Cyber attackers hide in your network longer than you'd think
Categories: Ransomware Detection, Software Patching
Most firms find out about the presence of cyber attackers only after they pull the trigger on their nasty plans, usually ransomware. I see a lot of ransomware victims comment that there is “no evidence any data was infiltrated” when news of the breach becomes public. The truth is, these firms have no idea whether they lost data or not, especially only a week after they find out they were attacked. At this point, an expensive and thorough cyber forensic examination is required to determine the extent of the breach.
Generally, attackers spend 90 days or more within a network mapping out the entire architecture and obtaining the credentials necessary to inflict the most damage possible and maximize their ransom. More often than not, hackers not only steal and encrypt information, they also delete backups. Even if the victim is diligently doing backups, when the trigger is pulled the client has few or no backups from which to recover, which forces them to pay the ransom, commonly in the millions of dollars. These cyber-villains are criminal business enterprises and they are getting better. Don’t expect it to slow down anytime soon; I project 2020 to be worse in terms of ransomware and cyber breaches.
Yes, I said “stealing data” in the previous paragraph when talking about ransomware and the hackers lying in wait for three months before encrypting everything. Most ransomware victims think the crime is only about encrypting data and demanding a ransom. That is now the last phase of the victimization. In the three months leading up to that event, the hackers are stealing anything and everything they can find, including credit card information, financial records, personally identifiable information (SSNs, etc.), protected health information, intellectual property and more. Only after they have extracted all that information and sold it on the dark web do they twist the unfelt knife and demand the encrypted data
Dark Reading’s article, Attackers Increasingly Focus on Business Disruption, provides validation for the discussion in this blog post. In the article Robert Lemos says, “The number of days attackers went undetected increased to 95, up from 85 days in 2018.” His story goes on to say, "Not all of these threat actors are deploying ransomware, but they were really focused on disrupting the business' ability to perform business," he says. "That disruption was behind higher ransom amounts and the decision to often pay the ransom.”
Furthermore, his story makes another observation with which I concur, “While successful attacks have decreased in number by some accounts, attackers are focusing on larger targets and threatening to do greater damage. Called "big-game hunting" by many firms, the revised strategy is about minimizing effort and maximizing the profit from criminal activity.” The under 100 user segment used to be the target with highly automated scripts, but now with big ransoms paying off, victims are getting personalized attention from very capable hackers. The story says, “That type of access that the attacker has, it really gives them the flexibility to understand where the critical data assets are, what approach they are going to take to encrypt those assets, where the backups are stored — and that really puts the customer at a disadvantage.”
According to the Crowdstrike report cited in this article, manufacturing and healthcare firms are the most common sector attacked by hackers.
Finally, the article closes with, “Companies that deploy a handful of defenses could fend off many of the attacks…. Multifactor authentication on all public-facing portals, for example, will prevent attackers from gaining easy access through stolen credentials. Network segmentation helps prevent attackers from easily moving around a network following a compromise.” However, Lemos left out one of the most important defense measures: applying security software updates each month. Most companies are months or years behind on many, if not all, patches. Experian’s breach is a good example.
Firewalls and antivirus software are just the cost of entry in