By Jenny Wu | Senior Incident Response Consultant at Nettitude
Malware in today’s world is a fact of life. As technology advances and devices become more connected, the techniques and tools used to exploit them evolve in step. With exploitation and malware rampant, the likelihood of your organization experiencing an attack, and paying the price for it, continues to rise.
Cyber-attacks and the damage they cause can be very costly to organizations, and the cost is not limited to the immediate containment and eradication of the threat. Operational disruption, lost revenue from downtime, and emergency remediation and recovery work all add to the bill, on top of intangible costs such as reputational damage. But what is the real impact of malware on a business, and how can an organization reduce it?
Initial Costs and Malware - Ransomware
When discussing money and malware, most people immediately think of ransomware. Ransomware, as a quick refresher, is malware that renders files inaccessible (typically by encrypting them) until you pay the attacker to regain access. This poses a major problem for businesses that need their files to operate, especially when the malware spreads to other machines, effectively holding an entire network to ransom until the price is paid.
According to a Sophos study (The State of Ransomware 2020), the average cost to remediate a ransomware attack is $732,520 USD for organizations that did not pay the ransom, and $1,448,458 USD for organizations that did. These figures include not only the ransom itself but also the operational and downtime costs caused by the attack.
The discrepancy arises because paying does not remove the recovery work: organizations that paid still had to rebuild and harden their environment and absorb the same operational damage as those that did not, and then paid the ransom on top, with no guarantee that a working decryptor would follow. Every organization has a different risk tolerance toward these attacks. Whether paying is the cost-effective choice is for you and your leadership to decide after weighing the risks for your organization.
These types of attacks are becoming more widespread and indiscriminate; malicious actors are aiming for monetary gains where they can. Even if your organization isn’t directly targeted, you could be affected through collateral damage as a result of an attack on a partner or vendor. When it does happen, organizations should be ready to mitigate the risks and harm from the onset.
Limiting an attack’s ability to spread results in faster and cheaper responses. Part of this is achieved through segmentation: VLANs, internal firewalls between segments, and air-gapped networks for the most sensitive systems. Regular, consistent maintenance is equally important. Patching shrinks the set of vulnerabilities an attacker can exploit, and backups shorten recovery times, provided they are kept offline (or otherwise immutable) so that ransomware variants that hunt for and delete online backups cannot reach them, and provided restores are actually tested. For attackers who abuse privileged accounts to push ransomware across the estate, a Privileged Access Management (PAM) system limits the attacker’s ability to obtain and use that access.
Phishing, BEC, and Social Engineering
There are other attacks that are just as costly and require neither malware nor direct access to your systems. All it takes is a bit of ingenuity and misplaced trust. Business email compromise (BEC), phishing, spear-phishing, and related techniques are used to convince users to hand over money, gift cards, or credentials, including those for corporate bank accounts.
In 2019, the FBI’s Internet Crime Complaint Center (IC3) received over 23,000 BEC complaints totaling roughly $1.7 billion USD in losses in the US alone, and roughly 32% of breaches involve phishing (Verizon 2019 DBIR). It follows that filtering malicious email before it reaches users significantly reduces the threat.
Most email providers have built-in spam filters to protect their users, and some organizations go further by placing a Secure Email Gateway (SEG) in front of their mail servers for pre-screening. Anti-spam and anti-phishing technology is no silver bullet, however, and scammers keep adapting to bypass these controls. Techniques include sending from domains they legitimately own (so SPF, DKIM and DMARC checks all pass), reviving aged or abandoned domains with a clean reputation, registering domains that closely resemble the target’s, and investing time in building a trusted relationship with the victim before asking for a payment, often in cryptocurrency, which is hard to reverse and, for the victim, hard to trace.
Social engineering is not limited to email; it is just as easily done by phone call (vishing), text message (smishing), physical letter, or in person. As long as the human element exists and trust is easily obtained, there will be no shortage of these attacks. The actors behind them are becoming increasingly sophisticated, so it is imperative that your users are, too. A well-educated, skeptical user base combined with technology that filters out the noise drastically reduces the risk of the organization falling victim.
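The lookalike-domain trick described above is one of the few phishing indicators a defender can check mechanically before a message reaches a user. The following is an added example, not Nettitude’s tooling: it classifies a sender’s domain against a short list of trusted domains using three checks, a trusted name appearing as a subdomain of an unrelated registered domain (nettitude.com.secure-login.net), character substitutions that look alike in a mail client (rn for m, cl for d), and a small edit distance from the trusted name. The trusted-domain list, the homoglyph table and the sample senders are constructed for illustration; the registered-domain split is deliberately crude (a production check would use the Public Suffix List).

```python
"""Flag sender domains that impersonate a trusted domain (added example)."""

# Assumption: your own domain and the partners/vendors that send you invoices.
TRUSTED_DOMAINS = ["nettitude.com", "example-bank.co.uk"]

# Substitutions commonly used in lookalike registrations (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalise(label: str) -> str:
    """Fold visually similar character runs to their plain form."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to catch typo-squats like netitude.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_part(domain: str) -> str:
    """Crude registered-domain extraction: last two labels, or three for
    common second-level suffixes such as .co.uk. Use the Public Suffix List
    in production."""
    labels = domain.split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_sender(sender_domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender's domain."""
    domain = sender_domain.lower().strip().rstrip(".")
    labels = domain.split(".")
    reg = registered_part(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"  # genuine subdomains such as mail.nettitude.com land here

    # Labels to the left of the registered domain, e.g. ['nettitude', 'com']
    # in nettitude.com.secure-login.net.
    prefix_labels = labels[: len(labels) - len(reg.split("."))]
    r_norm = normalise(reg.split(".")[0])

    for trusted in TRUSTED_DOMAINS:
        t_name = trusted.split(".")[0]
        t_norm = normalise(t_name)
        # 1. Trusted brand used as a subdomain of someone else's domain.
        if t_name in prefix_labels:
            return "lookalike"
        # 2. Brand embedded in the registered name, e.g. nettitude-support.com.
        if len(t_norm) >= 6 and t_norm in r_norm and r_norm != t_norm:
            return "lookalike"
        # 3. Same or near-identical name after homoglyph folding; this also
        #    catches a TLD swap (nettitude.net) because the distance is 0.
        max_dist = 1 if len(t_norm) < 6 else 2
        if levenshtein(r_norm, t_norm) <= max_dist:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a mail log.
    for sender in ["mail.nettitude.com", "nettitude.net", "nettitucle.com",
                   "nettitude.com.secure-login.net", "exarnple-bank.co.uk", "bbc.co.uk"]:
        print(f"{sender:35} {classify_sender(sender)}")
```

A verdict of "lookalike" is a reason to quarantine or tag the message, not proof of fraud on its own; the check complements, rather than replaces, SPF/DKIM/DMARC evaluation and user training, since a BEC message sent from a genuinely compromised partner mailbox will classify as "trusted".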
Downtime - DDoS Attacks
As mentioned, upfront extortion is not the only cost an organization can face. Organizations should also consider the cost of operational downtime and remediation, as well as intangible costs such as loss of reputation and brand damage. If your business is time-sensitive (e.g. banking and finance, e-commerce), where downtime directly means lost revenue, then preemptive defenses against the threats that cause downtime are worth implementing.
DDoS attacks can bring a halt to your organization’s operations. It is similar to an artificially created traffic jam that prevents legitimate customers from reaching a specific destination. This prevents the destination, in this metaphorical case, a server, from answering any legitimate requests coming through, or it can cause servers to crash as they are unable to handle the excessive loads. These attacks are also sold as services for attackers at less than $10 USD per hour for a 1,000-device botnet, making them accessible to even the lowest skilled attacker.
It is ideal to have infrastructure in place to absorb or discourage an attack before it happens, chosen according to the resource you are trying to protect. Options include a web application firewall (WAF) or rate limiting to filter application-layer floods, redundant servers behind a load balancer to absorb excess traffic, and sinkholing attack traffic into an isolated part of the network for analysis. Note that a WAF on your own perimeter cannot help once a volumetric flood saturates your upstream link; for that class of attack you need capacity upstream, from your ISP, a CDN, or a scrubbing service.
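As an added example (not from the original article), the filtering step above can be shown with a sliding-window rate limiter replayed over a constructed access log: one source hammering the login endpoint, one legitimate client making a handful of requests. The limit, window, IP addresses and log lines are all assumptions chosen for illustration.

```python
"""Per-source sliding-window rate limiting over an access log (added example)."""
from collections import defaultdict, deque

# Assumption: no legitimate client needs more than 20 requests per 10 seconds
# on the protected endpoint.
MAX_REQUESTS = 20
WINDOW_SECONDS = 10.0


class SlidingWindowLimiter:
    """Allows at most MAX_REQUESTS per source within any WINDOW_SECONDS span."""

    def __init__(self, max_requests=MAX_REQUESTS, window_seconds=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.hits = defaultdict(deque)  # src_ip -> timestamps of allowed requests

    def allow(self, src_ip: str, ts: float) -> bool:
        q = self.hits[src_ip]
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over budget: drop, tarpit or challenge the request
        q.append(ts)
        return True


def parse_line(line: str):
    """Lines are '<unix_ts> <src_ip> <method> <path>' (constructed format)."""
    ts, src_ip, _method, _path = line.split(maxsplit=3)
    return float(ts), src_ip


def replay(log_lines, limiter: SlidingWindowLimiter) -> dict:
    """Replay a log in timestamp order; return allowed/blocked counts per source."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, src_ip in sorted(parse_line(l) for l in log_lines):
        verdict = "allowed" if limiter.allow(src_ip, ts) else "blocked"
        counts[src_ip][verdict] += 1
    return dict(counts)


# Constructed sample log: 203.0.113.7 fires 30 requests in 9 seconds,
# 198.51.100.5 makes three ordinary requests in the same period.
SAMPLE_LOG = [f"{1000 + i * 0.3:.1f} 203.0.113.7 GET /login" for i in range(30)] + [
    "1001.0 198.51.100.5 GET /",
    "1004.0 198.51.100.5 GET /login",
    "1008.0 198.51.100.5 POST /login",
]


def run_sample() -> dict:
    return replay(SAMPLE_LOG, SlidingWindowLimiter())


if __name__ == "__main__":
    for src, c in run_sample().items():
        print(f"{src:15} allowed={c['allowed']:3} blocked={c['blocked']:3}")
```

Per-source limiting is effective against a single noisy client or a small botnet, but a distributed attack that sends one request per bot never trips it; that is why it sits behind upstream capacity and a WAF rather than standing alone, and why the blocked count per source is worth exporting to your monitoring so that a flood is noticed rather than silently absorbed.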
Zero Day Attacks
A proactive security program reduces the attack surface, and that holds true even for attacks nobody has seen yet. Zero-day attacks are the trickiest because they are, by definition, unknown and unpredictable. With the constant flow of new updates, new technologies, and new code, new weaknesses will inevitably appear.
So how can an organization defend against what it does not know? More worrying still: what if there are devices connected to your network that you do not even know about, carrying vulnerabilities you cannot patch?
Luckily, no attack is completely silent. Even if a zero-day attack has not been deployed against your organization, it does not mean your only option is to sit and wait. It means it’s time to build up your team’s awareness and focus on areas in the organization in need of improvement, establishing baselines of normality, and getting appropriate and relevant telemetry on your network that will alert you when something is abnormal and allow you to act quickly. Close monitoring of network activity, maintaining a frequent and repeatable patch management process, having next-generation anti-virus, and regularly reviewing assets on your network will be a great starting point.
Having the appropriate controls, processes, and resources in place can help you respond even if you’ve never seen the attack before. Once these are in place, practicing how to respond to threats can eliminate potential confusion and panic that would normally occur during an incident.
As with many things in life, it is important to understand trends and try to get ahead of the curve. If your organization is at a loss as to what issue to tackle first, threat intelligence may be the way to go.
A threat intelligence program or function in your organization can give you insight into the current malware trends in your industry and help you determine if your organization is prepared to face them. Proactively searching for threats will give you time to prepare and research the full extent of the threats before they occur in your environment.
Additionally, threat intelligence can tell you whether you have already been attacked or breached: data dumps are often sold without the victim organization’s knowledge. An IBM study (Cost of a Data Breach 2019) puts the average breach lifecycle at 279 days from initial compromise to identification and containment. The longer an attacker’s dwell time, the more damage is done, and that translates into a more expensive remediation. Looking for these threats and potential leaks therefore shortens discovery time and lets you act faster and smarter.
Even after implementing controls against malware and attackers and gaining insight into their trends, organizations often overlook another vector that can cost just as much as any external attack. Negligent and disgruntled employees can cause as much damage, if not more, than any malware. According to the 2020 Cost of Insider Threats report by the Ponemon Institute and ObserveIT, incidents caused by negligent employees cost an average of $307K, while those caused by malicious insiders average $756K.
Employees are granted legitimate authorization and access to network resources so they can do their work. This is a given as a part of onboarding and provisioning. However, this access is sometimes excessive and unregulated, and with time, there is the possibility of permissions creep (also known as privilege creep, access creep, etc.) whereby an employee who remains with a company long enough and switches roles will steadily accumulate access to resources, often more than necessary.
This excess access can lead security teams to dismiss or overlook activity that would be considered suspicious under normal circumstances. Employees in IT or development teams may hold elevated privileges that an attacker can exploit, or that the employee can use to cause harm, accidentally or intentionally. A prime example is an IT manager who uses a domain administrator account for day-to-day operations that do not require elevated privileges; a compromised browser session or phishing click on that account hands the attacker the whole domain. Privileged accounts should be separate from the account used for email and web browsing, and used only for the tasks that need them.
Proper segmentation of network resources, adherence to the principle of least privilege at provisioning time, and regular access reviews with revocation of excess access ensure that the damage any employee can do, accidental or otherwise, is minimized. This also includes basics such as regular backups, separate and independent review of changes made to the environment by IT or developers, and auditing. There is a lot that can be done to limit the harm an employee can cause, but without awareness of internal threats, this is a vector that can come back to haunt you.
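The access review described above is mechanical enough to script. As an added example, not from the original article, the block below compares each account’s actual group memberships against a baseline of what its current job role needs, and reports three findings: entitlements the role does not justify (the permission creep of a user who moved from helpdesk to development), Tier 0 groups such as Domain Admins held by a day-to-day account (the domain-admin IT manager above), and dormant accounts that have not logged on in 90 days. The role baselines, group names, accounts, dates and thresholds are all constructed for illustration; in practice the inputs would come from your directory and HR system.

```python
"""Access review: flag permission creep, Tier 0 on daily accounts, dormancy (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: what each job role legitimately needs (constructed baselines).
ROLE_BASELINE = {
    "helpdesk": {"VPN-Users", "Helpdesk-Tier1", "Ticketing-RW"},
    "developer": {"VPN-Users", "GitLab-Dev", "Build-Agents"},
    "it-manager": {"VPN-Users", "Helpdesk-Tier1", "Helpdesk-Tier2", "Change-Approvers"},
    "finance": {"VPN-Users", "ERP-Finance"},
}
# Groups that belong only on dedicated admin accounts, never on the account
# used for email and browsing.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    user: str
    role: str          # current role from HR, not the role at hire
    groups: set        # current group memberships from the directory
    last_logon: date


def review_account(acct: Account, today: date) -> dict:
    """Return a dict of finding -> detail for one account (empty if clean)."""
    findings = {}
    baseline = ROLE_BASELINE.get(acct.role)
    if baseline is None:
        # No baseline means nothing can be justified; surface it rather than guess.
        findings["unknown_role"] = acct.role
        baseline = set()
    tier0 = sorted(acct.groups & TIER0_GROUPS)
    if tier0:
        findings["tier0_on_daily_account"] = tier0
    # Report creep separately from Tier 0 so the same group is not listed twice.
    excess = sorted(acct.groups - baseline - TIER0_GROUPS)
    if excess:
        findings["excess_access"] = excess
    idle = today - acct.last_logon
    if idle > DORMANT_AFTER:
        findings["dormant_days"] = idle.days
    return findings


def run_access_review(accounts, today: date) -> dict:
    """Map user -> findings, omitting accounts with nothing to report."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.user] = findings
    return report


# Constructed sample directory extract.
REVIEW_DATE = date(2020, 9, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "helpdesk", {"VPN-Users", "Helpdesk-Tier1", "Ticketing-RW"}, date(2020, 8, 29)),
    # bob moved from helpdesk to development; old groups were never removed.
    Account("bob", "developer", {"VPN-Users", "GitLab-Dev", "Build-Agents",
                                 "Helpdesk-Tier1", "Ticketing-RW"}, date(2020, 8, 31)),
    # carol's everyday login is in Domain Admins.
    Account("carol", "it-manager", {"VPN-Users", "Helpdesk-Tier1", "Helpdesk-Tier2",
                                    "Change-Approvers", "Domain Admins"}, date(2020, 8, 30)),
    # dave has not logged on in four months.
    Account("dave", "finance", {"VPN-Users", "ERP-Finance"}, date(2020, 5, 4)),
]


if __name__ == "__main__":
    for user, findings in run_access_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user, findings)
```

The output is a worklist for the reviewer, not an automatic revocation: each excess entitlement should be confirmed with the line manager and then removed, and a Tier 0 finding means creating a separate admin account before the group is stripped from the daily one.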
Alongside employees themselves, Bring Your Own Device (BYOD) policies bring complications and a new threat vector into the environment. Improperly segregated Wi-Fi and networks can expose internal resources to these unmanaged devices.
Because these devices are mobile, they go everywhere and face threats that traditional network defenses cannot protect them against. They connect to virtually any network, including untrusted Wi-Fi where traffic can be intercepted in man-in-the-middle (MitM) attacks and sensitive information siphoned off. There is also a growing number of mobile applications laced with backdoors, undesirable trackers, or malware capable of accessing other applications’ data without the user’s knowledge.
To combat mobile threats, organizations often deploy a Mobile Device Management (MDM) solution to control the type of activities that can take place on a device. This understandably brings its own set of concerns for users who want to use their personal devices for work-related purposes. For non-company-controlled devices or unknown devices, instead of protecting the devices, it is imperative to protect the resources these devices are attempting to access. Zero-trust solutions and Cloud Access Security Broker (CASB) solutions are examples of technologies that can be used to reduce the possibility of data leaks or malware being introduced to systems. This is, of course, in conjunction with other controls mentioned previously in this article.
Preemptively addressing these issues and protecting the resources these users are connected to is an ideal place to begin implementing controls.
The cost of a cyber-attack can run to millions, both from the initial damage and from the remediation effort required to recover from it. On top of that, organizations are expected to defend against insider threats who, while not always malicious, can do real harm.
To reduce the damage and subsequent cost of a cyber-attack, organizations may choose to bring in managed services such as a SOC, deploy controls such as SEGs, and review their environment for weaknesses through rigorous penetration testing and digital attack surface assessment. Instead of waiting for attackers to wreak havoc, be proactive, limit their ability to harm your environment, and save your organization the pain of a lengthy and costly attack.
For more information, please don't hesitate to get in touch with your local Nettitude team.