifecycle.
Administrators and security staff must ensure that all internet-facing devices are patched promptly. They should regularly monitor each system’s logs, accesses, connections, and behavior to confirm its security. Additionally, it is essential to continually monitor the organization’s web exposure to ensure that only documented and secured services are exposed, not malicious backdoors or outdated products. (Note: Adlumin offers Adlumin Perimeter Defense, which gives you insight into your network from an attacker’s perspective.)
User Origin Tracking
Gone are the days of employees working out of a single central office with a sprinkling of branch offices and remote sites diversifying the network’s architecture. Modern remote work requirements include supporting remote employees on a state, country, or globally diverse level.
User origin tracking is the process of monitoring for suspicious traffic by geolocating access and login requests. Requests are compared to a baseline or set of rules that can alert on potentially malicious access, indicated by a remote endpoint connecting or acting from outside the business’s pre-defined operating area. The expansion of the security domain complicates, but does not prohibit, user origination tracking and access origination monitoring and alerting.
To overcome the challenge of manually creating alerting mechanisms for logins outside a central office or branch location, more complex machine learning algorithms are required to learn about a user’s access behavior over time. This includes continually analyzing a user’s current and historical access location, behavior, and relationships in the network to draw conclusions beyond an endpoint’s origination. (Note: Adlumin User & Entity Behavior Analytics (UEBA) – Adlumin uses proprietary UEBA data science to identify, detect, analyze, and prioritize anomalous behavior—without any input from your cybersecurity team—that will likely present a risk to your network’s security in real-time)
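An added example, not Adlumin's UEBA, that combines the rule-based operating-area check from the previous paragraph with a per-user baseline learned from login history; the GeoIP lookup is a constructed stub table and all users and addresses are constructed:

```python
"""Alert on logins from outside a user's learned operating area.

Added example, not Adlumin's UEBA. It combines the two approaches described
above: a rule (the organization's pre-defined operating countries) and a
per-user baseline learned from historical login locations. Geolocation is
stubbed with a constructed prefix-to-country table standing in for a GeoIP
database; all users, addresses and events are constructed.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP lookup (documentation prefixes, RFC 5737).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "GB"),
    (ip_network("192.0.2.0/24"), "DE"),
]
ORG_OPERATING_AREA = {"US", "GB"}  # the rule: where the business expects logins

# Constructed history used to learn each user's baseline.
HISTORY = [
    {"user": "alice", "src_ip": "203.0.113.10"},
    {"user": "alice", "src_ip": "203.0.113.11"},
    {"user": "alice", "src_ip": "203.0.113.12"},
    {"user": "bob", "src_ip": "198.51.100.5"},
    {"user": "bob", "src_ip": "198.51.100.6"},
    {"user": "bob", "src_ip": "192.0.2.7"},     # bob regularly works from DE
    {"user": "bob", "src_ip": "192.0.2.8"},
    {"user": "alice", "src_ip": "192.0.2.40"},  # one-off, below min_logins
]

# Constructed logins to evaluate.
NEW_LOGINS = [
    {"ts": "2022-03-01T08:00:00Z", "user": "alice", "src_ip": "203.0.113.20"},  # usual
    {"ts": "2022-03-01T08:05:00Z", "user": "alice", "src_ip": "198.51.100.9"},  # GB: org area, new for alice
    {"ts": "2022-03-01T08:10:00Z", "user": "alice", "src_ip": "192.0.2.50"},    # DE: outside both
    {"ts": "2022-03-01T08:15:00Z", "user": "bob", "src_ip": "192.0.2.9"},       # DE is in bob's baseline
    {"ts": "2022-03-01T08:20:00Z", "user": "carol", "src_ip": "203.0.113.30"},  # no history, org area
    {"ts": "2022-03-01T08:25:00Z", "user": "carol", "src_ip": "100.64.0.1"},    # unlocatable
]


def geolocate(ip):
    """Country code for an IP, or 'UNKNOWN' when the stub table has no match."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "UNKNOWN"


def build_baseline(history, min_logins=2):
    """Per-user set of countries seen at least min_logins times in history."""
    counts = defaultdict(Counter)
    for event in history:
        counts[event["user"]][geolocate(event["src_ip"])] += 1
    return {user: {c for c, n in tally.items() if n >= min_logins}
            for user, tally in counts.items()}


def evaluate(logins, baseline, operating_area=ORG_OPERATING_AREA):
    """Return (severity, user, country, ts) alerts.

    high:   origin is outside the organization's area and not in the user's baseline
    medium: origin is inside the organization's area but new for a user with history
    """
    alerts = []
    for login in logins:
        country = geolocate(login["src_ip"])
        known = baseline.get(login["user"])  # None when the user has no history yet
        in_baseline = known is not None and country in known
        in_area = country in operating_area
        if not in_area and not in_baseline:
            alerts.append(("high", login["user"], country, login["ts"]))
        elif in_area and known is not None and not in_baseline:
            alerts.append(("medium", login["user"], country, login["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(NEW_LOGINS, build_baseline(HISTORY)):
        print(alert)
```

The baseline should be rebuilt from a rolling window and only from logins that were not themselves alerted, otherwise an attacker's repeated access teaches the model to accept it.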
Crossing Security Domains – Split Tunneling and Introduction of Remote Endpoints
Bringing remote endpoints into your business network can add risk through added surface area and exposure. The use of split tunneling in Virtual Private Networks (VPNs), and more generally the idea of letting a device live in two security domains or jump between them, is an added risk. Split tunneling is the VPN-specific case: some traffic is routed securely to the business network, while other traffic goes to the local network or the internet. This creates a potential vulnerability in which a device bridges a trusted and an untrusted network, potentially linking the security domains. The same potential vulnerability generalizes to any device or user accessing a business application from networks or sources that cannot always be trusted.
Administrators and security staff must ensure that any systems matching this pattern, such as business-owned and issued laptops used in remote work situations by connecting to the business through an employee’s local home intranet, are secured. This involves strong log management and analysis, aggressive patching, endpoint protection products, and security-oriented architectures.
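The split-tunnel setting beside its full-tunnel counterpart, as an added example in WireGuard client syntax (not a configuration from the page or from Adlumin). The address ranges, hostname, interface address and key placeholders are assumed values; the only line that differs between the two files is `AllowedIPs`, which is what decides whether the laptop straddles both security domains.

```ini
# --- file: wg0-split.conf (the risky setting) ---
# Only the corporate range 10.0.0.0/8 is routed through the tunnel. Web browsing
# and the home LAN are reached directly, so the laptop sits in both domains at once.
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = <gateway-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 25

# --- file: wg0-full.conf (the corrected setting) ---
# Every destination, IPv4 and IPv6, is routed through the business gateway, where
# the usual egress filtering and logging apply. The gateway must forward and NAT it.
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = <gateway-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

Two caveats follow from the paragraph above. Listing `::/0` matters: a full tunnel that covers only IPv4 leaks IPv6 traffic to the home network. And a full tunnel governs only what the laptop sends; connections initiated from the home LAN toward the laptop's physical interface are still a host-firewall problem, which is why endpoint protection and patching stay on the list.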
Data in Transit
With a partially or fully remote workforce accessing business assets from locations far from the hosted infrastructure, businesses are forced to send data that once transited dedicated Ethernet connections and leased fiber MPLS circuits over untrusted infrastructure. From coffee shops and home wireless networks to cellular access and remote data centers, modern remote access requirements are diverse and may change for users regularly.
Nearly all services supporting remote work require sending sensitive data across unmonitored, unmanaged, and potentially hostile networks. Because the underlying network is built for reliability rather than path control, the routes that traffic takes from the remote user to the business are dynamic and difficult or impossible to predict or manage, and they are often subject to interception by arbitrary service providers and attackers.
In a February 2022 attack suspected to be of Chinese origin, the routing protocol used to direct traffic over the internet was abused so that traffic was validly routed through transit locations thought friendly to attacker interception and inspection [1]. This technique isn’t new and has been used by multiple nation-state attackers and e-crime organizations alike since at least 2004 [2]. In addition to threats from APTs and e-crime actors, ISPs along the transit route, which the business cannot control, can also inspect or inject network traffic [3].
To help mitigate the risks of sending business data over untrusted infrastructure, a business should treat at least one layer of encryption as mandatory for all business traffic. This can be provided at the application level, commonly through TLS/SSL, or at the transport layer through IPsec and TLS VPNs. Businesses should also consider layering encryption to double-wrap sensitive traffic, for example by requiring remote web applications to be reachable only over an IPsec-backed VPN connection, with an HTTPS (TLS/SSL) connection to the remote resource inside it. When possible, businesses should diversify the encryption algorithms and the supporting libraries and implementations so that a single vulnerability or compromise does not expose the data. (Note: Adlumin supports ingestion of security logs from VPN appliances and firewalls.)
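The route abuse described above is a hijack of the internet's inter-domain routing protocol, BGP. Encryption is the mitigation the text recommends; alongside it, a business that announces its own address space can watch public route collectors for announcements that disagree with who is authorised to originate its prefixes. The check below is an added example, not Adlumin's code and not tied to the 2022 incident: it applies the RPKI route origin validation rules (RFC 6811) to a constructed table of authorisations (ROAs) and a constructed set of observed announcements, using documentation prefixes and private ASNs.

```python
"""Route-origin check for observed BGP announcements, in the style of RPKI
route origin validation (RFC 6811). Added example, not from the original page;
prefixes and ASNs are documentation/constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Roa:
    """Who may originate a prefix, and down to what prefix length."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROA table for the ranges the business cares about.
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),   # the business's own range, only as a /24
    Roa("198.51.100.0/24", 25, 64501),  # a partner range, /24 or /25s permitted
]

# Constructed announcements as seen from a route collector: (prefix, origin ASN).
OBSERVED = [
    ("203.0.113.0/24", 64500),     # legitimate announcement
    ("203.0.113.0/25", 64500),     # right origin, but more specific than authorised
    ("203.0.113.0/24", 64666),     # unauthorised origin: the hijack case
    ("198.51.100.128/25", 64501),  # legitimate /25 under the partner ROA
    ("192.0.2.0/24", 64502),       # nothing in the table covers it
]


def validate_origin(prefix: str, origin_asn: int, roas: List[Roa]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one announcement.

    NotFound: no ROA covers the prefix.  Valid: some covering ROA names this
    origin ASN and allows this prefix length.  Invalid: covering ROAs exist but
    none matches, which is how both wrong-origin and too-specific hijacks show up."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def audit(observed: List[Tuple[str, int]], roas: List[Roa]) -> List[Tuple[str, int, str]]:
    """Annotate every observed announcement with its validation state."""
    return [(prefix, asn, validate_origin(prefix, asn, roas)) for prefix, asn in observed]


def invalid_announcements(observed: List[Tuple[str, int]], roas: List[Roa]) -> List[Tuple[str, int, str]]:
    """The rows a SOC would alert on: covered prefixes with the wrong origin or a too-specific announcement."""
    return [row for row in audit(observed, roas) if row[2] == "Invalid"]


if __name__ == "__main__":
    for row in audit(OBSERVED, ROAS):
        print(row)
```

A more-specific announcement deserves the same attention as a wrong origin, because longest-prefix matching means a /25 from anywhere pulls traffic away from the legitimate /24. Feeding the `Invalid` rows into the SIEM alongside the VPN and firewall logs gives the business a signal for the interception scenario even though the routing itself is outside its control.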
Data At Rest
Even with careful attention to secure remote access, some critical business data related to IT or other sensitive operations is left stored locally on the device. Outside of the most stringent thin-client implementations, users will typically have locally stored data on their business device and, at a minimum, some sensitive data in browser, application, and memory caches. That data could include sensitive business information, customer or employee PII, chats, emails, credentials, and accounts.
To ensure data at rest remains protected, organizations should adopt Full Disk Encryption (FDE) policies backed by secure implementations and encryption algorithms. Most operating systems now support native full disk encryption, including Windows through BitLocker, macOS through FileVault 2, and Linux through dm-crypt with LUKS. (Note: Adlumin supports ingestion and alerting of logs related to FDE features.)
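For the Linux case in the list above, a practitioner usually wants a check rather than a policy statement. The script below is an added example (not Adlumin's code): it reads the JSON device tree that `lsblk` emits and reports which required mountpoints are not backed by a dm-crypt/LUKS mapping. The sample tree is constructed, the list of required mountpoints is an assumed policy value, and `audit_live_system` only works on a Linux host with util-linux installed.

```python
"""Audit which mounted filesystems sit on an encrypted block device, using the
JSON tree from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
Added example, not from the original page; the sample JSON is constructed."""
import json
import subprocess
from typing import Dict, Iterable, List

# Constructed lsblk output: / lives on a LUKS volume, /boot and /home on plain partitions.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
        ]},
    ]
})


def encrypted_mounts(lsblk_json: str) -> Dict[str, bool]:
    """Map each mountpoint to True when the device it is mounted from, or any
    device above it in the stack, is a dm-crypt mapping (lsblk type 'crypt')."""
    result: Dict[str, bool] = {}

    def walk(node: dict, under_crypt: bool) -> None:
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result


def unencrypted_mounts(lsblk_json: str, required: Iterable[str] = ("/", "/home")) -> List[str]:
    """Mountpoints from `required` (assumed policy list) that are missing or not encrypted."""
    status = encrypted_mounts(lsblk_json)
    return [mp for mp in required if not status.get(mp, False)]


def audit_live_system() -> List[str]:
    """Run lsblk on this host (Linux with util-linux) and report unencrypted required mounts."""
    output = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(output)


if __name__ == "__main__":
    print("unencrypted required mounts (constructed sample):", unencrypted_mounts(SAMPLE_LSBLK))
```

An unencrypted `/boot` is expected on most LUKS layouts and is deliberately not in the default required list; an unencrypted `/home`, as in the sample, is exactly the cache-and-documents exposure the paragraph describes. The same idea applies on the other platforms with their own tooling, for instance querying BitLocker or FileVault status, and the result belongs in the same log pipeline as the FDE events mentioned above.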
What happened?
Bob is an employee of Business Bank, which recently shifted many of its onsite staff to a work-from-home setup with company-owned laptops. Bob also has a home computer with out-of-date antivirus that is several update cycles behind.
His home computer gets infected with malware, and an attacker uses the home machine to stage an attack against the Business Bank laptop over an SMB vulnerability. The next time Bob connects the laptop to Business Bank’s internal network through the VPN, a ransomware attack is launched against the domain.
Future Prevention Method
In this case, Business Bank could have protected itself with tighter security controls and monitoring. In addition to modifying host-based access policies to restrict inbound traffic not required to establish the VPN connection, it should have implemented a monitoring solution and SIEM to identify the abnormal connection from Bob’s home computer.
Adlumin provides a Software-as-a-Service SIEM and managed security services. Our SIEM ingests multiple and diverse data sources, from Office 365 events to Windows Critical Events and Linux Syslog, as well as logs from your existing security appliances and solutions.
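What "restrict inbound traffic not required to establish the VPN connection" looks like on the laptop itself, assuming it runs Windows (the SMB vector in the scenario points that way). This is an added example, not Business Bank's or Adlumin's configuration; the rule name is chosen here, and the commands are the standard NetSecurity module cmdlets, run from an elevated PowerShell. A client VPN is established outbound, so nothing inbound needs to be opened for it.

```powershell
# Added example: host-firewall hardening for a remote-work laptop (assumed Windows).
# Goal: nothing on a home or public LAN, such as Bob's infected home PC, can reach the laptop inbound.

# 1. Default-deny inbound on the profiles a home or public network is classified into.
Set-NetFirewallProfile -Profile Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Explicit block for SMB/NetBIOS so a later permissive application rule cannot reopen them off-corp.
New-NetFirewallRule -DisplayName "Block inbound SMB off corporate network" `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 `
    -Profile Private,Public -Action Block

# 3. Disable the built-in File and Printer Sharing allow rules (this disables them for every profile;
#    recreate a Domain-profile-only copy if on-site sharing is actually needed).
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.Direction -eq "Inbound" } |
    Disable-NetFirewallRule

# 4. Verify: list inbound allow rules that are still enabled for the off-corp profiles.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match "Private|Public|Any" } |
    Select-Object DisplayName, Profile
```

Step 4 is the part worth automating: any rule it lists is a reachable inbound service on every coffee-shop and home network the laptop joins, and each one should either be justified or moved to the Domain profile. Pairing this with the SIEM ingestion of the firewall's own drop logs is what would have surfaced the connection attempts from Bob's home computer before the VPN session carried the result into the bank's network.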
Al Capone had it right. He once said, “Prohibition has made nothing but trouble.” One hundred years on, we will see if he was right. It never stopped the rum runners—will it stop the cybercriminals?
Earlier this year, North Carolina became the first state to prohibit government agencies from paying ransoms in the wake of a cyberattack. As part of the latest 2021-2022 budget appropriations, North Carolina bars communications with adversaries and funds transfers. The law applies to any agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government, and to other entities for which the state has oversight responsibility.
While the law applies to institutions like the University of North Carolina, it does not apply to private sector businesses. Other states are pursuing similar legislation, with New York pushing legislation to ban ransom payments across both public agencies and private businesses and Pennsylvania’s Senate approving a bill to ban the use of taxpayer funds to pay ransoms.
Congress is also considering a bill (by a representative from North Carolina) to make it illegal for financial firms to pay ransoms over $100,000 without prior government approval. This move is contrary to FBI advice to not ban payments which could result in companies facing alternate extortion tactics or hiding payments from authorities. Of course, the FBI does not officially support the paying of ransoms in response to cyberattacks.
Before considering the merit and efficacy of ransom payment prohibition, it is important to mention that the US Treasury published an advisory warning of the risks of facilitating or paying ransoms to recipients on the Office of Foreign Assets Control (OFAC) sanctions list. I cannot complete this point without noting that the Internal Revenue Service (the largest bureau in the Treasury department) allows ransom payments (as part of a larger list of theft losses) as a tax deduction. (Play canned laugh track here.)
Should ransom payments be made illegal? Well, by their very nature, they are illegal. The question is should payment by victims be banned, prohibited, or governed?
Pro-ban advocates argue that ransoms are, after all, illegal, and banning payments would break the economic supply-demand engine that makes ransomware so profitable. This tough-love approach might cause short-term pain to unprepared victims who cannot recover without purchasing decryption keys.
Pro-pay (or choice) advocates argue that banning payments will not discourage ransomware gangs and will only leave victims helpless in the wake of costly operational disruptions. In fact, they often invoke scenarios in which hospitals and clinics are disrupted for weeks and months, patient care suffers and causes medical chaos, and payment prohibition costs lives and not just money. Their approach is the lesser-of-two-evils ethos.
Beyond the philosophical or political charge, it remains to be seen whether payment bans will have the desired effect of diminishing ransomware attacks. Ransomware attacks continued to increase after Treasury’s saber-rattling about OFAC sanctions. It doesn’t seem the courts are clogged with cases filed against companies that paid ransoms to parties they could not verify against the OFAC sanctions list. That said, anecdotally, a cottage industry is popping up to conduct OFAC checks, and insurance companies will refuse coverage if payments violate Treasury regulations.
The other question is whether paying the ransom improves the outcome for the victim organization and its operations. Indicators suggest paying ransoms is simply adding insult to injury. One study that surveyed 5,000 companies found that the cost of a ransomware attack doubled for companies that paid the ransom. That same report also noted that 92 percent of ransom payers never recovered the entirety of their data and systems.
I am often asked how best a firm can avoid paying a ransom. And my answer is always this: the best way is to avoid being hit by a ransomware attack. Awareness, training, preparation, and rapid detection can stop ransomware attacks before they disrupt your business. The second-best way is a rapid response based on well-tested business continuity and disaster recovery planning. The interruptions are short, with fail-over to hot backup systems minimizing the impact.
The companies that face the to-pay-or-not-to-pay dilemma are the ones that were not prepared, thought their insurance would solve the problem or the ones that never tested their backup systems. Backup systems were designed for business continuity scenarios like power outages, floods, or fires. They were not designed with out-of-the-box resilience to withstand intentional sabotage by criminals.
Most frustrating are the oft-quoted statements that there were no signs before the attack. This inaccurate claim is misleading and absolves the affected parties of all responsibility. I am not shaming the victim here. But events like ransomware attacks are like airline accidents. It takes a confluence of many factors that culminate in an incident.
Cybercriminals are more chefs than Jason Bourne or James Bond. The sophistication in their attacks lies in the way they stage the attack and use expertise where it counts. The actual ingredients they use are well-known malware or practices, referred to as tactics, techniques, and procedures (TTPs). And ransomware disruptions require longer dwell times and multiple touchpoints within your environment. Each touch, step, file change, login, upload, and so on is another chance for you to detect their presence and do something about it before it is too late.
Adversaries combine publicly available documents and information with stolen credentials or data sold on the dark web to build convincing phishing emails and fake websites. These lures are designed to trick unwitting victims into surrendering their passwords. In the early stages, you can search for compromised credentials on the dark web, detect concurrent log-ins, impossible travel events (consecutive log-ins from two geolocations in a time frame that eliminates travel as a possibility), or failed log-in attempts when criminals hit controls like multi-factor authentication. They aren’t even in, and you can catch them checking the door locks and rattling the windows.
Assuming they gain initial access, we can catch them establishing persistent access. Unusual administrative access, bandwidth spikes, new user accounts, and other well-documented tactics give away their presence. User and Entity Behavioral Analytics (UEBA) identifies suspicious actions committed by authorized accounts and devices, and the endpoint can detect changes and flag attempted sabotage of defensive controls. And then, of course, there are beacons calling back to bad-guy headquarters, payload loaders, lateral movement, and a plethora of TTPs that give away malicious activity.
There were plenty of signs. Post-event, your insurance company will find them, or their appointed incident response firm will. So, pretending there were no signs won’t help. As I say, ignorance is not bliss—it’s potential negligence or liability.
So why do ransomware attacks go unnoticed if there are so many early signs of compromise? Simple. Most companies don’t know where to look in the shadows to find the indicators. What you can’t see poses the most significant risk. Between the cloud, hybrid networks, and the darknet, there are countless gaps where threats can hide. Most companies are in the dark regarding what is happening in their environment. And no one likes to be in the dark alone.
That’s where Adlumin comes in. We illuminate threats to eliminate the risks. We illuminate threats that would have otherwise gone unseen with powerful automation that enables rapid action and continuous compliance. And our platform is backed by an expert team delivering human insights and trusted support.
That might sound like marketing (and it is) but is more than a well-honed tagline. I have been in the cybersecurity business for over 25 years, and I helped define Managed Detection and Response. I’ve seen nation-state attacks, rampaging ransomware gangs, and clever criminals take down companies of all sizes.
I joined Adlumin because they get it. They know where to look and how to respond to protect their customers. And I am proud to represent the experts who develop our products and analysts that work in our security operations centers. They face these sophisticated adversaries every day and stop their attacks before they shutter our customer’s operations.
There are ways of stopping ransomware attacks before you need to consider paying extortion fees or crossing regulatory lines. You can stop attackers before they stop you.
Will prohibition work for ransomware payments when it has failed to control alcohol and narcotics use and distribution? If we ask the pundits, the answer is no. The Nobel prize-winning economist Milton Friedman once likened prohibition to making water run uphill.
While payment ban legislation and bills line up like planes on final approach at a major airport at Thanksgiving, pragmatism and market pressures will decide the matter. As insurance coverage decreases, claim denials increase, and (fingers crossed) companies invest in cybersecurity strategies that reduce their risk, the efficacy of ransomware will erode, and criminals will find a new tactic.
Data breaches are more expensive and detrimental than you expect. Why? Companies are not just paying for the immediate repair of the breach but the aftermath that comes with it. The follow-on effects include not just financial consequences such as lost productivity and revenue but reputational damage and employee attrition. Additionally, these effects can play out over the best part of two years.
A company’s size can also contribute to whether there is a chance of recovery. For example, “60% of small businesses fold within six months of a cyber-attack,” according to Inc. This statistic makes sense when considering that the margin for error is negligible in many businesses that live month to month in terms of solvency. Consider Mossack Fonseca, a little-known law firm in Central America but remembered (if at all) as the epicenter of the Panama Papers scandal. In the wake of a cyberattack, “reputational deterioration” led to the demise of the firm.
Large or small, it is clear that no one company is safe from breaches. Even with many companies folding after an attack, some high-profile companies have worked their way back up after almost business-fatal breaches. Let’s dive into some of the most expensive data breaches to date.
$190 Million – Capital One
What happened?
A hacker broke into a server at Capital One and gained access to over 100 million customers’ accounts and credit card applications, in addition to 140,000 Social Security numbers. Capital One agreed to pay $190 million to settle a class-action lawsuit.
Year: 2019
Location: Seattle, Washington
$1.4 Billion – Equifax
What happened?
In 2017, the personal information of over 147 million people was exposed and stolen from Equifax, a credit reporting agency. Equifax faced a lot of backlash and was criticized for its lack of security and its response to the breach. Due to a failure in patch management, they were hacked through a complaint web portal. Their internal processes were entirely lacking, and they suffered a substantial financial hit.
Year: 2017
Location: Headquartered in Atlanta, Georgia
$4 Billion – Epsilon
What happened?
After years of recovery, Epsilon, an international marketing company of Alliance Data Systems Corp, comes in first place for the most expensive data breach. The breach affected 75 companies, including Target, Chase, JP Morgan, and Best Buy. Epsilon houses 40 billion emails annually and 2,200+ brands internationally, so you can imagine the impact this had on customers. It is estimated that only 3% of email addresses were exposed, resulting in them losing $45 million worth of business.
Year: 2011
Location: Headquartered in Irving, TX
Additional Notable Breaches:
Travelex was hit by ransomware, lied about the attack for months (called it a maintenance issue), and finally folded.
Starwood Marriott had information of over 500 million guests stolen. Marriott inherited the cost of the breach two years after they acquired Starwood—M&A means assets plus liabilities.
Yahoo lost billions in value post-hack during the acquisition by Verizon.
The US Office of Personnel Management (OPM) had over 21.5 million individuals’ background investigation records stolen, along with the personal data of 4.2 million former and current federal government employees.
Solutions: How to Protect Your Organization
The cost of a data breach is not the only misconception harbored by business leaders. The notion that these attacks are impossible to stop is another. This second fallacy is more damaging because it creates a sense of impunity or fatalistic surrender. It absolves the company of any responsibility in the wake of a data breach. The truth is that you can protect your business from sophisticated cyberattacks, and you must. Regulators, court decisions, and denied insurance claims are finally beginning to counterbalance this skewed narrative.
As an organization, you may not have control over whether a cybercriminal will go after your data or not, but you do have control over the steps to take to mitigate the risk. Typically, it is best to invest in a managed security services platform that does the heavy lifting for your IT team. These platforms are built to discover threats, malfunctions, and IT operation failures in real-time. You can also receive updates that go directly to your phone and email about what is going on within your IT environment. The managed security platform you choose should be built on the following three components:
Network Health and Compliance
This feature will keep your organization’s compliance up to date while actively searching for violations in real-time and keeping you informed.
Detection and Artificial Intelligence
A platform that gives you AI and machine learning in the form of User & Entity Behavior Analytics (UEBA) to automatically write (and re-write) your SIEM rules dynamically as your network traffic changes.
Data Research and Log Management
With one quick step, all user and account activity can be correlated. A security analytics platform allows you to quickly scope out a potential breach using advanced research tools that help visualize access for every account and system on your network.
In addition, for complete visibility into your enterprise network, there are 24/7 Security Operations Center (SOC) services available. This service can provide you and your IT team with 24/7 monitoring of every system and account on your network. There is a light at the end of the dark tunnel for options for protecting your customers, employees, and organization. The great news is that these options are available as all-in-one solutions and are cost-effective.
Next Steps
If you’re interested in learning more about data breaches, check out Data Breaches: Uncovering the Unknown. Or, if you are looking to enhance your organization’s security, request a demo with one of our experts.
Ransomware attacks are increasing by the day, and they’re wreaking havoc across a range of industries. Adlumin has launched the beginning of its Ransomware Protection Suite of products: The Ransomware Self-Assessment Tool (R-SAT). During the early days of COVID-19, which provided new opportunities for attackers, ransomware attacks surged. According to Statista, “ransomware attacks experienced annually by organizations have been on the rise since 2018, peaking at 68.5% in 2021.”
Ransomware is a type of malware designed to encrypt files on a device, making any files and systems that rely on them unusable. When a cybercriminal maliciously encrypts confidential files within an organization’s system, a monetary demand follows, and payment must be made before the perpetrator releases the information back to the organization.
R-SAT helps institutions, regardless of size, assess their level of information security, recognize gaps in that security and measure their ability to mitigate the possibility of a ransomware attack. Understanding the vulnerabilities in your institution’s security processes and procedures is imperative to aid in your protection from ransomware. R-SAT is a solid place to start to help identify gaps in your protection strategy and validate effective security practices.
To protect yourself from ransomware, it is critical to recognize the vulnerabilities in your security practices regardless of whether your data is held on-premise or third party. If your organization is victimized by ransomware, many questions may immediately come to mind: If you provide the money, are you certain the information will be released? Will the data be released to the public if you refuse to pay? R-SAT can assist and better prepare you to respond.
Adlumin looks to continue to add to its suite of Ransomware tools such as greater reporting, automated alerts, and more. Below are just a few cost and payment trends for ransomware:
“The total cost of a ransomware breach was an average of $4.62 million in 2021, not including a ransom.” (IBM)
“The average cost for education institutions to rectify the impacts of a ransomware attack, including the ransom itself, was $2.73 million in 2021 — 48% higher than the global average for all sectors.” (EdScoop)
“The 2,084 ransomware complaints received by the IC3 in the first half of 2021 amounted to over $16.8 million in losses.” (FBI and CISA)