Cyber security threats are constantly evolving, but in the last seven months a calculated and vicious new strain of attack has emerged, sophisticated enough to take down large business organizations.
Vigilant, one of our leading security partners, has been seeing sophisticated new threat actors that operate in a very systematic way to dismantle an organization. These threat actors operate with patience; an attack may take months or even a year. Their goal is to quietly learn as much as possible about an organization so that they can eventually shut down all of its operations and lock it out of its own systems. Once the organization is locked out, they hold the company hostage until a sum, sometimes in the millions of dollars, is paid.
How These Attacks Are Carried Out
- Attackers gain initial access through an open port on a firewall, a vulnerability in an exposed system, or a user clicking on a malicious link.
- The attacker then quickly pivots to another system and, in most cases, deploys easy-to-identify malware on the original system as a decoy. This prompts the IT department of the attacked organization to run antivirus on that machine or re-image it, which takes them off the attacker's trail and destroys evidence of the real intrusion.
- The attacker then establishes persistence on 25 or more machines so that losing any single foothold does not cost them control of the environment.
- Next, the attacker gains control of key servers, identifies the backup systems and where the backups are stored, maps the file servers, takes over email, and learns the financial status of the organization (in other words, how much it can pay). This step may take months, up to a year.
- Once the attackers have taken control of key systems and feel they have learned enough to take the company down, they lock down all networking, firewalls, email servers, file servers, manufacturing lines and authentication servers, essentially turning the company off.
- The attacker then holds the company to ransom and leaves it disabled until the ransom is paid.
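Two of the stages above leave footprints that a hunt team can look for before the lock-down: one account fanning out to many hosts while the attacker plants persistence, and commands that destroy local recovery points before the backups disappear. The following Python script is an added example and is not code from the original post or from Vigilant; the log format, field names, host names, thresholds and the backup-tampering command patterns are assumptions made for illustration, and the sample log lines are constructed.

```python
"""Hunting for two behaviours from the attack chain above, over constructed
Windows-style logon and process-creation events.

Added example only: this is not code from the original post or from
Vigilant. The event format, field names, host names, thresholds and the
backup-tampering command patterns are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known commands used to destroy local recovery points before a lock-down.
# Treated here as an illustrative (assumed) hunt list, not an exhaustive one.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]


def build_sample_log():
    """Constructed sample log: one account fanning out to 30 hosts, one normal
    admin touching 3 hosts, then shadow-copy deletion on a compromised host."""
    base = datetime(2024, 3, 1, 1, 0, 0)
    lines = []
    for i in range(30):  # attacker foothold spraying logons at 5-minute intervals
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()}|LOGON|svc_backup|WS-042|HOST-{i + 1:02d}|type=3")
    for i, host in enumerate(["FS-01", "MAIL-01", "DC-01"]):  # ordinary admin activity
        ts = base + timedelta(hours=1, minutes=20 * i)
        lines.append(f"{ts.isoformat()}|LOGON|jdoe|ADMIN-WS|{host}|type=3")
    t = base + timedelta(hours=3)
    lines.append(f"{t.isoformat()}|PROCESS|svc_backup|HOST-05|HOST-05|vssadmin.exe list shadows")
    t += timedelta(minutes=1)
    lines.append(f"{t.isoformat()}|PROCESS|svc_backup|HOST-05|HOST-05|vssadmin.exe delete shadows /all /quiet")
    t += timedelta(minutes=1)
    lines.append(f"{t.isoformat()}|PROCESS|svc_backup|HOST-05|HOST-05|wbadmin delete catalog -quiet")
    return lines


def parse_event(line):
    """Parse one 'timestamp|EVENT|user|source_host|dest_host|detail' record."""
    ts, event, user, src, dst, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user,
            "src": src, "dst": dst, "detail": detail}


def hunt_fanout(events, window=timedelta(hours=24), threshold=25):
    """Flag any (user, source host) pair that logs on to >= threshold distinct
    hosts inside a sliding time window: the persistence-on-25+-machines stage."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON" and e["src"] != e["dst"]:
            by_actor[(e["user"], e["src"])].append((e["ts"], e["dst"]))
    findings = []
    for (user, src), logons in by_actor.items():
        logons.sort()
        best, best_start = set(), None
        for i, (start, _) in enumerate(logons):  # window anchored at each logon
            dests = {d for ts, d in logons[i:] if ts - start <= window}
            if len(dests) > len(best):
                best, best_start = dests, start
        if len(best) >= threshold:
            findings.append({"user": user, "source": src, "hosts": len(best),
                             "window_start": best_start})
    return findings


def hunt_backup_tampering(events):
    """Flag process-creation events whose command line matches a backup-
    destruction pattern; the victims described above found their backups erased."""
    hits = []
    for e in events:
        if e["event"] != "PROCESS":
            continue
        if any(p.search(e["detail"]) for p in BACKUP_TAMPER_PATTERNS):
            hits.append({"ts": e["ts"], "host": e["src"], "user": e["user"],
                         "cmd": e["detail"]})
    return hits


def run_hunt(lines=None):
    """Run both hunts over the given log lines (default: the constructed sample)."""
    if lines is None:
        lines = build_sample_log()
    events = [parse_event(line) for line in lines]
    return {"fanout": hunt_fanout(events), "backup_tampering": hunt_backup_tampering(events)}


if __name__ == "__main__":
    result = run_hunt()
    for f in result["fanout"]:
        print(f"FAN-OUT: {f['user']}@{f['source']} reached {f['hosts']} hosts from {f['window_start']}")
    for h in result["backup_tampering"]:
        print(f"BACKUP TAMPERING: {h['host']} {h['user']} {h['ts']} :: {h['cmd']}")
```

Run against the constructed sample, the fan-out hunt reports only `svc_backup` from `WS-042` (30 hosts), not the administrator who touched three, and the backup hunt reports the two destructive commands but not the harmless `vssadmin list shadows`. The threshold and window are tuning knobs: a lower threshold catches smaller footholds at the cost of flagging legitimate administrators, which is exactly the kind of judgement call an analyst, rather than an automated rule, has to make.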
Since the beginning of the year, Vigilant has been approached by eight organizations that were attacked in this manner. In one case, the consequences included data loss, a significant decrease in customers and great financial loss, including a ransom payment in the millions. Vigilant does not typically recommend paying the ransom, but the threat actor had been in the customer's network for a long time and had dismantled the environment quite successfully. The backups had been completely erased, so the customer had no other way to get back up and running. Vigilant was able to cordon off the compromised infrastructure and allow the client to rebuild everything quickly on isolated, clean systems. This company was facing significant fines for being down, so time was of the essence. Even so, this was a good outcome. Other companies have simply gone out of business.
How To Mitigate These Attacks
- Act now. There is no time to find a place in next year's budget or a slot in a project plan; this is a serious danger that can put you out of business overnight.
- Deploy detection and prevention technology that is not "off the shelf". Commoditized tooling built on widely available technology leaves you behind the attacker, because the attacker has access to the same tools and can test their methods against them in advance.
- Obtain threat intelligence that is curated and specific to your organization.
- Do not rely on SIEM and firewall technologies alone for detection, as these are easily visible to, and attackable by, threat actors once they are inside your network.
- Ensure that you have a team of highly qualified analysts consistently hunting through your network and system traffic for threats. This does not mean artificial intelligence or automated detection; it means actual people investigating. If you cannot afford to build such a team, or do not have the expertise, it is important to outsource to a managed security provider.
Our cyber security partners, such as Vigilant, provide custom technology that can be deployed across your entire organization, fully configured, within 24 to 48 hours, together with a full team of analysts as a service who investigate all traffic and find threats while they are still small, before your organization is held captive. These providers investigate all layers of communication in your organization, globally and in near real time, to determine where threats are taking place and to stop them. In addition to continuously verifying data, companies such as Vigilant record all network traffic forensically, like a DVR, so the actual network state of your organization can be rewound, paused and investigated, tracking the threat actor faster than they can move through your environment.
Please reach out if you would like to schedule time with one of our leading cyber security partners for an initial security assessment to identify any gaps and begin remediation immediately, before your company is held captive.