Lessons From The Cyber Front Line

Very few weeks go by without news of another cyber attack or data breach and a quick scan of the BBC news website shows that in most months, there is at least one story that makes the national news headlines. While just a few years ago, many cyber attacks would go unnoticed by the public and quietly swept under the carpet, legal requirements to report breaches along with the power of social media, means that the world gets to know about them.

Like most news, today’s headlines are tomorrow’s chip paper, but for those directly involved it lives on for a long time, while the rest of us should be looking and learning to stop the same things happening again. Below is a selection of some infamous cyber attacks for a quick refresh as to how the criminals managed to wreak havoc and how they could have been avoided. 

SolarWinds 

Very few people outside of the tech community had heard of SolarWinds before late 2019 when cyber criminals gained access to the SolarWinds' network. They spent some time moving around and investigating the network landscape before testing a malicious code injection into the Orion Platform - a network management system used by government organisations and businesses to manage their IT resources. In February 2020, the code known as Sunburst was let loose and the following month, SolarWinds unknowingly sent out Orion software updates, which included the Sunburst malware.

This massive supply-chain attack was installed by more than 18,000 organisations, enabling the attackers to access SolarWinds' customers' IT systems. From that point, they were able to install further malware so they could spy on target organisations and cause major problems. According to SolarWinds, the attack, recovery and ensuing fallout cost $40 million in the first nine months of 2021, while a survey of IT decision makers across SolarWinds customers found that the average financial impact of the attack was 11% of annual revenue or about $12 million per company.

Travelex 

In December 2019, the Travelex foreign exchange company was targeted by the REvil ransomware group. The hacker group encrypted Travelex's network and made copies of 5GB of personal data. If Travelex didn't pay the ransom, they threatened to publicly publish the data. It's likely the cyber criminals were lurking on Tavelex's network before initiating their ransomware, having gained access via an unpatched VPN (Virtual Private Network). Travelex reportedly paid around $2.3M in ransom and the combination of business disruption plus the COVID-19 pandemic forced the world’s largest foreign exchange bureau into administration.

Equifax

For two months during 2017, the American credit bureau Equifax was subject to a massive data theft, where information relating to millions of customers was stolen. The company was initially hacked through a consumer complaint web portal, with the cyber criminals making use of a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.

The attackers were then able to move to other servers, due in large part because they were able to find usernames and passwords stored in a plain text file that then allowed them access. Data was pulled out of the network over a long period of time so that no large data movements could be detected. In total, the hackers stole the personal information of 147.7 million Americans from 48 Equifax servers over 76 days, before they were detected. The information was also encrypted by the cyber criminals so that its theft was not spotted.

The subsequent financial impact on the organisation has been massive, not to mention the jail term for the CIO who sold $950,000 worth of company shares before the data breach became public knowledge. In February 2020, the U.S. Department of Justice announced charges against four Chinese military-backed hackers in connection with carrying out the attack.

Edward Snowden – the inside job

In 2013, the now infamous Edward Snowden pilfered documents from America’s NSA and gave them to journalists - and probably governments - in an effort, he claims, to expose the U.S. government spying apparatus. According to cyber firm Venafi, as an administrator, Snowden was able to create digital certificates and cryptographic keys undetected by the NSA. Using these keys, he was able to gain access to systems and then locate the files he wanted to steal. 

For exfiltration, Snowden transferred the data over encrypted channels to his own external file share using self-signed certificates. So as far as the NSA was concerned, these signed transmissions were safe and authorised and allowed to pass unquestioned. He was able simply to copy data from the network to removable drives.

NHS 111

Most recently, in August 2022, a cyber attack on NHS supplier Advanced, the firm which provides digital services for NHS 111, targeted the system used to refer patients for care, including ambulances being despatched, emergency prescriptions and out-of-hours appointment bookings. 

The attack was reportedly due to ransomware, thought to have been the result of phishing. Once the ransomware had been inadvertently executed, it may have been operating in the background, exfiltrating data before attackers disabled systems in the network, alerting the company to the attack.

Lessons Learned?

For SolarWinds, since software such as Orion is built using components from multiple sources, a Software Bill of Materials (SBOM) should have been used. This is a way in which all the components may be listed and checked so that rogue components can quickly be identified and removed. In addition, keeping all source code encrypted on a per-file, per-user basis would have blocked any unauthorised hacker from being able to access code files.

In the case of Travelex, patching the VPN would have been a significant block to the cyber criminals, but the ransomware could easily have been deployed using other techniques such as phishing. An ‘allowlisting’ approach to application control would have blocked the ransomware, no matter how well it had been disguised. Application control, which uses allowlisting ensures that a system will only run processes that are on the authorised allowlist. All other processes are blocked. In a business environment, we know exactly what should be running on a machine, so this approach is both simple and highly effective. For SolarWinds customers, the deployment of application control which uses allowlisting would have prevented the attackers from running the malware which they installed after having gained access to each customer’s network.

In the case of Equifax, the consumer complaint web portal should of course have been patched, and no administrator or any other user should have stored usernames and passwords in a freely accessible file. While in most organisations it is highly unlikely that the whole series of errors would all happen, we all make mistakes. Systems cannot always be patched immediately because of conflicting system dependencies; and users - and administrators - sometimes do unexpected things. 

All these examples show the need for comprehensive off-network backups and better cyber security training, but also that we should always assume that a cyber criminal may always gain network access.

So, it’s important to protect the data itself. This means all of the data all of the time, no matter where it is stored or copied. Using file-level encryption to encrypt all data everywhere, the Equifax data breach would have resulted in a story which lasted just a few days, rather than years. If all their data had been encrypted so that when exfiltrated, it remained encrypted, the attackers would have stolen terabytes of completely useless data.

The same approach would have thwarted Snowden. If the encryption system provides each user with their unique encryption key, then Snowden would have been able to do his job - even moving files around - but completely unable to decrypt and access the information.

20:20 hindsight is a wonderful thing but if we are going to gain anything from these cyber attacks, we need to learn from them and look at new ways of protecting our data and not simply carry on building up more layers of defence to prevent people from getting in. 

Nigel Thorpe is Technical Director at SecureAge

You Might Also Read: 

Who Can You Trust With Your Data?:

 

« Why Companies Need A Next-Gen Approach To Business Continuity
Modernising SecOps: It’s Time To Unpick The Complex Matrix »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Tufin

Tufin

Tufin enables organizations to automate their security policy visibility, risk management, provisioning and compliance across their multi-vendor, hybrid environment.

EfficientIP

EfficientIP

EfficientIP helps organizations drive business efficiency through agile, secure and reliable network infrastructures.

CyberArk Software

CyberArk Software

CyberArk is an established leader in privileged access management and offers the most complete set of Identity Security capabilities.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

Hivint

Hivint

Hivint is a new kind of Information Security professional services company enabling collaboration between our clients to reduce unnecessary security spend.

OpenText

OpenText

OpenText is a leader in Enterprise Information Management software and a portfolio of related solutions for Information Governance, Compliance, Information Security and Privacy.

Ignyte Assurance Platform

Ignyte Assurance Platform

Ignyte Assurance Platform™ is a leader in collaborative security and integrated GRC solutions for global corporations in Healthcare, Defense, and Technology.

Aujas Cybersecurity

Aujas Cybersecurity

Aujas has deep expertise and capabilities in Identity and Access Management, Risk Advisory, Security Verification, Security Engineering, & Managed Detection and Response services.

Uniwan

Uniwan

Uniwan is an IT services company specializing in networking and security.

Kasm Technologies

Kasm Technologies

Kasm Browser Isolation - Protect your organization from malware, ransomware and phishing by using zero-trust containerized browsers.

DeepView

DeepView

DeepView delivers a unified platform for managing risk on digital platforms. One interactive secure portal allowing employees to engage their networks securely and compliantly.

Antares NetlogiX

Antares NetlogiX

Antares Netlogix are a leading Austrian service provider for IT security, critical infrastructures and managed security services.

Security Risk Management (SRM)

Security Risk Management (SRM)

SRM provide a comprehensive security risk management service encompassing people, processes, technology, governance, compliance and risk management.

Silence Laboratories

Silence Laboratories

Silence Laboratories is a cybersecurity company that focuses on the fusion of cryptography, sensing, and design to support a seamless authentication experience.

MadWolf Technologies

MadWolf Technologies

MadWolf’s mission is to deliver enterprise-quality managed services and focused applications to organizations operating in the non-profit, association and international development sectors.

runZero

runZero

runZero delivers the most complete security visibility possible, providing you the ultimate foundation for successfully managing exposures and compliance.