Ransomware - VMware Blog

 

Work Anywhere Means Cyber-Attacks Anywhere

Don't Invite the Cyber Criminal Home with You

It is easy to think that the SARS-CoV-2 (COVID-19) pandemic has disrupted everything. The worst effect has of course been the tragic loss of life and the health difficulties suffered by those who have caught the disease, and the resultant grief and loss felt by those left behind. On top of all that has been the economic fallout as travel, supply chains, and working models have been disrupted, dismembered, and reshaped. Not everything, though, has been disrupted: as workforces (and schooling) have shifted to home offices, cyber criminals have continued to find new victims and new paths to wreak havoc. If anything, the pandemic has made the attacker's job easier.

Really it should come as no surprise that work anywhere has meant cyber attacks everywhere. The networks we secure have expanded from inside the cyber walls and moats we have long relied upon out to the kitchen tables, bedrooms, and sometimes even the closets of employees as they found somewhere to park their laptops and power on through.

On top of that we found ourselves craving updates about the world outside our quarantined walls: the local case numbers, new health rules, and a real yearning for news and (let's be honest) distraction. That craving is exactly what phishing lures built around pandemic news exploited.

IT and security systems and processes built on the assumption that the majority of workers would be connecting to the network from a known location, typically inside the corporate firewall, were suddenly not fit for purpose. Day-to-day management and support functions for employee machines, such as software updates, antivirus signature updates, and helpdesk support, were rapidly stretched to their operational and architectural limits. Downloading antivirus signatures to a central server, from where they are pushed across the LAN to all corporate machines, works well enough in an office-bound world. Not so much when every employee is connecting through a VPN that, by the way, was sized on the assumption that no more than 25% of employees would be working remotely at any given time. And, by the way, who relies on AV signatures alone any more?

Monitoring this mess has also become more difficult: the remote workforce behaves very differently from the office workforce, accessing the network at unpredictable hours as people balance the demands of work and family. As a result, network traffic patterns have changed beyond recognition. Defenders must re-baseline their monitoring systems and alert thresholds, or risk leaving threat actors free to use the atypical patterns to mask infiltration attempts.

By the numbers 1: 78% of the more than 3,500 security and IT leaders surveyed by VMware reported that attack volumes increased as a result of home working. 79% reported that attacks have become more sophisticated. 82% reported they had suffered a material breach (including breaches that must by law be reported, and those that involved the theft of highly sensitive information).

Critical to dealing with this is the fact that, even as COVID-19 vaccination rates reach critical mass, leading commentators including Deloitte, Gartner, and PwC find that remote working has in general been a success in terms of employee productivity 2. Therefore the truly excellent job that IT and security teams did, at speed, during the early days of 2020 to make it work now needs to be future-proofed for the new normal. It is one thing to rise to the occasion and deliver a heroic outcome in a matter of days and weeks, and another to build a scalable and secure employee connectivity fabric that is operationally sustainable for the years ahead.

Recognising this, we see planning underway to replace legacy security architectures built for office working with a new model that follows the principles of zero trust. The assumption underlying zero trust is simply that no material part of the data path between the user and the workload can be inherently and natively trusted. No longer do we have the "secure and trusted" network zone inside the corporate firewall plus the "Wild West" of the untrusted internet. The internet is the network.

Where to start? Firstly, cloud native needs to be your guiding principle. No central-server push models to distribute updates to network-connected machines; everything needs to be managed and secured directly from the cloud. Keep evaluating user behaviour after initial authentication, and where the risk profile calls for it, re-authenticate. Most importantly from an authentication point of view: passwords alone have no place. Multi-factor authentication is the only game in town. Network flows between workloads need to be segmented (micro-segmentation) rather than relying on edge firewalls alone. On top of that, encrypt data in motion and data at rest (before the ransomware gangs steal your data), bearing in mind that at-rest encryption only protects stolen data if the keys are not reachable from the systems the attacker has compromised.
With those foundational blocks in place to future-proof your environment for this new world, don't forget detection. Work on the principle that attackers are doing their best to get in regardless of everything you have done to keep them out. Hunt for threats on endpoints, workloads, and in all network flows. In short, always verify, even if there are no obvious indicators of compromise.

Despite all the suffering and stress that the pandemic has wrought I have personally enjoyed the personal and productivity benefits that home working has afforded me. I find I am able to put in a solid day that helps customers and colleagues alike, and at the end I sleep well in the knowledge that by following zero trust principles my working environment is secured for the future. I’m working at home, but the cyber criminal hasn’t been able to follow me here.
 

I WANT 5 MILLION DOLLARS IN UNMARKED BILLS

The current state of ransomware & other modern attack campaigns


1989 was a historic year. George H. W. Bush became the 41st President of the United States, the first of 24 GPS satellites entered Earth's orbit, and Fijian cricket legend and former Governor-General Ratu Sir George Kadavulevu Cakobau GCMG GCVO OBE passed away. In that same year the first instance of ransomware, the "AIDS Trojan", was released into a world as yet unsuspecting of just how crippling and common this new form of cyber-attack would become.

In the more than three decades since, ransomware has evolved from that first floppy-disk, simple-encryption enfant terrible to a global network of criminal gangs creating, maintaining, and running ransomware operations at industrial scale. Today ransomware infrastructure is available as a service, on demand, to any miscreant with sufficient funds and insufficient morals. Ransomware-as-a-service (RaaS), first seen in 2015, now accounts for 14% of all ransomware attacks globally 1.

For many years the go-to, final line of defence against ransomware has been a well-architected and well-executed strategy for data and system backups. Any organisation with recent and complete backups could decline to pay the ransom and instead restore. Of course ransomware gangs adapted to this by ensuring that their tooling also hunted down and encrypted any backup location reachable from the network, while we defenders adapted by storing backups in vaults isolated from the network (offline, or on immutable storage that the compromised environment's credentials cannot modify).

As this game of cat and mouse continues, the ransomware gangs have evolved again in two other hugely significant ways. Understanding these latest changes in attacker behaviour is crucial if you are to defend your organisation against the disruption, downtime, and extortion that ransomware delivers.

Firstly, ransom is no longer demanded only as payment before your encrypted data is released. Once in your network, ransomware attackers will lie low before encrypting anything, spending time to discover and steal copies of your most interesting and valuable data. The period during which attackers retain access to your network is called "dwell time", and they also use it to establish multiple ways of getting back in should you discover them and kick them out. The longer the dwell time, the more deeply attackers may infiltrate your systems.

If you refuse to pay the ransom to release your encrypted data (because you assume you can just restore from backup), the attackers will still hold you to ransom, threatening to release or sell the stolen copy. Regardless of whether you pay, the attackers can and will sell that stolen data, in effect guaranteeing themselves a reward for their criminal behaviour. 40% of all ransomware attacks now involve this "double extortion" approach 2. Backups are no longer enough!

Secondly, ransomware is no longer introduced into your environment only through phishing attacks, physical media ("Oh look! I've found a 64 GB USB stick. Let me put that in my machine to see what interesting files are on it"), or by exploiting vulnerable and unpatched systems. In July this year the ransomware gang known as REvil launched an attack that leveraged software vendor Kaseya Limited's VSA (Virtual System Administrator) solution and its MSP (Managed Service Provider) ecosystem to push ransomware down to as many as 1,500 downstream victims. This is an example of an "island hopping" attack: one that steps across multiple, intermediary victims to reach the attacker's ultimate prize. Even your most trusted systems, in this case the very tool used to administer the endpoints, can be a route in for the ransomware gangs.

Each of these evolutions by ransomware gangs requires you to adapt your own defensive strategy.

Firstly, you must assume attackers are in your environment and preparing to launch an offensive. Don't wait for them to pounce. Hunt for the subtle breadcrumbs that attackers leave behind as they look for data to steal and prepare for their next stage of attack. The tools needed in your arsenal for such threat hunting include Endpoint Detection and Response (EDR) and the skills and discipline to recognise the attacker's trail. Critical too is a baseline knowledge of what "normal" looks like in your own network. By understanding normal it becomes easier to recognise the unusual, to spot attacker behaviour sooner, and to reduce the overall length of the attacker's dwell time.
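As an added example of the "know what normal looks like" point (and of the earlier observation that remote workers' hours have become unpredictable, so the baseline has to be learned rather than assumed), the following Python is not from the VMware post or any VMware product. It builds a per-user baseline of usual sign-in hours and source addresses from a constructed history of authentication events, then flags new events that fall outside that baseline. The log format (timestamp, user, source IP, result) and the one-hour slack around the observed window are assumptions for illustration.

```python
"""
Added example (not from the VMware post): learn a per-user baseline of
'normal' sign-in behaviour from historical authentication events, then
hunt through new events for anything outside it. Log lines are
constructed for the example; the format is an assumption, not any
particular product's output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: a remote worker who habitually signs in between
# roughly 07:00 and 21:00 from one home address, over several days.
BASELINE_LOG = """
2021-08-02T07:58:11 alice 203.0.113.10 success
2021-08-02T13:02:45 alice 203.0.113.10 success
2021-08-02T20:41:09 alice 203.0.113.10 success
2021-08-03T08:15:30 alice 203.0.113.10 success
2021-08-03T19:55:02 alice 203.0.113.10 success
2021-08-04T07:30:00 alice 203.0.113.10 success
2021-08-04T21:10:17 alice 203.0.113.10 success
""".strip().splitlines()

# Constructed new events to evaluate: one routine sign-in, two at 03:00
# from an address never seen before, and a user with no history at all.
NEW_LOG = """
2021-08-05T09:12:44 alice 203.0.113.10 success
2021-08-05T03:27:19 alice 198.51.100.77 success
2021-08-05T03:31:02 alice 198.51.100.77 success
2021-08-05T10:00:00 bob 203.0.113.55 success
""".strip().splitlines()


def parse(line):
    """Split one assumed-format log line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def build_baseline(lines, slack_hours=1):
    """Per user: (earliest_hour, latest_hour, known source IPs) from history.
    Only successful sign-ins shape the baseline; slack_hours widens the
    observed window so an ordinary early or late start is not noise."""
    hours = defaultdict(list)
    ips = defaultdict(set)
    for line in lines:
        ts, user, ip, result = parse(line)
        if result != "success":
            continue
        hours[user].append(ts.hour + ts.minute / 60)
        ips[user].add(ip)
    return {
        u: (max(0, min(h) - slack_hours), min(24, max(h) + slack_hours), ips[u])
        for u, h in hours.items()
    }


def hunt(lines, baseline):
    """Return a list of (line, reasons) for events worth a hunter's attention.
    A user with no baseline at all is itself a finding, not a free pass."""
    findings = []
    for line in lines:
        ts, user, ip, _ = parse(line)
        reasons = []
        if user not in baseline:
            reasons.append("no baseline for user")
        else:
            lo, hi, known_ips = baseline[user]
            h = ts.hour + ts.minute / 60
            if not lo <= h <= hi:
                reasons.append(f"outside usual hours {lo:.1f}-{hi:.1f}")
            if ip not in known_ips:
                reasons.append(f"new source ip {ip}")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in hunt(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(line, "->", "; ".join(reasons))
```

The point of the example is the shape of the logic, not the specific thresholds: the baseline is learned per user from their own history, so the night-owl and the early riser are each compared against themselves, and the two signals (time and source) are reported together so that an analyst sees "03:27 from a never-seen address" rather than two unrelated alerts.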

Secondly, begin today to plan your journey to Zero Trust 3. Zero Trust is not a single product you can buy or implement. Any vendor that tries to tell you otherwise should themselves be treated with zero trust. Zero Trust is an architecture (codified, as it happens, in NIST SP 800-207). Designing to a ZT architecture requires continual baselining of the security posture of all the endpoints and workloads in your environment, as well as your network architecture, and rethinking how and when you grant user (and API) access to critical data stores and applications. A ZT architecture makes it significantly more difficult for an attacker to gain an initial foothold in an environment, or then move from one machine to another.
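To make the architecture concrete, here is an added example that is not from the VMware post and not any vendor's product: a toy policy decision point that evaluates every access request on its own merits, in the spirit of the principles listed in the first article (MFA mandatory, continual evaluation with re-authentication where risk calls for it) and the posture baselining described here. The request fields, the thresholds, and the names of the risk signals are assumptions chosen for illustration.

```python
"""
Added example (not from the VMware post, not any vendor's product): a toy
zero-trust policy decision point. Every request is judged on who is asking
(and how they authenticated), from what device (and how fresh its posture
evidence is), for what resource, and how old the session is. Field names,
thresholds and risk-signal names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Request:
    user: str
    mfa_verified: bool            # did this session complete MFA?
    auth_time: datetime           # when the user last authenticated
    device_compliant: bool        # endpoint posture: EDR present, disk encrypted, patched, ...
    posture_checked_at: datetime  # when that posture evidence was last collected
    resource: str
    resource_sensitivity: str     # "low" or "high"
    risk_signals: list = field(default_factory=list)  # e.g. "new_geo", "impossible_travel"


@dataclass
class Policy:
    max_posture_age: timedelta = timedelta(hours=1)
    max_session_age_high: timedelta = timedelta(minutes=30)
    max_session_age_low: timedelta = timedelta(hours=8)
    step_up_signals: frozenset = frozenset({"new_geo", "new_device"})
    deny_signals: frozenset = frozenset({"impossible_travel"})


def decide(req: Request, now: datetime, policy: Policy = Policy()):
    """Return ("allow" | "step_up" | "deny", reason).
    Order matters: hard failures (no MFA, bad or stale posture, a deny-class
    signal) are checked before anything that merely asks for re-authentication,
    so an attacker cannot satisfy a step-up on a non-compliant device."""
    if not req.mfa_verified:
        return "deny", "session never completed MFA"
    if not req.device_compliant:
        return "deny", "device posture non-compliant"
    if now - req.posture_checked_at > policy.max_posture_age:
        return "deny", "device posture evidence is stale; re-check before granting"
    if any(s in policy.deny_signals for s in req.risk_signals):
        return "deny", "high-risk signal present"
    max_age = (policy.max_session_age_high if req.resource_sensitivity == "high"
               else policy.max_session_age_low)
    if now - req.auth_time > max_age:
        return "step_up", f"session older than {max_age} for a {req.resource_sensitivity}-sensitivity resource"
    if any(s in policy.step_up_signals for s in req.risk_signals):
        return "step_up", "risk signal requires re-authentication"
    return "allow", "all checks passed"


# Constructed requests exercising each branch of the policy.
NOW = datetime(2021, 8, 5, 10, 0, 0)


def sample_requests():
    fresh = NOW - timedelta(minutes=5)
    return {
        "ok":            Request("alice", True, fresh, True, fresh, "payroll-db", "high"),
        "stale_session": Request("alice", True, NOW - timedelta(hours=2), True, fresh, "payroll-db", "high"),
        "no_mfa":        Request("bob", False, fresh, True, fresh, "wiki", "low"),
        "stale_posture": Request("carol", True, fresh, True, NOW - timedelta(hours=3), "wiki", "low"),
        "new_geo":       Request("dave", True, fresh, True, fresh, "wiki", "low", ["new_geo"]),
        "travel":        Request("erin", True, fresh, True, fresh, "wiki", "low", ["impossible_travel"]),
    }


def evaluate_all(now=NOW):
    """Map each sample request name to the decision the policy returns."""
    return {name: decide(r, now)[0] for name, r in sample_requests().items()}


if __name__ == "__main__":
    for name, r in sample_requests().items():
        print(f"{name:14s} -> {decide(r, NOW)}")
```

Two design choices are worth noting. The session-age limit depends on the sensitivity of what is being asked for, so a long-lived session that is fine for the wiki is not fine for the payroll database; that is the "re-authenticate where the risk profile calls for it" principle in code. And stale posture evidence is a deny, not a step-up: asking the user to type a second factor tells you nothing about whether their laptop still has EDR running.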

Ransomware is here to stay. Criminal gangs both small and large are banking their ill-gotten rewards as they target organisations that have not kept up with the continued evolution in the tactics, techniques, and procedures attackers deploy at scale.

The time to evolve your defence is now. When the attacker next demands $5,000,000 in unmarked, untraceable crypto-dollars be ready to say “Not today”.
 
1. VMware Carbon Black, 2021 Global Security Insights Report: Extended enterprise under threat. https://www.vmware.com/resources/security/global-security-insights-report-2021-index.html
2. VMware Carbon Black, 2021 Global Cybersecurity Outlook Report.
3. VMware, Zero Trust Security. https://www.vmware.com/au/solutions/zero-trust-security.html