To Defend Infrastructure, Focus First on Obvious Vulnerabilities
This article from James R. Slaby, Acronis’ Director of Cyber Protection, originally appeared in Homeland Security Today on 3 Apr 2019.
In 1966, Robert F. Kennedy delivered a speech that cited an ancient Chinese curse: “May [you] live in interesting times.” He continued, “Like it or not, we live in interesting times. They are times of danger and uncertainty, but they are also the most creative of any time in the history of mankind.”
That measured perspective, simultaneously seeing the glass as half-empty and half-full, is a useful one to adopt when considering infrastructure vulnerabilities in 2019.
Wide array of threats
There has never been a more varied and frightening array of infrastructure attackers out there, from hostile nation-states to rogue terrorist groups to cybercriminals ranging in sophistication from highly organized gangs of software adepts to hapless crooks with zero skills but access to malware-as-a-service tools. And that’s before you consider the disgruntled employees and contractors hatching dark plots in your midst.
The potential entry points into your systems are many, from zero-day exploits of unpatched OS vulnerabilities to infected USB devices to compromised tech supply chains, as in the recent hijacking of Asus’s software update utility to deliver malware to tens of thousands of laptops.
The most popular attack vector, however, remains the simplest: social engineering of unwary employees via carefully crafted emails with poisoned attachments or links to websites that deliver malware by drive-by download. Who needs to batter down the fortified portcullis when you can get an unwitting accomplice to let you in via the back gate?
The big two: ransomware and cryptojacking
The job of identifying the most pervasive threats isn’t hard: most tech vendor security research teams (like Verizon, Cisco and Symantec) have fingered ransomware and cryptojacking as the two giant malware flavors-of-the-moment, largely because both are still novel and effective enough to keep raking in profits for cyber thieves and hungry nation-states. Some tech seers have predicted the demise of ransomware, but recent victims of costly, high-profile attacks like Hexion and Momentive suggest that cyber gangsters are simply choosing larger targets that have more to lose from downtime and thus are quicker to pay up.
Meanwhile, the numbers on cryptojacking continue to soar. It’s a sneakier attack than stealing or locking up sensitive data. It merely tries to hijack your PC or server’s processing, memory, electricity and cooling resources in order to quietly mine cryptocurrency and then not share any of the resulting profits with you. Many victims attribute the resulting drop in computer performance to their aging hardware or the latest OS update, not even bothering to report it to IT, and malware engineers have gotten smarter about setting consumption thresholds at less-detectable levels.
The presence of cryptojacking on your system also likely betokens the presence of other threats like ransomware or a credential-stealing Trojan; multi-warhead malware that only activates the weapon for which your system has the weakest defenses is increasingly common.
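Throttled miners stay under the usual "CPU pegged at 100%" alert, so a useful behavioral check looks for load that is moderate but steady and never idle. The sketch below is an added example, not part of the original article; the process names, telemetry and thresholds are constructed assumptions.

```python
from statistics import median, pstdev

# Constructed telemetry: per-process CPU % sampled once a minute (not real data).
SAMPLES = {
    "backup-agent": [5, 8, 95, 97, 96, 10, 4, 3, 5, 6, 4, 5],          # short legitimate burst
    "svc-updater":  [38, 41, 40, 39, 42, 40, 41, 39, 40, 41, 40, 39],  # throttled, steady
    "browser":      [12, 30, 3, 55, 8, 20, 2, 45, 10, 5, 25, 7],       # bursty interactive use
}

def naive_alerts(samples, peak=90, min_hits=6):
    """Classic rule: alert only when CPU sits above a high peak for many samples."""
    return sorted(n for n, s in samples.items()
                  if sum(v >= peak for v in s) >= min_hits)

def sustained_load_alerts(samples, floor=25, max_spread=5.0, min_samples=10):
    """Behavioral rule: flag load that never drops below `floor` and barely varies,
    even when it is far below the peak threshold. Thresholds are assumptions."""
    flagged = []
    for name, series in samples.items():
        if len(series) < min_samples:
            continue  # too little history to judge
        if min(series) >= floor and pstdev(series) <= max_spread:
            flagged.append((name, median(series)))
    return sorted(flagged)

if __name__ == "__main__":
    print("peak rule:     ", naive_alerts(SAMPLES))
    print("sustained rule:", sustained_load_alerts(SAMPLES))
```

Processes flagged this way are triage candidates rather than verdicts: legitimate steady workloads such as databases or render jobs need an allowlist.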
Education is a key to defense
So one high-ROI tactic in fighting these top-tier threats is educating users to be wary about phishing emails. Regular reminders to think twice before clicking on a link or attachment from an unknown user are a no-brainer. But it remains inevitable that one of your colleagues will fall for some wily phisher’s convincing-looking email, perhaps garnished with details lifted from the target’s social media accounts.
Over time, the prospect of a successful breach is an absolute inevitability, so your anti-malware defenses must be complemented with effective data protection and incident response strategies.
Preparing for the inevitable
In short: defend against the most obvious, pervasive and profitable malware threats, but assume that at some point one of them is going to pierce your armor, and be prepared to remediate accordingly. Some useful questions to ask:
- What are we doing to fight ransomware and cryptojacking? Knock those down, and you’ve taken the two most pervasive malware threats off the board. Conventional anti-virus solutions will catch some strains, but malware developers are getting increasingly clever about defeating signature-based countermeasures. So you’ll also need to deploy behavioral defenses that spot ransomware and cryptojackers by their actions, not their appearance. Artificial intelligence and machine learning are two technologies to watch in this space, as they improve a defender’s ability to spot new variants of malware camouflage.
- How good is our software patching and update discipline? The EternalBlue exploit that spread the notorious WannaCry ransomware attack to hundreds of thousands of systems around the world only breached users still running an old version of SMB, Microsoft’s local printer and file-sharing protocol. Close the obvious backdoors by keeping your OSes and applications up to date.
- How is our data protection hygiene? Are we following the basics like the 3-2-1 rule of backup? This is a simple but crucial data protection principle: maintain multiple copies of production data on diverse media types in diverse locations. If your servers are being backed up locally to hard drives, also back them up to an off-site facility (on HDD or tape), and also to cloud storage. Among other benefits, this thwarts the common ransomware tactic of seeking out and encrypting local backups to undermine restoration efforts.
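The 3-2-1 rule is conventionally read as at least three copies, on at least two media types, with at least one off-site, and that reading can be checked mechanically against a backup inventory. The audit below is an added example, not part of the original article; the inventory rows, site names and the `host_writable` field are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory (not real data): one row per copy, production included.
INVENTORY = [
    {"dataset": "erp-db", "media": "disk", "site": "hq", "host_writable": True},   # production
    {"dataset": "erp-db", "media": "disk", "site": "hq", "host_writable": True},   # local backup
    {"dataset": "erp-db", "media": "tape", "site": "vault", "host_writable": False},
    {"dataset": "erp-db", "media": "cloud", "site": "cloud-region", "host_writable": False},
    {"dataset": "file-share", "media": "disk", "site": "hq", "host_writable": True},
    {"dataset": "file-share", "media": "disk", "site": "hq", "host_writable": True},
]

def audit_321(inventory, primary_site="hq"):
    """Return {dataset: [findings]}; an empty list means the rule is met."""
    by_dataset = defaultdict(list)
    for row in inventory:
        by_dataset[row["dataset"]].append(row)

    report = {}
    for name, copies in by_dataset.items():
        findings = []
        if len(copies) < 3:
            findings.append("fewer than 3 copies")
        if len({c["media"] for c in copies}) < 2:
            findings.append("fewer than 2 media types")
        if all(c["site"] == primary_site for c in copies):
            findings.append("no off-site copy")
        # Ransomware on the production host can encrypt any copy that host can write to.
        if all(c["host_writable"] for c in copies):
            findings.append("every copy is writable from the production host")
        report[name] = findings
    return report

if __name__ == "__main__":
    for dataset, findings in audit_321(INVENTORY).items():
        print(dataset, "OK" if not findings else findings)
```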
As ever, the tech security arms race is an endless tactical back-and-forth, with the bad guys always having first-mover advantage. We may live in interesting (read: scary) times, but with a little focus on priorities, attention to security basics, and the deployment of emerging tech weapons like AI, it is possible to keep the danger and uncertainty of attacks on homeland infrastructure at bay.