Cyber-attacks are more topical than ever in Australia. First there were the well-publicised ransomware attacks on Toll Holdings and Service NSW. Then Prime Minister Morrison held a press conference to announce that Australian organisations are being targeted by a sophisticated state-based cyber actor. He said the activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.
He made a great point that cyber security is a whole of community effort spanning government, industry and individuals. It is critical that everyone is aware of potential threats so that they can spot them and avoid falling victim.
One of the most prevalent types of cyber-attack is ransomware. Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive, while others simply lock the system and display messages intended to coax the user into paying.
It is estimated that ransomware attacks demanded almost US$160 million from Australian organisations in 2020, the cost of which grew to US$1 billion when you take into account downtime. And this is just the attacks that we are aware of!
Two styles of ‘ransomware attacks’ have emerged:
In the first type, criminals typically use an official looking logo to intimidate the victim (such as a local law enforcement agency or a government department) to trick victims into clicking on a link or opening file that unleashes malware that locks their screen so they cannot access their computer until a payment is made. It is a broad brush approach, distributed en masse with the hope that a portion of victims will pay the ‘fine’ or ransom demanded on the locked screen. This scenario does not typically encrypt any files on the victim’s computer (although early examples may have) and is more often just a form of malware, for which most security vendors have tools to assist.
The second type of ransomware is a more targeted and challenging concern. In this scenario, cyber criminals target a particular victim, typically a business or an organisation. The targeted computers are actually hacked and files on the computer encrypted. Without payment, files are inaccessible.
In both cases the malware is often unleashed as a result of phishing – a fraudulent communication disguised as being from a trustworthy entity that tricks the victim into clicking on a link or providing sensitive information such as usernames, passwords and credit card details. Therefore it is critical to educate employees, partners, suppliers and customers to be on the lookout for phishing attempts. But you also need a plan to minimise the impact of a successful ransomware attack.
Think like a crim! Understand the stages of ransomware attacks so that you apply controls at each stage to protect yourself. Here is the typical attack methodology:
The following controls help stop this type of attack:
Look at all the steps in the attack methodology and apply controls for each category of control for each step to help stop the attack. The simplest way of doing this is in a table whereby you map existing controls against each category of controls that protect against the relevant attack phase. Address any gaps urgently. As you do this gap analysis, do not forget controls for people and processes, physical security, disaster recovery and third parties. Mapping your controls to an adversary’s attack methodology, is the best way stop the attack.
The above advice has been purely tactical. Threats will evolve and get worse. The only way to truly protect yourself is to conduct a robust risk analysis of your environment using standards such as ISO 27001, NIST, ISM, etc. and address the issues that are found. Start with a simple health check. Understand your vulnerabilities and address them methodically. Moreover, once you are done, rinse and repeat! The threat landscape and your environment will constantly change and evolve. In order to stay on top of new and emerging threats, you have to stay ever vigilant and reassess your risks regularly.
In addition, engage in intelligence-led security. This is having relevant intelligence about threats and vulnerabilities related to your environment and protecting yourself against them. Import this information along with your vulnerability information into your Security Information and Event Management (SIEM) tool to detect threats faster and much more accurately.
The traditional risk analysis approach looks at strategies from the inside out as you are primarily focused on control gaps inside your organisation. The intelligence-led approach looks at strategies from the outside in (from the attacker’s perspective). The combination of these two approaches can truly give you a well-rounded perspective to risks and threats affecting your organisation.
Read my paper Three Ways to Protect Against Ransomware for more detail on how to employ these three practical steps.