With the Kaseya supply chain attack perpetrated by the REvil group, we have seen two major supply chain-oriented attacks in half a year. Between Kaseya and SolarWinds, a huge number of organizations have suffered critical attacks on their infrastructure, pocketbooks, and pride. The worst part is that none of the tools or implementations we currently use to detect attacks within a network can foresee these things. Attacks served directly from trusted supply chain vendors arrive through expected channels: the security devices do not pick them up, and everything appears to be working as intended. Yet you are still left on the hook for a huge bill, either in real dollars because your network was encrypted, or in less tangible costs, such as proprietary and private data being stolen. We are fast entering a new era of geopolitical turmoil. Red team tactics have always been prized over defense, and we are suffering for that now.

With cyberattackers around the globe emboldened by repeated major successes, the tempo of major attacks has been increasing in both criticality and frequency. Each new major strike sets new records for dollar amounts and damages. It is clear that the tactics and techniques used by defenders are going to have to change. We cannot solve this by locking our doors tight and hoping the locks we bought are slightly better than our neighbors'.

The time has come to move to a proactive approach: a coalition of organizations that openly share threat intelligence and monitor attackers around the globe. By understanding these attackers and their motivations, we can provide actionable data that better prepares companies for the attacks that may come.

Groups like DarkSide, perpetrators of the Colonial Pipeline attack, are a good example of a threat organization whose tendencies we should have been able to forecast based on contextual data. They had made their bones with a “Robin Hood” approach, targeting organizations and then giving some of the money they stole to charities. It was clear that there was something more than financial motivation to their actions; they were looking for validation in the realm of public opinion as well. When that first attempt at public acclaim was widely ridiculed, and the money unilaterally turned down, it was only natural that they would escalate. Who better to attack than organizations that may have a somewhat negative public perception in the first place? Oil companies, and fossil fuels in general, are a topic of conversation as the world discusses the impact of greenhouse gases and global warming. No matter where you sit on that particular issue, it should be clear that a group that seems to need positive public perception would target organizations that may be controversial, and they had already said they only target companies that can afford to pay the ransom. Unless you are Russian, of course.

These connections are the type of subtextual relationships that threat intelligence, when implemented properly and shared across organizations, can surface. Diffuse connections form patterns that make it possible to begin forecasting these attacks and to form intelligent hypotheses about which organizations are particularly vulnerable to specific threat actors. By focusing on the threat actors most relevant to your organization, you can effectively prioritize your cyber defense and harden yourself against most of the attacks you might face.

This post started by discussing major supply chain attacks. The question of how we address these over the longer term has yet to be answered. It is difficult when you are targeted through no fault of your own. The one consolation at this point is that we know the groups that have the manpower, money, and technical expertise to conduct attacks like that. We can study them, learn, adapt, and eventually find solutions to all these problems. In the military, you would call the tactic battlefield superiority. By directing and combining our efforts, we can make this world a difficult place for the cybercriminal. It is time to be proactive.

https://www.bbc.com/news/technology-54591761

https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/

https://www.varonis.com/blog/darkside-ransomware/