How to survive a cyber attack

Early Sunday morning we saw entry into the system via patterns detected using the AI capabilities of our SIEM. We watched the perpetrator leap around our newly erected firewalls, attempt to use a number of now-disabled profiles, and then use stored toolsets to exfiltrate an encrypted password file with a service profile holding elevated authority, presumably for decryption at a later date.

We now knew the break-in point and had seen the toolsets used and the extraction method. It was obvious that the hacker had noticed the changes in the environment and knew we were on their trail, so we prepared for the ransom demand – but it didn’t come.

Less than two hours after the monitored intrusion, all of our data was released behind a prepared online article in a US-based hacktivist magazine, along with a 21-page manifesto by an individual claiming to be Phineas Fisher. There were very detailed descriptions of what they had done and why.

Behind the stated aim of protecting the poor from evil, corrupt governments and financial institutions, they needed to make a splash to cover their tracks. They offered the next bank hacker a prize of $100,000. This caused our systems to light up and overwhelmed all of our logging.

Searching the logs

At this point, we analyzed the data we had securely stored in our SIEM and compared it to our systems’ original logs. The first, most notable feature was that our original logs contained no information about the hack.

Our antivirus, anti-malware, firewall and intrusion detection systems (IDS) also remained silent. Although we had physically observed the attack in real time, none of our systems showed a single trace of this activity just minutes after the intruders left. It was as if they had never been there.

The silence of our antivirus and IDS products was strange. Both were high-end products installed within the last 12 months. We were very curious, to say the least.

Both were managed via a web-based console hosted by the software manufacturer. Those consoles had been hacked entirely separately, and our policies had been changed to make the products unusable: the IDS policy had been altered to ignore bogus PowerShell commands, and the antivirus/anti-malware system had been changed to rate only files and programs carrying a new date stamp.

This meant that the malware tools sat in plain sight, in directories whose date stamps had been intentionally altered so the scanner would skip them. Even more troubling was that the policies had been changed within a month of our setting the products up, and there were no change logs in the vendor systems.
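The evasion above relied on back-dating the modification time of dropped tools so a scanner that only looked at "new" files would skip them. The following scan is an added example, not code from the original article or from any vendor mentioned in it: it flags files whose POSIX modification time (mtime) has been set well before their inode change time (ctime), which `utime()` cannot rewrite, or into the future, and builds a constructed directory with one honest file and one back-dated file to show the check working.

```python
import os
import tempfile
import time
from pathlib import Path

# Seconds by which ctime may exceed mtime before a file is treated as suspicious.
# A normal write sets both stamps to the same instant; utime() can back-date
# mtime but cannot touch ctime, so a large gap means the stamp was rewritten.
CTIME_MTIME_SLACK = 60


def find_timestomped(root, slack=CTIME_MTIME_SLACK):
    """Return sorted paths under root whose mtime is older than ctime by more
    than `slack` seconds, or lies in the future. Assumes POSIX semantics:
    on Windows st_ctime is the creation time and this heuristic does not apply."""
    now = time.time()
    suspicious = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        backdated = st.st_ctime - st.st_mtime > slack
        future = st.st_mtime > now + slack
        if backdated or future:
            suspicious.append(str(path))
    return sorted(suspicious)


def demo():
    """Build a constructed directory with one untouched file and one whose
    modification time is rewritten to 2019, then scan it. Returns the flagged
    list plus the two paths so a caller can check which one was caught."""
    tmp = tempfile.mkdtemp()
    honest = Path(tmp, "report.txt")
    honest.write_text("ordinary document\n")
    dropped = Path(tmp, "tool.exe")
    dropped.write_text("constructed placeholder, not a real binary\n")
    old = time.mktime((2019, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(dropped, (old, old))  # back-dates atime and mtime; ctime stays "now"
    return find_timestomped(tmp), str(dropped), str(honest)


if __name__ == "__main__":
    flagged, _, _ = demo()
    print("suspicious files:", flagged)
```

Pointing `find_timestomped` at a tool-drop location such as a temp or scratch directory gives a check that is independent of the vendor console's policy, which is exactly the layering the article later argues for.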

The nature of the hack becomes clear

We were a very early victim of a supply chain attack. At least three external systems had been hacked separately and in a coordinated manner. This left us vulnerable, and once the beachhead was established, the hackers began investigating: monitoring communications, reading procedural manuals and reacting to changes in the security environment. This gave the perpetrators a clear view of our systems and their potential.

Furthermore, the source of the very first seeding intrusion was identified as a commercial firewall with a bug in its firmware that allowed it to be remotely put into console mode, where the firmware could be updated. The hacker had installed modified firmware that performed the original functions but also mirrored every password used for remote access to this firewall to a remote site.

This captured a privileged access password, which was then used to gain legitimate access to the system and establish a beachhead that stayed open with no additional effort, as long as they entered the system and updated their passwords once a month.

The firewall itself reverted to its original firmware when power-cycled, but significantly, the flaw in the code that made this possible survived every patch from the manufacturer and could still be reproduced in a lab some four years after it was originally reported.

What did we learn?

We became a very introverted organization with almost zero external trust. We also layered our systems significantly so that no single reporting system would ever give us an answer in isolation; we wanted different opinions, reached by different methods, before we believed we were safe.

We also distributed systems and data in such a way that it was never apparent which parts needed to be reconstructed to make anything meaningful, and we used two-factor authentication and encryption everywhere, again in multiple layers. We also learned that security is impossible without a reactive SIEM.

Beyond the technology, we had to accept that ultimately we couldn’t have prevented the break-in. That sounds like a very dramatic statement, but the coordination and sophistication exceeded the defensive capabilities we could reasonably have deployed.

The time and effort that went into hacking our tiny bank for no monetary reward was not the work of a backroom hacker, but of a sponsored group with effectively unlimited time and resources, seeking no financial gain.

Given the available capacity, the motivation can be anything from reputational damage, to collecting a very small amount of information, to some sort of financial denial of service where the organization cannot afford the right remedy. It is not always about financial damage for the customer. Neither our customers nor the bank lost money directly.

After the recent attack on the SolarWinds supply chain, Ciaran Martin, former head of Britain’s National Cyber Security Centre, told The Register: “A lot of government-sponsored hacking work basically consists of picking the lock, opening the door, and then trying to figure out what you just found. This contrasts with the widely held belief that fiendish adversaries select their targets with ruthless precision and then perform a cyber-surgical attack to get what they seek.”

Cyber security is no longer about if you get hacked, it’s about when. We don’t necessarily need to detect every hack, but we do need to spot it early and slow the intrusion sufficiently. If we do this, we buy time to act on information. It’s about surviving attacks financially and emotionally.

So accept the claim that anything can be compromised, at least for a period of time, if the adversary is determined enough. We still have to run digital systems, so we should wrap measures around them. The most vulnerable will be those exposed to the public internet. We should also start thinking now about the increasingly influential crypto space.

Nothing is insurmountable. But the final message here is to expect and plan for the worst. We are entering an era where nothing is immune from attack. That feeling of being able to keep everything out needs to be seriously challenged, and attitudes need to change accordingly.
