Most firms find out about the presence of cyber attackers only after they pull the trigger on their nasty plans, usually ransomware. I see a lot of ransomware victims comment that there is “no evidence any data was infiltrated” when news of the breach becomes public. The truth is, these firms have no idea whether they lost data or not, especially only a week after they find out they were attacked. At this point, an expensive and thorough cyber forensic examination is required to determine the extent of the breach.
Hackers meticulously plan before they strike
Generally, attackers spend 90 days or more within a network mapping out the entire architecture and obtaining the necessary credentials to inflict the most damage possible to maximize their ransom amount. More often than not, hackers not only steal and encrypt information, but they also delete backups. Even if the victim is diligently doing backups, when the trigger is pulled the client has limited to none backups from which to recover. Thus forcing them to pay the ransom, which commonly is in the millions of dollars. These cyber-villains are criminal business enterprises and they are getting better. Don’t expect it to slow down anytime soon, as I project 2020 to be worse in terms of ransomware and cyber breaches.
Yes, I said “stealing data” in the previous paragraph when talking about ransomware and the hacker’s laying-in-wait for three months before encrypting everything. Most ransomware victims think the crime is only about encrypting and demanding a ransom. That is now the last phase of the victimization. In the three months leading up to that event, the hackers are stealing anything and everything they can find, including credit card information, financial records, personally identifiable information (SSNs, etc.), protected health information, intellectual property and more. Only after they have extracted all that information and sold it on the dark web do they twist the unfelt knife and demand the encrypted data ransom.
The threat of cyber-breaches haven’t slowed down
Dark Reading’s article, Attackers Increasingly Focus on Business Disruption, provides validation for the discussion in this blog post. In the article Robert Lemos says, “The number of days attackers went undetected increased to 95, up from 85 days in 2018.” His story goes on to say, “Not all of these threat actors are deploying ransomware, but they were really focused on disrupting the business’ ability to perform business,” he says. “That disruption was behind higher ransom amounts and the decision to often pay the ransom.”
Furthermore, his story makes another observation with which I concur, “While successful attacks have decreased in number by some accounts, attackers are focusing on larger targets and threatening to do greater damage. Called “big-game hunting” by many firms, the revised strategy is about minimizing effort and maximizing the profit from criminal activity.” The under 100 user segment used to be the target with highly automated scripts, but now with big ransoms paying off, victims are getting personalized attention from very capable hackers. The story says, “That type of access that the attacker has, it really gives them the flexibility to understand where the critical data assets are, what approach they are going to take to encrypt those assets, where the backups are stored — and that really puts the customer at a disadvantage.”
According to the Crowdstrike report cited in this article, manufacturing and healthcare firms are the most common sector attacked by hackers.
Finally, the article closes with, “Companies that deploy a handful of defenses could fend off many of the attacks…. Multifactor authentication on all public-facing portals, for example, will prevent attackers from gaining easy access through stolen credentials. Network segmentation helps prevent attackers from easily moving around a network following a compromise.” However, Lemos left out one of the most important defense measures, apply security software updates each month. Most companies are months or years behind on many, if not all, patches. Experian’s breach is a good example.
If you want to be safer you must have
- Multi-factor authentication
- Network segmentation
- 24×7 Network monitoring because most of these attacks happen after hours, on Fridays or holidays when no one is watching and around to respond
- Software patching
- Daily backups on a disconnected system and/or with separate admin credentials. Just being in the cloud is not good enough
Firewalls and antivirus software are just the cost of entry in the 2020s.