Picture the scene: you sit at your desk and try to open the essential files you’ve been working on all week, but this time access is denied and your computer is asking you to send a Bitcoin payment to unlock them. You’ve been hit by Cerber, Ryuk, or any one of the myriad ransomware attacks that are constantly looking for a way into the network.
So, do you pay the ransom? If you do, will you get your data back or just be asked for more money? Are the files just encrypted or is sensitive information being taken from your organisation? Malicious code (malware) is always out there, looking for an opening – all it needs is a door into the network it can push open, and once it’s inside it can wreak havoc.
This is not a new phenomenon by any means, but the nature of malware attacks is constantly changing. That is why cybersecurity policies and controls need to be regularly updated, reviewed and audited. It is vital to understand the effectiveness of the cybersecurity measures an organisation has implemented, and often that insight only comes from a concerted attack on its systems. You only know how secure a safe is when you try to crack it.
“I get a lot of satisfaction from throwing the kitchen sink at a particular parameter of a company and not getting in.”
“I’m the troublemaker who puts himself in the shoes of the attacker,” says William Rimington, managing director of cyber risk at Kroll.
The job of Rimington’s team in Europe and the Middle East is to test just how secure a client’s systems are by trying to break in. His aim is to find where the vulnerabilities lie and whether the controls in place are up to the task of preventing and detecting cyberattacks.
“I try to break in through a range of simulated attacks and I think of dastardly plans for our clients,” he explains. “I get a lot of satisfaction from throwing the kitchen sink at a particular parameter of a company and not getting in. Our approach is informed by our incident response team, which helps clients respond to new cyberattacks, so we are up to date with the malware that is out there.
“We also do collaborative exercises with security teams, helping them to identify what triggers to look out for if, for example, ransomware is spreading through the network. We break down the steps in an attack and replicate them. We run the bots or simulations to test the controls, so that we can give the board a perspective on the risks specific to their organisation.”
Crime pays
A key part of Kroll’s approach is learning from successful malware attacks, often ransomware that has penetrated a system and forced companies to pay out, whether or not they carry cyber insurance. Each month, it deals with dozens of types of ransomware, learning how they get in and, once inside, how they operate.
There are many members of the ransomware family, including Ryuk, which is reported to have generated just under $4m in Bitcoin since its first appearance in 2018. While ransomware is often distributed using large spam mailouts, Ryuk has a more focused attack vector, targeting large companies and using military algorithms to encrypt files. Then there is Clop, which again encrypts files and demands payment. One of the more recent pieces of ransomware to emerge, it blocks hundreds of Windows processes and can disable several Windows 10 applications to prevent companies from protecting their data. Another is Cyborg, which is delivered in emails instructing users to install updates to their Windows operating system. Again, it encrypts all of the user’s files and programmes before holding them to ransom.
Cerber, Dharma, PewCrypt, SamSam, Katyusha – the list goes on. All too frequently new names are added. These attacks can be blunt and encrypt everything on the system before demanding a ransom, or they can be subtle, sitting on the network for a while, identifying the most important data before encrypting or exfiltrating it. “As long as the ransomware business model works, why would they stop doing it?” Rimington asks. “The delivery model may change but the goal is always the same – getting cash out of a business.”
Attackers could use what they know is a valid email address and try a brute force attack, repeatedly guessing a password until they find the right one. More often, however, they know they have the right login details because that information has been handed to them willingly, but unknowingly, through a successful phishing attack.
Gone phishing
What Rimington and his team have observed in their attempts to crack the systems of Kroll’s clients is that individuals are the biggest vulnerability. Compromised email and password credentials – or, in most cases, phishing – are often the ways in.
In a phishing attack, cybercriminals attempt to obtain sensitive information – credit card details, passwords and usernames – by sending out emails or text message that appear to be from a reputable organisation such as a bank, a utility company or the tax inspector. They ask the user to confirm their login details or make a payment and, instantly, have the key to that user’s bank account or office network.
“In more than 50% of the cases we deal with, phishing is the attack vector,” Rimington observes. “It is here to stay and it won’t go away. It is clearly profitable because we see it happening every month. Malware may get into the network and it is not cost-effective to build big walls to keep everything out.
“The key is to detect it early and respond appropriately,” he continues. “The threat intelligence about how particular actors behave is already out there, but it needs to be turned into practical steps that the security team can take, or it needs to be included in the risk register so that an organisation can decide to either accept the risk or manage it. Kroll puts that decision within people’s control.”
Effective cybersecurity is partly about implementing the right technical controls to keep cyberattacks outside the walls of the network. It is also about monitoring the network to spot malware that has made it through. Security teams need to be able to spot anything unusual in the network so that it can be traced, scooped up and thrown out. Furthermore, they must focus on protecting the most valuable data the organisation holds, while accepting that less critical data may be more at risk.
“Many organisations have been conscious of cyberattacks for years and have invested in cybersecurity,” says Rimington. “We test that so that we can show the vulnerabilities but not to pull down their pants in public. It is more pragmatic to work with the security team and translate the technical nuances so they can be measured against the company’s risk appetite.”
Perhaps the most important part, though, is making sure that everyone in the organisation who has access to the network – at every level – knows what part they play in implementing cybersecurity controls. A key part of Kroll’s service offering is, therefore, training. It helps people to spot suspicious emails or other unusual behaviour. It also helps senior management to make people within the organisation understand not only what the company’s cybersecurity controls are, but also why they are in place.
Some controls may present logistical challenges by introducing more steps in the login and verification process, which may take up valuable time. Understanding why this additional layer of security is necessary will help to prevent employees trying to circumvent it by, for example, keeping copies of important files outside the firewall for more convenient access.
In Rimington’s experience, training really works – especially when awareness of cyber risk becomes instinctive. “The best analogy is viral hygiene, which is something everyone can understand right now,” he says. “Doing the basics can have a massive impact on infection rates. After all, security is a team sport, so everyone needs to be involved.”