The threat actors behind phishing and ransomware attacks are becoming increasingly sophisticated, and the attack surface they can reach is broad. It’s important to prepare for the worst and expect the worst.
Quartz Network Executive Correspondent Britt Erler sat down with Allen Ohanian, Chief Information Security Officer for the Los Angeles County Department of Children and Family Services, to discuss the latest trends and patterns in phishing and ransomware attacks.
Allen shares insight into:
- Which sectors are the most victimized and why
- Recent trends among cyber attack vectors
- Preparing for and responding to a ransomware attack
Quartz Network: What are some major cybersecurity risks, and are certain sectors hit the hardest?
Allen Ohanian: My answer to that question is always that everybody who has data, everybody who manages data and has some sort of access to a computer or works on an information system, is a target, regardless. Now, of course, there are industries, depending on their size and cyber hygiene, that get attacked the most. For example, small businesses, which in the past were not investing so much in cybersecurity because bigger entities, financial organizations, or even media corporations were the target. Now we are seeing a lot of small businesses getting attacked because they’re an easy target. It’s a fantastic use case for bad guys to attack small businesses because they don’t have as many security measures as a bigger corporation with potentially bigger funds.
If you’re following the bitcoin trend, it’s a huge deal out there, with Tesla and lots of other companies and organizations investing in bitcoin. That created a whole slew of organized cybercrime, where people go after individuals, try to compromise their data, potentially hold them hostage, and ask for bitcoins. So, it’s a financially driven marketplace for the most part. Of course, there are your adversaries, nation states, different countries attacking the United States and others for the obvious reason of getting proprietary information. Sometimes it is for a denial-of-service attack and disrupting services. However, most of them are financially driven motives. They come from our entities who do have those two in mind.
Quartz Network: How can companies help employees identify that there is a cyber attack happening?
Allen Ohanian: It’s become very sophisticated. One of the easiest ways is the phishing emails that come in. In addition to the phishing emails, which usually have a link or a payload that users click on and install on their computers, there are social media accounts. We are all working from home, right? So, what do people do out of boredom? Social media is one of the avenues through which people try to reach out to friends and kind of be virtually present, even though you’re physically kind of trapped. That’s another platform.
Then there are mobile devices. Do you know anybody that doesn’t have a cell phone, a computer and a handheld device? Not many these days. So, these are, again, all attack vectors. Bad guys sometimes compromise legitimate websites. People don’t know if they’re compromised. There’s a malicious payload, people click on it, and then install it.
It happens with applications, even mobile apps. In today’s world, Apple has done a pretty good job on vetting all the apps. So does Google, to an extent. But it doesn’t discount the fact that I can still go and install a third-party app. So bad guys also tackle that because everybody’s using a smartphone these days.
Overall, the nature or the anatomy of these attacks is almost similar. That is, once you install bad code or malware on your computer, it has become too stealthy and sophisticated to be detected by traditional antivirus programs. So, they install, the system gets compromised, and nobody knows about it. The average time for a big organization, or even your own system, to detect it is about three to six months, because they use a lot of zero-days. They go really deep down into the operating system. It’s very hidden and not very obvious to the network detection tools, so they can’t really detect it as quickly as possible.
Imagine three to six months. They try to navigate your network. They try to navigate your computer and potentially make a copy of the data somewhere else. They call it a command and control center. So, there is a bad guy sitting somewhere else, probably in another country, monitoring all your traffic, monitoring what data you have. Once that’s completed, they try to find their way into a different network, and the cycle continues. Once they have everything they need, such as credentials and information that is sensitive to your organization or yourself, then they start encrypting your data. That’s when they ask for ransom.
There’s a recon process, and there’s a stealthy mode with bad guys coming in, searching the area to assess the ecosystem and see how much information they can extract. Once they’re pretty solid on what they find, that’s when they start encrypting the files and asking for ransom.
Quartz Network: What effects have you seen from these types of attacks?
Allen Ohanian: Most companies, if you’re following the media, do pay ransom because they don’t have backup copies. They have no idea what’s compromised and what’s out there. Obviously, they have to pay the ransom, including some law enforcement agencies.
A very recent attack was on SolarWinds. SolarWinds is a security firm, in a way. They provide tools to private and government entities, including law enforcement. So, they were attacked. They didn’t know anything about it until six months later. With that being said, it basically causes companies a significant amount of financial loss. That’s just one element.
Let’s say I want to go after a big company. We will call it Company A. They have a lot of resources, a lot of funds, so it’s hard for me to get into their data or potentially compromise their employees. What do I do? I go over and search to see what this company is contracting with, such as other supply chain entities. I go after these small businesses, again, that we talked about earlier. So let’s say I know who its contractors are, such as the HVAC system contractor. It’s very simple.
With Target, who was hacked recently, that was how they were able to compromise their network. They figured out who Target had as a third-party contractor, and they compromised that contractor. They don’t have proper security measures. They figured out their way into Target’s network. They got into the terminal where people were sliding their credit cards. So it’s a very complex and convoluted ecosystem. Bad guys are always a step ahead. They’re trying to figure out a smarter way to get into networks and potentially compromise data because it’s a lucrative business.
Quartz Network: You said that a lot of companies, a lot of organizations, end up paying the ransom because they don’t know what else to do. Is that what you personally recommend? Or is there a better way to deal with it?
Allen Ohanian: Absolutely not. The rule of thumb is do not pay the ransom because there’s absolutely no guarantee that you will get your files back. Even if you get your files back, there is absolutely no guarantee they don’t have a copy of your data already. So, if you go to underground cyber forums, sometimes you see a lot of credential dumps. Obviously, you don’t know where the sources are coming from, but that’s what happens for the most part.
There was a case I was working on at a private entity. They were compromised. Their data was breached. Then, law enforcement was involved. When we were doing our research on our part to see what went down and what happened, the bad guys promised them they don’t have a copy of their data. Would I bet on that? Absolutely not. The bad guys don’t follow the same ethical rules that we do. For me, prepare for the worst and expect the worst.
Quartz Network: Who are the threat actors behind these attacks?
Allen Ohanian: There’s organized cybercrime because, again, as I talked about Bitcoin, that has created even more incentive for people to start compromising and asking for payments in bitcoin for financial gain. We have threat actors from nation states coming in—China, Korea, Russia, sometimes even within the United States. We see sectors that do commit crime and are leveraging resources at home.
Quartz Network: What can organizations do to not only prepare for this type of attack, but if it does happen, to recover quickly?
Allen Ohanian: There are a few things that, in my opinion, every organization can do. These are low-hanging fruit, and you can easily pick out a few of these. It really goes a long way.
Make sure access to your jewels, your corporate data, at minimum uses multi-factor authentication. For example, when you log in, there’s some sort of code that gets sent out, or some sort of message, or some sort of secondary device or tool that allows you to get into your corporate data. That’s one.
I can’t emphasize this more. Training. It goes extremely far. So, what I have been doing is obviously continuous training—rigorous training—depending on what’s going on in the nation and what’s going on in our environment.
On top of that, phishing campaigns. Everybody now is going through the vaccination process. We know this is going on. So we craft our phishing campaigns according to what’s happening today. Very recently, we crafted a phishing campaign that talked about Coronavirus vaccination appointments available. It was amazing. A lot of people were reporting them back to us now. So that, to me, gauges the success rate of our people—vigilant or not. Training is critical.
One element within the training is what we do. We go after people who failed the training or failed the campaign, not necessarily to punish them—not at all—we want to see what caused them to click on a link. I would rather see people fail on the phishing in our phishing campaigns than on the real ones. For me, it is very important to know what caused them to click on it. Did they not have the knowledge? Did they not have the tools to verify? Or was it just pure negligence? So that helps me to redesign or reshape the next training that’s going to come up.
The next one, which again I can’t emphasize enough, is an incident response plan. It’s like getting ready for an earthquake, getting ready for a natural disaster. You always have to have a plan. Because when that happens, at the time of crisis, it’s not the time to plan the plan, it’s the time to execute the plan. I’ve seen across many organizations, believe it or not, that they don’t have an incident response plan. Something bad happens, and they don’t even know where to start. They don’t have the contact people. They don’t know what to look for, who to inform. So that is critical. Once you have that incident response plan, make sure you’re practicing it, just like an earthquake. Not just within the IT or technical folks, but across the organization. When we do earthquake drills, the whole organization is involved. So it should be with incident response for cyber attacks.
The list follows on with making sure your systems are patched. Again, this is another low-hanging fruit. A lot of companies sometimes miss it, especially during the pandemic when people are working from home. They may use an outdated system, which is not supported, or even their phones. Malware spreads not just to your laptop, desktop, or server; now it’s within your phone because it’s a target. So patching is another element.
Another one that I have seen a lot is supply chain, or as I was talking about, the contractors. Let’s say we do everything in our power within our organization, but when we contract and we entrust others with our data, are they also protecting our information? Or is their security posture kind of lacking? That’s another important element to follow. Of course, all of that comes from risk assessment: know what you have. Understand what your low-hanging fruit is, so you can tackle it. Some of these basic things can go really far.
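The phishing-campaign follow-up Allen describes (measuring whether people click or report, and picking out who needs coaching rather than punishment) is easy to operationalize from the event log a simulation platform produces. The script below is an added example written for this page, not the county's or any vendor's tooling; the log format, user names, event types and timestamps are constructed for illustration. It derives the two numbers worth tracking from a campaign, click rate and report rate, along with time to first report, and sorts users into follow-up groups.

```python
"""Summarise a simulated phishing campaign from a constructed event log.

Added example; log format and data are invented for illustration.
"""
from datetime import datetime

# Constructed log: "timestamp,user,event" per line.
# Event types (assumed): sent, opened, clicked (followed the link),
# submitted (typed credentials on the landing page), reported (used the report button).
SAMPLE_EVENTS = """\
2021-03-01T09:00:00,alice,sent
2021-03-01T09:00:00,bob,sent
2021-03-01T09:00:00,carol,sent
2021-03-01T09:00:00,dave,sent
2021-03-01T09:00:00,erin,sent
2021-03-01T09:04:10,alice,opened
2021-03-01T09:05:30,alice,reported
2021-03-01T09:07:45,bob,opened
2021-03-01T09:08:02,bob,clicked
2021-03-01T09:08:40,bob,submitted
2021-03-01T09:12:00,carol,opened
2021-03-01T09:12:30,carol,clicked
2021-03-01T09:13:10,carol,reported
2021-03-01T10:30:00,dave,opened
"""


def parse_events(text):
    """Parse the log into a time-ordered list of (timestamp, user, event)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event = line.split(",")
        events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)


def per_user_outcome(events):
    """Collapse each user's events into one record of what they did."""
    outcomes = {}
    for ts, user, event in events:
        rec = outcomes.setdefault(user, {
            "sent_at": None, "opened": False, "clicked": False,
            "submitted": False, "reported": False, "first_report": None})
        if event == "sent":
            rec["sent_at"] = ts
        elif event == "reported":
            rec["reported"] = True
            if rec["first_report"] is None:
                rec["first_report"] = ts
        elif event in ("opened", "clicked", "submitted"):
            rec[event] = True
        else:
            raise ValueError(f"unknown event {event!r} for user {user!r}")
    return outcomes


def campaign_metrics(outcomes):
    """Click rate, report rate and time to first report across the campaign."""
    recs = outcomes.values()
    targets = sum(1 for r in recs if r["sent_at"] is not None)
    clicked = sum(1 for r in recs if r["clicked"])
    submitted = sum(1 for r in recs if r["submitted"])
    reported = sum(1 for r in recs if r["reported"])
    # Time from send to report is the number that tells the SOC how fast a real
    # phish would surface; a campaign with a low click rate but no reports is still a gap.
    delays = [(r["first_report"] - r["sent_at"]).total_seconds()
              for r in recs if r["reported"] and r["sent_at"] is not None]
    return {
        "targets": targets, "clicked": clicked, "submitted": submitted, "reported": reported,
        "click_rate": clicked / targets if targets else 0.0,
        "report_rate": reported / targets if targets else 0.0,
        "seconds_to_first_report": min(delays) if delays else None,
    }


def follow_up(outcomes):
    """Sort users into groups for the conversation after the campaign.

    coach:     clicked or submitted and never reported (find out why, then retrain)
    reinforce: clicked but then reported (right instinct, late)
    vigilant:  reported without clicking (the behaviour the training aims for)
    """
    groups = {"coach": [], "reinforce": [], "vigilant": []}
    for user, r in sorted(outcomes.items()):
        if (r["clicked"] or r["submitted"]) and not r["reported"]:
            groups["coach"].append(user)
        elif r["clicked"] or r["submitted"]:
            groups["reinforce"].append(user)
        elif r["reported"]:
            groups["vigilant"].append(user)
    return groups


if __name__ == "__main__":
    outcomes = per_user_outcome(parse_events(SAMPLE_EVENTS))
    print(campaign_metrics(outcomes))
    print(follow_up(outcomes))
```

Users who only opened the mail or ignored it (dave, erin in the sample) land in no group: they did nothing wrong, but they also gave no evidence of vigilance, which is why report rate, not just click rate, is the figure to trend from campaign to campaign.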
For more industry best practices and insights from leading IT executives like Allen, join Quartz Network.