Increasing standards alignment and consistency is a core pillar in the PCI Security Standards Council’s strategic framework, which guides how the Council achieves its mission and supports the needs of the global payments industry. In this interview with PCI SSC Operations Officer Mauro Lance, we discuss this strategic pillar and how it’s shaping Council priorities.
Although 2017 remains the year the ransomware epidemic peaked, cybercriminals have not stopped attacking individuals and businesses, and ransomware continued to make headlines in 2019. In this article, I look at the highest ransomware payouts of 2019, which organizations paid, and why paying is never a good idea.
But first, some striking ransomware statistics from 2019.
Ransomware statistics in 2019
Here are the most shocking ransomware facts coming from 2019 alone:
- Two-thirds of ransomware attacks targeted state and local governments.
- 55% of US SMBs said they would pay attackers to recover their data after a ransomware attack.
- Over 500 US schools were affected by ransomware attacks in 2019.
- Almost 70 US government organizations have been infected with ransomware since January 2019.
- A total of 140 US local governments, police stations, and hospitals have been infected with ransomware.
- In the third quarter of 2019, the average ransomware payout increased to $41,000.
The most significant ransomware payouts of 2019
In the best case, a ransomware victim can simply wipe the affected systems and restore from offline backups. However, some organizations keep no backups at all. Or worse: they do have copies of their data, but the backups sit on storage reachable from the infected network, so they end up encrypted as well.
Sometimes victims can decrypt their files with free decryption tools released by researchers, but sadly there isn’t a decryptor for every ransomware strain out there. Desperate to get the business back up and running, some companies end up paying.
Without further ado, below you will find the most significant ransomware payouts of 2019.
#6. Park DuValle Community Health Center, Kentucky, USA
Amount paid: $70,000
In June 2019, Park DuValle Community Health Center had the medical records of almost 20,000 patients encrypted by ransomware and ended up paying the $70,000 ransom. The attack had left them locked out of their system for almost two months, impacting the health center’s medical records system and appointment scheduling tool.
For seven weeks, staff recorded patient information on paper and asked patients to recall their past treatments from memory. The health center essentially operated on a walk-in basis, since it could neither schedule appointments nor view existing records.
“This is everything. This is medical records, contact information, insurance information, anything about a patient…everything is gone,” said Elizabeth Ann Hagan-Grigsby, CEO of Park DuValle. “The records involved are for past and present patients,” she continued.
This was the second ransomware attack on Park DuValle in the same year. In April 2019, its systems had been locked for about three weeks; that time the data was backed up, so no ransom was paid. In June, however, the data could not be recovered from the backups, so the health center decided to pay.
The ransom was paid in 6 bitcoins (about $70,000 at the time). The attackers provided the decryption keys and Park DuValle was able to recover its data.
#5. Stratford City, Ontario, Canada
Amount paid: $71,000
In April 2019, the City of Stratford also became a ransomware victim that chose to pay. According to the story published on Cybersecurity Insiders, the malware infected six physical servers and encrypted two virtual servers as well, locking up the city’s sensitive data.
Even though they received warnings from officials, they paid 10 bitcoins, roughly $71,000 at the time of the attack. The security company they contacted was not able to recover their data and was only involved in the forensics. Consequently, the city negotiated the price to be paid for access to its information. Its cyber insurance covered $15,000 of the ransom.
No personally identifiable information appears to have been compromised or exposed in this incident.
#4. La Porte County, Indiana, USA
Amount paid: $130,000
Another victim of the Ryuk ransomware, La Porte County, Indiana, paid $130,000 to recover their data.
The attack happened on July 6 and was noticed before it managed to spread to all of the network’s computers. The IT staff confined it to less than 7% of machines; however, two domain controllers were hit, and so network services became unavailable.
According to the source, the FBI and a forensic investigation firm attempted to recover the data without paying the ransom, but their efforts proved to be unsuccessful. $100,000 out of the $130,000 payment demand was covered by insurance.
The county did have backup servers in place; however, they were reachable from the infected network and were encrypted as well.
The ransomware that hit La Porte County was reportedly Ryuk, the same strain that hit Lake City. The infection was called a “triple threat” because it began with an Emotet infection that delivered the TrickBot trojan, which in turn was used to deploy Ryuk.
#3. Jackson County, Georgia, USA
Amount paid: $400,000
Back in March, Jackson County had its network shut down by a ransomware attack, leaving only its website and 911 emergency system untouched. Reports and bookings had to be done on paper, as they were before computers became the norm.
Their officials contacted the FBI and hired a cybersecurity consultant. The security specialist negotiated with the cyber attackers and it was decided that Jackson County had to transfer $400,000 to receive the decryption key and gain access to their data once again.
“We had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our system rebuilt”, said Kevin Poe, Jackson County Manager.
The county’s network had reportedly been infected with the Ryuk ransomware strain, for which, as of this writing, no free decryption tool is available. According to experts, Ryuk ran one of the most active campaigns of 2019, also affecting over 500 schools in the US.
Researchers note that Ryuk is typically detonated only after its operators have spread through the target’s network, which is why a single compromised host tends to turn into a network-wide outage.
Figure: example of a Ryuk ransom note.
#2. Lake City, Florida, USA
Amount paid: $500,000
A second city in Florida paralyzed by ransomware agreed to pay the ransom: 42 bitcoins ($500,000).
Even though their IT staff disconnected the systems within ten minutes of the attack’s detection, the ransomware managed to infect their network almost entirely. The police and fire departments were not affected, as they were running on a separate network. The people who needed to pay their bills could only do it in cash or money orders and they received handwritten receipts.
Cybercriminals reached out to the city’s insurance provider a week after the infection took place and the ransom payment of 42 bitcoins was negotiated. The money was paid from the city’s insurance.
Over 100 years’ worth of records (ordinances, meeting minutes, resolutions and City Council agendas) were encrypted for almost a month. Weeks after the ransom was paid, not all of the data had been recovered. What’s more, Lake City’s information technology director was accused of failing to secure the network and of not recovering the data quickly enough, and eventually lost his job.
Lake City was another victim of the Ryuk ransomware strain.
#1. Riviera Beach City, Florida, USA
Amount paid: $600,000
This brings us to the biggest ransomware payout of 2019, which was made by Riviera Beach City in Florida.
Reportedly, right after an employee clicked a link in a phishing email on May 29, the attackers got into the city’s network and locked it up. All of the city’s online systems went down, including email and even some phones, and water utility pump stations were affected as well. As a result, payments could only be accepted in person or by mail (in cash or by check) and communication was conducted by phone.
The City Council unanimously agreed to pay the ransom. The requested amount was 65 bitcoins, the equivalent of nearly $600,000. More than $300,000 from the city’s insurance policy was used to pay the ransom. The payment was officially made merely a few weeks after Riviera Beach agreed to spend around $1 million to replace the infected computer equipment.
Riviera Beach’s attack looked similar to what Jackson County experienced in March, so it seems they were yet another victim of the Ryuk ransomware strain.
The biggest ransom ever paid
Even though we’ve witnessed several major ransomware payouts this year, none of them was the all-time biggest.
In 2017, the South Korean web hosting firm Nayana suffered a ransomware attack and, after negotiation, paid about $1.14 million, the largest ransomware payment publicly known. During the negotiations, some of its data was permanently lost. To make up for the incident, Nayana offered free hosting for life and refunds to affected customers. So, beyond the payment itself, the attack brought additional costs and reputational damage.
Others refused to pay
Paying the ransom is not something that every ransomware victim considers. Sadly, for some organizations that decline to pay, recovery costs end up far higher than the ransom itself. For instance, in March 2018 the City of Atlanta was hit by the SamSam ransomware. The attackers demanded about $52,000; Atlanta refused to pay and then had to spend $2.6 million to recover from the attack. Because paying can look a lot cheaper than dealing with the aftermath, local governments have increasingly been choosing to pay.
But here is an example of an organization that declined the ransomware payment.
Baltimore City’s ransomware resistance story
On May 7, 2019, cybercriminals froze around 10,000 Baltimore city government computers and demanded roughly $100,000 in bitcoin. City employees were locked out of their email and residents could not pay their bills. This wasn’t the city’s first ransomware incident: in 2018 its 911 dispatch system was knocked offline for about a day by a similar attack, and in neither case did the city transfer money to the attackers’ Bitcoin wallet.
The second time, their computer systems were infected with the RobbinHood ransomware strain.
Bernard C. “Jack” Young, Mayor of Baltimore City, explained in a statement posted on June 5, 2019 (@mayorbcyoung) why the city chose not to pay. He acknowledges that paying gives no guarantee the systems will be unlocked, and stresses that the city chooses not to reward criminal behavior:
“Why don’t we just pay the ransom? I know a lot of residents have been saying we should’ve just paid the ransom or why don’t we pay the ransom?
Well, first, we’ve been advised by both the Secret Service and the FBI not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior.
If we paid the ransom, there is no guarantee they can or will unlock our system.
There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.
Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.” – Bernard C. Jack Young, Mayor of Baltimore City
US mayors have adopted a resolution against paying the ransom
The resolution, proposed by Bernard Young, the Baltimore mayor mentioned above, was adopted by the United States Conference of Mayors. It reads:
“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”
“The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm.”
“The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”
Although the resolution is not legally binding, it can be used to justify a refusal to pay in front of federal authorities and taxpayers.
Paying the ransom is a short-term solution
Ransomware payouts have become a highly controversial topic and for a good reason. Several questions arise when it comes to paying the ransom: Are you really going to recover your data? Where is your money actually going? Are you funding terrorist groups?
The FBI has explicitly stated that they do not support the practice and they urge organizations to report any ransomware incidents to law enforcement, no matter if they paid or not.
I strongly believe that no one, whether consumers or organizations, should ever pay the ransom.
Here is why:
#1. There is no guarantee you will ever recover your files
In some cases, victims lost their data even though they paid. GermanWiper, for instance, overwrote file contents instead of encrypting them, so there was nothing to decrypt even for victims who paid.
Also, attackers want to be taken seriously, so don’t count on getting your data back (or part of it) by paying only a fraction of the demand. For example, the City of New Bedford, Massachusetts, yet another government institution hit by Ryuk, offered $400,000 instead of the $5.3 million demanded, trying to bring the payment in line with what other cities hit by the same malware had paid. The offer was declined.
#2. You are funding criminal organizations
Yes, it may be cheaper and faster to get your data back (if you are “lucky” enough) by paying the ransom. But are you really okay with transferring your money to shady hacking groups who may be using it for more malicious purposes?
#3. You are only encouraging this behavior
If organizations continue to pay, cybercriminals will not stop anytime soon. Ransomware has already become a highly profitable underground business, much of it run as Ransomware as a Service (RaaS), where developers lease their malware to affiliates who carry out the attacks and share the proceeds.
So, do you actually want to incentivize more and more attacks and contribute to the further propagation of the ransomware illegal industry?
Think about it this way. In the long run, if you’ve chosen to pay the ransom, you will definitely not save any money. Why not use the amount that you would have given to those ransomware attackers to improve your defenses instead?
How to Prevent Ransomware in Your Organization
Ransomware disasters can, fortunately, be avoided. As you’ve probably noticed from the ransomware incidents that I’ve listed, the best targets seem to be government entities that have outdated IT systems in place and that don’t always follow cybersecurity best practices.
Here is how you can stop ransomware from infecting your organization:
#1. Back up your data
I can’t stress this enough. The first and most important thing you can do is keep copies of your data somewhere the ransomware can’t reach: offline, or on storage that the infected hosts cannot write to, since backups mounted as a network share get encrypted along with everything else. What’s more, make sure your backup system actually works by testing restores frequently.
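A restore test of the kind recommended above, as an added example that is not part of the original post: it records a hash manifest at backup time, then checks a restored tree against it and separates files that were merely changed from files whose contents now look encrypted (near-maximum entropy), which is what a backup share hit by ransomware looks like. The directory layout, file contents and the note file name in demo() are constructed for illustration.

```python
"""Restore test for a backup set: verify every restored file against a hash manifest
taken at backup time, and flag mismatches whose contents look encrypted.
Added example, not code from the original post; the sample tree is constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Record relative path -> sha256 for every regular file under root (run at backup time)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path, entropy_threshold: float = 7.5) -> dict:
    """Compare a restored tree with the manifest and bucket every path as
    ok / missing / modified / likely_encrypted / unexpected."""
    result = {"ok": [], "missing": [], "modified": [], "likely_encrypted": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
            continue
        if sha256_file(p) == expected:
            result["ok"].append(rel)
            continue
        # hash mismatch: decide whether it looks like an edit or like ciphertext
        if shannon_entropy(p.read_bytes()) >= entropy_threshold:
            result["likely_encrypted"].append(rel)
        else:
            result["modified"].append(rel)
    known = set(manifest)
    for p in restored.rglob("*"):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in known:
            result["unexpected"].append(rel)   # e.g. a dropped ransom note
    return result


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate a restore from a share where
    one file was encrypted in place, one was edited, one deleted and a note was dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patients.csv").write_text("id,name\n1,alice\n2,bob\n" * 50)
        (src / "records" / "schedule.txt").write_text("2019-06-07 09:00 checkup\n" * 50)
        (src / "README.txt").write_text("Quarterly export\n")
        manifest = build_manifest(src)

        (src / "records" / "patients.csv").write_bytes(os.urandom(2000))        # encrypted in place
        (src / "records" / "schedule.txt").write_text("2019-06-07 09:00 checkup\n" * 50 + "edited\n")
        (src / "RyukReadMe.txt").write_text("constructed ransom note text\n")   # constructed note
        (src / "README.txt").unlink()
        return verify_restore(manifest, src)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:17} {paths}")
```

Run the manifest step against the backup target when the backup is written, keep the manifest somewhere the backup host cannot overwrite, and run verify_restore() against a real restore on a schedule; a restore that reports anything other than all-ok is the signal that the backup cannot be relied on when it is actually needed.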
#2. Watch out for excessive admin rights inside your organization
Ransomware outbreaks are often the result of abused privileged accounts: malware propagation is frequently tied to compromised credentials for admin accounts.
So make sure your organization operates on the principle of least privilege and the Zero Trust model; in short, be careful about whom you grant admin rights to. A tool such as Thor AdminPrivilege can help you escalate and de-escalate privileges easily, and when used together with our other security solutions you are notified when threats are discovered and admin rights are automatically revoked on compromised accounts.
#3. Use security tools specifically designed to stop ransomware
For instance, a product like Thor Foresight Enterprise is equipped to protect your organization against ransomware. First, it blocks incoming attacks (for example, connections to malicious URLs), and second, it includes a patch management tool built to close vulnerabilities in outdated systems and software.
#4. Train your users
Last, but not least, your users should be able to recognize the signs of a cyberattack. I often hear IT admins struggling with compromised accounts and malware infections caused by users who keep clicking on phishing links and following the instructions (for example, submitting their login credentials).
All in all, 2019 has shown us that ransomware is still a lucrative business for cybercriminals. The organizations that are choosing to pay the ransom only worsen the situation, setting high expectations for future ransomware attackers. So, the bottom line is this: if you are ever faced with this tough decision – to pay or not to pay – think about what paying actually means.
Are you in favor of paying the ransom? Let me know your thoughts in the comments section below.
The Cambridge Analytica scandal may be old news, but it has had far-reaching implications: Internet users grew more concerned about their online visibility, and website owners were compelled to disclose their data-collection practices. Some good came out of it, although the sheer amount of paperwork can be a powerful demotivator for someone with a sound business idea.
Since we’re on the topic of privacy, it would appear that we may have another Cambridge Analytica in the making. There’s been a lot of buzz around the implementation of DoH (DNS over HTTPS), a somewhat new encrypted communication protocol that should, theoretically, uphold privacy.
As one of my colleagues pointed out, DNS over HTTPS is poised to become the next “gold standard”, since it has achieved “an unprecedented default level of privacy and data protection”. DoH does have its merits. In the traditional DNS model, the user’s machine asks the domain name system for the numerical IP address associated with a specific website.
The resolver returns the address, allowing the browser to fetch the requested content. That is, more or less, how web browsing works. The major caveat is that these DNS lookups are not encrypted. In essence, each time you try to connect to a website, your endpoint sends a plaintext query to your ISP’s resolver. Your Internet Service Provider cannot read what you do on the site itself over HTTPS, but it can still see and log which names you look up.
That is a pain point right there, and Google, Mozilla et al. have done a bang-up job speculating on the market’s ‘needs’. The push for DNS over HTTPS is at its peak, with browsers now letting users turn the protocol on. Despite its limited scope (it only protects DNS from on-path snooping and tampering), it would appear that early adoption could, allegedly, paint a gigantic bullseye on users’ backs.
Back in October, ZDNet pointed out that the premature adoption of DoH will not only wreak havoc in the enterprise/SMB/startup sector but could, presumably, give malicious hackers the upper hand. I’ll cover all these points throughout the article.
Since the topic du jour revolves around privacy/data protection or the lack thereof, here’s an interesting dilemma: should DNS over HTTPS replace VPN or work together? Should we completely forget about VPNs and stick with this new and ‘wobbly’ technology?
B2B – What does a VPN do?
In trying to figure out whether DoH can replace a VPN, I find myself compelled to go on a little B2B (back-to-basics) trip. So bear with me on this one.
Consider the way your endpoint (smartphone, tablet, PC, Mac) connects to the Internet. Say you want to search YouTube for the latest Witcher trailer. To do that, you first have to go out ‘into the wild’ and ask your ISP’s DNS resolver for YouTube’s IP address.
Once the resolver returns the right address, you can reach the place on the Internet where YouTube lives (here be dragons!). At a glance, the mechanism appears straightforward and secure. However, bear in mind that the communication goes both ways (endpoint to ISP and ISP to the Internet), and, to our misfortune, the DNS part of it is unencrypted on both legs.
The time-honored solution is the VPN. A VPN interposes a VPN client and a VPN server between the querying machine, the ISP and the Internet. Broken down, it looks more or less like this: the endpoint wants to end up on Wikipedia.
The request goes, unencrypted, to the VPN client on the machine. The client encrypts the packets carrying the request and sends them through the ISP to the VPN server, which resolves the name and talks to the Internet on your behalf. The ISP sees only encrypted traffic to the VPN server, not your DNS queries or destinations.
So, that’s how a VPN works. Next, let’s take a closer look at DNS over HTTPS.
B2B Part 2 – How does DNS over HTTPS work?
DNS over HTTPS – the crux of this article. It may as well be the best thing that happened to privacy ever since GDPR was enforced, but I seriously have my doubts about that statement. More on that a bit later.
As I’ve mentioned, DoH is or was supposed to be the golden standard of data privacy and protection. The idea behind DNS over HTTPS was to prevent everyone (ISP, Government, secret services, hackers) from peeking at your traffic. It’s more than that; up until now, DNS queries were made in plaintext.
Remember the golden rule of password handling? Never leave them in plaintext, which can mean anything from writing them down in a notepad document to leaving them in network logs on your machine.
That is essentially what happens in the traditional DNS model: plaintext queries can be captured and read by any party on the path (the local network, the ISP, the resolver operator). Hence the need for a more secure way to talk to the DNS. Enter DNS over HTTPS, which was engineered specifically to deal with this issue. Should it become the norm? Perhaps, but not in its current state.
Competing with DoH is DNS over TLS (DoT), another encrypted DNS protocol, which uses a dedicated port on your machine. While some sysadmins argue that neither fully solves the problem, they are inclined to choose the ‘lesser evil’, which in this case is DNS over TLS. Why is that?
As I’ve mentioned, DNS over TLS uses a dedicated port (853), whereas DoH uses port 443, the standard port for HTTPS traffic. Why does that matter? Traffic on 853, although encrypted, is still recognizable as DNS at the network level, so it can be monitored, filtered or blocked as such. And in some countries, such as the United States, DNS over TLS connections can raise suspicions about your online activity.
Moving on to more pressing matters: DNS over HTTPS hides DNS traffic inside ordinary HTTPS streams, while DoT (DNS over TLS) does not. That’s not even the main issue. Endorsing DoH means changing the way we look at the entire network infrastructure.
To make that happen, ISPs and enterprises that want to keep resolving names for their users will need to run DoH resolvers (DNS servers that accept DoH queries). The existing architecture would have to undergo a rather radical makeover, which translates into more money, time and energy that may, in the end, be wasted on a solution that adds to the problem rather than solving it.
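The framing difference described above, as an added example that is not part of the original post: the very same DNS query bytes are sent raw over UDP/53, length-prefixed inside a TLS session on 853 for DoT, and base64url-encoded into an HTTP GET (or posted as application/dns-message) on 443 for DoH. The resolver host dns.example and the response bytes are constructed for illustration; nothing here touches the network.

```python
"""One DNS query, three framings: plain Do53 (RFC 1035), DoT (RFC 7858) and DoH (RFC 8484).
Added example; the resolver hostname and the sample response are constructed."""
import base64
import struct


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard recursive query (flags 0x0100), one question, class IN.
    RFC 8484 recommends ID 0 for DoH so identical queries are cacheable by HTTP."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def frame_do53(msg: bytes) -> bytes:
    """Plain DNS: the message is the UDP payload to port 53, readable by anyone on the path."""
    return msg


def frame_dot(msg: bytes) -> bytes:
    """DoT: two-byte length prefix then the message, carried inside TLS to TCP/853."""
    return struct.pack(">H", len(msg)) + msg


def frame_doh_get(msg: bytes, host: str = "dns.example", path: str = "/dns-query") -> str:
    """DoH GET: base64url without padding in the dns= parameter, over HTTPS on 443."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={token} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n")


def frame_doh_post(msg: bytes, host: str = "dns.example", path: str = "/dns-query") -> bytes:
    """DoH POST: the raw message as the body, tagged with the application/dns-message type."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nAccept: application/dns-message\r\n"
            f"Content-Type: application/dns-message\r\nContent-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg


def read_name(msg: bytes, off: int):
    """Decode a name at offset, following RFC 1035 compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return transaction id, rcode and the answer records (A records decoded to dotted quads)."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def sample_response() -> bytes:
    """Constructed answer: example.com A 192.0.2.1 (documentation address), TTL 300."""
    header = struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("Do53 payload:", q.hex())
    print("DoT record  :", frame_dot(q).hex())
    print(frame_doh_get(q))
    print(parse_response(sample_response()))
```

The point worth noticing is that build_query() produces identical bytes for all three transports: DoH and DoT do not change the DNS message at all, only what wraps it on the wire, which is why a DoH resolver is “just” a DNS server behind an HTTPS front end.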
It all boils down to this – encrypted DNS comm should be an industry standard, but neither DoH nor DoT are the answers.
DoH vs DoT vs VPN
The entire debate revolves around privacy vs. security – are you willing to let your guard down, even for a brief moment, to ensure that no one can spy on you? If we were to remove the context and ask the same question, the answer would be a staunch ‘no’. However, given what we know so far, it’s very difficult to predict the outcome, let alone make a decision that could ultimately tear down that modicum of privacy we thought we had.
DoH vs. DoT
In the previous section, I outlined some of the pros and cons of DoH and DoT. Here is a short list of the pros and cons of each.
DNS over HTTPS
- Prevents on-path tampering with DNS. Queries and answers travel inside an authenticated TLS session, so a man-in-the-middle can no longer read or spoof plaintext DNS.
- Circumvents ISP or third-party interception. The DNS exchange is encrypted and looks like any other HTTPS traffic on port 443.
- Performance is comparable to plain DNS once the browser holds a persistent HTTP/2 connection to the resolver; only the first query pays for the TLS handshake.
- Most browser makers are pushing DoH, which means faster deployment.
- Wreaks havoc in enterprise environments. Split-horizon DNS, internal name resolution and DNS monitoring all assume the company resolver is used, and re-engineering around that drives up costs.
- Blocks just one tracking vector. ISPs or third parties can no longer read your DNS requests, but other signals, such as OCSP connections and the TLS SNI field, still reveal which sites you visit.
- Potentially bypasses traditional DNS traffic filtering. A browser pointed at an external DoH resolver ignores the company’s DNS, so DNS-based blocklists no longer apply and employees can reach otherwise banned websites.
- Leaves endpoints harder to monitor. DoH prevents MiM attacks on DNS, but it equally lets malware hide its command-and-control lookups from DNS-based detection, leaving the organization more exposed to insider threats and malware.
DNS over TLS
- Fairly easy to implement. DoT fits the existing network infrastructure: the same DNS message over a TLS connection, with no HTTP layer in between.
- Mature encryption methodology. It relies directly on TLS, the same tried-and-tested layer HTTPS is built on, without the extra HTTP framing.
- Encrypts the whole DNS exchange. DoH carries the same encrypted DNS messages but wraps them in HTTP requests.
- Protects the query in transit only. Like DoH, DoT leaves the stub resolver’s and the recursive resolver’s caches in plaintext, so cached names on those systems remain readable.
- Doesn’t offer full protection against SNI leaks and traffic analysis.
- Must be kept updated to patch vulnerabilities.
- Uses a dedicated port (853), which makes it easy to identify and block.
- Might raise legal issues in some countries.
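The “bypasses DNS filtering” and “SNI still leaks” points above are two sides of the same coin for a defender: the same SNI field that lets an ISP profile users also lets an enterprise spot browsers and malware that sidestep the corporate resolver. The following detection, an added example and not part of the original post, runs over constructed connection records (columns ts,src,dst,dport,sni) and flags DoT by port, DoH by a known-resolver SNI match, and plain DNS sent anywhere but the corporate resolver. The DoH hostname list and the 10.0.0.53 resolver address are assumptions to be replaced with local data.

```python
"""Detect encrypted-DNS use that bypasses the corporate resolver in connection logs.
Added example, not from the original post; resolver lists and the sample log are constructed."""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Illustrative hostnames of public DoH endpoints; a real deployment keeps its own list.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
# Constructed: the only resolver internal hosts are supposed to talk to.
CORPORATE_RESOLVERS = {"10.0.0.53"}


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    kind: str        # "dot", "doh" or "do53-external"
    evidence: str


def classify(rec: dict) -> Optional[Finding]:
    """Return a finding for one connection record, or None if it looks sanctioned."""
    dport = int(rec["dport"])
    sni = (rec.get("sni") or "").strip().lower()
    if dport == 853:
        return Finding(rec["src"], rec["dst"], dport, "dot",
                       "TCP/853 is the port reserved for DNS over TLS")
    if dport == 443 and sni in KNOWN_DOH_HOSTS:
        return Finding(rec["src"], rec["dst"], dport, "doh",
                       f"TLS SNI {sni} belongs to a known DoH resolver")
    if dport == 53 and rec["dst"] not in CORPORATE_RESOLVERS:
        return Finding(rec["src"], rec["dst"], dport, "do53-external",
                       "plain DNS sent to a resolver outside the corporate set")
    return None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over CSV connection records with columns ts,src,dst,dport,sni."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [f for f in (classify(r) for r in rows) if f is not None]


# Constructed sample in the shape of a connection/TLS log export.
SAMPLE_LOG = """ts,src,dst,dport,sni
1575000001,10.0.1.12,10.0.0.53,53,
1575000002,10.0.1.12,8.8.8.8,853,
1575000003,10.0.1.15,104.16.248.249,443,cloudflare-dns.com
1575000004,10.0.1.15,93.184.216.34,443,www.example.com
1575000005,10.0.1.20,1.1.1.1,53,
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.kind:14} {f.evidence}")
```

The DoH match depends on the SNI being readable; where it is not (a resolver missing from the list, or encrypted SNI in the future), fall back to a destination-IP list for the resolver endpoints, and treat the port 853 and external port 53 rules as the reliable baseline.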
DNS over HTTPS – A replacement for VPN?
And we finally come down to our little dilemma: should DoH replace VPN? The answer is still ‘no’. Although the technology was engineered to address some privacy issues, it ended up creating more security issues than ever before.
The tech eliminated one traffic-inspection vector, but do bear in mind that your ISP still has other means of keeping tabs on your activity. To say that the technology is still in its infancy would be a major understatement; in its diaper would be more precise.
DNS over HTTPS should never be seen as a one-to-one replacement for a VPN client; at most it is a counterpart, a partner in crime. A VPN hides your IP address from the sites you visit and your traffic (DNS included) from your ISP, whereas DoH only ensures that the channel to the DNS resolver is encrypted by wrapping the DNS query in HTTPS.
VPN is here to stay. At least for the time being. Unfortunately, the same thing can’t be said about DNS over HTTPS. The approach may be sound on paper, but in reality, it’s something like curing the disease by killing the patient – you really don’t want to create a breach in your security network, just for some extra privacy.
When talking about DoH vs VPN, I like to use the following analogy: for certain blood disorders, doctors prescribe anticoagulants. Despite the hundreds on the market, they prefer Sintrom because it is reversible (if things get out of hand, the doctor can neutralize it). The same applies to VPN and DoH: a VPN can be switched off or controlled centrally, while browser-side DoH can’t. Well, at least not yet.
DNS over HTTPS does more for privacy but falls behind as far as security is concerned. Google and the other giants are doing their best to push DoH. Still, if we have the option to opt-out, we should take it. As I’ve pointed out, the technology needs a serious redesign before it can tackle both privacy and data protection issues.
The post DNS over HTTPS (DoH) – A Possible Replacement for VPN? appeared first on Heimdal Security Blog.
Justin Angel // Penetration testing and red team engagements often require operators to collect user information from various sources that can then be translated into inputs to support social engineering and password attacks. LinkedIn is obviously a prime source for this type of information since users can associate themselves with a particular company. Assuming we […]
The post Collecting and Crafting User Information from LinkedIn appeared first on Black Hills Information Security.
Today FireEye launches the Cyber Physical Threat Intelligence subscription, which provides cyber security professionals with unmatched context, data and actionable analysis on threats and risk to cyber physical systems. In light of this release, we thought it would be helpful to explain FireEye’s philosophy and broader approach to operational technology (OT) security. In summary, combined visibility into both the IT and OT environments is critical for detecting malicious activity at any stage of an OT intrusion. The FireEye approach to OT security is to:
Detect threats early using full situational awareness of IT and OT networks.
The attack surface for most intrusions transcends architectural layers because at almost every level along the way there are computers (servers and workstations) and networks using the same or similar operating systems and protocols as IT, and these serve as an avenue of approach for impacting physical assets or control of a physical process. The oft-touted air gap is in many cases a myth.
The security community often focuses narrowly on industrial control system (ICS) malware, largely because of its novelty and the fact that very few examples have been found. That attention is useful for a variety of reasons, but it is disproportionate to the actual methods of the intrusions in which ICS-tailored malware is used. In the attacks using Industroyer and TRITON, the attackers moved from the IT network to the OT network through systems accessible from both environments. Traditional malware backdoors, credential dumping with Mimikatz, remote desktop sessions and other well-documented, easily detected techniques were used throughout these intrusions and were found at every level of the IT, IT DMZ, OT DMZ and OT environments.
We believe that defenders and incident responders should focus much more attention on intrusion methods, or TTPs, across the attack lifecycle, most of which are present on what we call “intermediary systems”—predominately networked workstations and servers using operating systems and protocols that are similar to or the same as those used in IT, which are used as stepping-stones to gain access to OT assets. This approach is effective because almost all sophisticated OT attacks leverage these systems as stepping stones to their ultimate target.
To illustrate this philosophy, we present some new concepts for approaching OT threats, including the Funnel of Opportunity for OT Threat Detection and the Theory of 99, as well as practical examples derived from our analysis and incident response work. We hope these ideas challenge others in the security community to put forward new ideas and drive discussion and collaboration. We strive for a world where attacking or disrupting ICS operations costs the threat actor their cover, their toolkits, their time and their freedom.
The "Funnel of Opportunity" Highlights the Value of Detecting OT Attacks In "Intermediary Systems"
Over the past 15 years of responding to and analyzing many of the most important threats in IT and OT, FireEye observed a consistent pattern across almost all OT security incidents: There is an inverse relationship between the presence of an attacker’s activities and the severity of consequence to physical assets or processes. The attack lifecycle when viewed like this begins to take on a “funnel” shape, representing both the breadth of attacker footprint and the breadth of detection opportunity for any given level. Similarly, from top to bottom we represent the timeline of the intrusion and its proximity to the physical world. The bottom is the cross-over of impact from the cyber world to the physical world.
Figure 1: The Funnel of Opportunity for OT Threat Detection
In the early stages of the attack lifecycle, the intruder spends prolonged periods of time targeting components such as servers and workstations across IT and the IT DMZ. Identifying threat activity at this architectural level is relatively straightforward given that dwell time is high, threat actors often leave visible traces, and there are many mature security tools, services and other capabilities designed to detect this activity. While it is difficult to anticipate or associate this early intrusion activity in IT layers with more complex OT targeted attacks, IT networks remain the best zone to detect attacks.
In addition to being relatively easy to detect, early attacker activity also presents a very low risk of negative impact to OT networks. This is primarily because OT networks are commonly segmented, often with an OT DMZ separating them from IT, limiting attacker access to the industrial process. Also, targeted OT attacks commonly require threat actors to acquire abundant process documentation to determine how to cause a desired outcome. While some of this information may be available in IT networks, planning this type of attack would almost certainly require further process visibility only available in the OT network. This is why, as the intrusion progresses and the attacker gets closer or gains access to OT networks, the severity of possible negative outcomes becomes proportionally higher. However, the activity becomes more difficult to detect as the attacker’s footprint grows smaller and there are fewer security tools available to defenders.
The TRITON and Industroyer Attacks Exemplify This Phenomenon
Figure 2 shows an approximate representation of endpoints that were compromised across the architecture of victim organizations during the TRITON and Industroyer attacks. The Funnel of Opportunity is located in the intersection between the two triangles. It is here where the balance between attacker presence and operational consequence of an intrusion makes it easier and more meaningful for security organizations to identify threat activity. As a result, threat hunting close to the OT DMZ and DCS represents the most efficient approach as the detectable features of the intrusion are still present and the severity of potential consequences of the intrusion is high, but still not critical.
Figure 2: Approximate representation of endpoints compromised during the TRITON and Industroyer attacks
In both the TRITON and Industroyer incidents, the threat actor followed a consistent pattern traversing the victims’ architecture from IT networks, through the OT network, and ultimately reaching the physical process controls. In both incidents, we observed that the actor moved through segmented architectures using computers located in different zones. While we only illustrated two incidents in this blog post, we highlight that movement across zones leveraging computers has also been observed in every public OT security incident to date.
The Theory of 99: Almost All Threat Activity Happens in Windows and Linux Systems
FireEye’s unique visibility into the full attack lifecycle of thousands of intrusions from both independent research and first-hand incident response experience has enabled us to support this theory with real-world data, some of which we share here. FireEye has consistently identified similar TTPs leveraged by threat actors regardless of their target industry or ultimate goals. We believe that visibility into network traffic and endpoint behaviors is among the most important components of IT security. These components are also critical in preventing pivots to key assets in the OT network and detecting threat activity once it does reach OT.
Our observations can be summarized in what we call the Theory of 99, which states that in intrusions that go deep enough to impact OT:
- 99% of compromised systems will be computer workstations and servers
- 99% of malware will be designed for computer workstations and servers
- 99% of forensics will be performed on computer workstations and servers
- 99% of detection opportunities will be for activity connected to computer workstations and servers
- 99% of intrusion dwell time happens in commercial off-the-shelf (COTS) computer equipment before any Purdue level 0-1 devices are impacted
As a result, there is often a significant overlap across TTPs utilized by threat actors targeting both IT and OT networks.
Figure 3: TTPs seen across both IT and OT incidents
Figure 3 presents a summary of TTP overlaps between TRITON, Industroyer, and some relatively common activity from cybercrime group FIN6. FIN6 is a group of intrusion operators who have compromised multiple point-of-sale (POS) environments to steal payment card data and sell it on the dark web. While the motivations and ultimate goal of the threat actors that developed TRITON and Industroyer differ significantly from FIN6, the three actors share common TTPs, including the use of Meterpreter, compromising dual-homed systems, leveraging RDP to establish remote connections and so forth. The overlap in tools and TTPs across actors interested in IT and OT should be no surprise. The use of IT tools for OT compromises directly corresponds to a trend best known as IT/OT convergence. As IT equipment increasingly becomes integrated in OT systems and networks to improve efficiency and manageability, we can expect threat actors to be able to leverage networked computers as a conduit to reach industrial controls.
Drawing parallels between intrusions into high security environments, we can gain insight into actor behaviors and identify detection opportunities earlier in the attack lifecycle. Intelligence on intrusions across various sectors can be useful in highlighting which common and emerging adversary tools and TTPs are likely to be used in tailored attacks against organizations with OT assets.
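As an added example (not FireEye's code) of hunting in the funnel, the detection below flags RDP logons that cross zone boundaries, scores each by how deep in the funnel it lands, and chains crossings per account to surface the IT-to-OT stepping-stone pattern described above. The zone subnets, host addresses and Windows 4624 event records are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Zones ordered from the top of the funnel (IT) to the bottom (OT); subnets are constructed.
ZONE_ORDER = ["IT", "IT_DMZ", "OT_DMZ", "OT"]
ZONES = {"IT": ip_network("10.1.0.0/16"), "IT_DMZ": ip_network("10.2.0.0/24"),
         "OT_DMZ": ip_network("10.3.0.0/24"), "OT": ip_network("10.4.0.0/16")}

# Constructed Windows Security events: (time, event id, logon type, account, source ip, target ip).
# Event 4624 with logon type 10 is a RemoteInteractive (RDP) logon.
SAMPLE_EVENTS = [
    ("09:00", 4624, 10, "corp\\jsmith", "10.1.5.20", "10.1.7.9"),   # IT -> IT (same zone)
    ("09:20", 4624, 10, "corp\\jsmith", "10.1.7.9", "10.2.0.15"),   # IT -> IT DMZ
    ("09:45", 4624, 10, "corp\\jsmith", "10.2.0.15", "10.3.0.8"),   # IT DMZ -> OT DMZ
    ("10:10", 4624, 10, "corp\\jsmith", "10.3.0.8", "10.4.1.50"),   # OT DMZ -> OT
    ("11:00", 4624, 10, "corp\\ops", "10.3.0.8", "10.3.0.9"),       # OT DMZ -> OT DMZ
    ("11:05", 4624, 3, "corp\\ops", "10.1.5.20", "10.2.0.15"),      # network logon, not RDP
]

def zone_of(ip):
    """Map an address to its zone name, or None if it is outside the model."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def zone_crossings(events):
    """RDP logons whose source and target sit in different zones.
    'depth' is the target zone's position in the funnel: deeper means higher severity."""
    hits = []
    for time, eid, ltype, account, src, dst in events:
        if eid != 4624 or ltype != 10:
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone and dst_zone and src_zone != dst_zone:
            hits.append({"time": time, "account": account, "src": src, "dst": dst,
                         "from": src_zone, "to": dst_zone, "depth": ZONE_ORDER.index(dst_zone)})
    return hits

def pivot_chains(events):
    """Per account, the ordered zones reached by crossings (events assumed chronological);
    only accounts whose chain runs all the way from IT into OT are returned."""
    chains = defaultdict(list)
    for hit in zone_crossings(events):
        path = chains[hit["account"]]
        if not path:
            path.append(hit["from"])
        path.append(hit["to"])
    return {acct: path for acct, path in chains.items() if path[0] == "IT" and path[-1] == "OT"}

if __name__ == "__main__":
    for hit in zone_crossings(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['account']} {hit['from']}->{hit['to']} depth={hit['depth']}")
    print("pivot chains:", pivot_chains(SAMPLE_EVENTS))
```

Same-zone RDP and non-RDP logons are deliberately ignored so the alert volume stays focused on the zone boundaries where the funnel narrows.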
FireEye Services, Intelligence, and Technology Provide Unparalleled Protection In IT and OT
While the FireEye approach to OT security detailed in this blog post emphasizes the criticality of “intermediary systems” when defending OT, we do not want to downplay the importance of the OT expertise and technology needed to respond to the most critical 1% of threat activity that does impact control systems. OT is in our DNA at FireEye: FireEye Mandiant’s OT practice has been one of the leading industry voices over the past six years, and the FireEye Cyber Physical Intelligence offering is the most recent evolution of the heritage of Critical Intelligence—the first commercial OT threat intelligence company founded in 2009.
Figure 4: FireEye OT-specific offerings
We believe that sharing our philosophy for OT security and highlighting FireEye’s comprehensive OT security capabilities will help organizations look at this security challenge from a different angle and take tangible steps forward to build a robust, all-encompassing security program. Figure 4 maps FireEye’s OT security offerings against the NIST Cybersecurity Framework’s Five Functions, matching FireEye services to the lifecycle of an organization’s cyber security risk management.
If you are interested in learning more or purchasing FireEye OT-focused solutions, you can reach out here: FireEye OT Solutions.
The first step in bridging the gap starts with understanding the problem. IT and security operations have worked in silos for decades so one might think “If it ain’t broke, don’t fix it.” But it is, in fact, broken, and there is little awareness of the impact caused by the fragmentation.
According to a recent study conducted by Forrester on behalf of endpoint security company Tanium, 67% of IT leaders surveyed admitted that driving collaboration between the two groups is a challenge and that the rift widens an already big gap in visibility and makes resolving issues harder.
Stock up on sprouts, hang the decorations and prepare for a barrage of cyber attacks, because the Christmas season is in full swing.
December is a busy time for cyber criminals, as they look to take advantage of understaffed IT departments and employees who are distracted by tight deadlines, Christmas parties and the upcoming break.
Let’s take a look at some of the most common mistakes organisations make and how to address them. Some are quick fixes that you can sort out before you go away for the holidays, whereas others require a refined, systematic approach to information security.
1. Weak passwords
Hackers can crack passwords in a variety of ways:
- Dictionary attacks: Hackers load a text file containing a list of words (usually from a dictionary) into a cracking application and run it against the user accounts the application locates.
- Rainbow tables: Most modern systems store passwords as a hash. This means that even if hackers can get to the area or file that stores the password, the information will be hashed rather than stored in plain text. A rainbow table helps reverse the hash by comparing the hashed password with a list of hashed dictionary entries.
- Brute force: The hacker tries common passwords in the hope that they will find a match.
The received wisdom about passwords is that they should have at least eight characters and mix letters, numbers and special characters.
However, this often leads to ridiculously complicated passwords that are hard to remember and, ironically, comparatively easy for computers to crack.
There’s another problem: even though complex passwords are theoretically hard to crack, people tend to write them down somewhere, which immediately compromises them.
A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character from each word of a sentence.
Organisations should create a policy that lists specific requirements for creating passwords and instructs employees to change default passwords when they create accounts. If the account contains sensitive information, organisations should consider using multi-factor or hardware-based tokens in place of system-level passwords.
2. Poorly configured devices
Inexperienced or underfunded organisations often install routers, switches and other networking gear without involving anyone who understands the security ramifications of each device.
Misconfiguration can happen at any level of the application stack, including the code, web and application servers, databases and frameworks.
Here are some signs of a poorly configured device:
- Default account information: Attackers can easily break into your application if you’ve left your account name as ‘admin’ or ‘test’ and not changed the default password.
- Third-party applications installed on a production server: A production server with additional applications on it leaves organisations exposed.
- Ineffective firewalls: If more ports than necessary are open, or if unauthorised hosts can connect to the server, attackers can gain control of the server.
- Missing operating system security patches: Attackers exploit security holes that the release of a patch has already made public. If you haven’t applied those patches, you are vulnerable.
To avoid making those mistakes, organisations should use a strong application architecture that separates components, create a process for applying software updates and patches as they are released and conduct regular scans and audits to help detect future misconfigurations or missing patches.
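An added illustration (example code, not from the post) of turning the four signs above into a repeatable audit: a host inventory snapshot is compared against a production baseline and each deviation is reported with a severity. The baseline, the host snapshot, the subnets and the patch identifiers are all constructed placeholders.

```python
from ipaddress import ip_network

# Constructed baseline for a production web server (placeholder values).
BASELINE = {
    "allowed_ports": {22, 443},
    "allowed_packages": {"nginx", "openssl", "ca-certificates"},
    "required_patches": {"PATCH-2019-11", "PATCH-2019-12"},   # placeholder identifiers
    "default_accounts": {"admin", "test", "guest"},
    "authorised_sources": [ip_network("10.10.0.0/24")],       # ranges allowed to reach the host
}

# Constructed inventory snapshot of the host as a scanner might report it.
HOST = {
    "listening_ports": {22, 443, 3306, 8080},
    "packages": {"nginx", "openssl", "ca-certificates", "mysql-server", "git"},
    "installed_patches": {"PATCH-2019-11"},
    "accounts": [{"name": "admin", "default_password": True},
                 {"name": "deploy", "default_password": False}],
    "firewall_sources": ["10.10.0.0/24", "0.0.0.0/0"],       # what the firewall actually permits
}

def audit(host, baseline):
    """Return (severity, finding) tuples for each sign of misconfiguration: default accounts,
    extra software on a production host, over-broad firewall rules and missing patches."""
    findings = []
    for acct in host["accounts"]:
        if acct["name"] in baseline["default_accounts"] and acct["default_password"]:
            findings.append(("high", f"account '{acct['name']}' still has its default password"))
    for pkg in sorted(host["packages"] - baseline["allowed_packages"]):
        findings.append(("medium", f"package '{pkg}' is not in the production baseline"))
    for port in sorted(host["listening_ports"] - baseline["allowed_ports"]):
        findings.append(("medium", f"port {port} is open but not in the allowed set"))
    for rule in host["firewall_sources"]:
        # A rule is acceptable only if some authorised range fully contains it.
        if not any(ip_network(rule).subnet_of(auth) for auth in baseline["authorised_sources"]):
            findings.append(("high", f"firewall rule {rule} admits unauthorised hosts"))
    for patch in sorted(baseline["required_patches"] - host["installed_patches"]):
        findings.append(("high", f"required patch {patch} is not installed"))
    return findings

def summarise(findings):
    """Count findings per severity so a report can lead with the worst."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts

if __name__ == "__main__":
    for sev, msg in audit(HOST, BASELINE):
        print(f"[{sev}] {msg}")
```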
3. Insider threats
Employees are often directly responsible for data breaches. These can be broken down into three categories:
- Malicious actors, who steal or expose data for financial gain, political reasons, revenge, etc.
- Accidental loss, such as misplacing a removable device.
- Negligence, where, for reasons other than malice, employees fail to comply with security policies.
It’s hard to identify potential sources of insider error, because everyone in the organisation is susceptible. Accidental loss and negligence can be mitigated by providing your staff with regular awareness courses that remind them of their security obligations.
Preventing malicious actors requires stricter measures, such as:
- Implementing access controls to limit the amount of information any one employee can view;
- Creating policies restricting the use of removable devices; and
- Monitoring unauthorised accounts.
Educate your employees on cyber security risks
Educated and informed employees are your first line of defence when it comes to information security.
Empower them to make better security decisions with our Information Security and Cyber Security Staff Awareness E-Learning Course.
This GCHQ-approved training course gives your employees a comprehensive overview of the threats they face and how to avoid them.
A version of this blog was originally published on 1 December 2017.
The post Don’t gift cyber attackers access to your organisation this Christmas appeared first on IT Governance UK Blog.