A few days ago, NotPetya came into our purview, and left enterprises globally with many questions.
The WannaCry ransomware started to hit companies worldwide this past Friday, setting off a wave of panic about what to do about it. The reality is that this attack will continue to proliferate, and it will likely continue to command attention from CISOs to the boardroom to the media for the upcoming weeks. The attack was first reported to have hit companies in Europe and Asia this past Friday, and so far over 200,000 systems in 150 countries have been affected.
You can’t read the news these days without being blasted with yet another Ransomware story. Almost daily, there seems to be a new variant, a new name, and inevitably, new victims. The rise of Ransomware attacks shouldn’t come as a surprise, since its execution is quite simple and the demands on the victims are not onerous. Ransomware is not like an APT (Advanced Persistent Threat): there is no need for a long-term stealth operation, no need to explore the victim’s networks and resources, no need to steal credentials, and no need to quietly and patiently exfiltrate sensitive data. With Ransomware, an exploit kit opens the door, and BANG, there it is: your PC is displaying a ransom note with detailed instructions on how to pay.
In the game of whack-a-mole, the player’s objective is to hit a target that keeps popping up in different places. It’s a fun game that exercises one’s reflexes and motor skills.
Unfortunately, similar games are played every day in security operation centers across organizations of every size, and those games are not fun. What makes it hard for the incident responders is the movement of the adversary: hopping from one endpoint to another, from one workstation to another. This is called lateral movement. There are many reasons why attackers move laterally: to establish another persistence point in the network (the so-called “beachhead”), to steal data from a server, and sometimes to prepare the workstation for the next phase of the attack (network enumeration or credential stealing, for example).
Two very recent defining events are helping the industry see the bigger picture of the state of cybersecurity: the Verizon Business’ DBIR report and the RSA conference. Both the report and the conference reinforce the fact that cybersecurity has now reached boardroom level.
This year, yet again, one common denominator between the two was the message that organizations now understand that being attacked is not a matter of “if” but “when”. That awakening is good news.
This video post is one in a series of technical blog posts examining various attack scenarios through video simulations of CounterTack’s Event Horizon platform. Today, CounterTack’s Nenad Kreculj exposes some tactics cyber attackers use to hide their actions.