Revisiting the Security Threats That Marked 2019 and How They Were Managed
Wow, what a year it has been! Security attacks in 2019 were marked by a resurgence of ransomware, business email compromise (BEC) attacks, and the discovery of painful blind spots in the existing security programs of our new, and in some cases older, clients.
Ransomware Attacks: Due to the resurgence in ransomware attacks in 2019, and the ever-increasing threat to organizations still relying on simple passwords to authenticate to core business systems, our Incident Response (IR) services consultants saw a dramatic increase in business this year. Among the clients hit by ransomware, the common issues we encountered were an over-reliance on legacy endpoint protection solutions that offer little protection against new ransomware variants, and incomplete visibility into their environments.
Additionally, when it came to restoring services, very few organizations had tested their backup solutions, and fewer still had worked with the business side of their organization to design solutions that would meet its actual needs for redundancy and restoration. In several cases, the ransomware encrypted or destroyed the backups as well.
In these scenarios, our consultants were able to identify and remediate the problem, and help get our customers back to business as usual.
- As part of the initial IR service, besides handling the overall event with the customer, we typically work with the organization to deploy a next-gen EDR solution (along with other visibility tooling) so we can see what is occurring in the environment and detect and prevent further spread of the ransomware.
- When it came to the restoration issues these customers faced, our compliance services consultants routinely identified a key disconnect within these organizations: the business side's expectations of backup and restoration often did not match the capabilities of the solutions they had invested in. In some cases, they had not invested in the necessary solutions at all. We performed Cybersecurity Roadmap and Tabletop engagements with these clients to uncover their restoration gaps and identify a path forward. The earlier you identify these issues, the more accurately you can ascertain your organization's ability to withstand a significant security event.
Business Email Compromise (BEC) Attacks: Both our MSP analysts and IR consultants have seen a steady increase in BEC attacks since December 2017, when a database of 1.4 billion cracked credentials was made available online. The largest contributing factor to the success of these attacks ultimately comes down to an organization's lack of visibility into its cloud or on-premises email services, and failure to enforce multi-factor authentication for all users.
- Utilize Multi-Factor Authentication: From our penetration testing consultants' perspective, the best thing you can do for your organization is roll out multi-factor authentication. Credential-stuffing and password-spraying tooling is far too mature for organizations to still rely on just usernames and passwords. Given the volume of attacks we see and perform, it is no longer a matter of "IF" your organization will have a compromised account, but "WHEN" it will occur and how long it will take your security team to spot that a compromise has happened.
- Validate Email Controls: From an IR services perspective, we cannot recommend enough that someone validate immediately that audit logging and the related policies are enabled in your email solution. Do not wait to validate this control. Without pre-existing logs it is very difficult to establish a timeline of activity and of the movement of email and data out of a compromised account, which means that under disclosure requirements your organization will have to assume liability for a much larger set of potentially exposed data, because it cannot prove what was and was not accessed.
- Continue Monitoring: Once you have established some level of visibility into your email solution, the obvious next challenge is to make sure you can handle the ongoing requirement to monitor account activity. Continued monitoring is critical for spotting compromised-account activity such as unexpected sign-in locations, new inbox rules, and mail forwarding to external addresses. Our managed services and solutions can assist you in meeting this challenge.
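As an added example of the kind of monitoring described above (this is illustrative code written for this page, not DirectDefense's tooling), the script below triages mailbox audit records for the classic BEC indicators: a sign-in from an unexpected country, an inbox rule or mailbox setting that forwards mail off the organization's domain, a rule that silently deletes matching mail, and a rule with a throwaway name. The record schema is a simplified, assumed one loosely modelled on cloud-mailbox audit exports, and the sample records, the domain `example.com` and the allowed-country list are all constructed for the example.

```python
"""Triage constructed email audit records for common BEC indicators.

Added example, not vendor code. The record schema ("ts", "user", "op",
"ip", "country", "params") is an assumption; the sample data is constructed.
"""

ORG_DOMAIN = "example.com"      # assumption: the organization's own mail domain
ALLOWED_COUNTRIES = {"US"}       # assumption: where this org's users normally sign in

# Constructed sample records (not real log data); field names are an assumed schema.
SAMPLE_RECORDS = [
    {"ts": "2019-11-04T13:02:11Z", "user": "ap@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "country": "US", "params": {}},
    {"ts": "2019-11-05T03:14:55Z", "user": "ap@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.9", "country": "NG", "params": {}},
    {"ts": "2019-11-05T03:16:02Z", "user": "ap@example.com", "op": "New-InboxRule",
     "ip": "203.0.113.9", "country": "NG",
     "params": {"Name": ".", "ForwardTo": "ap.invoices@mail-example.net",
                "DeleteMessage": True, "SubjectContainsWords": "invoice;wire"}},
    {"ts": "2019-11-05T03:20:40Z", "user": "ap@example.com", "op": "Set-Mailbox",
     "ip": "203.0.113.9", "country": "NG",
     "params": {"ForwardingSmtpAddress": "smtp:ap.invoices@mail-example.net"}},
    {"ts": "2019-11-05T09:00:00Z", "user": "cfo@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.8", "country": "US", "params": {}},
    {"ts": "2019-11-05T09:05:00Z", "user": "cfo@example.com", "op": "New-InboxRule",
     "ip": "198.51.100.8", "country": "US",
     "params": {"Name": "Newsletters", "MoveToFolder": "Archive"}},
]

# Parameter names that carry a forwarding destination in the assumed schema.
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress")


def is_external(address):
    """True if an address (optionally 'smtp:' prefixed) is outside ORG_DOMAIN."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return not addr.endswith("@" + ORG_DOMAIN)


def find_bec_indicators(records, allowed_countries=ALLOWED_COUNTRIES):
    """Return (timestamp, user, reason) findings in time order."""
    findings = []
    for r in sorted(records, key=lambda rec: rec["ts"]):  # ISO-8601 sorts lexically
        user, op, p = r["user"], r["op"], r.get("params", {})
        # 1. Interactive sign-in from outside the expected countries.
        if op == "UserLoggedIn" and r.get("country") not in allowed_countries:
            findings.append((r["ts"], user,
                             f"sign-in from {r['country']} ({r['ip']})"))
        # 2. Rule or mailbox setting that forwards mail off the domain.
        for key in FORWARD_KEYS:
            if key in p and is_external(p[key]):
                findings.append((r["ts"], user,
                                 f"{op} forwards mail externally to {p[key]}"))
        if op == "New-InboxRule":
            name = p.get("Name", "")
            # 3. Rule that deletes matching mail: hides the attacker's thread from the victim.
            if p.get("DeleteMessage"):
                findings.append((r["ts"], user,
                                 f"inbox rule '{name}' deletes matching mail"))
            # 4. Throwaway rule name such as '.' or '..', a common attacker habit.
            if not name.strip("."):
                findings.append((r["ts"], user,
                                 f"inbox rule with throwaway name '{name}'"))
    return findings


def timeline(records, user):
    """Every action by one account in time order: the IR timeline the logs enable."""
    return [(r["ts"], r["op"], r["ip"])
            for r in sorted(records, key=lambda rec: rec["ts"]) if r["user"] == user]


if __name__ == "__main__":
    for ts, user, reason in find_bec_indicators(SAMPLE_RECORDS):
        print(ts, user, reason)
    print(timeline(SAMPLE_RECORDS, "ap@example.com"))
```

Run against the constructed records, the script flags five findings, all on the ap@example.com account (the foreign sign-in, the externally forwarding rule, its delete action, its throwaway name, and the mailbox-level forwarding), and nothing on the CFO's benign archive rule. The `timeline` function is the point of the "Validate Email Controls" advice above: it only works if the audit records were being written before the compromise.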
Discovery of Painful Blind Spots: Our IR services team saw a lot of clients find out the hard way that they had gaps or blind spots in their security solution coverage or their security visibility. In 2019, DirectDefense launched a new Connected Systems practice to address Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA), IoT, IIoT, and embedded mobile devices and systems. Some of our most interesting customer feedback came from the launch of this new practice area.
- Regardless of industry, nearly every organization has some form of SCADA/ICS/IoT solution deployed in its networking environment. While performing assessments and compliance gap reviews, our Connected Systems team routinely found a lack of segmentation between these networks and normal IT networks. This is very troublesome because many of these solutions ship with insecure defaults and were designed on the assumption that they would sit on an isolated network. In many cases, third parties had access to these systems without oversight from the system owner.
- Security vulnerabilities in these SCADA/ICS/IoT networks have real business impact. Our consultants routinely found security issues that would affect manufacturing production goals and quality requirements: they could have caused outages of the environment's primary functions and could have significantly impaired the business's ability to restore its production levels.
- IoT devices are more prevalent than ever, and several vendors now produce essentially the same devices with only small variations. Our security consultants identified significant security issues in the products they tested, and in doing so helped manufacturers demonstrate a competitive advantage: a product whose security has been independently reviewed and tested can be marketed as outpacing its competition.
- ICS/SCADA owners are responsible for the health of their ecosystems. They need to decide whether the devices and vendors involved are good or bad for the ecosystem and put controls in place to prevent things like Vendor Transmitted Diseases (compromises introduced through a vendor's remote access or equipment). If you need help with this, consider our ICS/SCADA Security Operations Center real-time monitoring offering.
Since we started DirectDefense, it has always been our aim to help our clients meet both their security and business goals. Whether 2020 brings new attack vectors or rehashes old ones, we're here to enable your organization to:
- Be Informed: Our Penetration Testing and Connected Systems teams are here to help you identify your security gaps and develop strategies to remediate those issues.
- Be Strategic: Our compliance services team is here to help you establish your security program benchmarks and measure your compliance and risk requirements.
- Be Secure: Our MSP and IR services teams are here to help you monitor and respond to threats in your environment in a timely and proactive fashion.
Happy holidays – see you in the new year!