Implications To Businesses
The implications of the 2017 NotPetya ransomware attacks were foreshadowed in the business disruptions caused by attacks months prior and in the online reconnaissance conducted by hackers across the dark web. NotPetya, while in some ways just another ransomware variant, leveraged the Shadow Brokers' release of the alleged National Security Agency (NSA) origin EternalBlue vulnerability. The combination of this relatively unknown (prior to April 2017) vulnerability and the more recently developed NotPetya exploit is but one of dozens of hacker tools released by WikiLeaks in the spring of 2017 that will shape the cyber security battlefront for years to come.
We have actively seen the hacker underground working diligently to incorporate these new exploits into their toolkits in an effort to compromise networks more effectively. Given the sophistication of some of the techniques involved, there is often a delay in attack execution while hackers attempt to reverse engineer the code to figure out what a tool actually does and how it can be incorporated into existing attack planning. All of this activity is observable reconnaissance behavior if you know where to look. As more cybercriminals and adversarial nation-states customize the leaked government tools and learn to better leverage their capabilities, NotPetya will soon be known as simply the second salvo (Petya being the first) in a new era of cyber warfare.
As these leaked tools become more of a mainstay in the hacker arsenal, the effectiveness of an attack will be felt on a grander scale, from business disruptions to supply chain networks around the world. Organizations must be prepared, responsible, strategic and proactive when it comes to protecting themselves from the new reality, in which the technical barriers to entry continue to lower for new attackers while the toolsets at their disposal quickly proliferate and strengthen. Here are some of the basics that every organization should be doing.
Proactive Threat Mitigation
Outside-In Threat Detection
One of the most effective ways to defeat an attack is to know about it before it impacts your business. Knowing what the hacker underground is discussing, which technologies are currently of interest from an exploitation perspective, and whether your organization is on a target list are all paramount to heading off an attack. Maintaining real-time intelligence on hacker operations and on trends in which technologies are being targeted is critical to developing advance warning and indications of attacks.
Inside-Out Threat Detection
To know where threats could impact your business, prudent companies must first thoroughly understand their digital footprint: the inventory of hardware and software running across the enterprise, all systems and network segments, and their locations and functions. Ask questions such as, "What function does this serve, and is it critical for corporate value capture and creation?" An up-to-date accounting of all endpoints and devices touching the network, whether company-owned, employee-owned, or contractor-provided, is critical to understanding the entirety of the attack surface.
Secure Vendor Initiative
In addition to threats against the enterprise itself, those directed at its supply chain from outside the digital walls of the organization are often equally to blame for compromises. Continuous monitoring of the supply chain for vulnerabilities in the technologies being used, discussions in hacker forums, and threat trends in an industry provides critical advance indications and warning of a potential future attack. Working with your supply chain members to ensure they maintain effective security controls and up-to-date hardware and software, as well as an awareness that they are of interest to attackers, helps mitigate threats long before they reach an organization's digital borders.
As threats grow in scale and severity with the proliferation of data-driven technologies, protecting against routine and targeted threats without disrupting operations and growth is a financial imperative. While practices like asset inventory and understanding the extent of attack planning are critical for resource allocation, prevention, and detection of threats, such practices can also serve as valuable inputs to a more precise method of quantifying the financial impact of a successful breach. Using vulnerability information inherent to a network environment combined with intelligence on company-specific threats collected from the dark web and global threat trends, corporate stakeholders can learn of statistically derived loss scenarios and the impact those contingencies may have on financial, operational, and strategic performance. Using innovative threat quantification techniques, companies can develop better awareness of their tailored threat landscape and model probable financial loss should an attack or inadvertent cyber loss event occur.
Incident Response & Remediation
If and when a cybersecurity breach happens, a quick but thorough response is imperative to prevent further damage, especially in the case of ransomware attacks. When an incident is discovered, an organization needs to quickly determine the who, what, when, where, why and how in order to mount the most effective response and remediation. Attacks progress faster as defenses adapt, so the already narrow time window between detection and response continues to shrink. A system reinstall is commonly necessary as part of an organization's incident response and business continuity plans. However, recent breaches have shown that re-infection after reinstall is a common characteristic of advanced threats. A partial remediation is not a remediation at all: attackers will come back stronger, often having learned from the mistake that prevented the full effect of their first attempt.
As always, an ounce of prevention is worth a pound of cure. Proactive threat mitigation, integration of real-time threat intelligence, and cyber security hygiene across all connected assets in an environment will go a long way toward preventing an attack, or at least cause an attacker to consider an easier target. Likewise, a proactive security posture will enable a more effective response if and when a cyber breach happens.
ABOUT LIBERTY ADVISOR GROUP
Liberty Advisor Group is a goal-oriented, client-focused and results-driven consulting firm. We are a lean, handpicked team of strategists, technologists and entrepreneurs, battle-tested experts with a steadfast, start-up attitude. Our team, with an average of 15+ years of experience, has delivered over $1 billion in operating income improvement and over 300 M&A deals for our clients. We collaborate, integrate and ideate in real time with our clients to deliver situation-specific solutions that work. Liberty Advisor Group has the experience to realize our clients' highest ambitions. This year, Liberty has been named to the 2019 Best Places to Work in Chicago and to FORTUNE's list of Best Workplaces in Consulting and Professional Services.