Ransomware, Response Dominate Irish Cybercrime ConferencePrioritize Preparation, Basics and Transparency, Experts Urge IRISSCON Attendees
The specter of the May attack on Ireland's national health service loomed large at the IRISSCON 2021 cybercrime conference Thursday in Dublin.
The event, run by Ireland's first computer emergency response team, the Irish Reporting and Information Security Service, or IRISS-CERT, was launched in 2009 and has run annually ever since, except when it was forced to cancel in 2020 due to the COVID-19 pandemic.
In the intervening time, of course, public discussion over cybersecurity has surged, not least due to the damage being done by ransomware-wielding attackers, said cybersecurity journalist Gordon Smith, who once again served as conference moderator.
"Everyone remembers the attack on the Health Service Executive this year," said Smith. "That's probably not the most technically advanced attack you've come across, but nobody can deny the devastating consequences it has."
The need to interrogate actual cyber harms - versus myths - was the focus of Ciaran Martin, who ran Britain's National Cyber Security Centre from its launch in 2014 until 2020.
With the attack on HSE in May, "2021 is the year cyber harm came to Ireland in a very, very obvious way," said Martin, who's now a professor of practice at the University of Oxford's Blavatnik School of Government.
But HSE wasn't the only domestic ransomware victim this year, said Jen Ellis, vice president of community and public affairs at Rapid7. She named Technological University of Dublin, National College of Ireland, Accenture "and possibly more, because ransomware attacks are massively underreported."
Getting organizations to report such attacks was one of 48 recommendations included in an April report released by the Ransomware Task Force, which she co-chaired. The report, released just weeks before the May attack on Colonial Pipeline, includes 48 recommendations for addressing ransomware, including to "recognize that ransomware is a threat to national security."
Life After 'War Games'
But of course, the underlying threats and risks have been discussed long before public attention focused on ransomware.
Fresh off a viewing of the now nearly 40-year-old film "War Games," for example, Martin said the movie is notable for how many things it got right: backdoors, the risk of taking humans out of any decision-making process, and the risk posed by easily made mistakes.
On the downside, however, "It did set a tone about the catastrophization of cybersecurity that just doesn't match the reality," he said. "It says cyber is about conflict and will be harnessed by nation-states in ways that will cause catastrophic risks … and it infantilizes us." Namely, only a teenager who can escape FBI custody and find a retired technologist with the right knowledge can save the world.
Of course, that's Hollywood, and in the real world, Martin said the imperative with cyberattacks is to ascertain three aspects tied to harm, starting with: "What actual harm are we here to defend against and how likely is it to happen?" In addition: "Who are the harmers?" or "Who should we worry about and why?" And finally, from a harm reduction standpoint: "What strategies will make that happen?"
"It's really easy to inflate threats," Martin said.
'Language of Danger, Fear and Safety'
Indeed, what message does a faceless hacker in a hoodie communicate about cybersecurity? What is the impact of catastrophic-sounding language used by the likes of the FBI? The bureau, for example, has warned that "the collective impact of computer and network intrusions is staggering … ransomware is insidious, and the inability to access sensitive data can be catastrophic."
Victoria Baines posed those questions while presenting takeaways from the research underlying her new book, "Rhetoric of InSecurity," which is subtitled: "The Language of Danger, Fear and Safety in National and International Contexts." A former law enforcement intelligence analyst who is a visiting fellow at Bournemouth University's School of Computing, Baines warns that imagery and language have an impact - not just on consumers and boards of directors but also on the cybersecurity workforce.
"The more people say that the people who work in cyber are superheroes, the more it raises the expectations," she said. "And we know those expectations are unreasonable and are having harmful effects on the workforce."
Social media can of course amplify that trend as well. "We're definitely getting more and more exaggerated," likely because people are limited to the likes of 140 and 280 characters and thus have a tendency to exaggerate for effect, she said.
One audience member asked: Are vendors ever going to stop running advertisements extolling the need to buy their product?
Baines said that of course, the history of advertising, perhaps 100 years of mass marketing and "Marshall McLuhan and everyone with 'the medium is the message,'" shows how vendors have and will no doubt continue to work from the same script, "which is 'buy this now.'"
Calls for Transparency
Multiple conference presenters emphasized better techniques to describe cybercrime and cybersecurity, but also the need for transparency. For example, the HSE attack unfolded at 7 p.m., and by Friday morning, the head of HSE was on a morning Irish television show talking about the ransomware attack, offering details of the response and making clear that HSE would not be paying the ransom demand, said Brian Honan, who leads Dublin-based BH Consulting.
He contrasted that transparency with another ransomware attack, against the health service in the Canadian province of Newfoundland and Labrador, which he said has offered only scant information, and stopped short of saying it's a ransomware attack.
"If it walks like a dog, barks like a dog and looks like a dog, it's a dog. Name it as such," he said.
Knowing how to respond is the basis of a crisis communications strategy - knowing what will be said, and how - which like so many incident response plans works best if developed and practiced in advance, Honan said.
"Have you got a press statement ready now if you get hit by ransomware?" he asked. "Have you got one prepared if you get hit by DDoS? Because if not, it needs to go to PR first, and then legal. So have your crisis and communications plans ready. Have your incident response ready."
In the meantime, ransomware profits continue to flourish during the pandemic. "These COVID times, they accelerated cybercrime and made our life a little more complicated," said Eugene Kaspersky, CEO of Kaspersky, who lambasted other software vendors for not having done enough to give products to their customers that sufficiently protect against ransomware.
Case Study: Ransomware Attack
The benefit of solid preparation - and the downside of having an incomplete plan - was highlighted in a case study shared by Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, based on an incident he helped investigate after the start of the pandemic, which the victim has allowed him to detail, provided he didn't name the company, where it's located or when the attack happened.
"There's a big difference between incident response and being incident-ready," he said. "In this organization, they had a plan, but they were not prepared when the incident happened."
For example, the organization had no agreement when gathering evidence for the time format they'd use of how files would be named, amongst other challenges.
"This was an IT team who also did security, but they were not security experts," and they had no incident response firm ready to call in an emergency, Carson said. They also had no press statements ready to go, and no relationships with law enforcement agencies, so they'd know who to call for immediate help, he said.
The victim got hit by CryLock ransomware, and the attack came to light after criminals contacted the IT help desk on a Sunday morning. "The investigation found that attackers had two weeks of hands-on keyboard access in the environment," Carson said, but he noted that the very first incident occurred seven months prior to that.
Multiple groups of attackers were involved, Carson said, beginning with a group that gained access and then sold that access to another group. How did they get in?
The answer was via a brute force attack that found an unprotected remote desktop protocol endpoint, he said. While the organization used two-factor authentication and other defenses to protect RDP, unknown to the IT department, during the pandemic, the accounting department needed to give access to an outside accountant, and so gave them unprotected access to RDP. Attackers, using tools to brute-force attack internet-exposed RDP servers, found the unprotected system and gained access.
Experts: Keep Doing the Basics
What's the solution? Law enforcement agencies can help: Multiple investigations have resulted in the arrest of ransomware suspects this year, and these probes continue, Philipp Amann, the head of strategy at Europol's European Cybercrime Center, told attendees.
For defenders, meanwhile, Martin of Oxford University emphasized doing the basics, since that is so often a repeat component of breaches small and large. He also urged preparation. Critical infrastructure organizations such as Colonial Pipeline Co., for example, have long assured the public that their operational technology systems were adequately separated from other systems and couldn't be directly disrupted by online attacks. But the ransomware attack against the company's enterprise IT systems in May led to it taking the pipeline offline.
Martin also talked terminology. "I strongly believe we shouldn't be talking about cybersecurity in militaristic terms," he said.
Defenders: Focus on Ransomware Affiliates
Ransomware, of course, remains one of the most damaging and disruptive types of attacks facing organizations, and continues to evolve. Bob McArdle, director of Trend Micro's Forward-Looking Threat Research team in Europe, delivered a presentation tracing the rise of ransomware-as-a-service groups.
Based on how they operate, he recommended four strategies as a starting point for better blunting those types of attacks, beginning with RDP: "Don't ever expose RDP on the internet for any reason, ever. It ends badly; it always ends badly," he said.
Also, never underestimate the importance of patching. "I know patching is a pain. There are reasons why it's hard, but at the end of the day, some of these vulnerabilities are 4 years old," he said, speaking of flaws being exploited by attackers.
Because of attackers' propensity to use penetration-testing tools such as Cobalt Strike, which he called "the Big Tobacco" of the cybersecurity field, he also recommends organizations "ban hacking and enumeration tools from the network."
Finally, McArdle said, "Make sure you're defending against the affiliates, not the ransomware." His reasoning is that the initial 70% to 80% of a ransomware attack doesn't involve the ransomware, but rather affiliates breaking into a network, using Powershell and other scripting tools and seeking to gain administrator-level access to Active Directory. Only then do the attackers sell this access to others, or use it themselves to deploy ransomware.
Honan, in a presentation devoted to best practices, emphasized that security is not about preventing attacks. Rather, he said, it's about slowing attackers down and detecting them as quickly as possible, to minimize any damage they might do.