On May 6, 1954, British athlete Roger Bannister stunned the world when he ran the first sub-four-minute mile. Bannister was the first but certainly would not be the last elite runner to break that record once thought to be impossible.
Like Bannister, cyberattacks are breaking new ground and changing our definition of what is possible.
This past December, 18,000 organizations — including federal government agencies — could’ve potentially been affected by hackers who, according to Dark Reading, “compromised systems at SolarWinds and inserted malware into updates of the company’s widely used Orion network management products.”
A few weeks later, IT professionals scrambled to respond to a new vulnerability in their Microsoft Exchange servers that affected at least 30,000 organizations. In both cases, skilled state-sponsored attackers ended up behind the wheel of a high-powered server inside corporate and government networks — and no security staff noticed.
The attackers behind the SolarWinds supply-chain attack reportedly used their access to look at Exchange source code at Microsoft, which they could use to search for vulnerabilities like these.
Our collective security has become interdependent. Attack chains that were once only theoretical are now a reality. SolarWinds was the Roger Bannister of cyberattacks — now that we’ve had one breakthrough, we will have others.
With cryptocurrency, attackers are able to monetize data easily. They relentlessly seek and exploit vulnerabilities to get a foothold. They then reach corporate data and monetize it through encryption and extortion. In fact, it’s common for attackers to brag about how successful they are and how much money they make.
Attackers brazenly try every lock on every door, window and chimney (repeatedly) until they find their way in. It’s not a stretch to assume any vulnerable internet-facing system you have has already been compromised. Any internet-facing system with a login — vulnerable or not — is probably being “brute forced” right now — that means attackers are trying innumerable combinations of usernames and passwords until they find one that works.
Over the past year, we’ve seen attacks start with vulnerabilities in VPN devices, remote access servers and file transfer servers — so many ways to begin. Employees let attackers in by clicking links that entice them to give up credentials or download malicious code. If an attacker doesn’t feel like breaking in themselves, they can buy their way in on the dark web. They then use your data as a weapon against you and leave you with a decision — do you pay the ransom?
Once attackers gain control of a server or endpoint, they usually follow the same playbook: Establish command and control to use the first system as a jumping-off point; do basic reconnaissance with well-known, stealthy techniques; compromise powerful accounts by exploiting internal weaknesses, vulnerabilities or by using more brute-force attacks; use an account to steal data and install backdoors; then encrypt and ask for Bitcoin in exchange for a decryption key and a shady guarantee that stolen data won’t be leaked. Most organizations are blindsided when the ransom note appears.
One vulnerability in Active Directory, called “Zerologon,” created a shortcut to take over an entire domain — two hours from phish to complete control. Four minutes is within reach.
If your organization is data-driven, as most are, you are an information bank, and attackers see you as holders of Bitcoin. Your “bank” has an ATM in every home and on every corner with a direct connection to your vaults, and there are new vulnerabilities in your ATMs every week.
How To Be A Better Information Bank
• Start at the end — the vault. Most attackers are after data — that’s what they can monetize most easily. Where are your biggest, most at-risk vaults? Make sure you know that your sensitive data is in the vault, only the right people can get to it, and make sure you can spot someone making an unusual withdrawal.
• Determine your “blast radius.” If you have a compromised system or user, how quickly can you determine the “blast radius”? What data could they access, and what did they access?
Reducing the blast radius before an attack makes a cybercriminal’s job more difficult. If you’ve adopted a Zero Trust approach, no user or account should have more access than they need — to systems, applications and, of course, data — especially sensitive data. If you don’t need access to the vault, you don’t get the keys or the combination.
We’ve seen that detective controls are more effective when the blast radius is smaller and everyday behavior is more controlled. If humans aren’t supposed to use application accounts, it sticks out when a laptop connects to another system with one. If your administrators only make changes during regular work hours and from certain systems, access outside of these norms sticks out.
• Practice responding. Assume there are bad guys in the bank already — that one of your workstations, servers or gateways is compromised. See if you can detect what an attacker would likely do next. Can you see the recon? Can you see unusual activity in Active Directory? Unusual access to data or systems? This requires a baseline of normal behavior. “Red team/blue team” and “purple team” exercises can help you understand your risk.
• Block and tackle. There’s no room to miss the basics anymore. If there’s a known vulnerability, someone will try to exploit it. Too many IT departments aren’t able to keep up with patching. If there’s a site that only requires a username and password, someone is trying to guess them — and too many organizations allow single-factor authentication on internet-facing services.
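An added example (not code from the original post) of the kind of baseline check the “blast radius” and detective-control paragraphs above describe, run over constructed logon events: it flags application accounts used interactively from a laptop and administrator logons outside work hours or from a non-approved host, and lists which systems a flagged account actually reached. All account names, host names and baseline rules are assumptions.

```python
from datetime import datetime

# Constructed sample logon events (not real logs): account, source host,
# target host, logon type and ISO timestamp. 2021-03-02 is a Tuesday.
EVENTS = [
    {"user": "svc_backup", "src": "BKP-SRV01", "dst": "FILE-SRV01",
     "logon_type": "network", "ts": "2021-03-02T02:15:00"},
    {"user": "svc_backup", "src": "LAPTOP-117", "dst": "FILE-SRV01",
     "logon_type": "interactive", "ts": "2021-03-02T11:40:00"},
    {"user": "adm_jsmith", "src": "JUMP01", "dst": "DC01",
     "logon_type": "remote_interactive", "ts": "2021-03-02T10:05:00"},
    {"user": "adm_jsmith", "src": "LAPTOP-042", "dst": "DC01",
     "logon_type": "remote_interactive", "ts": "2021-03-02T23:30:00"},
    {"user": "jdoe", "src": "LAPTOP-042", "dst": "MAIL01",
     "logon_type": "network", "ts": "2021-03-02T09:00:00"},
]

# Assumed baseline: application accounts are only used by scheduled jobs over
# the network; admins only change things 08:00-18:00 on weekdays from jump hosts.
SERVICE_ACCOUNTS = {"svc_backup"}
ADMIN_ACCOUNTS = {"adm_jsmith"}
ADMIN_JUMP_HOSTS = {"JUMP01"}
WORK_HOURS = range(8, 18)
HUMAN_LOGON_TYPES = {"interactive", "remote_interactive"}


def find_out_of_norm(events):
    """Return (account, reason) pairs for logons that break the baseline."""
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["user"] in SERVICE_ACCOUNTS and e["logon_type"] in HUMAN_LOGON_TYPES:
            findings.append((e["user"], "application account used interactively from " + e["src"]))
        if e["user"] in ADMIN_ACCOUNTS:
            if e["src"] not in ADMIN_JUMP_HOSTS:
                findings.append((e["user"], "admin logon from non-jump host " + e["src"]))
            if ts.hour not in WORK_HOURS or ts.weekday() >= 5:
                findings.append((e["user"], "admin activity outside work hours at " + e["ts"]))
    return findings


def blast_radius(events, user):
    """Systems the account actually reached: the first question after a flag."""
    return {e["dst"] for e in events if e["user"] == user}


if __name__ == "__main__":
    for user, reason in find_out_of_norm(EVENTS):
        print(f"{user}: {reason}; reached {sorted(blast_radius(EVENTS, user))}")
```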
These tips can help you ensure your organization has a better chance against today’s proficient and motivated attackers. Trying to keep them outside the bank isn’t realistic. Thanks to cloud resources and remote work, there’s no real outside.
Put important data in the vault. Lock the vault. Watch the vault. That’s how you can make sure it takes longer than four minutes to take your sensitive data.