If any organizations are still unconvinced of their vulnerability to cybersecurity risks, the recent ransomware attack against Kaseya's Virtual System Administrator (VSA) platform should represent a $70 million wakeup call. However, for those organizations fortunate enough to have avoided this exposure — perhaps because their managed services provider (MSP) didn't use Kaseya — there is a strong tendency to offer a prayer of thanks and then not think about it, since your organization was unscathed. That's a mistake, and one that can make your organization more vulnerable to future attacks.
The Kaseya incident is the latest example of an attack that combined malware coupled with legitimate software typically granted high-level permissions (Kaseya VSA in this case). By combining the two, the attackers can obfuscate their attack. Essentially, they hope to come in under the radar by making the attack look like something the victim expects, using a known piece of software. This use of a disguise is clever, and as we've seen in the past week, it can be very effective, but it's not new.
It is likely that given the success of the attack, we should anticipate 100% probability for future use of this technique.
You need to be ready for it.
The Complex Supply Chain Challenge
The lesson here is that one cannot assume that everything coming from an apparently benign source is safe. Organizations need to use endpoint analytic tools that can differentiate corrupt behavior from legitimate commands, especially those coming from pre-approved vendors with elevated network permissions.
Because these attacks, and the legitimate software that serves as a disguise for the attacks, ultimately originate outside of the company environment, they could be characterized as supply chain attacks. Contracts — which serve as the formal set of rules between the parties — likely were not written with this kind of attack in mind. And in this case, there are multiple layers of contracts — between Kaseya and the MSPs, and between those managed services companies and the end-users who hire them. Similarly, the various cyber-insurance policies may not provide clear guidance on coverage for these attacks.
We should consider two problems. First, the technical challenges associated with preventing these attacks. Second, the intricacies of responding to them when they occur.
Consider that the attacks associated with the Kaseya system were launched right before a three-day holiday weekend. That's not unusual. The attackers know that many of the people who would normally participate in a response might be unavailable. What we can conclude from this is that these risks can materialize suddenly and have to be dealt with very quickly. Having a comprehensive and effectively managed monitoring platform active 24x7 is becoming more than just a good idea: it is increasingly becoming a necessity. Having a reliable source that can update threat recognition and help you launch an appropriate response can be the difference between being a victim and avoiding a serious intrusion.
Our experience tells us that the leadership of every organization should ask the question, "What if we were targeted because of software that we use and have no reason to suspect?" At the very least, your organization should conduct a risk assessment to know where you stand. What will you do if the next attack of this kind were launched on Christmas Eve — given that Christmas this year is on a Saturday? Who would be there to detect it if you don't have an external monitoring solution? Who would be there to respond?
Also consider the complexities of investigating this kind of attack. Just collecting the evidence can be a difficult forensic effort, particularly when you consider that the evidence might become discoverable in future litigation over responsibility or insurance coverage. It has to be collected and maintained in a forensically correct way and documented with a complete chain-of-custody. That evidence can be the difference between winning or losing that litigation.
For this reason, it is vital that the investigation and response to the attack be viewed as more than just an IT function. Certainly, the company's legal counsel should be involved right from the beginning. If there is cyber insurance, the risk manager or whoever is responsible for the company's insurance program has to be involved to assure that notifications required by the insurance contracts are made. This is a case where having a pre-identified forensic and investigative consultant can be vital. Taking the time to identify a provider, assure that they have the state licenses required (some states require computer forensic investigators or those conducting corporate investigations to hold valid state-issued private investigator licenses) and negotiate a contract takes time that you won't have once your security has been breached.
Without knowing what the next attack will be, we can't predict exactly what will be involved in preventing, detecting, and responding to the challenge. However, we do know that there will be future attacks, that they will be sophisticated, and that they will exploit software that is in regular use. This will happen whether you're ready or not. Better to be ready, because the threats — and the risks to your organization — are real.