In the weeks and months after a cyberattack on a high-value target, such as SolarWinds, Colonial Pipeline, or JBS, the industry will dissect the event in an attempt to find solutions to help us prevent future events like this. While we learn from this analysis, we know that we must remain vigilant on all fronts as our adversaries are becoming increasingly determined, well-resourced, and agile.

The increase in sophistication and operational security capability of threat actors is a major driver for evolving regulations, such as NIST 800-171, NIST 800-172, CMMC, and others which are designed to protect our most critical infrastructure.

In the commercial sector, IP theft and financial crime pose the greatest risk to companies and make up at least 75% of losses to cybercrime. Then there are the hidden costs of cyber-attacks ranging from reduced efficiency and downtime to brand damage and loss of trust. Cybercrime costs the global economy over $1 trillion per annum, reports McAfee, an increase of almost 50% from 2018.

Which types of cyberattacks are increasing?

Vulnerability exploitation

Exploiting vulnerabilities is one of the most common methods for threat actors. They will scan networks, gathering as much information as possible about the devices, operating systems, version numbers, and any other information they can use to their advantage. Once they have found a known vulnerability that is specific to a device used in the target network, the hackers will search for exploits that have already been written for that weakness, these exploits are readily available if you know where to look. If no exploits exist and they are sufficiently motivated, the attackers may design their own exploit to infiltrate their target network.

Ransomware attacks

In early March 2021 news broke of a massive Microsoft Exchange hack that affected 30 to 60 thousand organizations around the world, many of them small businesses and government agencies. Beginning in January hackers had exploited a group of critical vulnerabilities, together known as ProxyLogon, to carry out what looked like a virtual smash and grab of email inboxes.

Microsoft quickly identified Hafnium, a Chinese group thought to be state-sponsored, as one of the attackers who first exploited the zero-day weakness. Since then, other threat actors, such as Black Kingdom, have emerged as they begin to make their motives clear.

Within a few weeks, victims began to report ransomware attacks. Attackers had delivered their payload in the form of DearCry or DoejoCrypt and were demanding large ransoms for the release of encrypted files.

Ransomware is malware designed to hold a computer system or data hostage by encrypting files with a key that only the attacker holds. The victim is told to pay a ransom, usually in a cryptocurrency, in exchange for the encryption key or release of their captive files. If they do not pay, they are warned that their files will be destroyed or released publicly.

Microsoft released a patch for the vulnerabilities on March 2. However, many organizations that rely on the affected on-premises Microsoft Exchange Servers are small and do not have the dedicated resources needed to respond to these incidents quickly. Weeks after the patch was released Palo Alto estimated that there were still 125,000 servers unpatched around the world.

In the time that it takes from the attack to the patch being applied the hackers would have had the opportunity to steal data and move around in the network.

It is critical that organizations who suspect they may have been compromised run checks on their network to see if any unauthorized changes have been made, and this requires the company to understand what the baseline network configuration is.

Phishing scams and attacks

Verizon reports that 22% of data breaches in 2020 were the result of phishing attacks and involved the exposure of credentials, personal and business data, medical records, and bank details.

In a phishing attack, a malicious actor sends a fraudulent email disguised to look like it is from a trusted source. The goal is to get the recipient to either download and install malware onto their drive or share confidential personal or business information. For instance, the email could say that the recipient’s bank account has been accessed and if it was not them, to click the link in the email to change their password. Clicking the link will take them to a website that looks just like the bank’s website but has been set up by the attacker. Entering their details into the form will expose their credentials to the hacker.

Spear phishing is a highly targeted form of phishing, where the attack is tailored to a specific person. The attacker will research their victim to find out the best way to get their attention before launching an attack.

Over the past year businesses have reported a large number of phishing attacks referencing COVID directives and vaccines. Many of these scams have utilized a dynamic algorithm that allows scammers to extract features from employee email addresses and combine that with information from Google such as company logo, to create emails and phishing sites that appear to be from the company.

One example of this, reports SC Magazine, was an email that appeared to be from the HR department within a company asking employees if they would be willing to get one of the COVID-19 vaccines. The email asked employees to complete a survey so that the company could arrange for staff to get vaccinated in a nearby clinic. However, when an employee clicked the link, they would be taken to a credential harvesting website on a hijacked domain.

How can we put the shields up? In addition to ensuring all people in the organization are educated on identifying phishing attempts, we need to prepare for an event when a phishing attempt is successful in getting someone to give up their credentials or install their malicious software.

Correctly configured firewall routing rules can ensure the malware is unable to ‘phone home’. n other words if you cut off its ability to get its command and control the malware will be unable to carry out its purpose.

Advanced persistent threats (APTs)

An advanced persistent threat consists of a multi-phase, usually long-term, advanced operation against a specific target. These attacks target organizations or nations for business or political reasons and due to the complexity, skill and determination required to carry out an attack like this, APTs need to be well-funded and are often state-sponsored.

The APT’s purpose is to deploy customized malware, on one or multiple systems. The malware needs to remain undetected until it has either spread to its intended destination or been shipped out to other organizations, possibly hidden inside legitimate software.

In late 2020 news broke of a sophisticated, multi-layered attack on SolarWinds, designed to infiltrate their customers. US government departments including the Treasury Department and State Department and thousands of organizations within the defense supply chain were affected.

The attackers’ technique demonstrated their persistence and determination, they understood how to get around the target networks undetected. They were able to create privileged credentials which allowed them to hide their malware within the Orion update, and keep it hidden long enough to ensure it was shipped out to thousands of customers.

The group of hackers responsible are reported to have been sponsored by the Russian Government and, while their end goal is still under speculation, the implications for national security cannot be ignored. Foreign powers have been able to penetrate the networks of the US Defense Department and US Government.

This attack drives home the need for heightened vigilance, especially within the US Defense Industrial Base. For organizations in the DoD supply chain this attack reinforces the imperative to regularly assess their compliance with NIST 800-171, making sure they maintain a high level of cyber resilience to protect the controlled and sensitive government information they handle.

The SolarWinds compromise shows how attackers can create administrative credentials and use those credentials to impersonate any of the existing users and accounts, acquiring elevated permissions which ultimately would allow them to modify other settings to their advantage.

After an attack like this anyone who has been, or suspects they may have been compromised, has an enormous task to perform. Short of ripping up everything and building your data centers up again from scratch, which in practical terms, not many organizations will have the time and resources to do, teams should run thorough checks on their networks.

Everything that you can check you absolutely should check as a clean sweep to bring your networks back to a known good state. Increasing the cadence of network audits and having automated ways of running them will be powerful.

Regularly auditing firewall, router and switch settings allows security teams to detect any unauthorized changes that may have been made to these devices and help identify any vulnerabilities in the organization’s network.

With vulnerability exploitation, ransomware, phishing and APT attacks on the rise, how can organizations protect themselves?

The exploitation of weaknesses, ransomware incidents and the kind of multi-layered and persistent attacks we saw with SolarWinds have been taking place for many years. Trends indicate they are on the rise and that our adversaries are becoming increasingly sophisticated, determined, and well-resourced, allowing them the patience to break into and hide inside networks until they can carry out their purpose.

The paradigm for how we defend our networks has changed in the last decade from how we defend the perimeter by making sure no one gets in, to understanding that people are always going to get in. Therefore it’s crucial to ask, what can we do to build cyber resilience and protect our networks even if someone has been able to get in?

After an event the ability to push a button and see what’s changed and, as a result, what you need to focus your attention on, is critical. Monitoring your firewalls, switches and routers regularly can limit the amount of damage a threat actor can do once they are inside your network.

There are two dominant principles in cybersecurity, the first is the principle of least privilege which means that you only give a person the privileges they need to do their job and no more. You assiduously follow their career and if they move from a department, you take away the privileges they don’t need and only leave the ones they do need.

The second is the principle of zero trust which requires us to take a granular approach to privileges. This involves two aspects, the first is making sure each part of the network requires strong authentication and the second is putting in place robust controls around this. In a zero-trust environment the network checks will make no assumptions about any traffic being trusted, for each transaction you need to perform, the receiving node will ask for proof of your right to be there. This means that if an attacker were able to enter the network, your policies would make it incredibly difficult for them to move around inside.

Having a strong set of principles that determine how you should allow access and how you record how someone has accessed each part of your network or each resource will help you minimize risk and reduce any time window within which people can gain access to each part of your network.

A robust risk management framework would set out what your authentication rules are, the controls around these and it should identify the intolerable risks, the risks that your organization cannot afford to leave unaddressed.

Configuring your firewalls, switches, and routers so that they follow this principle, and regularly auditing them to ensure that no settings have been changed, is key to maintaining a zero-trust environment and minimizing your attack surface. Titania’s award-winning solution, Nipper, can help organizations establish a defendable core network with accurate configuration and vulnerability management. Find out more about Nipper here >