Why security teams should prepare to slay the three-headed dragon [Q&A]
Governments, utilities and other key industries are prime targets for attack, including from nation-state actors and cybercriminals seeking to extract a ransom.
But David Anteliz, technical director at Skybox, believes that, given the increase in tensions across the world, threat actors will evolve their tactics with a 'three-headed dragon approach' that goes beyond the probing we have seen so far.
We spoke to him to find out more about what this approach involves and how to combat it.
BN: What is the three-headed dragon approach?
DA: This three-step approach involves a cybercriminal or group doing the following:
- Announce they have successfully infiltrated an organization's networks and obtained sensitive employee and/or customer data. Verizon describes this as 'Actor Disclosure' in its 2022 Data Breach Investigations Report (DBIR). According to the report, over 50 percent of ransomware attacks observed by Verizon were discovered when the actor reveals themselves in the form of a ransomware note, on a forum, etc.
- Hold this data for ransom.
- Threaten to share the stolen data publicly if the ransom is not paid in the allotted timeframe.
BN: How have the tactics of cybercriminals evolved to utilize this approach?
DA: The abundance of ransomware attacks seen today is in part due to cybercriminal groups replicating the playbook of state-sponsored attackers. These methods are highly effective when leveraged against unsuspecting private and public organizations without playbooks of their own. Using the three-headed dragon approach, attackers have ramped up the ability to profit from cyberattacks in addition to disrupting services.
BN: Is this approach specific to ransomware, or are there other examples of how attackers are using this approach?
DA: When most people think of ransomware, they think of encryption and disruption that causes a shutdown of services. However, cybercriminals don't necessarily have to hijack a network to demand a ransom. They can gain access to confidential information and threaten to leak it unless a ransom is paid -- the outcome of that being public backlash, economic harm, and reputation damage.
In 2020, an attack involving US military contractor Westech International, which at the time played a significant role in the country's Minuteman III nuclear deterrent, compromised the company's network, encrypted the computers, and stole sensitive employee data. The data was then leaked in underground internet forums. The nature of the incident, combined with the quality of the data that was leaked by the attackers, raised concerns that the criminals responsible had stolen classified military information that would be shared with hostile nations unless the ransom was paid.
BN: What is fueling the continued growth of ransomware?
DA: The pandemic showed ransomware attacks could be highly profitable. Colonial Pipeline and JBS Foods both suffered ransomware attacks in 2021 and paid the ransom to the tune of millions of dollars. There has been a proliferation of for-profit ransomware groups like DarkSide, the group behind the Colonial Pipeline attack, who went as far as releasing a statement saying they only wanted to make money, not cause a disruption. Many of these groups have salaried workers and HR departments -- they have transformed ransomware into a full-scale business. The three-headed dragon approach is at the core of these attacks, and these attackers' business models, because it's effective, replicative, and profitable.
In 2021, the Skybox Research Lab published a report that uncovered 20,175 new vulnerabilities in 2021 -- the most vulnerabilities ever reported in a single year. The total number of vulnerabilities published over the last 10 years reached 166,938 in 2021, which is a three-fold increase. The same report indicated a 42 percent increase in new ransomware programs in the same year. This is primarily in the Operational Technology (OT) sector -- think energy, water, transportation, environmental control systems, and other vital assets that can inflict severe economic damage and endanger public safety if disrupted. The data demonstrates threat actors are becoming more efficient at weaponizing the latest vulnerabilities in both breadth and speed.
Another reason for the continued growth of ransomware is organizations using obsolete vulnerability prioritization approaches that rely solely on measuring the severity of vulnerabilities by CVSS (the Common Vulnerability Scoring System). This system takes an extremely narrow approach to measuring vulnerabilities and fails to consider the organization's unique circumstances before providing a score. Cybercriminals know companies are using this one-size-fits-all approach and use this lack of visibility into vulnerabilities to increase their success.
BN: How can companies predict and prevent this type of attack?
DA: Companies are typically reactive because of an internal absence of resilience. They're expending resources on legacy measures that are increasingly becoming more futile. In doing this, they are inadvertently leaving security teams completely unable to keep pace with a threat landscape that's in a constant state of evolution.
What companies should be doing instead is concentrating on designing a thorough security posture management program that extends throughout the entire enterprise. This approach needs to seamlessly integrate IT and OT environments in addition to optimizing the security planning, implementation, and remediation processes. This level of visibility can only be achieved by implementing a network model rooted in the aggregation of essential data from security, cloud, and network tools. This comprehensive approach to network modeling enables security teams to conduct simulations and evaluations that are aligned with every device and configuration within the security environment.
Organizations must start by taking proactive control over their security posture to stop attacks before they turn into the next headline-grabbing catastrophe. They should adopt tools and create standardized processes that evaluate the overall effectiveness of security controls, procedures, and compliance strategies. Once they have this data, they can proactively identify ways to bolster security efficacy to lower risk of exposure. The aim should be complete visibility across IT and OT systems, discovering and prioritizing exploitable vulnerabilities, then linking this data with distinctive network configurations and security controls to establish if the system is exposed.
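The contrast drawn above between CVSS-only prioritization and ranking by exposure through the network model, shown as an added example that is neither the interviewee's nor Skybox's code: a toy zone-level reachability walk plus a scoring rule whose weights, hosts, placeholder CVE identifiers and compensating controls are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import deque

@dataclass
class Finding:
    host: str
    zone: str
    cve: str               # placeholder ids, not real CVE numbers
    cvss: float            # scanner-reported CVSS base score
    exploit_public: bool   # is a working exploit known to be available?
    criticality: int       # 1 (low) .. 3 (crown jewel), set by the organization

# Constructed network model: the only zone-to-zone paths the firewalls permit.
# Note there is no ("corp", "ot") path, i.e. the OT segment is isolated.
ALLOWED_PATHS = {("internet", "dmz"), ("dmz", "corp")}
# Constructed compensating control: flaws an inline IPS already blocks.
IPS_BLOCKS = {"CVE-PLACEHOLDER-C"}

FINDINGS = [
    Finding("hmi-ot-07",   "ot",   "CVE-PLACEHOLDER-A", 9.8, False, 3),
    Finding("web-dmz-01",  "dmz",  "CVE-PLACEHOLDER-B", 7.5, True,  2),
    Finding("hr-db-02",    "corp", "CVE-PLACEHOLDER-C", 6.5, True,  3),
]

def reachable_zones(start="internet", paths=ALLOWED_PATHS):
    """Zones an attacker positioned in `start` can reach via permitted paths."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in paths:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def cvss_only_order(findings=FINDINGS):
    """What a severity-only program would patch first: highest CVSS wins."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]

def exposure_score(f, reachable, ips_blocks=IPS_BLOCKS):
    """Assumed scoring rule: unreachable or IPS-covered flaws are heavily discounted."""
    if f.zone not in reachable or f.cve in ips_blocks:
        return f.cvss * 0.1 * f.criticality   # keep it on the list, but low
    weight = 1.0 if f.exploit_public else 0.5  # public exploit = full weight
    return f.cvss * weight * f.criticality

def context_order(findings=FINDINGS, paths=ALLOWED_PATHS, ips_blocks=IPS_BLOCKS):
    """Rank by exposure through the network model, not by CVSS alone."""
    reachable = reachable_zones("internet", paths)
    ranked = sorted(findings, key=lambda f: -exposure_score(f, reachable, ips_blocks))
    return [f.cve for f in ranked]
```

Re-running `context_order` with an added `("corp", "ot")` path or an empty `ips_blocks` set shows how a configuration change, not a new CVSS score, moves a finding up or down the list.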