Lessons From The Cyber Front Line

Uploaded on 2022-10-05 in NEWS-News Analysis, FREE TO VIEW

Very few weeks go by without news of another cyber attack or data breach and a quick scan of the BBC news website shows that in most months, there is at least one story that makes the national news headlines. While just a few years ago, many cyber attacks would go unnoticed by the public and quietly swept under the carpet, legal requirements to report breaches along with the power of social media, means that the world gets to know about them.

Like most news, today’s headlines are tomorrow’s chip paper, but for those directly involved it lives on for a long time, while the rest of us should be looking and learning to stop the same things happening again. Below is a selection of some infamous cyber attacks for a quick refresh as to how the criminals managed to wreak havoc and how they could have been avoided. 

SolarWinds 

Very few people outside of the tech community had heard of SolarWinds before late 2019 when cyber criminals gained access to the SolarWinds' network. They spent some time moving around and investigating the network landscape before testing a malicious code injection into the Orion Platform - a network management system used by government organisations and businesses to manage their IT resources. In February 2020, the code known as Sunburst was let loose and the following month, SolarWinds unknowingly sent out Orion software updates, which included the Sunburst malware.

This massive supply-chain attack was installed by more than 18,000 organisations, enabling the attackers to access SolarWinds' customers' IT systems. From that point, they were able to install further malware so they could spy on target organisations and cause major problems. According to SolarWinds, the attack, recovery and ensuing fallout cost $40 million in the first nine months of 2021, while a survey of IT decision makers across SolarWinds customers found that the average financial impact of the attack was 11% of annual revenue or about $12 million per company.

Travelex 

In December 2019, the Travelex foreign exchange company was targeted by the REvil ransomware group. The hacker group encrypted Travelex's network and made copies of 5GB of personal data. If Travelex didn't pay the ransom, they threatened to publicly publish the data. It's likely the cyber criminals were lurking on Tavelex's network before initiating their ransomware, having gained access via an unpatched VPN (Virtual Private Network). Travelex reportedly paid around $2.3M in ransom and the combination of business disruption plus the COVID-19 pandemic forced the world’s largest foreign exchange bureau into administration.

Equifax

For two months during 2017, the American credit bureau Equifax was subject to a massive data theft, where information relating to millions of customers was stolen. The company was initially hacked through a consumer complaint web portal, with the cyber criminals making use of a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.

The attackers were then able to move to other servers, due in large part because they were able to find usernames and passwords stored in a plain text file that then allowed them access. Data was pulled out of the network over a long period of time so that no large data movements could be detected. In total, the hackers stole the personal information of 147.7 million Americans from 48 Equifax servers over 76 days, before they were detected. The information was also encrypted by the cyber criminals so that its theft was not spotted.

The subsequent financial impact on the organisation has been massive, not to mention the jail term for the CIO who sold $950,000 worth of company shares before the data breach became public knowledge. In February 2020, the U.S. Department of Justice announced charges against four Chinese military-backed hackers in connection with carrying out the attack.

Edward Snowden – the inside job

In 2013, the now infamous Edward Snowden pilfered documents from America’s NSA and gave them to journalists - and probably governments - in an effort, he claims, to expose the U.S. government spying apparatus. According to cyber firm Venafi, as an administrator, Snowden was able to create digital certificates and cryptographic keys undetected by the NSA. Using these keys, he was able to gain access to systems and then locate the files he wanted to steal. 

For exfiltration, Snowden transferred the data over encrypted channels to his own external file share using self-signed certificates. So as far as the NSA was concerned, these signed transmissions were safe and authorised and allowed to pass unquestioned. He was able simply to copy data from the network to removable drives.

NHS 111

Most recently, in August 2022, a cyber attack on NHS supplier Advanced, the firm which provides digital services for NHS 111, targeted the system used to refer patients for care, including ambulances being despatched, emergency prescriptions and out-of-hours appointment bookings. 

The attack was reportedly due to ransomware, thought to have been the result of phishing. Once the ransomware had been inadvertently executed, it may have been operating in the background, exfiltrating data before attackers disabled systems in the network, alerting the company to the attack.

Lessons Learned?

For SolarWinds, since software such as Orion is built using components from multiple sources, a Software Bill of Materials (SBOM) should have been used. This is a way in which all the components may be listed and checked so that rogue components can quickly be identified and removed. In addition, keeping all source code encrypted on a per-file, per-user basis would have blocked any unauthorised hacker from being able to access code files.

In the case of Travelex, patching the VPN would have been a significant block to the cyber criminals, but the ransomware could easily have been deployed using other techniques such as phishing. An ‘allowlisting’ approach to application control would have blocked the ransomware, no matter how well it had been disguised. Application control, which uses allowlisting ensures that a system will only run processes that are on the authorised allowlist. All other processes are blocked. In a business environment, we know exactly what should be running on a machine, so this approach is both simple and highly effective. For SolarWinds customers, the deployment of application control which uses allowlisting would have prevented the attackers from running the malware which they installed after having gained access to each customer’s network.

In the case of Equifax, the consumer complaint web portal should of course have been patched, and no administrator or any other user should have stored usernames and passwords in a freely accessible file. While in most organisations it is highly unlikely that the whole series of errors would all happen, we all make mistakes. Systems cannot always be patched immediately because of conflicting system dependencies; and users - and administrators - sometimes do unexpected things. 

All these examples show the need for comprehensive off-network backups and better cyber security training, but also that we should always assume that a cyber criminal may always gain network access.

So, it’s important to protect the data itself. This means all of the data all of the time, no matter where it is stored or copied. Using file-level encryption to encrypt all data everywhere, the Equifax data breach would have resulted in a story which lasted just a few days, rather than years. If all their data had been encrypted so that when exfiltrated, it remained encrypted, the attackers would have stolen terabytes of completely useless data.

The same approach would have thwarted Snowden. If the encryption system provides each user with their unique encryption key, then Snowden would have been able to do his job - even moving files around - but completely unable to decrypt and access the information.

20:20 hindsight is a wonderful thing but if we are going to gain anything from these cyber attacks, we need to learn from them and look at new ways of protecting our data and not simply carry on building up more layers of defence to prevent people from getting in. 

Nigel Thorpe is Technical Director at SecureAge

You Might Also Read: 

Who Can You Trust With Your Data?:

 

« Why Companies Need A Next-Gen Approach To Business Continuity
Modernising SecOps: It’s Time To Unpick The Complex Matrix »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Zerto

Zerto

Zerto provides enterprise-class disaster recovery and business continuity software specifically for virtualized data centers and cloud environments.

RU-CERT

RU-CERT

RU-CERT is the CSIRT / CERT team of the Russian Federation.

QATestLab

QATestLab

QATestLab is a leading International software testing company offering a full range of software testing services including security testing.

Secure Thingz

Secure Thingz

Secure Thingz focus on developing and delivering advanced security solutions into the emerging Industrial Internet of Things (IIoT) and Critical Infrastructure markets.

SecuGen

SecuGen

SecuGen is a leading provider of advanced, optical fingerprint recognition technology, products, tools and platforms for physical and information security.

National Cyber Security Center (NCSC) - Hungary

National Cyber Security Center (NCSC) - Hungary

The National Cyber Security Center was established in 2015 by uniting the GovCERT-Hungary, National Electronic Information Security Authority (NEISA) and the Cyber Defence Management Authority (CDMA).

CyberFortress

CyberFortress

CyberFortress is an insuretech startup offering a new kind of online business interruption policy designed for small business.

Data Theorem

Data Theorem

Data Theorem is a leading provider in modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere.

Cyber Range Malaysia

Cyber Range Malaysia

With Cyber Range Malaysia organizations can train their security professionals in empirically valid cyber war-gaming scenarios necessary to develop IT staff skills and instincts for defensive action.

Netsurion

Netsurion

Netsurion powers secure and agile networks for highly distributed and small-to-medium enterprises and the IT providers that serve them.

Thoma Bravo

Thoma Bravo

Thoma Bravo is a leading private equity firm with a 40+ year history and a focus on investing in software and technology companies.

Dazz

Dazz

Dazz is the cloud security remediation platform for smart security and development teams.

Island

Island

Island puts the enterprise in complete control of the browser, delivering a level of governance, visibility, and productivity that simply weren’t possible before.

SOOS

SOOS

SOOS is the easy-to-integrate software security solution for your whole team. Build, catch, and fix vulnerabilities with SOOS Software Composition Analysis.

Blackpanda

Blackpanda

Blackpanda is Asia’s premier cyber security incident response group, hyper-focused on digital forensics and cyber crisis response.

RedNode

RedNode

RedNode is a cybersecurity service provider that offers customized security testing solutions to protect any size of business worldwide.