Expect to see more New Zealand organisations experiencing a full outage of information services due to DDoS (Distributed Denial of Service) or ransomware attacks. The most feared attacks will be double extortion exploits, where the malicious actors exfiltrate sensitive data before encryption. The actors' aim is to release some PII, then issue an ultimatum demanding payment.
The emergence of cryptocurrencies provided an easy, hard-to-trace payment method that changed everything. Not long ago, a ransomware threat actor was a well organised group, even a nation state. Now, anyone can purchase a Ransomware as a Service (RaaS) kit, wind it up, and let it go. This is scary stuff.
The US FinCEN declared it illegal to pay the ransom in most cases. This comes under the purview of anti-money laundering, especially as most payments are demanded in cryptocurrency. The payments may also violate US Office of Foreign Assets Control regulations. Therefore, should an organisation decide to pay the demand, they may be performing an illegal act.
A ransomware attack can present many ongoing difficulties. The backup may be trashed, the files and applications are toast, and the database is no more. If you do pay the demand, there is no guarantee that the key you receive will unlock all the information. The disruption to services will be lengthy.
So ... what does this mean for us?
How do we secure ourselves from ransomware, and other emerging threats?
DDoS, whilst devastating at the time, can be handled well with good planning and without data loss. Backup regimes utilising one-way data transfer and air-gap methods are important ransomware survival techniques. Within 'Protect, Detect, and Recover', it is always best to protect and detect first, then eliminate the threat, rather than rely on recovery.
As we already know, cyber security involves an ongoing resource commitment of time, effort and funding. No effective cyber security posture comes without this investment. The journey is not easy nor straightforward. However, there are resources that can help an organisation monitor, assess, identify, and then respond to cyber threats.
One of these is information sharing, where threat actors' tactics, techniques and procedures are presented to the IS community. Findings from post-incident analysis often present attack detection, mitigation techniques and prevention procedures. This information is to be valued, and communicating these insights should be (and is) encouraged. It allows the cyber security community to effectively monitor, detect, eliminate, and therefore prevent emergent threats.
Information sharing is perhaps the most effective mitigation technique when presented with threats such as ransomware. An intelligence community, peer-based cyber information sharing network is in place. The GCSB and the NCSC are on the job and are very effective. The information that is shared is threat intelligence.
However, the resource commitment required to effectively source and action threat intelligence is beyond most SMEs. The Small to Medium Enterprise (SME) business sector is the largest in New Zealand, estimated at over 500,000 organisations. This represents close to 99% of all New Zealand businesses, according to the OECD, so the SME sector presents a considerable target to ransomware threat actors.
Therefore, a good solution is to form a partnership with a specialist security provider. Make sure that the security provider understands and commits to ongoing threat intelligence information gathering. Ideally, the provider will be gathering their own real-time data, and will provide three different levels of threat intelligence.
Threat intelligence splits into three domains: strategic, tactical, and operational.
- Strategic threat intelligence is a non-technical analysis of the trends and motivations behind attacks. These reports indicate who is behind threat campaigns and why they are interested in your organisation.
- Tactical threat intelligence is a technical report defining the details of a cyber-attack to identify the where and how. The report covers the tactics, techniques, and procedures (TTPs) of an actor: tactics and techniques describe the actor's high-level behaviour, while procedures are highly detailed descriptions of the techniques employed, giving low-level context on the attack vector.
- Operational threat intelligence consists of data that can be parsed by appliances such as IDS/IPS, SIEM, firewalls and spam filters. This information is often in the form of an 'indicator of compromise' (IoC). The SOC analysis team generates this information from analysis of (close to) real-time data, triaging active campaigns and attacks in progress. A good security analyst is very hard to find, and timing is crucial in the dissemination of operational threat intelligence.
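As an added illustration (not code from the original article) of what operational intelligence looks like once it reaches a SIEM or log pipeline: a small matcher that reads a constructed, defanged indicator feed and scans constructed log lines for hits. The feed format, indicator values, campaign labels and log lines are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed operational threat-intel feed (not real indicators). Feeds often
# publish values "defanged" ([.] / hxxp) so they cannot be clicked by accident.
SAMPLE_FEED = """\
# kind,value,campaign
domain,evil-updates[.]example,constructed-campaign-A
ipv4,203[.]0[.]113[.]45,constructed-campaign-A
sha256,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,constructed-campaign-B
"""

# Constructed proxy / firewall / EDR / DNS log lines (second and last are clean).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.12 dst=evil-updates.example:443 action=allow",
    "2024-05-01T10:00:02Z proxy src=10.0.0.13 dst=cdn.example.org:443 action=allow",
    "2024-05-01T10:00:05Z fw src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:00:09Z edr host=ws12 file=payload.bin sha256=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF",
    "2024-05-01T10:00:11Z dns query=notevil-updates.example rcode=NOERROR",
]

@dataclass(frozen=True)
class Indicator:
    kind: str      # "domain", "ipv4" or "sha256"
    value: str     # refanged, lower-cased value
    campaign: str  # label carried from the feed

def refang(value):
    """Undo common feed defanging so the value matches what real logs contain."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def parse_feed(text):
    """Parse 'kind,value,campaign' lines, skipping comments and blank lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, campaign = (f.strip() for f in line.split(",", 2))
        out.append(Indicator(kind, refang(value), campaign))
    return out

def match_logs(indicators, logs):
    """Return (line_index, indicator) for each log line containing an indicator.
    The look-arounds stop 'notevil-updates.example' or '203.0.113.450' matching."""
    patterns = [(ind, re.compile(r"(?<![\w.-])" + re.escape(ind.value) + r"(?![\w.-])", re.I))
                for ind in indicators]
    return [(i, ind) for i, line in enumerate(logs) for ind, pat in patterns if pat.search(line)]
```

Each hit carries the campaign label, which is what lets an analyst tie a single firewall or EDR event back to the tactical report describing that campaign.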
Cyber security is a journey through uncharted and dangerous waters, best shared with professionals who have these resources available.
- Perform a risk assessment
- Implement and test your backup recovery plan
- Enable MFA whenever possible
PhD, MISDF (1st Class), MBA
Senior Cyber Security Engineer