Still in shock, the media is suggesting that there is little that can be done against ransomware attacks, as we saw at Kaseya last weekend. “Not entirely true”, says Piet Kerkhofs, CTO at Eye Security. “When you can detect suspicious behavior, you can also stop these types of attacks in time.”
The first weekend of July, much of the world was in a state of panic. A Russian hacker group known as REvil managed to exploit a vulnerability in Kaseya's software – which provides a tool to manage IT systems remotely – and was able to infect thousands of systems worldwide with ransomware. This vulnerability had been discovered by chance some time ago by volunteers from the Dutch Institute for Vulnerability Disclosure, a volunteer organization that scans the internet for vulnerabilities in digital systems. They were already working with Kaseya to fix the hitherto unknown vulnerability (known as a zero-day vulnerability). Unfortunately, just before the finish line, they were overtaken by REvil's cybercriminals. Kaseya's customers were affected; these are mainly IT service providers who manage their customers' systems remotely. This allowed the ransomware to spread like an oil slick around the world.
“In the media you now see the image emerging that as a company you are virtually powerless against these kinds of attacks,” says Kerkhofs. “But that's not quite true.” He explains that technological security systems cannot always easily recognize new malware. Most systems look for known software code that has been used in attacks before. When cybercriminals continue to develop and send new malware, technological security systems can still recognize that code, as long as it resembles malware the system already knows. It becomes much more difficult when cybercriminals have written new software code to carry out their attack, because that code is not yet known to the technical systems.
Detect deviance in behaviour
“It is – actually always, but especially in cases like this – important to be able to detect deviant behaviour on business systems. Because cyber criminals are so smart and their methodologies are becoming more and more sophisticated, allowing them to adapt their attacks to the technological measures you have taken. For example, they adapt their malware to the antivirus solutions that run on Windows.” When you know what behaviour is normal on your company network, you can also detect deviations. It is impossible to map this yourself, which is why there are systems that can do this. “Suppose it is half past five and one of your employees has just logged out, but the system sees that within 15 minutes they are logged in again with that employee's data, but then from Russia,
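The scenario Kerkhofs sketches, a user who logs out and is "logged in" again minutes later from another country, is a behavioural rule rather than a signature: it needs no knowledge of the attacker's code, only of what normal sessions look like. The following Python is an added example, not code from Eye Security or from any product mentioned here; the log format and the events are constructed for illustration, and the 15-minute window is taken from the quote above.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). Each line carries an
# ISO-8601 UTC timestamp, the event type, the user and the country the
# connection was geolocated to. Assumed format; adapt parse_event() to your logs.
SAMPLE_EVENTS = """\
2021-07-02T17:30:00Z logout user=alice country=NL
2021-07-02T17:41:00Z login user=alice country=RU
2021-07-02T17:35:00Z logout user=bob country=NL
2021-07-02T17:45:00Z login user=bob country=NL
2021-07-02T17:00:00Z logout user=carol country=NL
2021-07-02T18:30:00Z login user=carol country=RU
"""


def parse_event(line):
    """Turn one log line into a dict with a real datetime for sorting/arithmetic."""
    ts, kind, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "kind": kind,
        "user": attrs["user"],
        "country": attrs["country"],
    }


def detect_suspicious_logins(log_text, window=timedelta(minutes=15)):
    """Flag a login that follows the same user's logout within `window`
    but originates from a different country than the session just closed.

    This is deliberately a simple behavioural baseline: it knows nothing about
    the attacker's tooling, only that the user's own session pattern changed.
    """
    events = sorted(
        (parse_event(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["time"],
    )
    last_logout = {}   # user -> most recent logout event
    alerts = []
    for e in events:
        if e["kind"] == "logout":
            last_logout[e["user"]] = e
        elif e["kind"] == "login":
            prev = last_logout.get(e["user"])
            if prev is None:
                continue
            gap = e["time"] - prev["time"]
            if gap <= window and e["country"] != prev["country"]:
                alerts.append({
                    "user": e["user"],
                    "from": prev["country"],
                    "to": e["country"],
                    "minutes": gap.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_logins(SAMPLE_EVENTS):
        print(f"ALERT: {a['user']} re-logged in from {a['to']} "
              f"{a['minutes']:.0f} min after logging out from {a['from']}")
```

Only alice is flagged: bob logs back in from the same country, and carol's foreign login falls outside the 15-minute window. That last case shows the limit of a fixed window; a production rule would also compare the distance between the two locations against the elapsed time ("impossible travel") so that a slower but equally implausible hop is still caught.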
Interplay of measures
Of course 100 percent security does not exist. Kerkhofs is well aware of this, but you are not as helpless as is sometimes thought. “Yes, cyber criminals can tailor their attacks to known security tools, but then you assume that only technological security measures are taken in a company. Your security approach must consist of more than just technology, then you can arm yourself a lot against these types of attacks.” It has already been suggested in the market that the way of distributing updates must also change or that every organization strictly checks an update in advance. "I can imagine that an intelligence agency would set up a team here to reverse engineer an update or run it in a sandbox, but for the rest of all organizations that is not possible."
Hugely limit damage
Kerkhofs draws a comparison with protecting young children. “As a parent, you don't want anything to happen to your child. So we tape off table corners, put rubber tiles under the slide and we prefer not to let them climb too high. But the reality is that no child grows up without bumps, scratches, or blood. The trick is to limit the damage. And the same goes for these types of attacks. It is no longer a question of whether you will be affected by cybercrime, but when. But with the right mindset, the right configuration, the best measures and a solid team, you can greatly limit the damage. So make sure you have a security solution that combines technical measures with detection methods aimed at deviating patterns in behavior on your network.”
What does Eye do?
Our customers are protected against cyber attacks day and night with good technology. This service is built on Crowdstrike Falcon, which identifies and detects behavior associated with ransomware. The platform then prevents suspicious actions from being performed, so ransomware is stopped at an early stage. Learn how Crowdstrike blocked the ransomware used in the Kaseya attack in time.