With attacks on US critical infrastructure on the rise, ransomware has become a leading threat to national security.
In the past year, bad actors have taken hospitals offline, cut off access to oil and gas, and disrupted the food supply chain. After May 2021’s Colonial Pipeline attack – an intrusion that ended with the payment of a $4.4 million ransom – two things became abundantly clear:
Solarwinds Orion Attack – December 2020
What Happened in the Solarwinds Cyber Attack
In the SolarWinds Orion attack, a backdoor inserted into a single DLL shipped with the product turned a routine software update into a threat to organizations in both the private and public sector, and led to follow-on breaches at many of the companies and agencies that ran the application. Orion is a widely used IT management platform, deployed across the US government and the security industry among other sectors.
The backdoor, hidden in that DLL and consisting of approximately 4,000 lines of code, let the threat actor behind the attack operate freely inside compromised networks once the trojanized update was installed.
What Happened in the Colonial Pipeline Attack
According to cybersecurity experts, Colonial may not have used up-to-date safeguards, such as endpoint agents that continuously scan the network for irregularities and are configured to detect known threats. With few such controls in the way, the ransomware group known as DarkSide used standard penetration-testing tooling to gain a foothold and launch a ransomware attack on Colonial Pipeline.
DarkSide’s Colonial Pipeline Attack Impact
The Colonial Pipeline carries roughly 45 percent of the fuel consumed on the US East Coast. In response to the attack the pipeline was shut down for several days, and millions of people across the region were left unable to buy gasoline.
What Happened in the Kaseya Attack
REvil, the notorious ransomware-as-a-service gang, used the July 4th holiday weekend to launch a crippling supply chain attack against Kaseya, the managed service providers (MSPs) that use its software to monitor their customers’ infrastructure, and those end customers themselves.
The first sign, according to reports from customers and others, was that endpoints managed by Kaseya’s on-premises VSA software were behaving abnormally. Customer reports then confirmed that ransomware was being executed on those endpoints.
The executive order (EO) also requires IT service providers to share incident information with the government. This is a good thing: reporting between the private and public sector will increase visibility into these attacks. The tactics, techniques, and procedures (TTPs) exposed through that sharing can feed better protection mechanisms into security controls, and speed up and improve the accuracy of remediation when an attack is under way.
The EO also establishes a Cyber Safety Review Board, co-led by private and public sector members. The board will convene after significant cyber events or breaches to learn from them and make recommendations to the public on how to avoid future events. Those lessons learned could strengthen security software, or change how security analysts interpret events and hunt for malware.
The EO’s software supply chain provisions should result in better coded, more secure software. They also mandate a pilot program to create a certification label (comparable to the “Energy Star” badge) so that government and private sector buyers can tell whether software was developed securely, giving the parties investing in the software some degree of confidence.
With this program in place, software shouldn’t ship with the “built-in vulnerabilities” we’ve all become used to over time. Of course, this will reduce, not eliminate, cyber incidents in the future.
Had this order been issued sooner, it’s possible that the “approved software” rating program might have helped prevent an event like the SolarWinds attack.
Related Reading: Does CMMC Immunize You to Ransomware?
There are a few suggestions in the EO for the private sector, but no real teeth (no enforcement). So long as private sector SecOps teams are treated as cost centers rather than profit centers, it’s likely not much will change.
That said, with the increasing public focus on cybersecurity, companies that make security a priority could differentiate themselves in their markets. With the rise of third-party risk, partners may be more willing to do business with, and customers more comfortable storing their data with, companies they know to be more secure.
The other option would be to extend the EO’s requirements to the private sector. The caveat is that if the feds mandate something on this side of the fence, they’d most likely have to subsidize those efforts.
And while a nationwide mandate to raise our collective cybersecurity hygiene sounds like a great idea in theory, it would be difficult to pass amid the partisan gridlock in the US Congress.
With this EO, any vendor supplying software to the federal government will have to raise its game. New security standards will be in place, aimed at eliminating the sloppy code that leads to security vulnerabilities, and a badge or rating for approved software will let public (and private) sector buyers know it was developed under those standards. Private sector entities that buy software certified under this program can be more confident that the code was built securely, although a label is no guarantee against an incident like the recent REvil attack that spread through Kaseya’s VSA.
Preparing for this shift
Adopting a security framework such as the NIST Cybersecurity Framework or CMMC, among others, to improve your cybersecurity hygiene can lessen the impact of ransomware and other malware attacks on your organization. You can also engage a third-party expert such as Avertium for an unbiased opinion on your current security posture and a remediation roadmap.
The Feds providing mandates and some financial assistance could bring everyone’s security hygiene up to par.
Even for larger corporations that could afford it, the business case for SecOps spending breaks down in the face of mandates, as no company wants to hurt its bottom line. Like smaller companies, they have a finite budget to work within, and enhancing their security posture could push past it.
Unfortunately, smaller companies represent low-hanging fruit for RaaS gangs and botnet operators, so unless they’ve been very savvy with their security spend, it’s not a question of if they’ll be attacked, but when.
XDR, Zero Trust, information sharing, enhanced monitoring and logging, end-user awareness training, penetration tests, vulnerability scanning: these are just a few of the steps that can be taken to increase cyber readiness in both the public and private sectors.
Related Reading: A Zero Trust Network Architecture (ZTNA) POV with Appgate
Whether the motives behind cyberattacks are revenue-driven, to steal intellectual property (IP), or to cause disruption within a nation-state, one thing is certain: these attacks will continue for the foreseeable future.
The name of the game in 2021 is prevention. If we don’t get ahead of these attacks, we’ll keep seeing breaches flood the headlines, have our critical infrastructure and supply chains disrupted, and pay exorbitant sums in ransoms.
We have the means to reduce these attacks. So, do we want to invest in prevention? Is the price of inaction high enough yet? If not, what’s it going to take? There have been some 21,000 “reported” malware attacks so far in 2021 and we’re just now over halfway through the year. What does the rest of the year hold in store?
If the expertise doesn’t exist within your company, or you simply don’t have the cycles to implement, manage, and monitor the proper security controls, Avertium, a trusted advisor, can assist with Managed Security and Professional Services to plan and stand up the environment. Extended Detection and Response (XDR) and Managed Zero Trust Networking can also remove much of the complexity of protecting against ransomware and other malware attacks.