One of 2021’s biggest cybersecurity storylines has been the jump in supply chain attacks. (They’ve jumped fourfold this year in some reports.) These attacks turn the breach of a single organization into a massive headache for hundreds of partner companies. One of the most famous examples was the breach of Kaseya in July. That attack eventually enabled the REvil ransomware organization to encrypt the data of hundreds of companies worldwide as the attack cascaded outward from Kaseya to managed service providers (MSPs) to small/medium-size businesses. In a supply chain attack, the threat comes from one of your trusted software providers, whom hackers turn into a Trojan horse before anyone realizes what’s happening.
In this post, we’ll break down how supply chain attacks happen and what you can do to protect your system from these threats that arrive when your most trusted vendors unknowingly pass a big problem along to you.
In what you might think of as a traditional hack, threat actors target one company and conduct reconnaissance to find vulnerabilities they can exploit. Then the threat actor breaks into that specific victim's computer network to exfiltrate data, launch ransomware, etc.
During a supply chain attack, the threat actors take the same initial steps, but their focus is upstream. They compromise and infiltrate a trusted vendor that supplies software or IT services to many other companies. In this kind of attack, the goal isn’t data exfiltration or launching ransomware on the vendor’s own systems. Rather, the hackers intend to sneak malware into the “supply chain” of software updates that the vendor installs on its customers’ computers. From a hacker’s perspective, these attacks are more efficient and have a greater impact because they leverage IT vendors that already have established, authorized connections into their customers’ networks and systems. That means the malware can deploy across hundreds of companies and systems virtually undetected.
Every client of the IT vendor under attack becomes part of the attack. This blows up the “security by obscurity” belief that many smaller companies adopt. They think that because they’re small, they won’t be targeted by threat actors. But with supply chain attacks, tiny companies face just as much risk as big, high-profile enterprises.
To understand these attacks, let’s break down the famous 2021 breach of Kaseya, an IT management software provider that mainly serves MSPs. On Friday, July 2, Kaseya’s incident response team identified a security incident related to Kaseya VSA. Their VSA (Virtual System Administrator) product delivers automated software patching, remote monitoring, and other capabilities so MSPs can seamlessly manage their customers' IT infrastructure. After breaking into Kaseya, the threat actors infected 50-60 MSPs. From there, they infected approximately 1,500 of the MSPs’ clients. The threat actors encrypted the victims’ data, effectively shutting down systems and networks. In Sweden, for example, the supermarket chain Coop closed 800 stores when its cash registers and payment processing systems went down—all because of a breach that was originally two steps removed from Coop’s systems.
The threat actors initially demanded $70 million to decrypt the systems, but later lowered the demand to $50 million. It appears that Kaseya refused to pay the ransom and received a decryptor tool from a third party on July 21 (yes, that’s nearly three weeks after the problem was discovered). With this tool, Kaseya was able to assist victims in restoring their systems and networks.
The SolarWinds breach that dominated headlines in December 2020 was another supply chain attack. Russian hackers, working for the Russian government, injected malicious code into SolarWinds’ IT management tool Orion, which gave the attackers access to thousands of systems when it was deployed. SolarWinds reported that up to 18,000 clients had installed the update with that malicious code. The victims of this attack included both private companies and government agencies, including NASA, the State Department, the Department of Defense, and the Department of Justice. The hackers didn’t demand a ransom, which indicates that this attack focused on espionage.
Supply chain attacks are hard to defend against because they use software updates from trusted vendors. Organizations have always been concerned about infections that come from employees opening phishing e-mails with malicious attachments; clicking links and revealing their login credentials; or plugging a virus-infected USB drive into their computer. Today though, companies must also focus on creating defenses that screen the IT software and service providers who have authorized access into their network.
Threat actors increasingly use supply chain attacks for several reasons:
To mitigate the risk of supply chain attacks, we recommend the following steps:
Pratum’s team can help you create a thorough defense strategy that protects your operations even when threats arrive from your trusted partners. Contact us for a free consultation.
Regular penetration testing provides a key pillar in your ongoing cybersecurity plans. But penetration tests come in a lot of forms, and vendors often put their own spin on describing their work. In simple terms, penetration testing involves a team of ethical hackers proactively looking for exploitable vulnerabilities in your web applications, computer systems and networks. Their job is to identify your security gaps before a hacker does and compromises your system.
To ensure you’re picking a pen test that meets your needs, use this blog to understand the purpose and value of internal penetration testing and external penetration testing. Attacks can come from any direction, so your testing has to probe for weaknesses that come from outside and inside your environment.
External pen testing examines anything with external access, including any device with a public-facing service, IP or URL such as a web application, firewall, server or IoT device. A pen tester may also try to gain access to external-facing assets such as e-mail, file shares, or websites. The pen testers simulate the work of an attacker who, depending on their motivation, may exploit a single vulnerability or chain multiple vulnerabilities together in order to gain access to sensitive data. In various parts of the Internet, hackers sell or trade information on zero-day exploits (those not listed in known vulnerability databases) for these purposes.
External pen testing methods include:
During the process, a pen tester gathers information on open ports, vulnerabilities, and the company’s users. Then they attempt to leverage that information for various attacks such as brute-forcing passwords, phishing, and targeted operating-system and service attacks.
The external pen test should reveal any areas that may be compromised and exploited to gain access to your network. The organization should also use the pen test as an opportunity to verify their current process for detecting anomalous activity. In other words, did your defenses pick up what the pen tester was trying to do and stop them?
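One concrete way to answer that last question is to check whether your logging would have surfaced the password brute-forcing mentioned above. The following is an added example, not code from the original post or from Pratum: it parses OpenSSH-style syslog lines (the sample lines are constructed, with documentation-range IP addresses) and raises one alert per source IP whose failed logins reach a threshold inside a sliding time window. The log format, the threshold and the window length are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format (not real data).
# 203.0.113.5 hammers several accounts in a few seconds; 192.0.2.9 tries
# slowly, 25 minutes apart, to show what a short window will miss.
SAMPLE_LOG = """\
Jul 14 10:00:01 bastion sshd[2101]: Accepted publickey for ops from 198.51.100.7 port 40210 ssh2
Jul 14 10:00:05 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 14 10:00:07 bastion sshd[2103]: Failed password for invalid user root from 203.0.113.5 port 51235 ssh2
Jul 14 10:00:09 bastion sshd[2104]: Failed password for ops from 203.0.113.5 port 51236 ssh2
Jul 14 10:00:11 bastion sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Jul 14 10:00:13 bastion sshd[2106]: Failed password for invalid user guest from 203.0.113.5 port 51238 ssh2
Jul 14 10:00:20 bastion sshd[2107]: Failed password for ops from 198.51.100.7 port 40211 ssh2
Jul 14 10:00:25 bastion sshd[2108]: Accepted password for ops from 198.51.100.7 port 40212 ssh2
Jul 14 10:15:00 bastion sshd[2109]: Failed password for invalid user admin from 192.0.2.9 port 60001 ssh2
Jul 14 10:40:00 bastion sshd[2110]: Failed password for invalid user admin from 192.0.2.9 port 60002 ssh2
"""

# Assumed log shape: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: Failed|Accepted
# password|publickey for [invalid user ]<user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2021):
    """Parse one sshd log line into a dict, or return None for lines we don't recognise.
    Syslog omits the year, so it is supplied as a parameter (assumed 2021 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: alert} for every source IP whose failed logins reach
    `threshold` within any `window_seconds`-long sliding window."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures in window
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that have aged out of the window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
                "attempts": len(q),
                "usernames": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {a['attempts']} failed logins between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}, "
              f"accounts tried: {', '.join(a['usernames'])}")
```

Run against the sample, the rule flags 203.0.113.5 only. The slow attempts from 192.0.2.9 fall outside a 60-second window, which is exactly the kind of gap a pen test should expose: widening the window (or counting failures per target account across all source IPs) catches the low-and-slow case, and a good exercise is to confirm which of these your SIEM actually does.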
Once a perimeter is breached, a given pen test’s rules of engagement may allow for using further attacks to gain access to internal network assets, often referred to as pivoting or lateral movement.
Most organizations focus on the perimeter in their security work. But the fact is that those with direct access to an organization’s data pose the most significant threat overall. People (even well-intentioned ones) are often easily manipulated and prone to mistakes. Many times, what happens at the host level goes unmonitored, and many organizations aren’t aware of what is entering or leaving their networks. Many common misconfigurations lead to full network compromise. All of that makes internal pen testing a critical part of your security strategy, even if your external pen test found nothing.
If your business has a file sharing system without a password, for example, you should re-evaluate who has access to various levels of content. Not every employee needs access to the same data, and unnecessary access could leave you vulnerable to an attack, whether by an employee with malicious intent or a loyal employee who unknowingly gives their login credentials to a hacker.
The expansion of work-from-home policies has created a new range of internal vulnerabilities to test. These include private networks and devices such as home WiFi, smartphones, and cable and streaming services. Connecting your organization’s network to any of those channels could open it up to external threats.
A threat actor who manages to get in through one of these channels rarely attacks right away. They may move about and gather private data by observing from within. During this quiet period, they may collect data to use later or sell to others. Hackers could lurk in your system for weeks, months or longer if proper internal auditing, patching and testing are not performed on a regular basis. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. A breach of Starwood Hotels discovered in 2018 had gone undetected for four years.
During internal pen testing, the assessor tries to find out just how much damage a threat actor or employee could do from inside the network. A poorly secured domain could lead to total control of a network, but most tests require multiple attack paths to complete the objective. Hackers often pull this off by exploiting relaxed policies that focus on convenience rather than necessary mitigations.
The tester will often use less important, easier-to-compromise systems as a channel for getting to more secure areas with higher levels of protection and more sensitive data and controls. Internal pen testing can also include privilege escalation, malware spreading, information leakage and other malicious activities.
Internal pen testing methods include:
Choosing the right security path for your business is not always simple, and there is no “standard” penetration test that works for every organization. No matter how large or small your organization, Pratum can customize a solution that provides value to your organization.
If you’re interested in learning more about the type of pen test that will work best for you, contact Pratum today.
When your cyber insurance coverage comes up for renewal this year, you can plan on a couple of new factors:
The new demands from insurance companies have gotten so rigorous that Pratum has had more than one client call to say, “They’re telling us that if we don’t implement some new cybersecurity policies ASAP, we’ll lose our cyber insurance coverage.”
Clearly, the cyber insurance market is navigating uncertain times. A 2021 AM Best report flatly stated that, “prospects for the U.S. cyber insurance market are grim.” In this blog, we’ll help you make sense of the factors driving changes in your policy and pricing right now. (If you’re just getting started with cyber insurance, read this blog to learn the basics of cyber policies.)
If a run of forest fires torches your area, you expect your homeowners’ insurance to spike in the coming years. Cyber insurance is no different. It’s a fairly recent insurance product, with only a few years of claims to guide insurance companies as they underwrite policies, set premiums and establish their profit expectations. In such a young market, many insurance companies were fairly lax on their underwriting procedures, echoing the days of easy mortgages before the 2008 financial crisis. Throw in constantly changing threats and security plans, and you have all the dry ingredients required to blow a volatile industry sky high.
In the last year, ransomware has been the match tossed into the cyber insurance tinderbox. Ransomware attacks jumped 151% in the first half of 2021, and ransom payments have quintupled from an average of $43,600 in 2019 to more than $220,000 this year.
Hackers have learned how to operate in a world where more victims have cyber insurance. When hackers breach a system, they often run a search for cyber insurance policies, just to find out what kind of budget they’re working with. If a victim balks at paying a ransom demand, the hackers are known to screenshot the victim’s own cyber insurance policy and send it over with a note saying, “Don’t lie about how much you can pay us. We’re looking at your policy’s provisions right now.”
Charts of cyber insurance claims over the last year look like hockey sticks, which means some insurance companies are losing money on their cyber insurance lines as premiums fall behind what they’re paying out in claims. Articles from within the insurance industry are using phrases like “spiraling loss costs” and “existential threat.” A recent report from Howden states, “The cyber insurance market is undergoing one of its most transformative changes since the first cyber policy was underwritten some 20 years ago.”
Earlier in 2021, seven major cyber insurance companies banded together to form CyberAcuView, “a collective effort to enhance cyber-risk mitigation efforts.” In short, the companies will be sharing claim data to make their businesses more accurate and sustainable. Will this teaming up of major players do anything good for customers? Time will tell.
Some industry watchers argue that all this represents a healthy clean-up for the industry. They’re hoping that the trials of 2021’s ransomware surge will mold a new breed of insurance company that uses more accurate underwriting, provides healthy coaching to clients and uses a combination of carrots and sticks to get clients to use better risk mitigation strategies.
As insurance companies work to stave off this seeming existential threat, expect two developments:
Many insurance companies are requiring steps such as implementing multifactor authentication before they’ll renew policies or grant new ones. And unlike in the old days of a year ago, the insurance company may not take your word for it when you say you’re doing all the right things. The insurance company may hire a third-party assessor to confirm you have the right tools in place, or it may ask to run a scan of your system for proof.
While you may find all this heavy-handed, we have to point out that the insurance companies are really just requiring what a wise organization would be doing anyway. In a world overrun with cyber threats, you’re needlessly gambling your job and your company’s future if you ignore basic cyber hygiene steps such as implementing MFA, regularly patching software, etc. And if your insurance company isn’t the one pushing you to take these steps, your industry partners and clients probably will be soon.
If you need help getting started on a set of cybersecurity policies that boost your insurance prospects along with your overall peace of mind, contact Pratum today.