It’s rare that a month goes by without a significant hacking incident or ransomware attack entering the public domain. As you swipe from one ransomware news item to the next, you could be forgiven for thinking you are up to speed. However, the majority of ransomware attacks are not reported, with organisations often preferring to deal with the impact of attacks internally for fear of reputational damage.
This trend shows no sign of abating, as cybercriminals continue to evolve their methods and demonstrate their understanding of the value of data.
On foot of the European Union Agency for Cybersecurity (ENISA) July 2022 report on the Threat Landscape for Ransomware Attacks, this article explores the techniques used by cybercriminals to carry out such attacks, cites real-world incidents, and offers practical steps that can be taken to prevent an attack.
The ENISA report observes that ransomware models have evolved, both technically and organisationally since ransomware attacks first entered the lexicon. Ransomware-as-a-Service (RaaS) is now being offered to networks of affiliates – ransomware platforms incorporating attack methods and tools are sold or rented to affiliates who seek to orchestrate ransomware attacks. Examples of RaaS include DarkSide (Colonial Pipeline hack), REvil (Kaseya ransomware attack), Conti (Irish health service ransomware attack) and LockBit (Entrust attack).
Double extortion attacks, where data is exfiltrated from a network as well as being encrypted within it, have become increasingly common. Such attacks give additional leverage to cybercriminals who, once data is extracted, can take on the role of a data broker for other criminals seeking to exploit the outcome of a cyberattack. Another form of brokerage activity on the rise is that of the “initial access broker”. An initial access broker gains access to an organisation’s network and then sells that access to other cybercriminals who further exploit it for their own ends. Data breaches resulting from these attacks cause significant harm, both operationally and reputationally, for the organisations targeted and for the individuals whose data is breached. Impacted individuals may experience humiliation, discrimination, financial loss, physical or psychological damage and, in some instances, a threat to life as a direct result of their personal data being disclosed or otherwise affected by a breach.
Common initial access points
ENISA’s research identifies common initial access points for cyberattacks. They include:
- Phishing: Threat actors may send messages (e.g., email, SMS, messenger services) that lure victims into handing over credentials or opening malicious content, thereby gaining access to the victims’ systems. Phishing is itself a form of social engineering and is frequently combined with other social engineering techniques, such as impersonating a supplier or a senior manager.
- External Remote Services: Threat actors may leverage external-facing remote services to gain initial access to a network (e.g., VPN, Citrix, RDP).
- Supply Chain Compromise: Threat actors may compromise products, or the supply chain that delivers them, before they reach the customer, as in the case of attackers targeting the SMS supplier of the Signal messenger app, and when an account belonging to a third-party support engineer working for Okta (provider of an identity management platform) was compromised.
- Valid Accounts: Threat actors may obtain and use existing account credentials as a means of gaining initial access to the network and its information systems. This was seen in the Colonial Pipeline hack, where the attackers logged in through a legacy VPN account that was no longer in active use and was not protected by multi-factor authentication. Inactive accounts belonging to individuals who are no longer part of the organisation are a particularly attractive target, because nobody expects them to be used and so nobody notices when they are; leavers’ accounts should be disabled promptly and dormant accounts reviewed on a regular schedule.
- Exploitation for Privilege Escalation: Threat actors may exploit software vulnerabilities in order to elevate the privileges of an account they already control. This technique is often chained with the ‘Valid Accounts’ access point above: a low-privileged account obtained through stolen credentials is the starting point, and a local vulnerability provides the step up to administrative rights.
These techniques are increasingly being deployed in attacks involving Ransomware-as-a-Service. Healthcare and the wider public sector are particularly exposed, as we have seen in Ireland with the cyberattack on the HSE and, more recently, with ransomware attacks on a French hospital and on the UK NHS.
How to protect against the ransomware threat
No organisation is immune from the risk of cyberattacks. It is essential to put adequate safeguards in place to protect against these threats, as well as to identify when they occur so that steps can be taken to contain and respond to the security incident.
Below are a number of recommendations to address the risk of a cyberattack and to build resilience in your organisation should an attack occur. The recommendations presented are those which can have a significant impact on an organisation’s cybersecurity posture. However, this is not an exhaustive list, and any adopted recommendations should form part of a wider program to enhance cybersecurity preparedness over time. The recommendations are presented in suggested stages, to aid in considering where they may sit in your organisation’s cybersecurity maturity program.
Foundation: Establish the foundational elements of a cybersecurity program.
- Risk Management: Organisations should conduct regular risk assessments to identify and re-evaluate risks. Good situational awareness is necessary to keep pace with the evolving threat landscape.
- Staff Training: The human factor in cybersecurity is a critical line of defence for your organisation. A mature security training and awareness program, complemented by a suite of regularly reviewed security and data protection policies, is necessary to maintain robust cybersecurity hygiene.
- Backup Strategy: A robust and verified backup strategy is essential for business-critical files and personal data. Backups should be kept up to date and isolated from the network (offline or immutable), because ransomware operators routinely seek out and encrypt or delete any backups they can reach before triggering encryption of production systems. Apply the “3-2-1 rule of backup”: 3 copies, 2 different storage media, 1 copy offsite. Such a strategy lowers the impact of a single point of failure with backup datasets. A backup is only verified once it has been restored: test restores regularly and time them against the recovery objectives in your disaster recovery plan.
- Incident Response Plan: An incident response plan is a key control measure that can limit the impact of a major incident. Complementing this, a disaster recovery plan should be developed and tested to ensure that operations can be reinstated as quickly as possible in the event of a serious security incident. Organisations should assess their incident reporting obligations under regulations such as the GDPR, the NIS Directive (the NIS 2 Directive introduces enhanced reporting requirements) and the Cyber Incident Reporting for Critical Infrastructure Act (USA), as appropriate, to ensure preparedness to meet regulatory requirements.
- Network Protection: Your network carries the lifeblood of your organisation, its internal systems and data. Adequate safeguards must be in place to protect the network and the information systems connected to it from attack. Networks should be segmented as appropriate, with firewalls deployed and configured to permit only the traffic each segment actually needs, so that a compromised workstation cannot reach backup servers, domain controllers or management interfaces directly.
- Vendor Due Diligence: Organisations must have governance in place to ensure that appropriate due diligence is carried out on the procurement of any products or services that may introduce vulnerabilities. Suppliers should be assessed against baseline security requirements, with due consideration given to the nature of the product or service being supplied and how it integrates into the wider service offering of the organisation.
- Principle of Least Privilege (PoLP): Access to information systems should be given to employees on a least privilege basis, ensuring that individuals only have the permissions necessary to carry out their duties. Administrative privileges should be assigned on the same basis, held in separate administrative accounts that are used only for administrative tasks, and reviewed periodically.
Evolve: Build on the foundations put in place, implementing appropriate controls to mitigate the risk of cyberattack.
- Malware and Virus Detection: Security software, such as antimalware and antivirus, should be installed to defend against malicious threats such as viruses, Trojans, worms, rootkits, spyware and ransomware. Devices should be scanned regularly to identify suspicious activity, and the software’s alerts should be routed to someone who will act on them.
- Patch Management: Software updates, including security patches, should be rolled out to all company-owned devices, prioritising internet-facing systems and vulnerabilities known to be actively exploited. Where staff use personal devices to access the organisation’s data, mechanisms should be put in place to ensure that such devices are compliant with company policies.
- Identity and Access Management (IAM): A unified approach to identity and access management enables your organisation to systematically provision and revoke access as needed for staff and other parties. This is particularly important in larger organisations, where the challenge of managing joiners, movers and leavers grows with headcount. A central IAM platform also allows security measures such as multi-factor authentication (MFA) to be centrally managed and consistently deployed; MFA should be enforced, at a minimum, on every remote access route and every administrative account.
- Encryption: Organisations have an obligation under the GDPR and other regulation as applicable (e.g., the NIS Directive for critical infrastructure operators and the Medical Device Regulation for manufacturers of medical devices) to ensure that appropriate safeguards are in place to protect personal data. Encryption renders data unreadable to anyone who does not hold the key, so it is only as strong as the key management around it: where keys are stored, who can use them and how they are rotated. Where appropriate, encryption can be a significant safeguard against unauthorised access to personal data and should be considered for data both at rest (stored files and databases) and in transit (when data is being transmitted from sender to recipient). Note that encrypting data at rest does not stop a ransomware actor who has gained access to the system from encrypting or deleting it again; backups remain the control for that risk.
- Endpoint Management: Ensure that appropriate endpoint management tools are in place to manage the alignment of your organisation’s hardware (e.g., employee laptops and mobile devices) with company policies. These tools can also assist with identifying threats on devices.
- Remote Access: Remote access routes are a common access point for attackers. Maintain an inventory of every externally reachable service (VPN, RDP, Citrix, web-based administration consoles), remove those that are not needed, never expose RDP directly to the internet, require MFA on the rest, and keep gateway software patched, since vulnerabilities in VPN and remote-access appliances are among the most widely exploited.
Advance: Develop a cloud strategy (to accompany other organisational security strategies) that directs how the organisation will secure its assets in the cloud. Implement advanced monitoring mechanisms to identify and address vulnerabilities.
- Cloud Strategy: Organisations are increasingly moving to the cloud. Leveraging cloud computing can reduce costs, streamline operations, and ensure systems and data are available to staff wherever they are located. However, a move to the cloud can introduce a new set of risks. If your organisation has adopted the cloud as part of its IT strategy, whether in hybrid, multi-cloud or another form, it is necessary to have a well-considered cloud strategy, with appropriate governance within the organisation, to ensure that the strategy is met and maintained. A Cloud Access Security Broker (CASB) solution can be a useful component of an organisation’s cloud strategy, acting as an intermediary between users, devices and cloud providers to enforce organisational security policies. CASB solutions can also incorporate cloud Data Loss Prevention (DLP) features to detect and prevent the loss, leakage or misuse of data.
- Advanced Network Protection: Building on the foundational elements, organisations may consider implementing tools such as Security Information and Event Management (SIEM) and Data Loss Prevention (DLP) solutions to monitor and alert security personnel to events that may constitute a threat. SIEM solutions consolidate and correlate logs from systems connected to the network and can assist with identifying and reporting suspicious activity, providing a key layer of defence. A SIEM is only as useful as the log sources fed into it and the people who act on its alerts, so onboarding authentication, remote-access and endpoint logs, and deciding who responds to each class of alert, matter more than the choice of product. Additionally, networks can be continuously scanned for exposed services and vulnerabilities that attackers could exploit, and network DLP tools can assist with detecting and preventing the loss, leakage or misuse of data.
- Vulnerability Scanning and Penetration Testing: Automated vulnerability scanning can identify vulnerabilities in an organisation’s network and information systems. In addition, penetration testing, carried out by skilled professionals, imitates the activities of real attackers, attempting to identify vulnerabilities and misconfigurations that leave systems exposed. These proactive measures act as an early warning that a weakness exists which may be exploited by a motivated adversary.
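The kind of correlation a SIEM rule performs, tying the ‘External Remote Services’ and ‘Valid Accounts’ access points listed earlier to the monitoring described under Advanced Network Protection, as an added example in Python. This is illustrative code written for this article; it is not from the ENISA report or from any product. The gateway log lines, the directory extract, the account names and the thresholds are all constructed for the example, and the line format is a hypothetical one: a real deployment would read events from the SIEM, read last-logon and HR status from the directory service, and parse whatever the gateway actually emits. The first rule flags a burst of failed logins from one source address and a success that follows it; the second flags a successful login by an account that HR lists as inactive or that has been dormant longer than the review period.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample log from a hypothetical remote-access gateway: one line per
# authentication attempt. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-09-14T08:01:02Z vpn-gw FAIL user=jsmith src=203.0.113.5
2022-09-14T08:01:09Z vpn-gw FAIL user=jsmith src=203.0.113.5
2022-09-14T08:01:15Z vpn-gw FAIL user=jsmith src=203.0.113.5
2022-09-14T08:01:21Z vpn-gw FAIL user=jsmith src=203.0.113.5
2022-09-14T08:01:28Z vpn-gw FAIL user=jsmith src=203.0.113.5
2022-09-14T08:01:40Z vpn-gw SUCCESS user=jsmith src=203.0.113.5
2022-09-14T09:12:00Z vpn-gw SUCCESS user=mmurphy src=198.51.100.20
2022-09-14T11:45:31Z rdp-gw SUCCESS user=contractor02 src=203.0.113.77
2022-09-14T12:00:05Z vpn-gw FAIL user=aobrien src=198.51.100.20
2022-09-14T12:00:20Z vpn-gw SUCCESS user=aobrien src=198.51.100.20
"""

# Constructed directory extract (hypothetical): last interactive logon per account and
# whether HR still lists the person as active. "contractor02" left in March but the
# account was never disabled, which is the leaver scenario described in the text.
DIRECTORY = {
    "jsmith":       {"last_logon": "2022-09-13", "active": True},
    "mmurphy":      {"last_logon": "2022-09-12", "active": True},
    "contractor02": {"last_logon": "2022-03-01", "active": False},
    "aobrien":      {"last_logon": "2022-09-13", "active": True},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>FAIL|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                   # this many failures from one source address ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this sliding window is a guessing attack
DORMANT_DAYS = 90                    # a success after this much idle time is suspicious


def parse(log_text):
    """Parse the gateway log into event dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production rule would also count unparsed lines as a health signal
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text, directory):
    """Return alerts as (rule, src, user, timestamp) tuples, in event order."""
    alerts = []
    recent_fails = defaultdict(list)  # src -> timestamps of failures inside the window
    fired = set()                     # (rule, src) pairs already alerted, to avoid repeats
    for e in parse(log_text):
        src, user, ts = e["src"], e["user"], e["ts"]
        # Keep only the failures from this source that are still inside the sliding window.
        recent_fails[src] = [t for t in recent_fails[src] if ts - t <= FAIL_WINDOW]
        if e["result"] == "FAIL":
            recent_fails[src].append(ts)
            # Rule 1a: password guessing against an external remote service.
            if len(recent_fails[src]) >= FAIL_THRESHOLD and ("bruteforce", src) not in fired:
                alerts.append(("bruteforce", src, user, ts))
                fired.add(("bruteforce", src))
            continue
        # Rule 1b: a success on the heels of a failure burst from the same source is the
        # high-priority case; the guess probably worked.
        if len(recent_fails[src]) >= FAIL_THRESHOLD:
            alerts.append(("bruteforce_success", src, user, ts))
        # Rule 2: valid-account abuse. A login by an account that is unknown, inactive, or
        # idle longer than the review period is what a leaver's account looks like when an
        # attacker starts using it.
        record = directory.get(user)
        if record is None:
            alerts.append(("unknown_account", src, user, ts))
        else:
            idle_days = (ts.date() - date.fromisoformat(record["last_logon"])).days
            if not record["active"] or idle_days > DORMANT_DAYS:
                alerts.append(("dormant_account", src, user, ts))
    return alerts


if __name__ == "__main__":
    for rule, src, user, ts in detect(SAMPLE_LOG, DIRECTORY):
        print(f"{ts.isoformat()} {rule:<18} user={user} src={src}")
```

Running the block prints three alerts: the failure burst from 203.0.113.5, the success that followed it, and the login by the contractor account that was never disabled. The single successful login by mmurphy and the one failed attempt by aobrien produce nothing, which is the point of the thresholds. A production rule would go further: suppress known scanners, catch distributed password spraying (many sources, one password each, so no single source crosses the threshold) by also counting failures per account and per time window, and enrich each alert with geolocation and device identity before it reaches an analyst.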
The ENISA report observes that ransomware attacks are thriving, estimating that approximately 62% of companies may have entered into some form of negotiation with the attackers, with nearly 38% of documented security incidents resulting in data being leaked into the public domain. As such, all organisations that handle personal and sensitive data are a potential target and should be taking steps to prepare for security incidents before they occur.
There are several elements required to develop a robust cybersecurity risk management program, with varying degrees of investment required to implement the necessary capabilities and controls. Trilateral advises applying a maturity-model methodology to provide a path forward, taking account of the organisation’s starting point, its threat landscape, the cost of implementation and the steps needed to mature its cybersecurity posture over time.
For information on how Trilateral can assist with maturing your organisation’s cybersecurity and data protection compliance posture, please refer to our Cybersecurity and Data Protection service offerings. Our cybersecurity services include Information Systems Auditing, Certification Support, Information Security Policy Development and Security Awareness Training. Contact one of our advisors today, who would be happy to support your compliance journey.