On Friday evening, I read the report that the DarkSide threat group had posted on their site saying they would be shutting down operations. This was in response to the political pressure placed on DarkSide after their recent breach of Colonial Pipeline and the ransom demand that followed. As I read the comments on the article, I observed that many IT professionals were relieved. There was a sense of optimism that this could be a turning point in the current trend of cybercrime. I wanted to get the message out to IT professionals to stay vigilant. Now is not the time to let your guard down. Before I could do so, our firm was contacted for an incident response engagement. Another organization had fallen victim to ransomware.
The better part of my weekend was spent identifying the entry point and remediating the threat. In total, only around five hours were spent on the technical aspect of the issue. Frankly, that’s the easy part. The remaining time was spent communicating with the organization and advising on how to navigate the recovery. All the while, I continued to see threads and comments rejoicing over DarkSide’s announcement of a shutdown. Since more than 120 other well-funded, highly capable threat groups currently exist, I knew this was a premature victory lap. I truly believe these threat actors are exploiting more than technical vulnerabilities. Optimism is exploited before any malicious code is injected into an organization. No one wants to embrace the fact that they are less prepared, and more vulnerable, than they believe.
Having gained this perspective, I had the thought, “What would I tell the leaders and IT staff of these organizations if given the chance?” The following are three vital messages I would relate.
Listen to that one voice.
There is someone in your organization saying that things are not as they should be. That person is in the minority, and their input is likely dismissed as paranoia. The fix they propose is labeled too expensive or too inconvenient, and so it is easy to set aside. Take that input seriously, and weigh the cost of the fix against the ramifications of inaction.
The obstacle is the way.
The security project that appears too complex or disruptive is the one that needs to be prioritized. We all have those lingering projects we never get around to until it’s too late.
MFA is the new RDP.
Those of us who are seasoned IT vets have all configured port forwarding for 3389 on a firewall. If your IT career started in the 1990s or earlier, you have configured this at some point. Everyone from IT generalists to application developers has been tasked with this request, and most have enjoyed the simplicity and convenience of remote access from anywhere. That lasted until around ten years ago, when threat actors began attacking RDP in earnest, both through vulnerabilities in the service itself and through password guessing against the exposed logon. A forwarded 3389 is a single-factor logon reachable by anyone on the Internet. As the perimeter of the network disappears, MFA has progressed from a “nice to have” to a necessity. While not perfect, MFA is now a requirement for any external service, and for some internal services as well. If a 3389 forward still exists in your environment, put it behind a VPN or gateway that enforces MFA, and alert on RDP logon failures that arrive from addresses outside your own ranges.
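The signs of an Internet-exposed 3389 are visible in the Windows Security log before anyone thinks to review the firewall. The script below is an added example written for this page, not code from the original post or from any vendor tool. It relies on two standard Windows facts, that RDP sessions are recorded with logon type 10 (RemoteInteractive) and that event ID 4625 is a failed logon while 4624 is a successful one. The event lines it reads are constructed for the example and use a simplified comma-separated layout rather than a real Security.evtx export, and the list of "internal" address ranges is an assumption you would replace with your own.

```python
"""Added example (not from the original post): triage Windows logon events for
an Internet-exposed RDP endpoint.

Windows records RDP sessions with logon type 10 (RemoteInteractive). Event ID
4625 is a failed logon and 4624 a successful one. A burst of 4625s with logon
type 10 from one public address is password guessing against an exposed 3389;
a 4624 with logon type 10 from a public address shows the forward is reachable
from the Internet and that a password alone let someone in.

The records below are constructed for this example and use a simplified
"timestamp,event_id,logon_type,account,source_ip" line format, not the layout
of a real Security.evtx export.
"""
import ipaddress
from collections import Counter, defaultdict

SAMPLE_EVENTS = """\
2021-05-15T02:14:01Z,4625,10,administrator,203.0.113.45
2021-05-15T02:14:03Z,4625,10,admin,203.0.113.45
2021-05-15T02:14:05Z,4625,10,backup,203.0.113.45
2021-05-15T02:14:07Z,4625,10,scanner,203.0.113.45
2021-05-15T02:14:09Z,4625,10,test,203.0.113.45
2021-05-15T02:14:11Z,4625,10,administrator,203.0.113.45
2021-05-15T02:20:44Z,4625,3,svc_backup,10.0.5.21
2021-05-15T02:22:10Z,4624,10,jsmith,10.0.5.21
2021-05-15T03:01:33Z,4625,10,jsmith,10.0.7.8
2021-05-15T03:40:02Z,4624,10,administrator,198.51.100.7
"""

RDP_LOGON_TYPE = "10"
FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"

# Assumed "inside" ranges; replace with your own. This is deliberately not
# ipaddress.is_private, which also treats the RFC 5737 documentation ranges
# used in the sample (203.0.113.0/24, 198.51.100.0/24) as private.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_events(text):
    """Parse the simplified event lines into dicts; blank and # lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, account, src = [f.strip() for f in line.split(",")]
        events.append({"ts": ts, "event_id": event_id, "logon_type": logon_type,
                       "account": account, "src": src})
    return events


def is_external(ip_text):
    """True when the address falls outside every INTERNAL_NETWORKS range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def triage_rdp(events, fail_threshold=5):
    """Return findings about RDP (logon type 10) activity only.

    "password_guessing": fail_threshold or more 4625s from one source address.
    "rdp_success_from_internet": any 4624 whose source address is external.
    Other logon types (network, service, batch) are ignored on purpose.
    """
    failures = Counter()
    tried_accounts = defaultdict(set)
    successes = Counter()
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if e["event_id"] == FAILED_LOGON:
            failures[e["src"]] += 1
            tried_accounts[e["src"]].add(e["account"])
        elif e["event_id"] == SUCCESSFUL_LOGON:
            successes[e["src"]] += 1

    findings = []
    for src in sorted(failures):
        if failures[src] >= fail_threshold:
            findings.append({
                "src": src, "kind": "password_guessing",
                "failures": failures[src],
                "accounts": sorted(tried_accounts[src]),
                "external": is_external(src),
            })
    for src in sorted(successes):
        if is_external(src):
            findings.append({
                "src": src, "kind": "rdp_success_from_internet",
                "successes": successes[src], "external": True,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_rdp(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The second kind of finding is the one the heading above is about: a successful RDP logon from outside your ranges means the forward still works and the only factor between the Internet and that host was a password. The failure threshold is a starting point; on a real log you would tune it per source and per time window rather than over the whole file.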
While technically simple, these takeaways prove too difficult for the majority of organizations to put into practice. I want to see these threat groups shut down. The best way to do so is to make an honest assessment of your IT infrastructure. If everyone took this approach, the revenue from these attacks would dwindle. Don’t let these threat actors exploit false optimism before ever launching an attack.