Can Government Effectively Help Businesses Fight Cybercrime?

From the Biden administration's pledge to take action to INTERPOL's focus on ransomware as a global threat, governments are looking to help businesses cope with cyberattacks. But can it really work?

When Team Cymru's James Shank worked with the Ransomware Task Force to come up with the worst-case scenarios for a ransomware attack, the group focused heavily on impacts: How could attackers endanger people or cause significant damage to infrastructure?

The group also examined vectors, including an exploitation chain that amplifies an attack by compromising the software supply chain, infecting managed service providers, and propagating too quickly for defenders to react. In short, the scenarios looked very much like the July 2 attack on managed service providers that exploited a vulnerability in Kaseya Virtual System Administrator (VSA) servers.

Using an organization's existing update and control mechanisms to propagate an attack is often referred to, in borrowed military jargon, as "force amplification," Shank says.

"That was one of the identified vectors that we explicitly called out, because it has wide-ranging impact," he says. "Force amplification, that is one of the things that we explicitly did identify as a technique that should be considered part of the worst-case scenarios."

The attack—along with attacks on oil-and-gas transport network Colonial Pipeline and meat packer JBS USA—highlights the capability of ransomware groups to affect large numbers of people and underscores that attack techniques are evolving. Without any fear of retribution, the groups behind the schemes will likely only get better. Individual companies have little recourse except to improve their defenses, stay on top of the latest techniques, and prepare to minimize business disruption in the event of an attack.

Yet governments are hobbled as well. On Friday, US President Joe Biden discussed the attacks with Russian President Vladimir Putin, requesting cooperation and pledging consequences for inaction, according to reports. What those consequences would be is unclear.

"I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden told the White House press.

In March 2020, the Cyberspace Solarium Commission (CSC), a bipartisan group of legislators and cybersecurity experts, recommended more than 80 policy initiatives aimed at improving US cybersecurity. The recommendations rest on a layered deterrence strategy: shape rival nations' behavior, deny benefits to attackers, and impose significant costs on any successful attack.

So far, at least 27 of those recommendations have been turned into US policy, and the commission hopes another 30 will be introduced as legislation or executive action this year.

While companies need to better defend themselves, the government can help along three lines of effort, says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD) and executive director of the Cyberspace Solarium Commission: recommending cybersecurity measures, passing along threat information, and taking actions to dissuade attackers, whether sanctions against countries that harbor them, indictments of individuals, or offensive operations against the infrastructure criminals use and the proceeds they collect.

"No one of them can solve it alone—you have to do all three," he says. "We need to be working consistently across all three of those lines of effort."

The Ransomware Task Force recommended five policies: coordinated diplomacy and law enforcement efforts, an aggressive whole-of-government campaign by the United States to dissuade ransomware groups, the establishment of cyber response funds to help businesses, an international framework for responding to ransomware, and tighter regulation of cryptocurrency. The recommendations cannot be implemented piecemeal; they need to be pursued together, says Team Cymru's Shank.

He has high hopes for such an approach. While companies and nations may seem to be at a disadvantage against cybercriminals operating from other jurisdictions, the vast majority of interested parties want the ransomware problem solved, he says.

"The attackers—compared to the army of people who have an interest in them not being successful—they are way, way outnumbered," he says.

Ransomware as Terrorism

The United States is not the only nation whose government has put a spotlight on ransomware. On July 8, INTERPOL put the threat of ransomware on par with terrorism as a priority for collaborative law enforcement efforts.

Ransomware is a worldwide problem. WannaCry and NotPetya, two cyberattacks that mimicked ransomware, caused tens of billions of dollars in damage, shutting down operations not only at US companies but at European and Asian firms as well. Most of the businesses affected by the Kaseya ransomware attack were outside the United States: of the downstream attack attempts detected by Kaspersky, 45% occurred in Italy and 15% in Colombia, while the United States ranked second with 26% of detections of the REvil ransomware payload.

In its annual conference this week, INTERPOL called for tighter partnerships between countries to combat ransomware and other threats.

"A global strategy in response to the threat of ransomware is critical – one where we successfully build trust, see effective exchange of data, and maximize rapid operational assistance to law enforcement agencies," INTERPOL Secretary General Jürgen Stock said in a statement.

Companies also need to do more to protect themselves from attacks. As companies automate and cut costs, some of the savings should be reinvested in security, says FDD's Montgomery. Colonial Pipeline benefited from significant automation of its operations, but it did not reinvest those savings in cybersecurity to keep its oil-and-gas transport network safe, he argues.

"They let go dozens and scores of people when they automated, and when they were attacked, Colonial Pipeline could not have reverted back to the 1960s when their pipeline was manual," he says. "So when you move toward more automation, invest in the security of your operational systems."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
