In incident response, protecting against a targeted attack is like slaying the hydra. For those not familiar with what a hydra is, it is a multi-headed serpent from Greek mythology, that grows two new heads for every head you chop off. A determined attacker will try again and again until they succeed, targeting different attack vectors and using a variety of tactics, techniques, and procedures.
The Snowden and Shadowbroker leaks really drove this home, giving partial insight into the toolkit of nation state actors. What really stuck out to me was the sheer variety of utilities, frameworks, and techniques to infiltrate and gain persistence in a target. Without the leak, would it be possible to reliably determine that all of those hacking tools belonged to a single entity? Would a large organization with thousands of alerts and hundreds of incidents every day be able to identify that these different attacks belonged to a single, concerted effort to breach their defenses, or would they come to the conclusion that these were all separate, unrelated attempts?
Our colleagues in the Threat Intelligence and Forensic analysis industries have a much better chance to correlate these tools and their footprint in the wild – they may discover that some of these tools share a command and control infrastructure for example. A few did have at least an outline of the threat actor, but judging by the spate of advisories and reports that were released after the leaks, not very many actually appear to have achieved this to a great degree. The majority were only able to piece the puzzle together once equipped with a concise list of Indicators of Compromise (IoC) and TTP’s to begin hunting with.
“How does this affect me? We are not important enough to attract the attention of a nation state actor”
Some readers may now be thinking, “How does this affect me? We are not important enough to attract the attention of a nation state actor”. I would urge caution in placing too much faith in that belief.
On the one hand, for businesses in some countries the risk of economic espionage by-nation state hacking has decreased. As I wrote on Securityweek in July, China has signed agreements with the USA, Canada, Australia, Germany and the UK limiting hacking for the purpose of stealing trade secrets and economic espionage. However, this does not affect hacking for national security purposes, and it will have little impact on privately conducted hacking. These are also bilateral agreements, and none exist in other nations, for example, Russia or North Korea. For militarily and economically weaker nation states, offensive cyber security is a cheap, asymmetric method of gaining a competitive or strategic advantage. As we have seen, offensive cyber activity can target civilian entities for political rather than economic reasons, and hackers are increasingly targeting the weakest link in the supply chain. This means that the potential probability of being targeted is today based more on your customer, partner, and supply chain network, and not just on what your organization does in detail. Security through obscurity has never been a true replacement for actual security, but it has lost its effectiveness as targeted attacks have moved beyond only focusing on the most prominent and obvious victims. It has become much easier to suffer from collateral damage.
Cyber criminals are becoming more organized and professional
On the other hand, cyber criminals are becoming more organized and professional, with individual threat actors selling their services to a wide customer base. A single small group of hackers like LulzSec may have a limited toolbox and selection of TTP’s, but professional cybercrime groups have access to numerous hackers, supporting services and purpose-built solutions. If they are targeting an organization directly and are persistent and not opportunistic, it will be as difficult to discern that a single concerted attack by one determined threat actor is taking place.
What this means in practical reality for any organization that may become the target of a sophisticated threat actor, is that you have to be on constant alert. Identifying, responding to and containing a threat is not a process to be stepped through with a final resolution step – instead, cyber security incident response is an ongoing, continuous and cyclical process. Advanced and persistent attacks unfold in stages and waves, and like a war consist of a series of skirmishes and battles that continue until one side loses the will to carry on the conflict or succeeds in their objectives. Like trying to slay the hydra, each incident that you resolve means that the attacker will change their approach and that the next attempt may be more difficult to spot. Two new heads have grown instead of one.
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT – but we must do this without creating a perpetual state of alarm. The former means that your team of analysts is always aware and alert, looking at individual incidents as potentially just one hostile act of many that together could constitute a concerted effort to exfiltrate your most valuable data, disrupt your operational capacity, or abuse your organization to do this to your partners or customers. In the latter case, your analysts will suffer from alert fatigue, a lack of true visibility of threats, and a lack of energy and time to be able to see the bigger picture.
The hydra will have too many heads to defeat.
In the Greek legend of Heracles, the titular hero eventually defeats the Hydra by cauterizing each decapitated stump with fire to prevent any new heads from forming. Treating an incident in isolation is the Security Incident Response equivalent of chopping off the head of the hydra without burning the stump. Applied to our problem, burning the stump means that we have to conduct the response to each incident thoroughly and effectively, and continue the process well beyond containment.
We must invest more time in hunting and investigating, and we have to correlate and analyze the relationship between disparate incidents. We must use threat intelligence more strategically to derive situational awareness, and not just tactically as a machine-readable list of IoC’s. This also requires gathering sufficient forensic evidence and context data about an incident and related assets and entities during the incident response process, so that we can conduct post event analysis and continuous threat assessment after containment and mitigation have been carried out. This way we can better anticipate the level of threat that we are exposed to, and make more informed decisions about where to focus our resources, add mitigating controls and improve our defenses. In Incident Response “burning the stump” means making it more difficult for threat actors to succeed in the future by presenting them with a hardened attack surface, reducing their reside time in our infrastructure, and reducing the time we need to discover and contain them. To do this we need to learn from every incident we manage.
While many institutions and businesses from various industries were still reeling from the WannaCry attack that took the world by storm back in May, cyber criminals launched another crippling ransomware attack earlier this week, catching a lot of cyber security professionals across 60 countries by surprise and bringing essential business operations to a halt.This latest high-profile attack, called Petya ransomware, bears many of the hallmarks of WannaCry, in that it is a typical ransomware scheme, paralyzing computers and spreading through internal networks after infecting one machine.
Another important similarity is that just like WannaCry, Petya exploited the same Microsoft Windows vulnerability – Eternal Blue, to spread within networks. On the other hand, there is one significant difference between the two attacks – Petya, unlike WannaCry, was not aimed at extorting money, but rather incurring serious damage to computer networks, with researchers saying that Petya was just disguised as ransomware, but its main goal was to spread throughout networks as fast as possible and cause the biggest infrastructural damages possible.
Containing the Damage
Petya ransomware was primarily designed to infect computers in order to prevent organizations from continuing their day-to-day operations, rather than gaining financial benefit, and the attack did affect business operations of many companies, inflicting severe financial and reputation damage upon them. Ransomware attacks are extremely difficult to prevent, and the best thing organizations can do to avoid serious long-term consequences in case they get hit by one, is to make sure they have the tools to respond to it and contain the damage as fast as possible.
That can be best done with the help of an incident response platform with automation and orchestration capabilities. These types of platforms can help security teams reduce their reaction time when responding to an incident, which is crucial when attacks such as Petya occur. With a set of playbook actions specific to ransomware attacks, an incident response platform will allow your team to detect and analyze the attack faster, and it will suggest a specific list of actions that can help contain the damage in the most effective way possible. When it comes to ransomware attacks, recommended containment actions include isolating compromised machines, blocking communication over ports, and disconnecting shared drives, among other things.
Once you have taken the suggested containment actions, the platform will help you accelerate the recovery and remediation processes, and perform the appropriate post-incident procedure. The post-incident reactions are particularly important when dealing with ransomware attacks, as they play a major role in ensuring compliance with breach notification rules covering these types of cybersecurity incidents, such as the HIPAA Breach Notification Rule in the US.
To conclude, even though preventing ransomware attacks is a major challenge and there is not much that organizations can do in that regard, there are a lot of things they can do to reduce the impact of such incidents and avoid long-lasting consequences, which are usually associated with these types of cybersecurity events.