Cyber attackers hide in your network longer than you’d think

Most firms discover cyber attackers in their network only after the attackers execute their plans, usually by deploying ransomware. I see a lot of ransomware victims comment that there is “no evidence any data was infiltrated” when news of the breach becomes public. The truth is that these firms have no idea whether they lost data, especially only a week after discovering the attack. At that point, an expensive and thorough forensic examination is required to determine the extent of the breach.

Hackers meticulously plan before they strike

Generally, attackers spend 90 days or more inside a network mapping out the entire architecture and obtaining the credentials needed to inflict the most damage possible and maximize their ransom. More often than not, hackers not only steal and encrypt information, they also delete backups. Even if the victim is diligently taking backups, by the time the trigger is pulled there are few or no backups left to recover from, which forces the victim to pay the ransom, commonly in the millions of dollars. These cyber-villains are criminal business enterprises, and they are getting better. Don’t expect it to slow down anytime soon, as I project 2020 to be worse in terms of ransomware and cyber breaches.

Yes, I said “stealing” in the previous paragraph when talking about ransomware and the hackers lying in wait for three months before encrypting everything. Most ransomware victims think the crime is only about encrypting data and demanding a ransom. That is now the last phase of the victimization. In the three months leading up to that event, the hackers are stealing anything and everything they can find, including credit card information, financial records, personally identifiable information (SSNs, etc.), protected health information, intellectual property and more. Only after they have extracted all that information and sold it on the dark web do they twist the knife and demand a ransom for the encrypted data.

The threat of cyber-breaches hasn’t slowed down

Dark Reading’s article, Attackers Increasingly Focus on Business Disruption, provides validation for the discussion in this blog post. In the article Robert Lemos says, “The number of days attackers went undetected increased to 95, up from 85 days in 2018.” His story goes on to say, “Not all of these threat actors are deploying ransomware, but they were really focused on disrupting the business’ ability to perform business,” he says. “That disruption was behind higher ransom amounts and the decision to often pay the ransom.”

Furthermore, his story makes another observation with which I concur: “While successful attacks have decreased in number by some accounts, attackers are focusing on larger targets and threatening to do greater damage. Called “big-game hunting” by many firms, the revised strategy is about minimizing effort and maximizing the profit from criminal activity.” Organizations with fewer than 100 users used to be the target of highly automated scripts, but now that big ransoms are paying off, victims are getting personalized attention from very capable hackers. The story says, “That type of access that the attacker has, it really gives them the flexibility to understand where the critical data assets are, what approach they are going to take to encrypt those assets, where the backups are stored — and that really puts the customer at a disadvantage.”

According to the CrowdStrike report cited in the article, manufacturing and healthcare are the sectors most commonly attacked by hackers.

Finally, the article closes with, “Companies that deploy a handful of defenses could fend off many of the attacks…. Multifactor authentication on all public-facing portals, for example, will prevent attackers from gaining easy access through stolen credentials. Network segmentation helps prevent attackers from easily moving around a network following a compromise.” However, Lemos left out one of the most important defensive measures: applying security updates every month. Most companies are months or years behind on many, if not all, patches. Experian’s breach is a good example.

If you want to be safer, you must have:

  1. Multi-factor authentication
  2. Network segmentation
  3. 24×7 network monitoring, because most of these attacks happen after hours, on Fridays or on holidays, when no one is watching and around to respond
  4. Software patching
  5. Daily backups on a disconnected system and/or protected by separate admin credentials; just being in the cloud is not good enough

Firewalls and antivirus software are just the cost of entry in the 2020s.
