Lessons From The Cyber Front Line
Very few weeks go by without news of another cyber attack or data breach and a quick scan of the BBC news website shows that in most months, there is at least one story that makes the national news headlines. While just a few years ago, many cyber attacks would go unnoticed by the public and quietly swept under the carpet, legal requirements to report breaches along with the power of social media, means that the world gets to know about them.
Like most news, today’s headlines are tomorrow’s chip paper, but for those directly involved it lives on for a long time, while the rest of us should be looking and learning to stop the same things happening again. Below is a selection of some infamous cyber attacks for a quick refresh as to how the criminals managed to wreak havoc and how they could have been avoided.
SolarWinds
Very few people outside of the tech community had heard of SolarWinds before late 2019 when cyber criminals gained access to the SolarWinds' network. They spent some time moving around and investigating the network landscape before testing a malicious code injection into the Orion Platform - a network management system used by government organisations and businesses to manage their IT resources. In February 2020, the code known as Sunburst was let loose and the following month, SolarWinds unknowingly sent out Orion software updates, which included the Sunburst malware.
This massive supply-chain attack was installed by more than 18,000 organisations, enabling the attackers to access SolarWinds' customers' IT systems. From that point, they were able to install further malware so they could spy on target organisations and cause major problems. According to SolarWinds, the attack, recovery and ensuing fallout cost $40 million in the first nine months of 2021, while a survey of IT decision makers across SolarWinds customers found that the average financial impact of the attack was 11% of annual revenue or about $12 million per company.
Travelex
In December 2019, the Travelex foreign exchange company was targeted by the REvil ransomware group. The hacker group encrypted Travelex's network and made copies of 5GB of personal data. If Travelex didn't pay the ransom, they threatened to publicly publish the data. It's likely the cyber criminals were lurking on Tavelex's network before initiating their ransomware, having gained access via an unpatched VPN (Virtual Private Network). Travelex reportedly paid around $2.3M in ransom and the combination of business disruption plus the COVID-19 pandemic forced the world’s largest foreign exchange bureau into administration.
Equifax
For two months during 2017, the American credit bureau Equifax was subject to a massive data theft, where information relating to millions of customers was stolen. The company was initially hacked through a consumer complaint web portal, with the cyber criminals making use of a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.
The attackers were then able to move to other servers, due in large part because they were able to find usernames and passwords stored in a plain text file that then allowed them access. Data was pulled out of the network over a long period of time so that no large data movements could be detected. In total, the hackers stole the personal information of 147.7 million Americans from 48 Equifax servers over 76 days, before they were detected. The information was also encrypted by the cyber criminals so that its theft was not spotted.
The subsequent financial impact on the organisation has been massive, not to mention the jail term for the CIO who sold $950,000 worth of company shares before the data breach became public knowledge. In February 2020, the U.S. Department of Justice announced charges against four Chinese military-backed hackers in connection with carrying out the attack.
Edward Snowden – the inside job
In 2013, the now infamous Edward Snowden pilfered documents from America’s NSA and gave them to journalists - and probably governments - in an effort, he claims, to expose the U.S. government spying apparatus. According to cyber firm Venafi, as an administrator, Snowden was able to create digital certificates and cryptographic keys undetected by the NSA. Using these keys, he was able to gain access to systems and then locate the files he wanted to steal.
For exfiltration, Snowden transferred the data over encrypted channels to his own external file share using self-signed certificates. So as far as the NSA was concerned, these signed transmissions were safe and authorised and allowed to pass unquestioned. He was able simply to copy data from the network to removable drives.
NHS 111
Most recently, in August 2022, a cyber attack on NHS supplier Advanced, the firm which provides digital services for NHS 111, targeted the system used to refer patients for care, including ambulances being despatched, emergency prescriptions and out-of-hours appointment bookings.
The attack was reportedly due to ransomware, thought to have been the result of phishing. Once the ransomware had been inadvertently executed, it may have been operating in the background, exfiltrating data before attackers disabled systems in the network, alerting the company to the attack.
Lessons Learned?
For SolarWinds, since software such as Orion is built using components from multiple sources, a Software Bill of Materials (SBOM) should have been used. This is a way in which all the components may be listed and checked so that rogue components can quickly be identified and removed. In addition, keeping all source code encrypted on a per-file, per-user basis would have blocked any unauthorised hacker from being able to access code files.
In the case of Travelex, patching the VPN would have been a significant block to the cyber criminals, but the ransomware could easily have been deployed using other techniques such as phishing. An ‘allowlisting’ approach to application control would have blocked the ransomware, no matter how well it had been disguised. Application control, which uses allowlisting ensures that a system will only run processes that are on the authorised allowlist. All other processes are blocked. In a business environment, we know exactly what should be running on a machine, so this approach is both simple and highly effective. For SolarWinds customers, the deployment of application control which uses allowlisting would have prevented the attackers from running the malware which they installed after having gained access to each customer’s network.
In the case of Equifax, the consumer complaint web portal should of course have been patched, and no administrator or any other user should have stored usernames and passwords in a freely accessible file. While in most organisations it is highly unlikely that the whole series of errors would all happen, we all make mistakes. Systems cannot always be patched immediately because of conflicting system dependencies; and users - and administrators - sometimes do unexpected things.
All these examples show the need for comprehensive off-network backups and better cyber security training, but also that we should always assume that a cyber criminal may always gain network access.
So, it’s important to protect the data itself. This means all of the data all of the time, no matter where it is stored or copied. Using file-level encryption to encrypt all data everywhere, the Equifax data breach would have resulted in a story which lasted just a few days, rather than years. If all their data had been encrypted so that when exfiltrated, it remained encrypted, the attackers would have stolen terabytes of completely useless data.
The same approach would have thwarted Snowden. If the encryption system provides each user with their unique encryption key, then Snowden would have been able to do his job - even moving files around - but completely unable to decrypt and access the information.
20:20 hindsight is a wonderful thing but if we are going to gain anything from these cyber attacks, we need to learn from them and look at new ways of protecting our data and not simply carry on building up more layers of defence to prevent people from getting in.
Nigel Thorpe is Technical Director at SecureAge
You Might Also Read:
Who Can You Trust With Your Data?: