
The cyberkill chain and how to break it


Above: Illustration by macrovector/DepositPhotos.com

BitDepth#1382 for November 28, 2022

In a conversation with IT professionals on November 02, Marcelo Ardiles, cybersecurity consultant at Hitachi Systems, explained what he described as the cyber kill chain of a ransomware attack.

Between 2021 and 2022, the share of companies hit by ransomware rose from 22 per cent to 35 per cent, and ransomware is now the greatest threat to companies and organisations.

The term comes from Lockheed Martin's adaptation of the military concept of a kill chain, the sequence of steps that makes up a successful attack.

Lockheed Martin breaks the cybersecurity equivalent into seven distinct phases: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives.

Marcelo Ardiles. Photo courtesy AMCHAM

During reconnaissance, attackers look for information that can be used to break into computer systems.

Techniques include harvesting email addresses and personal information from press releases, contracts and conference attendee lists, reviewing breached and leaked data, and discovering the company's internet-facing servers.

Once an entry point is identified, it is weaponised, usually by preparing a decoy document with embedded code that will install a malware payload on the intended target.

Cleverly written and designed phishing emails are favoured, an attack vector that accounts for 70 per cent of the risk of system compromise (unpatched software is second at 56 per cent).

Malware can also be hidden on a USB flash drive, and supply chain attacks bring infected software components in from external services and suppliers, often during a scheduled software update.

Websites can also deliver malicious code during ordinary browsing (a drive-by download), dropping files onto a computer without the user deliberately downloading anything.

While antivirus software will scan downloads, modern malware is often delivered encrypted or packed, so these tools cannot inspect the payload until it has been unpacked on the target.

Social engineering techniques, such as sending malware inside an official-looking, password-protected document with the password in the covering message, increase the confidence of the unwary while bypassing antivirus scanning entirely, since the scanner cannot open the file.

Once the code is running on the system, it establishes a connection back to the attacker's computer and transmits information gathered from its initial beachhead.

The initial malware is normally a small package of code that installs a backdoor for communication (a webshell, for example), which it then uses to download a command and control (C2) agent that gives the attacker full control of the compromised computer.

To establish persistence on the compromised system, the malware installs routines that relaunch it at startup and masquerade as part of a standard operating system installation.

With the C2 agent in place (Covenant is a popular .NET C2 framework), the attacker will attempt to extend their access to more of the computer network.

As the attacker gains greater access, they move laterally through the network, collecting and exfiltrating data, then destroying systems and corrupting or overwriting data.

Lockheed Martin's Cyber Kill Chain.

The end goal of most ransomware attacks is double extortion: first exfiltrating company data and corrupting or deleting any reachable backups, then encrypting systems and demanding a fee, with the threat of publishing the stolen data if the victim does not pay.

How do companies respond to threats that are often mobilised with an agility few IT departments can match?

The most effective intervention happens at the very start of the cyberkill chain by training employees to understand the nature of cybersecurity threats.

This awareness training must be conducted continuously, updating users on new phishing lures and coaching them in the identification of often persuasive fake emails.

Implement multifactor authentication (something you know plus something you have) for all users, including managers who complain that it is a hassle that does not apply to them.

Network administrators should scan their systems for vulnerabilities and likely entry points, and fastidiously apply updates and patches to server infrastructure.

Preventive efforts should also include analysing events and alerts on the network.

Users should have the lowest level of privilege required to do their jobs, and all software installations should be approved and monitored.

Assume that systems are already compromised. Monitor internet traffic, particularly connections to unknown URLs or DNS servers and unusual downloads or uploads, and keep the tools that analyse the network for malware continuously updated.
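The kind of monitoring described above, and the command and control traffic described earlier in the column, can be illustrated with a small log analyser. This is an added example, not code from the column or from Hitachi Systems: it reads constructed web-proxy log lines (the format, host names, domains, allowlist and thresholds are all assumptions for the example), flags any host that contacts a domain outside the allowlist at suspiciously regular intervals, which is what a C2 agent checking in looks like, and flags single large uploads to unknown domains as possible exfiltration.

```python
"""Hunting for C2 beacons and exfiltration in outbound proxy logs.

Added illustration, not part of the column. The log format, hosts,
domains, allowlist and thresholds below are all assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<iso time> <client> <method> <host> <bytes_out>".
# ws-14 checks in with an unknown domain every ~60 s (beacon);
# ws-07 browses an unknown blog at irregular, human intervals;
# ws-22 pushes 50 MiB to an unknown file share in one request.
SAMPLE_LOG = """\
2022-11-28T09:00:00 ws-14 GET updates.example-corp.internal 310
2022-11-28T09:00:05 ws-14 POST cdn-stat-check.xyz 512
2022-11-28T09:01:05 ws-14 POST cdn-stat-check.xyz 498
2022-11-28T09:02:06 ws-14 POST cdn-stat-check.xyz 520
2022-11-28T09:03:05 ws-14 POST cdn-stat-check.xyz 505
2022-11-28T09:04:06 ws-14 POST cdn-stat-check.xyz 515
2022-11-28T09:05:05 ws-14 POST cdn-stat-check.xyz 501
2022-11-28T09:00:12 ws-07 GET blog.example.net 220
2022-11-28T09:07:40 ws-07 GET blog.example.net 240
2022-11-28T09:31:02 ws-07 GET blog.example.net 210
2022-11-28T09:45:55 ws-07 GET blog.example.net 235
2022-11-28T10:02:00 ws-07 GET blog.example.net 215
2022-11-28T10:15:00 ws-22 PUT files.unknown-share.top 52428800
2022-11-28T10:16:00 ws-22 GET updates.example-corp.internal 300
"""

# Hypothetical allowlist of domains the business expects its machines to use.
ALLOWLIST = {"updates.example-corp.internal", "mail.example-corp.internal"}

MIN_BEACONS = 5                 # contacts needed before judging regularity
MAX_JITTER = 0.15               # stdev/mean of the gaps; C2 check-ins are clock-like
UPLOAD_LIMIT = 10 * 1024 * 1024  # bytes out in a single request worth a look


def parse_line(line):
    """Parse one constructed log line into (time, client, method, host, bytes_out)."""
    ts, client, method, host, bytes_out = line.split()
    return datetime.fromisoformat(ts), client, method, host, int(bytes_out)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_unknown(host):
    return host not in ALLOWLIST


def find_beacons(events):
    """Return {(client, host): (count, mean_gap_s, jitter)} for regular
    contact with hosts outside the allowlist."""
    by_pair = defaultdict(list)
    for ts, client, _method, host, _bytes in events:
        if is_unknown(host):
            by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= MAX_JITTER:
            beacons[pair] = (len(times), avg, jitter)
    return beacons


def find_large_uploads(events):
    """Return [(client, host, bytes_out)] for big single uploads to unknown hosts."""
    return [(c, h, b) for _ts, c, m, h, b in events
            if is_unknown(h) and m in ("POST", "PUT") and b >= UPLOAD_LIMIT]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for (c, h), (n, avg, j) in find_beacons(ev).items():
        print(f"BEACON  {c} -> {h}: {n} contacts, every {avg:.0f}s, jitter {j:.2f}")
    for c, h, b in find_large_uploads(ev):
        print(f"UPLOAD  {c} -> {h}: {b} bytes in one request")
```

On the sample data only ws-14's minute-by-minute check-ins and ws-22's 50 MiB upload are reported; ws-07's irregular browsing of an unknown site is left alone, which is the point of measuring regularity rather than just "unknown domain". Real C2 frameworks add jitter to their sleep interval, so in production the threshold is tuned against your own baseline and combined with domain age, reputation and the volume of data leaving.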

Plan for the worst possible scenario and operate on the assumption that you will be hit by a ransomware attack.

Develop an incident response plan that details the steps to be taken once a compromise is revealed and then test it, running the exercise regularly. Test backups and the recovery process.

For small and medium businesses, consider, at the very least, a hardware firewall to monitor outgoing and incoming data flows.

Firewalla (firewalla.com) offers a range of devices designed to simplify this measure of protection, but setting up most firewalls may require a networking professional.

According to Daniel Ehrenreich of Secure Communication and Control Experts, industrial control systems – including SCADA (Supervisory Control and Data Acquisition), a widely used category of software for controlling and monitoring industrial processes in sectors such as oil and gas – should be managed with particular care.

Intrusions into such systems may take up to 200 days to be detected, Ehrenreich warned, urging businesses to map the landscape of risk, design effective incident response, prepare for business continuity and create an architecture for disaster recovery planning.

Trinidad and Tobago’s businesses could generally benefit from more collaboration on cyberthreat intelligence and private sector organisations should encourage networking and information sharing on this aspect of institutional cybersecurity response.
