3 ways to respond to any data hacker
When critical infrastructures are under attack, no organisation’s data is safe. Learn how your organisation can protect itself from any data hacker—foreign or domestic.
No industry is safe from a cyber attack. In the past year alone we have seen everything from a gas pipeline serving large swaths of the United States shut down to hospitals' data breached around the world during a global pandemic. This is fact, not fiction.
The computerised equipment managing a U.S.-based pipeline was hacked on April 29th, 2021. Cybersecurity experts believe the entry point for this attack was a "single compromised password." While that was how the hackers got in, the pipeline operator had left itself wide open by not requiring multi-factor authentication on its VPN account.
The true origins of these attacks are widely debated, but whether foreign or domestic, companies need to know how to protect their most sensitive asset—their digital information.
What lessons can be learned from these incidents to help organisations protect themselves against future hackers?
Did you know? You can help to contain a breach by focusing on multiple layers of a network's defenses.
Fast fact: according to Verizon's 2021 Data Breach Investigations Report, 80% of data breaches come from poor or reused credentials.
Foreign or Domestic: Is There Really a Difference?
State-sponsored hackers tend to have deeper, ongoing financial resources to carry out their campaigns. As a result, such campaigns can often infiltrate organizations' vulnerable IT systems for long periods. During that time, various "back doors" may be installed by the hackers in an effort to extend their reach within a network, all while avoiding major detection.
Unfortunately, state-sponsored cybercrime is a form of digital warfare that is not going away. In a 2015 F-Secure speech, Mikko Hypponen, chief research officer of Finland-based F-Secure Corporation, even called it an "online arms race."
Motives aside, the methods used by foreign or domestic actors to infiltrate systems are not so different. The practice of spear phishing played a significant role in recent political hacks. When users responded to messages disguised as official Google emails, they were tricked into revealing their login details.
As IBM reports, a form of wiper malware was used in the case of the motion picture studio. This type of malware is able to copy any data it finds on a network; it can also be used to "wipe" all data from any disk drive it targets.
Copying and holding an organization's data hostage is not a unique concept. After all, ransomware requires a monetary ransom to release the impacted data. But the use of any of these types of destructive malware attacks reveals the need for organizations to focus their security efforts in two areas: containment and protection.
Containment: Slowing the Army at the Gates
In the days before everyone was interconnected, organizations considered it sufficient to maintain hardened firewalls to protect their perimeters. Today, anyone involved in IT security knows that a firewall is no longer good enough. Employee education can go a long way toward preventing users from responding to suspicious-looking emails, but it can't fully prevent any breach from occurring.
In his speech, Hypponen summarizes this reality as follows: "If you have enough workstations and servers, you cannot protect them all at all times. Every single Fortune 500 company has a breach in their network right now."
While organizations can't prevent every potential hack, several actions can help you to contain a breach or "slow" it from spreading and causing further damage. One method: Focus on multiple layers of a network's defenses, especially the application layer, as G. Mark Hardy suggests in a SANS Institute whitepaper. According to Hardy, the application layer (Layer 7) is the subject of most attacks. Therefore, you should make an extra effort to secure the application layer and resolve specific application-level vulnerabilities.
Containment: Part Two
To avoid a wiper attack, David McMillen, senior threat researcher at IBM, recommends that you keep critical IP isolated in hardened networks accessible only via privileged connections. The second part of this recommendation also speaks to a common pathway used by many hackers: the hijacking of administrative privileges.
In a SANS Institute case study, better control of the use of administrative privileges was one of many critical security controls that author Gabriel Sanchez believed could have minimized the impact of the movie studio hack.
Pairing Containment With Data Protection and Disaster Recovery
In Sanchez's list of the top 20 critical controls, he also mentions the need for robust data recovery. This includes frequent, automatic data backup and fast system recovery processes that allow you to recover a clean set of the impacted data as well as the associated application software and underlying operating system. The ability to restore your data to prior versions before the hack is also important.
This advice extends to physically securing or encrypting stored backups, especially during network transport or with remote or cloud-based backups. This echoes McMillen, who stresses the importance of using "off site data backups for critical information." In light of the potential damage of wiper malware, McMillen also recommends that organizations "implement an emergency business continuity/disaster recovery plan and test [it] at regularly scheduled intervals."
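The recovery properties described in the two paragraphs above (frequent automatic backups, integrity you can trust, and the ability to roll back to a version taken before the hack) can be illustrated with a small append-only, content-addressed snapshot store. The code below is an added example written for this page; it is not the article's own code and not from IBM, SANS or any vendor the article cites. It assumes backed-up files are small enough to hold in memory, that the store lives somewhere the production network cannot overwrite (the off-site copy McMillen recommends), and that transport encryption is handled separately. The "wiper" event in `demo()` is a constructed scenario.

```python
"""Versioned, integrity-checked backup store (added illustration).

Assumptions (not from the article): files fit in memory; the store is kept
off-site and is append-only, so a wiper on the live network cannot alter
snapshots that were already taken; encryption in transit is out of scope.
"""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    """Content digest used both for de-duplication and for integrity checks."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Snapshot:
    version: int
    taken_at: float          # constructed epoch-style timestamp
    manifest: dict           # path -> sha256 of that file's content


class BackupStore:
    """Append-only store: snapshots are only ever added, never edited."""

    def __init__(self) -> None:
        self.snapshots: list[Snapshot] = []
        self.blobs: dict[str, bytes] = {}   # sha256 -> content (content-addressed)

    def snapshot(self, files: dict[str, bytes], taken_at: float) -> int:
        """Record the current state of `files`; unchanged files are stored once."""
        manifest = {}
        for path, content in files.items():
            digest = sha256(content)
            self.blobs.setdefault(digest, content)
            manifest[path] = digest
        version = len(self.snapshots) + 1
        self.snapshots.append(Snapshot(version, taken_at, manifest))
        return version

    def verify(self, version: int) -> bool:
        """True only if every blob the snapshot references exists and still
        hashes to the digest recorded in the manifest (detects tampering/rot)."""
        snap = self.snapshots[version - 1]
        return all(
            digest in self.blobs and sha256(self.blobs[digest]) == digest
            for digest in snap.manifest.values()
        )

    def restore_before(self, incident_at: float) -> dict[str, bytes]:
        """Return the newest snapshot taken strictly before the incident that
        also passes verification; skip any that fail integrity checks."""
        for snap in reversed(self.snapshots):
            if snap.taken_at < incident_at and self.verify(snap.version):
                return {path: self.blobs[d] for path, d in snap.manifest.items()}
        raise LookupError("no verifiable snapshot predates the incident")


def demo() -> dict[str, bytes]:
    """Constructed scenario: two clean backups, then a wiper zeroes the live
    data and the next automatic backup faithfully captures the wiped state.
    Point-in-time restore must hand back the last clean version."""
    store = BackupStore()
    live = {"design/spec.txt": b"v1 of the spec", "src/app.py": b"print('hi')"}
    store.snapshot(live, taken_at=1000.0)
    live["design/spec.txt"] = b"v2 of the spec"
    store.snapshot(live, taken_at=2000.0)
    incident_at = 2500.0                      # when the wiper ran (constructed)
    live = {p: b"\x00" * len(c) for p, c in live.items()}
    store.snapshot(live, taken_at=3000.0)     # backup of the destroyed state
    return store.restore_before(incident_at)  # -> snapshot 2, the last clean one


if __name__ == "__main__":
    for path, content in demo().items():
        print(path, content)
```

The design choice worth noting is that `restore_before` never trusts a snapshot just because it exists: a snapshot whose blobs have been altered after the fact fails `verify` and is skipped, so a single corrupted copy does not leave you without a recovery point. Scheduling these snapshots and exercising `restore_before` on a regular cadence is the "test it at regularly scheduled intervals" step the article calls for.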
Both foreign and domestic hacks remain unpredictable. Are you ready to respond to a data hacker who sets his or her sights on your business?