7/13/2021
11:00 AM
Can Government Effectively Help Businesses Fight Cybercrime?

From the Biden administration's pledge to take action to INTERPOL's focus on ransomware as a global threat, governments are looking to help businesses cope with cyberattacks. But can it really work?

When Team Cymru's James Shank worked with the Ransomware Task Force to come up with the worst-case scenarios for a ransomware attack, the group focused heavily on impacts: How could attackers endanger people or cause significant damage to infrastructure?

However, the group also focused on vectors - including an exploitation chain that amplifies attacks by compromising the software supply chain, infecting managed service providers and propagating too quickly for defenders to react. In short, the scenarios the group came up with looked very similar to the attack against managed service providers using a vulnerability in the Kaseya Virtual System Administrator (VSA) servers that happened on July 2.

The ability to use existing update and control mechanisms to propagate an attack is often referred to in military jargon as "force amplification," Shank says.

"That was one of the identified vectors that we explicitly called out, because it has wide-ranging impact," he says. "Force amplification that is one of the things that we explicitly did identify as a technique that should be considered part of the worst case of scenarios."

The attack—along with attacks on oil-and-gas transport network Colonial Pipeline and meat packer JBS USA—highlights the capability of ransomware groups to affect large numbers of people, and underscores that attack techniques are evolving. Without any fear of retribution, the groups behind the schemes will likely only get better. Individual companies have little recourse except to improve their defenses, stay on top of the latest techniques, and prepare to minimize business disruption in the event of an attack.

Yet governments are hobbled as well. On Friday, US President Joe Biden discussed the attacks with Russian President Vladimir Putin, requesting cooperation and pledging consequences for any inaction, according to reports. What those consequences will be is unclear.

"I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Biden told the White House press.

The Cyberspace Solarium Commission (CSC), a bipartisan group of legislators and cybersecurity experts, recommended more than 80 policy initiatives that aim to improve US cybersecurity in March 2020. Among the foundations of the recommendations, the CSC focused on deterrence to shape rival nations' behavior, deny benefits to attackers, and impose significant costs on any successful attack. 

So far, at least 27 of those recommendations have been turned into US policy, and the commission hopes another 30 will be introduced as legislation and executive action this year.

While companies need to better defend themselves, the government can help them by recommending cybersecurity measures and passing along threat information, and by taking actions to dissuade attackers, whether through sanctions against collaborating countries, indictments against individuals, or offensive attacks against the infrastructure used by criminals and their financial windfalls, says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD) and executive director of the Cyberspace Solarium Commission.

"No one of them can solve it alone—you have to do all three," he says. "We need to be working consistently across all three of those lines of effort."

The Ransomware Task Force recommended five policies: coordinated diplomacy and law enforcement efforts, an aggressive whole-of-government campaign by the United States to dissuade ransomware groups, the establishment of cyber response funds to help businesses, an international framework for responding to ransomware, and more regulation of cryptocurrency. The recommendations cannot be done piecemeal but need to be pursued all at the same time, says Team Cymru's Shank.

He has high hopes for such an approach. While companies and nations may seem to be at a disadvantage compared to cybercriminals operating in other jurisdictions, the vast majority of interests lie in solving the problem of ransomware, he says. 

"The attackers—compared to the army of people who have an interest in them not being successful—they are way, way outnumbered," he says.

Ransomware as Terrorism

The United States is not the only nation whose government has put a spotlight on ransomware. On July 8, INTERPOL put the threat of ransomware on par with terrorism activity, as a priority for collaborative law enforcement efforts. 

Ransomware is certainly a worldwide problem. WannaCry and NotPetya, two cyberattacks that mimicked ransomware, caused tens of billions of dollars in damage, shutting down operations not only at US companies, but at European and Asian firms as well. The vast majority of businesses affected by the Kaseya ransomware attack were outside the United States, with 45% of downstream attack attempts detected by Kaspersky occurring in Italy and 15% in Colombia. The United States ranked second, with 26% of detections of the REvil ransomware payload.

In its annual conference this week, INTERPOL called for tighter partnerships between countries to combat ransomware and other threats.

"A global strategy in response to the threat of ransomware is critical – one where we successfully build trust, see effective exchange of data, and maximize rapid operational assistance to law enforcement agencies," INTERPOL Secretary General Jürgen Stock said in a statement.

Companies also need to do more to protect themselves from attacks. As automation and cost savings are implemented, those funds should be reinvested, says FDD's Montgomery. Colonial Pipeline benefited from significant automation of its operations, but it did not invest those savings in cybersecurity to keep its oil-and-gas transport network safe, he argues.

"They let go dozens and scores of people when they automated, and when they were attacked, Colonial Pipeline could not have reverted back to the 1960s when their pipeline was manual," he says. "So when you move toward more automation, invest in the security of your operational systems."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...