Companies are getting better at detecting breaches – but must be prepared to mount large-scale crisis responses as increasing sophistication amongst cybercriminals blurs the distinction between nation-state attacks and malicious intruders, according to a former career FBI agent who has likened this year’s catastrophic NotPetya malware to the large-scale damage his office had to deal with after the 9/11 attacks on New York City.
“NotPetya was the first crisis response I ever did in the private sector where we sat beside company employees and worked 24x7,” CrowdStrike Services president and chief security officer Shawn Henry told CSO Australia. “You take over a conference room and put white paper on the walls, then brief the executives every 4 hours. You have pizzas delivered, coffees in the morning, and for the first few days you’re sleeping on the couch and don’t leave the building.”
That sort of response may seem far away in the minds of most security specialists, but as increasingly aggressive attackers ratchet up the damage from their malware, Henry believes “there will be more of these. The destructive attacks are my primary concern.”
Growing destructiveness is being fuelled by cybercriminals’ appropriation of state-based attack tools that have emerged from breaches such as the suspected CIA hacking tools leaked in a WikiLeaks dump earlier this year, which itself followed a separate release of National Security Agency (NSA) hacking tools by the hacking group Shadow Brokers.
Experts warned years ago about the potential repercussions should NSA’s hacking tools make their way to the public, and Henry believes the massive success of this year’s WannaCry and NotPetya, which leveraged just such an exploit, bodes poorly for things to come.
Increasingly aggressive attacks will test the slowly improving response capabilities of organisations – which, according to a newly released CrowdStrike casebook describing a number of real-world attacks in detail, are getting better at detecting attacks in their environments.
Self-propagation techniques, such as those used in NotPetya, “have added a new twist to ransomware and destructive attacks and their ability to paralyse clients’ operations,” the report warned. “Investigations are seeing malware variants that employ techniques designed to spread once a system is infected. Victim organisations worldwide experienced the repercussions of failing to keep critical systems up to date and relying on ineffective legacy security technologies.”
Average attacker dwell time for the analysed incidents was 86 days, the report found, with 68 percent of businesses able to detect a breach internally. This was an 11 percent jump compared with the previous year – suggesting that companies are getting better at detection – but still reflected a significant period of exposure where attackers can successfully execute a ransomware attack or steal intellectual property, money or personally identifiable information.
Security practitioners should therefore be preparing not necessarily for direct attacks by nation-state actors – which some have warned are relatively rare events that can distract CSOs – but for attacks from commercially-minded actors using tools of the same sophistication and potential impact.
Such attacks “can have a much greater impact not just on companies but on society as a whole,” Henry explained – noting that the move to signature-less and file-less attacks, which comprised two-thirds of detected attacks, had made it more important than ever to be ready to detect such compromises while they are happening, rather than waiting for a post-mortem examination after major damage has been done.
To address this risk, he said, businesses must prepare continuity of operations (COOP) plans – a framework is described in newly released US Department of Homeland Security guidance – to ensure they are prepared to respond in the event such an attack gets through. This may seem extreme for many companies, who often find themselves considering such issues for the first time – but Henry points out that it is just a natural extension of preparations that companies have long made to deal with interruptions from earthquakes, floods, and other disasters.
“If we fail to prepare for this, we are putting ourselves in a grave situation,” he warned. “We prepare for earthquakes and hurricanes in advance, and we must do the same. It’s not pretty, and it is not inexpensive – but it is a way of life. We have to start thinking about it as a precondition to these types of attacks going forward.”