Takeaways From Notable Law Firm Data Breaches

Law firms collect sensitive and privileged data, making them prime targets for cyberattacks. Unfortunately, some of these attacks succeed and the news of a law firm data breach becomes part of the public domain.

This is why law firms need a strong cybersecurity posture to defend against modern threats. This blog discusses specific threats, what happens when law firms get attacked, and what are some best cybersecurity practices.

Why is the Legal Sector Targeted?

The global market for legal services is expected to surpass one trillion dollars by 2025. Cybercriminals like industries where the impact on the reputation of the target is disproportionately high, as there’s more likelihood the victim will pay a ransom.

Aside from the fact that legal firms typically store details about trade secrets, intellectual property, mergers, and other lucrative information on their computer systems, threat actors perceive these organizations as unlikely to prioritize cybersecurity. A 2021 survey of law firms reinforced this perception when it found that just 36% of respondents had a formal incident response policy for cybersecurity events.

Looking at some of the most high-profile law firm data breaches underscores just how persistent cyber threats are to the legal industry.

Campbell Conroy & O’Neil

Campbell Conroy & O’Neil, a large law firm practicing across 11 different locations in the United States, clients included Ford, Honda, and Boeing. In February 2021, malicious actors infiltrated Campbell Conroy & O’Neil’s IT network and installed ransomware, which prevented access to important files.

A data privacy incident disclosure released by the firm indicated that sensitive information about individuals was compromised, including financial account information, Social Security numbers, passport numbers, and payment card information. The firm offered affected individuals 24 free months of credit monitoring, fraud consultation, and identity theft restoration services.

Grubman Shire Meiselas & Sacks

With a client portfolio that includes musicians such as Lady Gaga, Madonna, and Drake, Grubman Shire Meiselas & Sacks (GSMS) is another law firm that boasts a high profile reputation. The company, which serves media and entertainment clients, had 756 gigabytes of private documents and correspondence exfiltrated from its network in May 2020 during a ransomware attack.

The threat actors behind the attack on GSMS were part of the notorious REvil gang. Before their eventual arrest in 2022, REvil members racked up a considerable list of ransomware victims. REvil demanded a $42 million ransom from GSMS. After an initial $21 million demand went unmet, REvil members posted 2 gigabytes of stolen data about GSMS’ clients on the dark web to further incentivize payment.

Jones Day

First founded in Cleveland over hundred years ago, Jones Day is the fifth-largest law firm in the US and one of the top 15 highest-grossing in the world.

The Jones Day attack resulted from a software supply chain vulnerability in the Accellion file transfer system that impacted a total of 100 organizations. Supply chain attacks often have far-reaching, downstream consequences that impact hundreds of companies and potentially millions of people from a single vulnerability.

Common Attack Vectors Leading to Law Firm Data Breaches

While the cyberthreat landscape is ever-changing, there are some clear trends in the attacks that lead to big law firm data breaches. Here are some of the main methods, attack vectors, and tactics that hackers deploy to target businesses in the legal sector:

Ransomware

Ransomware attacks use encrypted systems and/or stolen, exfiltrated data as leverage to extort large payments from law firms. Industry sources indicate that smaller law firms are increasingly impacted by ransomware. The threat of ransomware is not going away despite several high-profile recent arrests targeting ransomware gangs.

Ransomware can bring significant costs to a law firm after a data breach, not just from the damage done to encrypted systems, but also from regulatory penalties due to inadequate protection of sensitive client data. In March 2022, UK criminal defense firm Tuckers Solicitors received a £98,000 fine in the wake of a ransomware attack that compromised sensitive criminal court information.

To address the risk of ransomware attacks, law firms should securely backup systems and data, deploy advanced endpoint and email security, monitor threats on a 24/7 basis, and implement multi-factor authentication.

Phishing

Phishing campaigns are becoming more common for law firms as hackers improve their skills in crafting convincing emails that persuade law firm employees or their clients to unknowingly take dangerous actions, such as clicking a malicious link, revealing private information, or installing malware. Phishing has morphed in recent years to not just target email but also smishing (text messages) and vishing (phone calls).

Threat actors often hit law firms with more targeted spear-phishing campaigns in which they either target or impersonate a very specific individual within that company. In one recent instance, a new Finance Manager at a law firm transferred £60,000 to an individual impersonating a trusted supplier.

Attacks Against Remote Workers

With hybrid work policies becoming a mainstay of how many law firms operate, many cyberattacks try to exploit potential security gaps in remote work technology. One example is trying to compromise or brute force entry into remote desktop protocol (RDP) connections from which law firm employees log in and work remotely.

A successful compromise of an RDP account can give threat actors the keys to a corporate network. Hackers can also try to get into a law firm’s network through VPN accounts, unsecured public Wi-Fi connections, and even through IoT devices.

Software Vulnerabilities

Cybercriminals will try to exploit security vulnerabilities in software used by law firms, such as general IT software or specialized legal software. Jones Day was a prime example of the impact of this type of attack. Australian firm Allens was another legal sector victim from the Accellion fallout.

Hackers can also exploit vulnerabilities in third party libraries and other components that provide functionality to applications. These so-called software supply chain attacks can simultaneously affect thousands of businesses. The recent Apache Log4j vulnerability was a software supply chain attack.

Cybersecurity Best Practices for Law Firms

Many law firms lack the IT resources to make security a priority and might feel intimidated by the prospect of strengthening their cybersecurity practices in light of today’s high-volume, sophisticated threat landscape. But becoming more secure doesn’t have to break the budget by hiring dozens of expert security specialists. Quite often, even the most high-profile breaches stem from entirely preventable security errors and could have been mitigated by following some basic best practices.

Here are some recommendations to improve your law firm’s cybersecurity and prevent your organization from being the next law firm data breach.

Draft a Security Policy

Even in 2022, 17% of respondents surveyed report their law firm does not have any security policies and another 8% do not know about their law firm’s security policies. This is a basic requirement that any legal firm should have in place regardless of its size. Draft a security policy that at a minimum covers BYOD, emails, data retention, and an incident response plan, if you were to be attacked.

Prioritize Patch Management

Incidents like the zero-day Accellion supply chain breach are difficult to do anything about because a zero-day software breach, by definition, hasn’t yet been patched with a security update. Still, patch management often is low on the priority list in terms of security prioritization – and this shouldn’t be the case. There are many vulnerability management solutions available to firms’ needing assistance in prioritizing.

The attack on GSMS highlighted pervasive patch management issues in the legal sector when a post-mortem of the incident revealed it all started with hackers exploiting unpatched Pulse Secure VPN servers. A patch for these servers was available for at least four months prior to the breach.

Protect your Endpoints

With cyberattacks often originating on endpoint devices, such as laptops and workstations, it’s imperative to step up endpoint security. Ideally, you should seek out a solution that effectively detects suspicious processes and behaviors on endpoints, such as using a comprehensive Endpoint Detection and Response (EDR) solution.

Secure Account Logins with Multifactor Authentication (MFA)

Passwords are no longer strong enough to secure access to employee accounts. New York City’s law department knows this all too well⁠—a 2021 incident saw hackers using an employee’s stolen password to infiltrate the department’s network. A recent Microsoft survey of their customers using Azure AD, showed 78% are still only using passwords without other strong identity authentication protections. It is critical to implement multifactor authentication (MFA) for access to key IT services, including Microsoft 365, remote desktop protocol, VPNs, cloud services, and even workstation logins.

Cloud Security

Law firms are increasingly using the cloud to store data and relying on cloud-based applications to operate their practices. Since cloud platform providers, like AWS, only take responsibility for securing their cloud platform, law firms must implement best practices for securing their data in the cloud by monitoring logs, scanning for vulnerabilities, and implementing other security controls to ensure unauthorized users cannot gain access to sensitive documents.

Identity Management

Law firms must prevent unauthorized access to sensitive data or core systems. Steps to reduce the risk of credential theft include using strong, unique passwords, multi-factor authentication, and fine-grained access controls that allow administrators to set employee permissions based on their roles and responsibilities. Monitor for high rates of authentication failures on service accounts for Windows. 

Continuous Monitoring for Compliance Issues

A host of diverse regulations aim to protect different types of sensitive data stored by law firms about their clients. For protected health information, there’s HIPAA, the CCPA protects data privacy for Californian residents, the GDPR protects data belonging to EU citizens and residents. Noncompliance with any regulation risks costly penalties, and it’s critical to meet all forms of regulatory oversight that apply to your firm.

Simple steps, such as continuous monitoring enables you to rapidly detect compliance risks before they become serious security issues and log analysis and reporting enables better visibility. If this is something your firm is unable to do in-house, there are options to outsource to cybersecurity specialists, such as a Managed Detection and Response provider.

Improve Incident Response

When a security threat is detected, law firms must respond quickly to reduce the risk of a security breach. However, many law firms do not have the resources to respond to high priority alerts on a 24/7 basis and sometimes internal processes can slow up response actions. By instantly blocking an attack or containing a threat, automated response solutions provide time for investigation and remediation before a law firm’s security is compromised.

A dedicated incident response plan is critical for any law firm that suffers a data breach, as it addresses what happens once hackers get past your perimeter security controls.

The incident response plan establishes processes for detecting, containing, investigating, and recovering from security incidents that have already infiltrated your environment. It’s highly recommended to include ransomware preparedness as part of this plan with a clearly defined set of steps to take if your firm’s network gets hit by a ransomware attack (ex. should you pay?).

Without any semblance of a plan in place, cybersecurity incidents easily lead to panicked decisions that make the problem worse. While incident response plans and functions can be challenging to put in place, the cost of a data breach at a law firm makes the effort worthwhile.

Closing Thoughts

Downtime, loss of billable hours, and reputational harm are outcomes that no company wants to face, but they are entirely within the realms of possibility from any law firm data breach. However, following some simple best practices will help your firm get on the right track. For those struggling to get the resources in-house, looking to partner with a security provider offers an affordable, scalable, and efficient way to address security gaps for law firms of all sizes.

To learn how Proficio to find out how we can help your law firm improve its cybersecurity defences, contact us.

Increased Cybersecurity Risks from Russian Cyber Attacks Resulting From the Russia Ukraine Conflict

A barrage of sanctions from the U.S. and E.U. continues to rain down on Russia following Vladimir Putin’s decision to invade Ukraine. The damage inflicted by these sanctions poses concerns about possible retaliation measures against Western nations.

Given Russia’s significant capabilities and history of cybercrime, it appears likely that Russian cyber attacks, particularly against critical public sector infrastructure, may be on the agenda. These attacks have already begun against Ukraine and very likely will turn to the Western nations next.

Let’s take a look at some plausible risks, scenarios, and targets if Russia decides to turn to cyber attacks against Western nations during the ongoing conflict, so you can stay protected.

Russian Cyber Attacks Preceding the Physical Invasion of Ukraine

Before the Russian military stepped over the physical borders of Ukraine, there was an escalation in cyber attacks carried out by the country’s extensive cyber units, as their banks and government websites were targeted with data-wiping malware and DDoS attacks. These actions confirmed that cybercrime is a central component of modern hybrid warfare.

According to the United States Congressional Research Service, Russia has a history of deploying cyber crime during wartime. During its 2008 war with Georgia, a large-scale DDoS attack crippled electronic communications at several government and financial institutions.

The escalation in cyber warfare is a continuation of attacks on Ukraine stretching back to Russia’s annexation of Crimea in 2014. A quick recap of some of these incidents serves as a reminder of what type of attacks Russia’s cyber units engage in during war times and the damage they can cause:

  • In December 2015, a complex, multi-phase attack took down Ukraine’s power grid leaving over 230,000 consumers without power.
  • A year later in December 2016, websites and payment systems belonging to the Ukrainian Ministry of Finance and State Treasury were taken offline by Russian malware.
  • In June 2017, Russia targeted Ukraine with a variant of the Petya ransomware (NotPetya), which hit Ukrainian ministries and banks, and even took down a radiation monitoring system at the Chernobyl nuclear plant.

Russian Cyber Attacks on Western Nations

While the attacks against Ukraine are proof of Russia’s cyber power, what conclusions can we draw about Russian cyber attacks on Western nations? Pertinent examples from in recent years help us to predict who Russia might target in the West, possible tactics they may use, and what the consequences could be.

  • Russian cyber unit Fancy Bear was implicated in the July 2016 hacking of the Democratic National Committee. Using tactics such as spear-phishing emails, keylogging software, and privilege escalation, the hack resulted in an email leak that stoked divisions in the Democratic party. The attack was seen as a Russian effort to weaponize information and interfere in the US Presidential election.
  • The NotPetya malware that hit Ukraine in 2017 spread to organizations in several Western nations, including Great Britain, France, Germany, and the United States. Maersk, the world’s largest container ship operator, suffered $300 million in damages from NotPetya. FedEx suffered similar costs to Maersk as a result of its subsidiary TNT Express being impacted by the ransomware strain.
  • The SolarWinds data breach is the most infamous recent example of Russian cybercrime against a Western nation. In this supply chain attack, Russian threat actors managed to modify software updates for Orion, a SolarWinds network monitoring software used by the U.S. federal government. Malicious Orion updates installed on federal IT systems gave Russian threat actors undetected access to those systems for up to nine months.

Federal Government Warnings and Advisories

The recent history of Russian cyber warfare clearly paints a worrying picture for Western nations. A diverse range of past attacks impacted critical public services and infrastructure, , especially and as new sanctions get imposed daily, Russian cybercriminals could easily look for new targets. The possibilities include:

  • Russian threat actors deploying similar attacks on Western nations to those that hit Ukrainian banks and government websites.
  • Cyber incidents spreading from Ukrainian businesses to organizations in other countries due to globally interconnected networks.
  • Standalone attacks on carried out as a direct response to ongoing Western sanctions damaging the Russian economy.

The highest levels of Western government assess the cyber risk landscape as an increasingly dangerous one if recent advisories and publications are anything to go by. The UK’s National Cyber Security Centre called on organizations to bolster their cybersecurity defenses in light of heightened cyber threats following Russia’s invasion of Ukraine. Recommended actions include patching systems, verifying access controls, and ensuring proper incident detection and response.

In the US, CISA director Jen Easterly indicated the agency was, “working with our federal partners, our state and local partners, and our industry partners to make sure that they’re aware of the potential threats of a potential cybersecurity crisis.” The FBI Cyber Division’s David Ring reportedly echoed similar sentiments during a call when he asked state and local leaders and business executives to think about how the provision of critical services could be disrupted by ransomware.

Meanwhile, in an address to the nation on February 24, 2022, President Joe Biden claimed that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond.”

These warnings, comments, and advisories show that there is a clear perception of increased cyber risk. The public sector and operators of critical infrastructure appear to be particularly vulnerable targets, so those operating in these sectors should continue to be on high alert.

Potential Upcoming Russian Cyber Attack Campaigns

It’s unclear how likely a Russian cyber attack on a Western nation is right now. The past actions of Russian cyber units indicate anything is possible. What is clear is that countries such as the United States and the United Kingdom are taking steps to prepare. Here are some potential upcoming Russian cybercrime campaigns to watch out for:

  • Targeting critical infrastructure: Statements from government officials in recent weeks have persistently referred to critical infrastructure. Cyber attacks on industrial control systems or even healthcare organizations pose threats to health and safety in addition to the monetary costs involved.
  • Data leaks: Russia has shown its willingness in the past to use information as a weapon. Threat actors lurking undetected in federal or other public sector networks may decide to leak confidential information in an attempt to sow discord. Spear phishing campaigns on public sector employees may provide new entry points into public sector IT networks.
  • Supply chain attacks: Russian cyber units may use existing footholds in software supply chains to initiate an attack that mimics SolarWinds and leads to widespread data breaches of government data.

While the risk of attack in the current environment may be high, there are steps you can take to be better prepared and stay protected against potential threats. We recommended you prioritize the following (in this order):

  • Patch / remediate any critical internet facing vulnerabilities that could be leveraged by an attacker to gain a foothold within the environment
  • Make sure that all endpoints have up-to-date endpoint protection, preferably an up-to-date EDR agent installed on all systems
  • Patch internal vulnerabilities that are commonly used by attackers to compromise an endpoint.
  • Geo-block Russian IP address ranges on the NGFW if you do not do business with this region

Closing Thoughts

If and when Russia decides to strike back against the West using its cyber attack arsenal, public and private sector organizations face the challenge of detecting potential cyber attacks quickly and responding before they spread and do serious damage. While proper cyber hygiene is a great start, you need around the clock monitoring to ensure you’re catching attacks before they cause damage.

Proficio’s managed detection and response service provides 24/7 investigation and incident remediation capabilities to help organizations manage threats and reduce businesses in this potentially dangerous new cybersecurity landscape. To better protect our clients in these uncertain times, Proficio is deploying additional, targeted monitoring solutions to detect and respond to these attacks. To learn more about how Proficio can help keep your organization secure, contact us.

7 Major Cyber Attacks in 2021 and Lessons Learned to Strengthen Your Defenses in 2022

Cyber attackers continued to successfully target organizations in all sectors and of all sizes during 2021. The biggest cyber attacks in 2021 resulted in damaging financial, reputational, and even societal consequences. Security leaders and teams should use the lessons learned from high-profile attacks to improve their organization’s security posture. Let’s look at 7 major cyber attacks in 2021 and the key lessons to learn from them.

The 2021 Cyber Attack Landscape

Threat actors continued to take advantage of additional security vulnerabilities created by the rapid pandemic-induced change to remote work. When remote work was a factor in data breaches during 2021, one study found the cost per breach increased by $1 million per incident.

37-Percent-Ransomware-2021-Cyber-AttacksRansomware remains one of the most significant cybersecurity threats with targets ranging from critical infrastructure to large enterprises to police departments. According to one report, 37 percent of organizations surveyed were hit by ransomware attacks in 2021.

Ransomware gangs now regularly use double extortion techniques. Not content with just encrypting important files or endpoints, in double extortion attacks, adversaries exfiltrate sensitive data before delivering ransomware payloads. The added incentive to pay the ransom comes from the threat of sensitive data being published on the Dark Web.

Another worrying trend in several 2021 cyber attacks was a focus on disrupting or infiltrating supply chains. Malicious actors target supply chains because they know that the downstream effects can hit multiple organizations or even result in supply shortages of critical goods and services.

2021 Cyber Attacks That Shook the World

Bearing this landscape in mind, here is a run-through of seven high-profile incidents that made global media headlines.

1. Colonial Pipeline

The Colonial Pipeline 2021 cyber attack concerned the information security community, consumers, and government agencies. Colonial Pipeline transports diesel, jet fuel, and gasoline across a 5,500-mile journey starting in Houston and terminating in New York. In May 2021, an Eastern European ransomware group known as DarkSide managed to infiltrate Colonial Pipeline’s billing system.

Darkside-Ransomware-Darth-Vader

Fearing an eventual lateral movement traversing the boundary between IT and operational technology (OT), the company halted all pipeline operations to contain the attack. The operational disruption lasted five days while Colonial Pipeline responded to the incident.

Part of the response involved paying a $4.4 million ransom to the ransomware gang. The FBI managed to recover a portion of this ransom in the aftermath. The concern around this breach was elevated by media images of panicked motorists queueing to stock up on gasoline because they feared an extended fuel shortage.

Subsequent investigations into the cyber attack on Colonial Pipeline found that the initial attack vector was a stolen password used to log in to a legacy VPN. The threat actors likely found the stolen password in a Dark Web leak list from a previous data breach. The Colonial Pipeline’s CEO, Joseph Blount, had to testify in front of the Senate Homeland Security and Governmental Affairs Committee about how the company handled this attack.

Lessons Learned:

  • Multifactor authentication is critical: In his testimony, Mr. Blount said that the hacked VPN account only had single-factor authentication. In today’s threat landscape, depending on passwords alone to secure access to accounts is very risky.
  • Poor password hygiene is still common: hackers used stolen credentials to log in to a VPN account. Aside from highlighting the vulnerabilities in relying on passwords, this attack shows how poor password hygiene, such as using passwords across multiple services and apps, remains commonplace. Better cyber awareness and training can combat this issue.
  • 24/7 monitoring is key: detecting events like suspicious use of VPNs, credential abuse, and policy violations around the use of remote access applications helps prevent compromises.

2. Accellion

Accellion provides file sharing and team collaboration tools to organizations that are reported to include Morgan Stanley, Shell Oil Company, Kroger, Health Net, Stanford University, and many others. In December 2020 and January 2021, one of the company’s legacy tools, Accellion File Transfer Appliance (FTA), became compromised with multiple zero-day vulnerabilities exploited by UNC2546 and UNC258, two threat actors with links to the Clop and Fin11 ransomware gangs.

In healthcare alone, over 11 organizations were impacted by this supply chain attack. A zero-day attack is particularly challenging because it exploits previously unknown vulnerabilities for which no fix yet exists.

Lessons Learned:

  • The importance of vulnerability management and patching: Speed is critical in patching zero-day vulnerabilities with known exploits. Risk-based Vulnerability Management tools and services can help organizations prioritize patch assets based on priority and context.
  • The need for data exfiltration protection: In addition to double-extortion ransomware attacks, this supply chain attack demonstrated that threat actors see data exfiltration as the ultimate prize. It is important for organizations to detect precursors of data exfiltration and behavior anomalies and automate containment actions to prevent loss of data.

3. JBS

JBS is the world’s largest meat processor with reported annual sales of $50 billion and over 230,000 employees.

On Sunday, May 30, JBS USA discovered it was the victim of a ransomware attack that affected some of the servers supporting its U.S., Australian and Canadian IT systems. The company suspended all affected systems, then contacted law enforcement.

JBS Cyber Attack Ransomware

Assistance from the FBI helped to confirm that the prolific REvil ransomware operation was responsible for the JBS meat cyber attack. In a statement made to the media, JBS announced the payment of an $11 million ransom to REvil in an attempt to mitigate the risk of sensitive stolen data being published online.

Since the attack did not affect JBS’ backup data or core systems the company was able to recover from the attack in a few days with minimal disruption to the supply chain. JBS issued press releases on May 30, June 1, June 2, and June 3 to keep customers and the public apprised of the status of the incident.

Lessons Learned:

  • Backup strategies still work: Some security commentators argue that backup strategies are redundant in a world where data exfiltration is the main goal of malicious actors. However, the ability to restore normal operations quickly after a cyber attack is imperative, particularly in critical industries such as meat processing upon which much of the world depends for survival. Just backing up systems and data is not sufficient. You also must take steps to protect your backup files from attempts to delete them.
  • Early detection and response: More detailed investigations into the JBS attack found that data exfiltration began after leaked credentials were exploited as far back as February 2021. Early detection and response could have played a crucial role in thwarting attackers while they were in the network. Perimeter-focused controls are no longer sufficient for defending against attacks; security teams lacking internal resources can turn to managed detection and response.
  • Incident Response Plan: Having a written Incident Response (IR) plan and routinely practicing the process makes a difference. JBS effectively engaged the appropriate government entities and third-party consultants who assisted with the forensic and mediation work.

4: Brenntag

In April of 2021, Brenntag, a German chemical distribution company, became yet another victim of DarkSide ransomware. Brenntag employs more than 17,000 people worldwide, and the company reported over $14 billion of revenue in 2019.

Ransomware PaymentIn yet another double extortion attack, DarkSide managed to exfiltrate 150 gigabytes of data from the North American division of Brenntag’s network. After data exfiltration, the Brenntag ransomware payload encrypted multiple devices and files on the company’s network using the Salsa20 file encryption algorithm.

The immediate response to the Brenntag ransomware attack focused on containing the threat by disconnecting affected systems from the network. The company also paid a $4.4 million ransom in return for both a decryption key and not having sensitive data belonging to 6,700 individuals published online. The sensitive data included birthdates, Social Security Numbers, driver’s license numbers, and health data.

 

Credential theft appeared to play a prominent role in this attack. A ransom note seen by security researchers at Bleeping Computer alluded to the fact that threat actors “bought access to the network”.

Lessons Learned:

  • Stolen credentials are a big problem: Initial network access via stolen credentials was a common theme in several 2021 cyber attacks. Mitigation requires a multi-pronged approach that includes multi-factor authentication, ongoing cyber education, and regularly mandating password changes.
  • The paradox of cyber attacks: Threat actors often deploy sophisticated tools and techniques to evade detection once inside networks, however, the methods they use to gain initial access often exploit incredibly basic cybersecurity flaws.

5: Volkswagen and Audi

VW Audi logos

Volkswagen has consistently been one of the top-selling automotive brands. In June 2021, details emerged of a significant data breach both at Volkswagen and Audi, one of the Volkswagen Group’s luxury line of vehicles. The breach exposed information belonging to 3 million customers.

For the majority of customers, the leaked details were basic and non-sensitive. However, at least 90,000 people were contacted about sensitive data exposure, including driver’s license numbers, Social Security numbers, and dates of birth.

A spokesperson indicated the Volkswagen data breach stemmed from a compromise at a third-party vendor used by the company. Vice magazine reported that a hacker obtained the data by scanning the Internet for unsecured Microsoft Azure Blobs, which are used to store unstructured data in the cloud.

Lessons Learned:

  • Third-party risks: Volkswagen trusted another vendor with its valuable customer data, but that same vendor failed to implement such a basic practice as securing all data stored in the cloud. Third-party risk management is crucial to avoid breaches like this one.
  • The need for data visibility: You cannot protect sensitive data when you do not know where it is stored or how it is secured. Comprehensive data visibility may have mitigated the possibility of this Volkswagen data breach from happening.

6: HSE Ireland

The Health Service Executive runs Ireland’s public health system. Over 67,000 direct employees help to maintain the health of Ireland’s populace. Several severe Covid-19 outbreaks stressed Ireland’s health system in 2021, and a ransomware attack in May came at the most unwelcome of times.

The installation of a ransomware payload by Conti threat actors completed a two-month operation that severely impacted the HSE’s IT infrastructure. The immediate aftermath of the HSE cyber attack resulted in healthcare professionals losing access to IT systems, including patient information systems, clinical care systems, and laboratory systems.

Equally as severe as this disruption to important health services was the exfiltration of sensitive healthcare data belonging to 1,000 patients. During negotiations about a ransom, Conti gang members began leaking patient data for up to 520 individuals on the Dark Web.

A detailed incident report found that the HSE cyber attack started in March 2021 when an employee clicked and opened a malicious Excel attachment. This attachment provided remote access to the HSE’s IT environment. Threat actors used Cobalt Strike, a penetration testing tool, to escalate their privileges on the originally compromised workstation.

Lessons Learned:

  • The need for threat intelligence: Robust threat intelligence and discovery helps detect tools like Cobalt Strike and stop similar incidents in their tracks.
  • The danger of phishing: Phishing emails with malicious attachments provide low-hanging fruit for adversaries to infiltrate your network. Robust email security software and employee training reduce the risk of malicious attachments or users being enticed to visit infected websites.

7: CNA Financial

Last but not least in our overview of 7 of the major 2021 cyber attacks is an attack that resulted in one of the largest ransom payments. CNA Financial, one of the biggest insurance companies in the United States, was hit by a March 2021 ransomware attack that encrypted up to 15,000 systems. The threat actors used a ransomware strain known as Phoenix CryptoLocker.

phoenix-cna-ransom-note

The attack began when an employee downloaded a fake browser update from a genuine website onto his/her workstation. Additional malicious activity helped to elevate privileges from the workstation to get network-wide administrative access. The final ransomware payload took down so much of the company’s IT infrastructure that executives felt they had no other option but to pay for the decryption key. The $40 million CNA Financial ransom payment set a record at the time that remains today.

  • The value of detection and response capabilities: With seemingly no functioning backup strategy in place to restore encrypted devices and files, this incident underscores the value of detection and response capabilities. By emphasizing defense-in-depth, businesses can detect and respond to cyber attacks much faster and limit their effects.
  • Some companies still pay: Despite government admonitions against paying ransom demands, several large companies paid substantial sums to hackers in 2021; none were more substantial than the $40 million that was the CNA Financial ransom. It is recommended that IT leadership prepares for this possibility by discussing options with management and their cyber insurance provider.

2021 Cyber Attacks Conclusion

There are many lessons to take forward from this list of seven major cyber attacks in 2021. Basic security flaws can provide hackers with an easy route into networks; even those belonging to the largest enterprises with the highest security investments. Despite the ease of initial entry, a common thread here is that detection and response capabilities are critical to detecting and preventing breaches.

Businesses stand to gain a far more robust security posture by investing in managed detection and response (MDR). Ready-made expertise in threat intelligence, detection, and response awaits businesses that allocate some of their security budget to MDR services.

Contact Proficio today to see how our leading MDR solution helps businesses like yours defend against cyber threats.

Best Practices for Endpoint Security

In today’s highly technical world, endpoint devices are everywhere. Endpoint devices, such as employee workstations, laptops, tablets, and smartphones, connect to and communicate with an organization’s network. Because they are intertwined within an organization, it often only takes successfully exploiting one endpoint for threat actors to carve a path through an organization’s network to cause harm.

Studies show that 61 percent of businesses have 1,000 or more endpoints users on their networks. They are a critical part of daily business and are also targets to a wide range of cyberthreats, which is why endpoint security should be a priority for all organizations.

As often is with cybersecurity, the best defense of endpoints is a good offense. But where do you start? We’ve put together a guide for endpoint security best practices so you can better prepare your organization.

Why Prioritize Endpoint Security?

If you think of endpoints as entryways into your network, it’s clear that securing every endpoint against malicious actors is important or you could be leaving the back – or even front – door open to cybercriminals.

For those organizations offering flexible work options, the increase in mobile working and remote employees introduces greater security risks to endpoints. As users connect your company’s network and access business resources from off-premises devices or in the cloud, traditional network perimeter controls are no longer sufficient to protect your company’s information.

A recent study found that 68 percent of surveyed companies experienced one or more endpoint attacks that successfully compromised data and/or IT infrastructure. Cybercriminals and nation-states carry out increasingly sophisticated attacks on endpoints to:

  • Access valuable assets, including trade secrets or intellectual property
  • Exfiltrate data
  • Disrupt important services

The financial and reputational impacts of cyberattacks make it imperative for companies to take a comprehensive approach to endpoint security and use effective measures that combat modern cyberthreats.

While there are many different threats to endpoints, both internal and external, here are some of the most common:

  • Ransomware/Malware
  • Unpatched Vulnerabilities
  • Fileless Attacks
  • Compromised User Accounts

Following some endpoint security best practices puts the foundations in place to protect your networks from the range of cyber threats that inundate companies daily. These include:

  • Consistent Updates
  • Endpoint Security Tools
  • Employee Awareness
  • Detection and Response

Download the full Securing the Endpoint Guide below

 

Why An MDR Service Provider for Healthcare Organizations Makes Sense

Healthcare organizations collect and process a lot of sensitive data, making them a prime target for opportunistic cybercriminals. Managing security in-house is a complex undertaking, which is why many healthcare organizations look to outsource some or all of their security needs. Here are our top three reasons partnering with a managed detection and response (MDR) service provider for healthcare organizations makes sense.

#1: Security Expertise

According to ISACA’s State of Cybersecurity 2021 report, over half of surveyed organizations still have unfilled cybersecurity positions, indicating the cybersecurity skills shortage shows no sign of slowing down. By partnering with an MDR service provider, healthcare organizations can take advantage of expert 24/7 security monitoring, threat detection, alerting, and response services that they need to deal with constant threats like ransomware, without having to build an in-house security operations center (SOC).

Partnering with an MDR service provider for your healthcare organization is a more cost-effective way to have 24/7 monitoring of your networks and continuous access to security professionals. And a provider with extensive healthcare security experience will be able provide recommendations on how to quickly improve your security posture, incorporating practices such as setting up business context modelling, creating segmentation with trusted network zones and controlling access to critical medical devices and infrastructure.

By outsourcing your security monitoring, you don’t have to worry about these staffing challenges; you only have to focus on the actionable alerts sent by your provider and can spend the rest of your time on other priorities.

#2: Advanced Threat Discovery and Response

Due to the sensitivity of healthcare files and the critical nature of their services, cybercriminals use a wide range of techniques, including ransomware, phishing and web application attacks to target healthcare organizations. Compounding the problem is that healthcare organizations have complex IT infrastructures, often with multiple locations, diverse departmental applications and legacy systems, plus patient and physician web portals.

Choosing an MDR service provider for healthcare organizations can provide advanced threat discovery by combining expertise with industry best practices such as the NIST cybersecurity framework to ensure your data is protected.

Threat Detection Use Cases

An MDR service provider for healthcare organizations means you get access to their expansive industry knowledge as well as their already built large library of threat detection use cases. This library typically includes support for a range of security tools and vendors and looks for specific indicators of attack or suspicious behavior to better detect threats. A good security team will send you actionable alerts for any critical threats and provide you with recommended next steps and have more confidence you’re keeping your networks secure.

In addition, an MDR service provider’s use case library is constantly changing, with new content being added to keep up with the ever-evolving threat landscape. Best practices also suggest that outdated content gets removed or updated, to make sure logs are only being run through relevant and useful use cases.

It would be highly challenging for an individual organization, starting from scratch, to build up a matching use case library – and unless there’s a dedicated team working on adding and updating the content, there’s still a high probability of missing new threats. Modern MDR service providers have a team specializing on keeping their fingers on the pulse as new threats constantly emerge.

Threat Hunting

Many MDR service providers also have a dedicated team for threat hunting, so they can be quick to react to any new threats in the wild. A team that operates globally provides additional benefits as the teams in each region can communicate information about threats local to their environment that may help hunt down new threats before they gain a foothold in another region. This is an added benefit of an MDR service provider for healthcare organizations that wouldn’t be feasible with a small local team.

For example, the local team in Asia may find a healthcare organization in their region is the target of a specific ransomware attack. The team can communicate information about this attack to other regional teams who can proactively, and extensively, search their clients’ network for any sign of the same threat.

Automated Response

For quick containment of credible threats, MDR service providers may offer a Security Orchestration and Automated Response (SOAR) solution that provides further protection of your critical assets. Automated response solutions are created to look for high-fidelity threats and can stop attacks before they expose sensitive patient information or bring down critical IT systems, mitigating a potentially devastating data breach.

The MDR service provider continually tunes and refines their rules to make sure they can detect the most relevant threats. Automated actions may include blocking an IP address or a compromised device from outbound communication, forcing a password reset on a compromised account, quarantining a device from your network, or proactively blocking newly detected attackers found in other networks via threat hunting.

#3: Compliance

For healthcare organizations, ensuring continued compliance with relevant industry regulations like HIPAA creates additional challenges and workload for internal teams. Failure to pass a compliance audit can result in hefty fines and data breaches invariably lead to high legal costs, patient harm, and reputational damage. Research indicates that healthcare organizations incur the highest breach costs of all industries at $499 million per record breach.

A compelling reason to consider an MDR service provider for healthcare is that you can partner with a company that fully understands these specific data protection regulations and requirements. For many, the HIPAA requirements for data storage and paper trails are numerous and ambiguous; partnering with an expert can provide your healthcare organization with best practice guidance and audit preparation for HIPAA compliance so you’re better prepared.

In addition, many MDR service providers for healthcare organizations will also follow industry standard compliance practices, like SOC 2, that demonstrate that they follow strict information security policies and procedures. Partnering with a certified MDR service provider gives you added confidence your data is protected.

Conclusion

Choosing an MDR service provider for healthcare organizations may not be an easy choice for everyone. But in a world of ceaseless attacks, sophisticated threats, and high data breach costs, outsourcing your security monitoring to a dedicated team of professionals who can protect your patient information 24/7 often makes sense. By finding the right partner, you can find a cost-effective security option that will reduce your information security risks and strengthen your cybersecurity posture.

See how Proficio can help secure your healthcare organization.

Lessons Learned: Ransomware Attacks in 2021

While ransomware attacks in 2021 never cease to stop, several high-profile occurrences in the first half of the year gained swift notoriety for either the scale of damage they inflicted or the targets they focused on. Here are four of the biggest attacks, and the lesson that can be learned from each.

Colonial Pipeline

A natural place to begin is with the most severe cyber-attack to ever target critical infrastructure in the United States. Instigated by the DarkSide ransomware group, this has been one of the most newsworthy ransomware attacks in 2021, targeting the IT environment tied to a pipeline system that extends from Texas to New York.

Hackers used a VPN account and a leaked password to gain access to the Colonial Pipeline network. The attack was noticed on May 7, 2021, when an employee saw a message on a computer screen in the control room, demanding a cryptocurrency payment. An operations supervisor decided to respond to the attack by taking the unprecedented step of shutting the entire pipeline down.

Colonial Pipeline decided to make the ransom payment of $4.4 million in bitcoin – and as a positive turn, with the help of the FBI, part of the payment has been recovered. The disruption to the pipeline lasted five days before normal operations resumed.

Takeaway: Use multi-factor authentication so that even if a password becomes compromised, hackers need to provide an additional category of evidence to access a resource on your network.

Acer

Taiwanese computer manufacturer Acer became the victim of another notable ransomware attack in March 2021. It’s believed a Microsoft Exchange vulnerability provided an entry route into Acer’s network.

The REvil ransomware group demanded a $50 million payment to return stolen data, releasing samples on the dark web. It’s not publicly known whether Acer paid the ransom.

 Takeaway: Hacking groups don’t keep a 9-5 schedule. It’s critical for organizations to use 24-7 monitoring solutions that constantly seek out new types of attacks, critical vulnerabilities, and suspicious behavior on your network. A dedicated security operations team can provide 24-7 incident monitoring, detection, and response.

Sierra Wireless

Among several high-profile technology companies hit by ransomware attacks in 2021 was the wireless communications equipment designer and manufacturer, Sierra Wireless. The attack targeted both the company’s internal IT systems and corporate website.

Production at the company’s manufacturing locations was temporarily halted while the company quickly initiated measures to counter and contain the damage. While the internal network and corporate website remained affected for a few days, any customer-facing products and services weren’t impacted.

Takeaway: The swift response during the Sierra Wireless attack is critical for rapid threat containment. Fast action can make the difference between an attempted hack and a devastating breach, which is why automated response solutions are essential for modern organizations.

Scripps Healthcare

Finishing things off is one of the most targeted industries – healthcare. In May 2021, a hospital in our own backyard was taken offline for almost a month due to a sophisticated ransomware attack.

While not much is currently known about this attack, during the same timeframe, we saw a similar attack take down Ireland’s Health Service Executive. This attack was due to an employee that unknowingly clicked a malicious link, and the cybercriminals demanded almost €15 million to return 700 gigabytes of confidential patient data.

Takeaway: Opportunistic hackers don’t take ethical or moral considerations into account when looking for targets to exploit. Knowing the signs of a ransomware attack in its early stages is key to stopping cybercriminals before they get into your networks.

 

Conclusion

While the ransomware attacks in 2021 that make media headlines often involve public infrastructure, health services, and large corporations, these incidents can happen just as easily on small to medium businesses. As we often say – it’s not a matter of if you’ll be attacked, but when – so regardless of the size of your company, preparation is vital to staying safe.

#HowTo: Identify and Appoint the Right Security Partner for Your Organization

This article originally appeared in InfoSecurity Magazine

In the field of cybersecurity, finding a partner you trust can be daunting. It’s an area that still creates uncertainty within many organizations, so it’s no wonder many cybersecurity executives may be hesitant to make this move.

But given the mounting list of CISO challenges, from justifying resource requirements to demonstrating a team’s effectiveness, more and more organizations are looking into outsourcing some, or all, of their cybersecurity.

So, how do you know if partnering is right for you?

The Advantages of Partnering with a Security Provider

Many people wait until after they have suffered an attack or been dinged on a compliance audit to look for a partner, putting them in a rushed situation to make a selection. However, creating a symbiotic relationship takes time – and if done correctly, is a great way to help improve your cyber posture in both the near and long-term…

Read More

The Cybersecurity Acronym Overload

What is the difference between an MSSP and an MDR service provider (and everything in between)?

As any industry evolves, it is common for new categories of products and services to proliferate. In the case of cybersecurity services, many of the new services have been introduced to respond to the evolving threat landscape or to support new technologies – but in some respects, it’s also become a way for vendors to differentiate themselves.

So, it is not surprising that questions like, “what is the difference between an MSSP and an MDR service provider,” and “what is a SOC-as-a-Service provider” are some of the top managed security services Google searches.

As a co-founder of Proficio I have a unique perspective on how this proliferation of labels came about and what the future holds.

People, Process and Technology

These three pillars are the building blocks of a security operations. People, process, and technology are the threads that run through MSSP, MSS, SOC-as-a-Service (SOCaaS), MDR, and XDR services. However, many organizations are constrained by a limited budget to achieve desirable cybersecurity outcomes which is why the managed security services industry exists.

Let’s quickly put some context around each:

People: Cybersecurity-Skills-Gap

The difficulty of hiring and retaining cybersecurity experts is one of the primary motivations behind outsourcing security operations to service providers. People challenges are due in part to the cyber skills gap and in part a function of scale. Large organizations are better able to staff a 24/7 SOC (requires a minimum team of 10 to 12 people) and train their teams on technologies like AI, next-generation endpoint software, and cloud infrastructures. Medium-sized organizations (and smaller) are often not be big enough to dedicate headcount to specialist roles like SIEM Administrator, Content Developer, Incident Responder, or Data Scientist.

Process:

Process is the glue that ensures consistent and effective action. Process encompasses the definition of roles and responsibilities, workflow, policies and procedures, and more. The time and effort needed to harden and document processes is frequently underestimated. Look back in time at some of the largest security breaches and you will find process issues in many cases. The 2013 data breach of the retail giant Target is a prime example. While multiple issues related to this breach, the fact that Target’s SOC did not respond to FireEye alerts resulted in the breach being undetected. How an indicator of compromise is investigated and remediated is fundamentally a process issue.

Technology:

Technology is the third building block supporting security operations. Building and managing a technology stack for cybersecurity is challenging and doubly difficult for organizations with limited resources. The complexity of Security Information and Event Management (SIEM) software is often sufficient reason for businesses to turn to managed service providers. SIEM systems collect event logs from an organization’s network, endpoints, cloud infrastructure and security tools. Log data is analyzed and alerts are generated for further investigation and remediation. However, the quality of security alerts is only as good as the data ingested by the system, alongside the rules and use cases used to filter and prioritize the alerts. While there are tips to maximizing the value of your SIEM, time erodes the efficacy of a SIEM; products and log formats will change, new threats make old rules irrelevant, and the experts that originally set up the SIEM often move on to greener pastures.

What is a Managed Security Services Provider (MSSP)?

The role of an MSSP starts with log management, as collecting and retaining logs is a requirement for compliance mandates like PCI and HIPAA. But before centralized log management, the event data collected from each security device was siloed. As a result, if a firewall engineer saw an alert for a port scan and a Windows administrator saw failed login attempts followed by a successful login, they may not realize that the same host is involved in both events. Minimally, an MSSP is responsible for alerting their clients to threats and suspicious events with the goal of reducing the risk of a security breach. MSSPs offer a wide range of capabilities including vulnerability management, incident response, and pen testing.

According to Wikipedia, “the roots of MSSPs are in the Internet Service Providers (ISPs) in the mid to late 1990s. Initially, ISP(s) would sell customers a firewall appliance, as customer premises equipment (CPE), and for an additional fee would manage the customer-owned firewall.” Today, MSSPs continue to manage security products such as firewalls, IDS/IPS, and WAFs on behalf of their clients. The management of security devices typically includes making configuration changes, patching, tuning, and health and performance monitoring. Managed Security Services (MSS) has been used to connote both device management and the security monitoring functions offered by MSSPs.

The terms fully managed and co-managed describe the service models used by MSSPs. Fully managed applies where security technologies, like SIEM software, are owned and operated by the MSSP and used for the benefit of their clients who are users of security information. A co-managed approach provides the client more control, for example a SIEM owned by the client where the MSSP and the client share administrative responsibilities.

What is SOC-as-a-Service? Difference-between-MSSP-and-MDR

The term SOC-as-a-Service was created “to describe how clients benefit from 24/7 monitoring and the same advanced threat detection technology that is used in sophisticated SOCs serving large enterprises and governments.” In 2010, Software-as-a-Service (SaaS) was already a significant industry with adoption being driven by the advantages of an on-demand, subscription model with no dependency on the existing IT infrastructure.

SOC-as-a-Service or SOCaaS is a logical extension of the SaaS where SIEM software is delivered as a service, and instead of staffing up an in-house SOC, multiple clients share the capabilities of a 24/7 SOC responsible for threat detection, altering, and response.

The goal for many SOC-as-a-Service providers, like Proficio, is to provide businesses the same quality of service that a large enterprise receives in-house, at an affordable price. This requires a true partnership with clients and the flexibility to act as an extension of their IT security team.

So how does SOC-as-a-Service differ from the offerings of an MSSP and what sort of business should use it? SOC-as-a-Service focuses on fully managed cloud-based services which are ideal for small to medium-sized organizations. Vendors providing SOC-as-a-Service are less likely to work with client-owned SIEMs and manage security devices, but this is not an absolute rule.

While SOCaaS providers offer many of the same capabilities as MSSPs, they are less likely to manage security devices and may not support as broad a set of log sources.

What is the difference between an MSSP and an MDR service provider?

MDR service providers offer more advanced threat detection and response capabilities than MSSPs. Key capabilities to expect from MDRs include:

When Gartner issued their first Market Guide for Managed Detection and Response Services, they categorized MSSPs as being more focused on monitoring perimeter security and lacking threat detection capabilities for the cloud and endpoints. Gartner also posited that MSSPs are more focused on meeting compliance requirements than MDRs. Fewer MDRs manage security devices – a service offered by many MSSPs.

MDRs must continue to adapt to new challenges to meet the demands of a Next-Generation MDR Service Provider.

What is an XDR Service

XDR is a new evolution of MDR, that includes threat detection and response capabilities. The X stands for eXtended capabilities, that go beyond EDR. XDR integrates multiple security control points (endpoint, network, cloud, email, authentication) to automate threat detection and response. The concept of XDR has been promoted by leading industry analysts (notably Gartner) and is starting to be adopted, and perhaps hyped, by vendors.

You might ask, how is XDR different from SOAR? Both approaches apply use cases to log data to trigger automation and orchestrations. However, XDR will have broader integration among security controls using native APIs. For example, where an event might result in SOAR triggering containment of an endpoint and even orchestrating a remediation workflow, XDR could also automate responses from other layers of security such as blacklisting the source of malware at the perimeter.

One challenge for prospective users of XDR is they risk being locked into a single vendor solution. Most enterprises have multiple existing security vendors and unless they are already budgeted for a broad refresh, adopting this approach may be a protracted and expensive process.

Proficio and others are addressing the shortfall of XDR with Open XDR. Like XDR, Open XDR  integrates multiple layers of security while also supporting more than one vendor for each control point to provide customers with more flexibility and security.

What Does it All Mean? MSSP and MDR business person question marks

When you think to yourself, “what is the difference between an MSSP and an MDR service provider?”, it’s obvious there is no clear-cut answer. There continues to be some fluidity around the labels used to describe the providers of managed security services or security tools. Buyers of these services need to assess if the core capabilities of a prospective partner complement their existing capabilities and align with their goals.

 

Here are 5 areas to explore:

  1. Compliance

If your organization must adhere to one or more compliance mandates, validate the service achieves that goal. Can your MSSP or MDR retain logs for the required period? Does your MSSP or MDR support industry specific requirements such as file integrity monitoring in the case of PCI? These are important criteria to discuss before selecting a partner.

  1. Threat Discovery

Effective threat detection is a precondition to protecting your organization from damaging cyberattacks. Understand how the provider uses threat intelligence, security analytics, and automation for cost effective threat discovery and what expert human resources are applied to event investigations and threat hunting. Determine what is important for you and realistic within your budget.

  1. Response Automation

The ability to rapidly contain a threat is a good reason to select a specific MDR service provider. Some MDR providers support third party SOAR products and others offer automated response using native capabilities in their threat management platform. But don’t assume anything – you should always validate that the MDR provider supports your preferred endpoint and firewall vendors. Before implementing, it is also important to check that you have organizational buy in to automating changes to endpoints or network configurations.

  1. Technology Stack

Whichever label your vendor uses to describe their services, they will come to you with a predefined technology stack. This will affect how well your existing and planned technologies integrate with your provider. For example, your provider may support one or several SIEM vendors or they may have developed their own threat management platform. Ask if your vendor requires you to install a hardware sensor or add endpoint agents; these requirements can create network clutter and negatively impact performance and compactivity. Not all vendors are able to parse data from critical points of telemetry in your environment or support automation and orchestration for your existing security products.

  1. Control

Ask yourself how much control you need of the infrastructure and data involved in security operations. Do you want to use your own SIEM or do you prefer a platform hosted by your managed security service provider? Will this change in the future? Do you need to own the log data that has been collected? How important is it to have the ability to do granular searching and run reports with the providers system? Conventional wisdom is organizations are willing to devolve control to reduce cost and complexity, but this should be a conscious decision.

Final Thoughts

Choosing a cybersecurity partner is a major decision. Proficio has been acting an extension of our clients’ team to help them achieve their cybersecurity goals for over 10 years. If you’re currently using, or considering using, an MDR Service Provider, download our MDR Checklist to ensure you’re getting an effective service. Tune into our video podcast series called Cyber Chats to hear industry experts discuss cybersecurity issues and best practices. If there’s anything more we can do to help, please let us know.

 

2020 Threat Hunting Campaigns and the Lessons Learned

Society has learned a lot of lessons in 2020. While many may focus on the covid-19 pandemic, it’s fair to say that cybersecurity faced its share of challenges too – especially with many organizations being thrust into a remote working environment.

For Proficio’s Threat Intelligence team, we had to face a slew of new threats, all while battling some familiar faces as well. We spent the last year doing extensive threat hunting campaigns, learning and improving along the way.

Here are three things we’ve learned this year and how you can use them to improve your cybersecurity in 2021.

1.    Old Threats, New Faces: Malware and Phishing Continue to Endure

In 2020, malware, often in the form of a ransomware attack, continued to be incredibly prominent. The most popular variants we encountered were those that exfiltrated the victim’s data as a way of threatening victims who refuse to pay their ransom, such as REvil/Sodinokibi and DoppelPaymer.

Also popular are phishing attacks, which continue to be a key technique utilized by all classes of attackers. This was especially noticeable when many cybercriminals took advantage of COVID-19 as a topic to lure victims, but there have also been other varieties of phishing campaigns with different contents and formats to trick victims. As hackers adapt to a reality where cloud service offerings like Office 365 are increasingly used in corporate environments, one very common tactic we observed is the use of fake Microsoft login pages. We have been able to identify a significant number of these during our threat hunting campaigns, like the one seen in this HTM spear-phishing email campaign.

There have also been multiple attack campaigns that utilized unpatched vulnerabilities in widely used software. Some examples of campaigns that we have investigated include attacks on the Citrix vulnerability (CVE-2019-19781) as well as the Zerologon vulnerability. There are also campaigns that exploit software updates instead of a vulnerability in the software, and compromise victims via the compromised updates. Some examples of this include the GoldenSpy campaign and the recent SolarWinds Sunburst campaign.

Below is the breakdown of threat hunting campaigns we have conducted throughout 2020. It also highlights where we had identified and escalated incidents of true positive hits to our clients.

Threat Hunting Campaigns with Escalations Chart

While attackers will continue to use these avenues to exploit victims, there are still some common precautionary measures that can be taken to further safeguard you and your organization:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Performing regular backups on critical files and systems.
  • Keeping your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

2.   The Constant Evolution: Handling Increasingly Disparate Threats

Given the ever-evolving threat landscape, Proficio’s Threat Intelligence Team is constantly on the lookout for the newest cyber threats. We keep a close eye on the news and initiate threat hunting campaigns for threats are likely to have an impact on our clients. Throughout 2020, we conducted a significant number of threat hunting campaigns based on this research as well as threats found within our clients networks. We continually are looking for ways to improve how we conduct our threat hunting campaigns, as well as how we store and share information of interest with our internal teams and clients, to maximize our efficiency and make sure we give our clients the best protection possible.

When our team was first established, most threat hunting campaigns were self-contained within the Threat Intelligence team. As time progressed, and threats became increasingly complex, we found ourselves working with other internal teams, such as Security Advisors or Project Managers. We find collaborations can make us more effective and ensures all teams within Proficio are able to quickly and efficiently take appropriate actions when required, ensuring consistency of our security operations.

In addition, the structure and methodology we used for carrying out our threat hunting campaigns grew increasingly more robust throughout the year. We are better able to conduct rapid-response research and data collection efforts, with a clear plan of actions and priorities for every campaign we embark on. Depending on the extent of the hunt and the platforms used for searches, the amount of time taken to provide our clients with our investigation findings can vary from a few days to over a week; However, these efficiencies and improved methodology have allowed us to decrease our turnaround time.

In order to adapt to the more complex threat landscape, our threat hunting campaigns must continue to evolve; we have gone from using simple IOCs, like file hashes and IP addresses, to tactics, techniques and procedures tied to that of our adversaries. We have also transformed the way we document our threat hunts. We found that by enhancing our investigation write-ups with threat diagrams, attack maps and incorporating the MITRE ATT&CK classification framework, we are better able to organize our findings to create a library. We also take inspiration from documentation produced by other well-established security organizations sharing information such as JPCERT.

Creating a library of your threat hunts over time is a great way for any organization to better track the adversaries your organization is dealing with. In addition, the cybersecurity community has a tremendous amount of open source tools to take advantage of, that will better help us all defend against cybercriminals.

3.   Outside Looking In: Synergizing Efforts to Create Maximum Value

As a team, we are always looking for ways to synergize everything we do as force multipliers that help  make a big impact on all our clients.

We keep up with threat news and developments in cybersecurity on a daily basis, sharing those that we found to be potentially relevant on our official Twitter account. We also have a Threat Intelligence page, where you can sign up to receive a weekly threat digest with the top threat news each week.

These tools play a big part in our ongoing data collection efforts, allowing us to better track trends in cyberattacks across different industry sectors as well as document known threat group activities. The data collected also plays a big role in terms of our decision to initiate threat hunting campaigns, with the goal of identifying potential attacks or existing compromises that might have slipped past the cracks.

One of the greatest things about the cybersecurity community is that they are open to sharing knowledge in our joint efforts to combat cybercriminals. We recommend you join communities and follow along with the latest trends – and if you’ve found something, we encourage you to also share what you learned, so others can benefit from your research! That’s how we make the community stronger, one threat hunting campaign at a time.

While the Threat Intelligence team observed numerous new cyberthreats throughout 2020, we have no doubt the uphill battle on cybercrime will continue into 2021 and beyond. We will continue to conduct high-quality investigations for our clients for any relevant threats and share these findings, both with our clients and the community as a whole, in hopes to do our part in this war on cybercrime.

Key Takeaways from the SolarWinds Compromise

FireEye has recently released a detailed report on a global supply chain cyber-espionage campaign that utilizes compromised Solarwinds Orion software updates to distribute a backdoor codenamed “SUNBURST” by FireEye.

This particular campaign was announced by FireEye to be associated with a breach reported earlier on the 8th of December 2020, where it was revealed that attackers have gained access to FireEye’s environment, attempted to obtain information relating to certain US government customers and stole some of their Red Team tools.

FireEye isn’t the only organization using SolarWinds Orion software, with the malicious updates being pushed to 18000 other customers of the SolarWinds Orion platform, including Microsoft, the US Treasury and Commerce Departments, the Department of Energy and the National Nuclear Security Administration Of course, not all organizations affected were actively targeted and breached by the threat group, with majority of the targets located in the United States and the rest in seven different countries; Canada, Mexico, Belgium, Spain, United Kingdom, Israel and the UAE.

At this time, it is too early to say that we have a full understanding of the scope of the SolarWinds compromise. The number of organizations impacted is based on very limited visibility with an expectation that we understand all the compromise routes and adversary command and control capabilities. We do not know that to be true and more time is needed before we can say that we have a complete idea of the scale and scope of the compromise. Everything we know at this time relates to cyber-espionage and US national security institutions and there are no indications that most customers of SolarWinds Orion are actively breached by the threat group.

There are also no indications that the SolarWinds compromise was the only way in which the adversary could have gotten to their targets. The Cybersecurity and Infrastructure Security Agency has evidence that there are initial access vectors other than the SolarWinds Orion platform. As mentioned previously, we recommend following the remediation measures recommended by CISA. Even if your organizations aren’t active targets of this threat group, there are no reasons to leave a backdoor into your network lying around if you are using the affected versions of SolarWinds Orion. https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Some Interesting Details

Proficio has issued several advisories regarding the SolarWinds compromise and will be issuing more advisories as we learn more about the compromise. We are also in the midst of conducting an ongoing threat hunting campaign. Here are some of the interesting details that will shed light on the lessons we can draw from this campaign thus far.

  1. SolarWinds hackers did a test-run of the spy operation in Oct 2019, when malicious SolarWinds files were first downloaded by customers. That version did not contain a backdoor, but indicates that the hackers were dwelling in SolarWinds network in 2019, if not earlier.Code with the word password in red stolen credentials Solarwinds
  2. FireEye first discovered the breach when hackers utilized stolen employee credentials to register their own device to FireEye’s MFA system so as to receive the employee’s unique access codes. FireEye’s security system sent an alert to the employee and to the company’s security team saying a new device had just been registered to the company’s MFA system as if it belonged to the employee, prompting FireEye to investigate. FireEye uncovered the SolarWinds breach into their network while trying to determine how the hackers obtained the employee’s credentials to register their device.
  3. The SUNBURST backdoor is only an initial persistent entry point used to deploy other tools to take root and subtly compromise the network configurations to allow future accesses. Remediating the SolarWinds breach is only the first step to be taken.The SUNBURST backdoor is known to distinguish between malleable detectors (services modified and tracked in the config file) and dealbreakers (running processes that will make SUNBURST abort immediately). Malleable detectors include several AV/EDR agents, while dealbreakers include several generic and specialized forensic tools, one of those being Sysmon. The distinction between the buckets of target system processes/drivers for evasion purposes is pretty important. Upon encountering one of the 8 malleable detection product families, SUNBURST takes a backup of SCM ACL for the service, modifies the ACL to take ownership and disables the service. Before going dormant, SUNBURST restores the original ACL and settings. This means that:
    1. Dealbreaker drivers installed prevents execution of SUNBURST completely.
    2. Dealbreaker processes at RUNTIME prevents Job Execution at that time.
    3. The 8 AV/EDR products would not have been very effective at preventing actions taken by SUNBURST unless anti-tampering settings are cranked up.

Lessons to Take Away

The SolarWinds compromise is a good case study of the impact, scale and scope of a supply chain compromise by a serious and capable adversary. It is important for us to draw the right lessons away from chasing buzzwords and what is popular and trendy.

  1. Most organizations should not shift all their focus to supply chain attacks. Most organizations do not have sufficient visibility, network segmentation, administrative tiering, insider threat programs, sufficient detection and response, backups and asset management capabilities and those pose far more risks in terms of actual impact on most organizations. Supply chain compromises are incredibly serious, but they are far from being the only way organizations get hit by serious cyber-attacks.
  2. Prevention is increasingly a no-win game. Well-orchestrated supply chain compromises are almost impossible to prevent. However, where prevention can fail, detection and response can succeed and did succeed in this case. FireEye was able to detect and respond correctly to the actions of a capable nation-state adversary. Organizations should look to beef up their detection and response capabilities either internally or with a managed detection and response partner like Proficio. Contact Proficio
  3. The success of detection and response actions depends significantly on basic visibility and monitoring. DNS logs play a key role in identifying if a breach has taken place, and other activity indicators include file-write events to the ‘SolarWinds Orion DLL config file’, as well as changes to services in registry while using anyone of the 8 AV/EDR families tracked by the SUNBURST backdoor.
    1. In fact, the adversary does not even attempt to infect your network if it looked like you were watching the machine with something as simple and as effective as Sysmon. This means that the adversary knows that such dealbreakers work very effectively against them.
    2. That is not to say that FireEye and other organizations do not have monitoring in place, but it simply may not have been tools in the list of SUNBURST dealbreakers.
  1. Make use of defence-in-depth principles when crafting a detection strategy. When it comes to visibility, logging and detection and response capabilities. EDR and NDR solutions provide the ability to detect and rapidly contain threats, and should be complemented with solutions focusing on complete visibility and logging like Zeek and Sysmon. Reach out to Proficio to find out more about how we can help you create a more complete detection strategy.
  2. Make use of multi-factor authentication where possible and ensure that you have a robust asset management program. FireEye first discovered the breach when hackers utilized stolen employee credentials to register their own device to FireEye’s MFA system, and that requires both robust asset management and the use of multi-factor authentication.
  3. Enhance actual detection and response bandwidth and capability by reducing noise and excessive alerting. Reach out to Proficio to understand how we can help you enhance your existing capabilities by helping you to focus on what matters most.