As cyber incidents continue to make the news, it is clear that the threat landscape is escalating: attacker sophistication is growing, and today's cybercriminals have found tools and methodologies that are paying off for them.
The recent Kaseya attack (the July 2021 REvil ransomware campaign that abused Kaseya's VSA remote-management software, a tool managed service providers use to administer their customers' systems), and the SolarWinds attack before it, demonstrate the need for stronger efforts to protect operational environments from growing supply-chain-style security threats. We recently connected with Bruce Snell, vice president of security strategy and transformation at NTT Security, to discuss the current security landscape and what steps manufacturers need to take today to avoid becoming the next headline.
IW: What’s unique about this attack, and what actions should manufacturers take to secure the connected supply chain?
Snell: The attack itself is a pretty straightforward zero-day exploit, but what’s unique about this is the choice of targets. This attack targeted organizations’ managed service providers, which gave REvil access to not only the initial targets but multiple other organizations serviced by the initial targets. It’s like the cyber equivalent of a multi-level marketing scheme.
This attack highlights the need for manufacturers to better examine the security of their supply chain. A lot of work has been done to provide backend connections to partners for order fulfillment, billing, and logistics, but those connections can also open up avenues for cybercriminals. It’s not unreasonable to question your vendors about what they are doing to secure their connections into your environment. In the future we could be looking at security as a competitive differentiator. If two vendors can supply the same widget for the same price, but one vendor can prove they are doing their due diligence when it comes to security, it would be an easy choice to pick the more secure partner. If your partner doesn’t care about the security of their infrastructure, they certainly don’t care about the security of yours.
IW: Why are we seeing the growth of supply chain and ransomware attacks? What created this perfect storm for hackers?
Snell: We are seeing a growth of ransomware attacks against the supply chain because cybercriminals are seeing the quick returns. When you’re dealing with industries that have calculated the cost of downtime to the second, it is a simple exercise to weigh the cost of being out of business against paying the ransom. This may sound controversial, but if it costs an organization $40m a day to have their factory floor shut down and they’re facing a $15m ransom to get things running again, it’s hard to fault them for paying up.
IW: How can companies effectively contain the spread of an attack? And what impact does ransomware have on these efforts?
Snell: Companies need to embrace active defensive technologies like endpoint detection and response (EDR). There’s been a pattern in the security industry of organizations buying technologies that can stop new and unknown attacks but leaving them in passive or “warning” mode. A lot of this has been based on a reluctance to block false positives. Across the board we have seen a dramatic improvement in the accuracy of security tools over the past decade, but you still hear the same concern about potentially blocking the CEO from getting their email or interrupting a web request. In most cases, companies will find that the cost of a false positive stopping a business process is dramatically outweighed by the cost of letting a ransomware attack completely shut down operations. I think ransomware has been something of a catalyst to sway people toward active blocking, because we are repeatedly seeing the costs organizations have to bear if they don’t isolate and contain a breach.
IW: What do we know about REvil, and do you have any thoughts or insights about the group going offline?
Snell: REvil going offline was certainly a surprising development, but not completely unexpected. An attack of this scale draws a lot of attention, and the leadership behind REvil could have simply decided to lay low for a while until they reemerge under a new name in a couple of months, after they feel the heat has died down enough. Given the recent summit between President Biden and Russian President Putin, in which they specifically discussed ransomware, it’s also possible that there was direct nation-sponsored action to take REvil offline. However, I think we would have heard by now if that were the case. Another distinct possibility is that another group is attempting to hack REvil and gain access to their systems in hopes of gaining access to their bitcoin wallets. My money is on the REvil leadership taking a break and drinking Mai Tais on a beach while they wait for the heat to cool down.
IW: Any final thoughts?
Snell: The problem of ransomware and attacks against the supply chain is not going to slow down. Groups like REvil continue to be successful, and the ransomware-as-a-service (RaaS) “industry” is continuing to grow. Every industry must take a good hard look at its security strategy and be prepared to implement tools and policies that will help contain any threats that enter the network. If the past few years have shown us anything, it’s not a matter of if you will be targeted, but a matter of when.