- Jul 27, 2015
- 5,458
Author: Kevin Beaumont
Quote: " Houston, we have a (big) problem.
We are rebuilding entire economies around technology, while having some fundamental issues reducing foundations to quicksand. What we are seeing currently is a predictable crisis, which hasn’t yet near peaked. I’m not sure people generally understand the situation yet. The turning circle to taking action is large. With this post, I hope to lay out the reality, and some harsh truths people need to hear. I also want to state upfront that I’ve seen some cybersecurity vendor industry people beating themselves up about the situation. My take: stop that. People have done amazing work over the years on this subject, and incredible amounts of attacks are stopped due to said work. The reality is, however, the threat is becoming overwhelming and I believe an existential crisis for the security industry, and so their customers. We are stuck in a self eating circle, and it’s time to ask for help.
Before I begin, I do specifically want to highlight this tweet for non-technical audience, to explain what the experience of an organization going through a ransomware attack is like: I want to give a specific example. You’ve all heard of the pipeline attack, where panic buying lead to gas shortages. I don’t want to talk about that one.
I want to talk about hospitals in Ireland. Here’s a photo, provided by one of the impacted hospitals in the past few days, with army officers drafted in to help restore Windows 7 PCs:
That attack happened several weeks ago, caused by the ransomware group Conti, who encrypted systems across HSE — Ireland’s national healthcare system. Those officers are working to restore the system using a decryption key, reportedly provided for free by the Conti gang. You can read HSE’s website describing impacts to patients and staff — for example, Emergency Departments have “significant delays”, and staff are warned that internet access is completely unavailable, and some email systems have been lost. The fact that a nation has their army helping restore Windows 7 PCs for emergency services for weeks should be a wake up call. This example is not abnormal. It is the new normal. In the first 3 days of last week alone, I tracked 23 new ransomware and extortion victims, who are fighting attacks (most have not disclosed to the media). This Monday, I tracked 43 new organised ransomware gang incidents — before mid-day. One is a US law enforcement division. The organizations impacted are across all sectors, including critical infrastructure and healthcare. "
Quote: " Ransomware and data extortion attacks have something in common — money. There is a very well developed money ecosystem, which allows, for example:
Big game ransomware gangs are attracting payment amounts of hundreds of millions of dollars each year. As an example, leading cybersecurity insurance provider CNA Financial itself got hit by ransomware — and paid their suspected Russian attackers a $40m fee. CNA Financial Paid Hackers $40 Million in Ransom After March Cyberattack — Bloomberg
Monetization doesn’t just apply to ‘the bad guys(tm)’:
The status quo is… not quo. "
Quote: " The truth is, while governments are pushing frameworks such as Zero Trust, the amount of orgs who successfully implement these are… not many. Many companies can barely afford to patch SharePoint, let alone patch the the tens of thousands of application vulnerabilities shown in a vulnerability management program, and really struggle with accurate asset lists. A majority of organizations do not have a single person responsible for security still. Truthfully, the situation in the trenches is vastly different from what you’ll read in a management PowerPoint about InfoSec theory. A way to support organizations is to recognize that, perhaps, shouting at companies to “just patch” and “implement Zero Trust” is not actually practical right now. It’s by far the biggest disconnect I’ve seen, and the reality is organisations need support — e.g. international law enforcement action on ransomware, at scale.
IT and cybersecurity being hard, and noisy. For example, business tend to lack robust Disaster Recovery (DR) plans capable of coping with ransomware actors. Most organizations will say they have tested DR — but have they tested it, for example, a malicious actor deleting their DR environment and/or backups? Attackers have got wise that traditional backups and DR can be deleted or bypassed. "
Quote: " With ransomware gangs running around with multi-million dollar budgets, it gives them the ability to buy exploits and tools from exploit brokers at a scale normally reserved for states and nation states. While states take calculated risks in cyber intrusion operations — for example, covert spying — ransomware gangs are driven by operational impacts. In short, it is like giving rocket launchers to teenagers. This problem is not going to suddenly, magically stop. It is going to get worse. The recruitment cycle for more capabilities is accelerating, to the point where small groups of gangs are finding ways around security controls and exploring zero day exploits, which vendors have always struggled to realistically detect. Many remote access broker marketplaces list network access, behind firewalls, to thousands of organizations worldwide. As ransomware gangs continue to scale up, they have an incredibly fertile ground of future victims. Compared to nation states, who maintain global reach in usually an incredibly controlled fashion, these guys are already calling from inside the house of hospitals, police stations, TV networks and more. This is a fast growing problem. "
Quote: " Cybersecurity products need to be as easy to implement and maintain as possible. The best product on paper isn’t always the best for the organization. Customers have a responsibility to vet what they’re buying, and make operationalizing it a key buying factor (“how many people do I really need to run this?”). In short, product owners desperately need to stop sprinting for profit as the primary goal and start sprinting for customers.
Microsoft need to take more responsibility for their products and security landscape. Not as an upsell, but as a product owner. Microsoft’s Security efforts should complement and integrate with their products — security is not a value add for many organizations; it is a fundamental requirement for the customer to exist as a business.
For example, malicious use of macros in Microsoft Office is one of the single largest cybersecurity issues impacting their customers — for decades — and I believe represents a real business risk to Microsoft in terms of undermining customer faith and their security operation. In theory Microsoft are aiming to replace macros with Office Scripts, however the reality is many customers will be using Office 2013, 2016 etc and Office Scripts (requiring complete redevelopment of customer documents to function) are about as real as their customers traveling on Mars right now. It simply isn’t an answer to the problem. How could Microsoft address macros? Scrap Protected View, and add high risk functions — some macro functions shouldn’t be able to run by default in certain areas of documents (for example, AutoOpen). Basically, work the problem with radical engineering — much like Adobe Reader now has high risk functions, for example. Think differently, and radically, as if the product depends on answers about the same old techniques malware authors have used for decades within macros. Any changes should be across all supported versions, and enabled by default.
I’m not saying it would be easy. I am saying it would be right. "
Full source:
Quote: " Houston, we have a (big) problem.
We are rebuilding entire economies around technology, while having some fundamental issues reducing foundations to quicksand. What we are seeing currently is a predictable crisis, which hasn’t yet near peaked. I’m not sure people generally understand the situation yet. The turning circle to taking action is large. With this post, I hope to lay out the reality, and some harsh truths people need to hear. I also want to state upfront that I’ve seen some cybersecurity vendor industry people beating themselves up about the situation. My take: stop that. People have done amazing work over the years on this subject, and incredible amounts of attacks are stopped due to said work. The reality is, however, the threat is becoming overwhelming and I believe an existential crisis for the security industry, and so their customers. We are stuck in a self eating circle, and it’s time to ask for help.
Before I begin, I do specifically want to highlight this tweet for non-technical audience, to explain what the experience of an organization going through a ransomware attack is like: I want to give a specific example. You’ve all heard of the pipeline attack, where panic buying lead to gas shortages. I don’t want to talk about that one.
I want to talk about hospitals in Ireland. Here’s a photo, provided by one of the impacted hospitals in the past few days, with army officers drafted in to help restore Windows 7 PCs:
That attack happened several weeks ago, caused by the ransomware group Conti, who encrypted systems across HSE — Ireland’s national healthcare system. Those officers are working to restore the system using a decryption key, reportedly provided for free by the Conti gang. You can read HSE’s website describing impacts to patients and staff — for example, Emergency Departments have “significant delays”, and staff are warned that internet access is completely unavailable, and some email systems have been lost. The fact that a nation has their army helping restore Windows 7 PCs for emergency services for weeks should be a wake up call. This example is not abnormal. It is the new normal. In the first 3 days of last week alone, I tracked 23 new ransomware and extortion victims, who are fighting attacks (most have not disclosed to the media). This Monday, I tracked 43 new organised ransomware gang incidents — before mid-day. One is a US law enforcement division. The organizations impacted are across all sectors, including critical infrastructure and healthcare. "
Quote: " Ransomware and data extortion attacks have something in common — money. There is a very well developed money ecosystem, which allows, for example:
- The monetization of obtaining initial access to a desktop PC (e.g. an email) or an insecure internet connected service
- The monetization of selling that access — initial access brokers
- The monetization of market places — eBay style websites where anybody can buy access to networks worldwide, many of which feature access to thousands of organizations
- The monetization of selling generic offensive security tools — for example, “macro builder” tools to add malicious content to Microsoft Office documents, “crypter” tools to try to evade anti-virus solutions etc.
- The monetization of selling and reselling remote access trojans and botnets — for example, Locky and Trickbot, providing remote access to endpoints.
- The monetization of selling ransomware software and access to Ransomware-as-a-Service platforms.
- The monetization of hiring developers and staff for marketplaces, developing generic offensive security tools, remote access trojans, botnets, ransomware payloads etc.
- The monetization of hiring ‘pen testers’ to break into organizations.
Big game ransomware gangs are attracting payment amounts of hundreds of millions of dollars each year. As an example, leading cybersecurity insurance provider CNA Financial itself got hit by ransomware — and paid their suspected Russian attackers a $40m fee. CNA Financial Paid Hackers $40 Million in Ransom After March Cyberattack — Bloomberg
Monetization doesn’t just apply to ‘the bad guys(tm)’:
- Some Cyber Threat Intelligence providers scrape, infiltrate and sell access to botnet data, victim data etc.
- Security vendors are booking record sales for technology and services — a minority with bizarre, almost Theranos style claims which overpromise what they can deliver, for huge budgetary sums.
- Some product owners are using security woes in their own products to upsell their security services and offerings.
- Cryptocurrency markets are facilitating transactions and earning transaction fees.
- Some insurance companies offer protection policies for ransomware.
- Specialist negotiation companies exist within the US to facilitate payment to ransomware gangs.
- Cybersecurity companies make many of the ‘red team’ tools reused by ransomware gangs.
The status quo is… not quo. "
Quote: " The truth is, while governments are pushing frameworks such as Zero Trust, the amount of orgs who successfully implement these are… not many. Many companies can barely afford to patch SharePoint, let alone patch the the tens of thousands of application vulnerabilities shown in a vulnerability management program, and really struggle with accurate asset lists. A majority of organizations do not have a single person responsible for security still. Truthfully, the situation in the trenches is vastly different from what you’ll read in a management PowerPoint about InfoSec theory. A way to support organizations is to recognize that, perhaps, shouting at companies to “just patch” and “implement Zero Trust” is not actually practical right now. It’s by far the biggest disconnect I’ve seen, and the reality is organisations need support — e.g. international law enforcement action on ransomware, at scale.
IT and cybersecurity being hard, and noisy. For example, business tend to lack robust Disaster Recovery (DR) plans capable of coping with ransomware actors. Most organizations will say they have tested DR — but have they tested it, for example, a malicious actor deleting their DR environment and/or backups? Attackers have got wise that traditional backups and DR can be deleted or bypassed. "
Quote: " With ransomware gangs running around with multi-million dollar budgets, it gives them the ability to buy exploits and tools from exploit brokers at a scale normally reserved for states and nation states. While states take calculated risks in cyber intrusion operations — for example, covert spying — ransomware gangs are driven by operational impacts. In short, it is like giving rocket launchers to teenagers. This problem is not going to suddenly, magically stop. It is going to get worse. The recruitment cycle for more capabilities is accelerating, to the point where small groups of gangs are finding ways around security controls and exploring zero day exploits, which vendors have always struggled to realistically detect. Many remote access broker marketplaces list network access, behind firewalls, to thousands of organizations worldwide. As ransomware gangs continue to scale up, they have an incredibly fertile ground of future victims. Compared to nation states, who maintain global reach in usually an incredibly controlled fashion, these guys are already calling from inside the house of hospitals, police stations, TV networks and more. This is a fast growing problem. "
Quote: " Cybersecurity products need to be as easy to implement and maintain as possible. The best product on paper isn’t always the best for the organization. Customers have a responsibility to vet what they’re buying, and make operationalizing it a key buying factor (“how many people do I really need to run this?”). In short, product owners desperately need to stop sprinting for profit as the primary goal and start sprinting for customers.
Microsoft need to take more responsibility for their products and security landscape. Not as an upsell, but as a product owner. Microsoft’s Security efforts should complement and integrate with their products — security is not a value add for many organizations; it is a fundamental requirement for the customer to exist as a business.
For example, malicious use of macros in Microsoft Office is one of the single largest cybersecurity issues impacting their customers — for decades — and I believe represents a real business risk to Microsoft in terms of undermining customer faith and their security operation. In theory Microsoft are aiming to replace macros with Office Scripts, however the reality is many customers will be using Office 2013, 2016 etc and Office Scripts (requiring complete redevelopment of customer documents to function) are about as real as their customers traveling on Mars right now. It simply isn’t an answer to the problem. How could Microsoft address macros? Scrap Protected View, and add high risk functions — some macro functions shouldn’t be able to run by default in certain areas of documents (for example, AutoOpen). Basically, work the problem with radical engineering — much like Adobe Reader now has high risk functions, for example. Think differently, and radically, as if the product depends on answers about the same old techniques malware authors have used for decades within macros. Any changes should be across all supported versions, and enabled by default.
I’m not saying it would be easy. I am saying it would be right. "
Full source:
The hard truth about ransomware: we aren’t prepared, it’s a battle with new rules, and it hasn’t…
I’ve talked about ransomware and extortion attacks on organizations for about a decade. I recently spent a year at Microsoft in Threat…
doublepulsar.com