While it can be argued that cybersecurity is everyone’s responsibility, some are better placed to deal with threats. Having the knowledge and ability to deal with ransomware, and ultimately prevent infection, is a strong case for partnering with a specialised managed detection & response provider.
Been hacked twice in the space of a few months can be interpreted in two ways. First, the company experienced a bout of extremely bad luck. Or, secondly and the more accurate interpretation, the company failed to make important decisions regarding its IT infrastructure and who manages it to prevent incidents from occurring moving forward.
At the time of writing it is not clear if a ransom was paid by Toll, but we do know that their data was stolen and released on the dark web. In the statement released by the company, it was stated they had no intention of paying the ransom and that there was no evidence to suggest data had been stolen. Despite their statements, the whole scenario is an excellent use case in the current realities faced by businesses. Data breaches and ransomware attacks are part of the current reality, morality, and criminality aside, companies need to address these measures in a pragmatic and efficient method. This involves being honest about in-house capabilities and bringing in outside help where necessary.
It is simply no longer good enough to hire a few IT specialists and anti-virus package licenses. The reality, as it is, does mean that hackers have numerous attack vectors to exploit when targeting a business, understanding those vectors and the threat landscape is often a specialised task beyond the scope of IT departments. Mistakes will happen and networks will be compromised and effective mitigation strategies need to be in place. These involves having a robust threat detection & response capability in place together with business continuity and disaster recovery, because the likelihood of another breach is just a matter of time.
The following is a 5-step process that every organisation can follow to ensure they can protect, detect, respond and recover from cyber-attacks including ransomware.
Every security system in the world that works is made up of the 3 pillars of security namely, Protection, Detection & Response and yet most enterprise are squarely focused on the protection pillar with no detection or response capability. So, ensure that your security focus and budget is not incorrectly skewed because Protection will always fail and when it does you need to be able to detect and respond before your assets are compromised.
This usually involves stopping any legacy investments that haven’t delivered any value to you for some time. On the Protection front, that may include stopping any further renewals of your Anti Virus, DLP or SIEM solutions. It may mean replacing your traditional Firewalls with NextGen Firewalls, and so on. On the Detection & Response front it means exploring advanced MDR solutions such as that from LMNTRIX, over your internal SOC or legacy MSSP’s that have all failed to detect and respond to some of the largest breaches in history to date.
Step 1 – PROTECT as much as you can
To get Protection right you need to secure as much as you can taking a layered defence strategy using your existing controls and teams. Here I recommend at minimum you comply with the Essential Eight as your starting baseline. During this step try and maximise your existing investments where possible. As an example, we have seen enterprises replace one control with another (such as AV with a NGAV) only to be successfully breached again with ransomware in a matter of weeks – don’t make this mistake and fall for yet another silver bullet or vendors with more marketing dollars than brains.
This Protect step also includes your weakest link and your first layer of defence – the human element. Threat actors are increasingly targeting staff as an access point to your organization and this is most likely how Toll was hacked in both occasions. Employees are expected to remain the most cited source of compromise. To help thwart this, leading enterprises employ phishing exercises — and don’t slack off until there is evidence of organizational “muscle memory response” among your employees. For example, ask your employees to lie about their personal information for password recovery. For example, “What was your mothers maiden name?” Make up a name. Do not use her real name. And finally ask your employees to slow down, question and verify before clicking on emails or transferring money.
Step 2 – DETECT everything that is missed by PROTECT
The Detect step is your backup plan. Detect entails monitoring of your internal network and endpoints, detecting malware and attackers that bypass your perimeter controls or hiding in your network. This step includes the use of advanced techniques such as Threat Intelligence, Adaptive Response, Analytic Monitoring, and Deceptions.
The second step is your failsafe. For Step 2 to work best, a security team imagines an attacker hiding in their network and covering his tracks, and tries to hunt him down every day. This way, if the time comes that your organisation is the victim of a security breach, the culprit will quickly be discovered and the damages from the hack will be reduced massively.
Don’t let this be you. By implementing Step 2, you’ve assumed that Step 1 will be insufficient, and established monitoring, detection, and intelligence tools accordingly. Now you’re prepared for a breach, and the number of days a hacker can hide in your network will blow the median out of the water. A Step 2 security system isn’t paranoid, because eventually the imagined attacker is a real attacker, and through constant monitoring, detection, and prediction, real attackers are located as quickly as possible after a breach.
For a successful Step 2 outcome, I only recommend engaging an advanced Managed Detection & Response (MDR) vendor with significant intellectual capital such as LMNTRIX.
Here is the bottom line. Step 2 does not mean trying to do this yourself, by all of a sudden fantasising that you’re in the business of 24/7 cyber defence and charging into blowing company resources into a SOC and buying expensive SIEM tools, hiring lots of expensive security analysts and hoping for the best. Nor does Step 2 mean outsourcing to an MSSP. Why? Because these legacy approaches have failed enterprises for the past 20 years and they continue to fail today. If you don’t believe us just try running a red team exercise on your network and you will soon realise that in both of these scenarios, threats will still go undetected for several weeks, proving just how easy it is for attackers to steal your data without being detected. From our experience, most organisations that make such investments still have no ability to detect and respond to advanced threats that bypass their perimeter controls.
Step 3 – RESPOND by containing and remediating before material damage is realised
Most organisations like Toll have no response plan at all. For example, after Yahoo was breached in 2014, the attackers sifted through the company network, downloaded proprietary software and massive databases, and gained the ability to access a billion user accounts. Two years later, when Yahoo made this information public, they basically shrugged their shoulders and said, “It happens, what can you do?”
Well, here’s what you can do: Use an MDR to implement Step 3, Respond. An effective response plan should contain and mitigate an attacker in your network, patch the discovered security hole, prevent the spread of malware, and recover stolen data. You should quickly and efficiently remove the threat from your network (which you will be able to do, because you’ve also implemented Step 2!), figure out exactly what the attacker did while connected to your network, and quickly notify affected parties so they can ensure their privacy and security if necessary (change passwords, alert banks, etc.).
With this approach, you keep hackers away from your secure, sensitive information and rapidly reclaims your fortress.
Advanced MDR vendors offer so much more than is possible for any SOC, MSSP, SIEM or perimeter control. As the security game advances, prevention-based security is hopelessly insufficient and outclassed. We know attackers have become more advanced, and we know that even the most expensive legacy security controls have consistently failed to protect organizations. MDR vendors are making the push into next-generation security, bypassing multi-million-dollar SOCs and SIEMs in effectiveness and countering even the most advanced threats.
Step 4 – RECOVER before anyone finds out
Now it’s time to get your business cyber resilient. This essentially means your ability to continuously deliver the intended business outcomes, despite adverse cyber events.
Recently a client from the construction industry who was cyber resilient had a major ransomware attack and had their network up within 48hrs even though most of their servers and workstations got locked up, while we helped them contain and respond to the breach. You can read all about the technical details of the incident here.
As in the case with the Toll ransomware breach, it’s important to recognise that the only real defence against ransomware is business continuity and disaster recovery irrespective of how many NGAV and magical AI appliances you have on your network. We are seeing a large spike in the number of clients getting hit right now specially across councils, schools and healthcare. The situation should be enough to convince everyone to run at least one exercise to really assess how well their organisation would cope against ransomware. So, the big advise here is, test your backups often to ensure they work (be honest about it) and ensure backups are removed or disconnected from your network and don’t forget about any important files that may reside on workstations and laptops.
Step 5 – Be the threat actor & re-evaluate your plan
What I mean by this is that agile cybersecurity functions employ real-world scenarios to augment standard controls testing. Unannounced red teaming (not penetration testing) focused on gaining an understanding of the real state of cybersecurity readiness is a common method. This way, you can capture key metrics to answer questions such as: How long does it take to detect the attack or anomalous activity? Are the alerts effectively calibrated? How long did it take to block the attack? If the attack was successful, in which layer, and what specific defenses failed? The best metrics are multi-level so they can to show readiness at each specific cybersecurity program and threat area.
As organizations begin to think like a threat actor, they may do a more effective job designing defenses, prioritizing their deployment and devising test activities to assess the effectiveness of those defenses against the real-world threats.
And finally, you need to regularly re-evaluate your plan and priorities by refreshing steps 1 through 5 to stay current with your ever-evolving threat and risk profile.
As we have articulated, in this ever-evolving and increasingly hostile cyber threat environment, it is simply no longer sufficient to evaluate your organization’s cybersecurity program maturity with static checklists and one-size-fits-all-controls testing. Instead, we advise organizations to move quickly to adapt to the changing cyber threat environment by adopting an ongoing threat-based cybersecurity program.
Cyber is a leadership challenge: make it yours – regulators such as ASIC, SEC, FCA, MAS, FMA and SFC have repeatedly stressed boards and executives must take ownership of cybersecurity. The tone and priorities of an organisation are set and reinforced at the top. Cyber isn’t a technical problem, but a business challenge that needs to be faced head-on and with open eyes. The story of Toll isn’t theoretical – particularly for those unfortunate execs who learned the hard way.
Both Toll incidents indicate that there were severe deficiencies in preventing, detecting, responding and recovering from an attack. The price for this lapse in judgement is going to be severe. As it stands Toll’s parent company Japan Post had already been looking at a number of recovery plans for the logistics business including selling the business of which it had already taken a steep investment write-down. The company was initially bought for $8 billion in 2015.
While the story is still developing and facts about the incident will surely emerge the actual cost to Toll can only be estimated. Currently, it can be safely assumed that Japan Post will not see a return on their investment anytime soon. If someone is looking to purchase Toll their valuation would have to include the cost of dealing with the fallout which may result in court battles if Toll did indeed suffer a data breach. For Japan Post, this would further cut down the asking price if it was to sell.
It is difficult to say currently if the incidents could have been prevented without a shadow of a doubt. However, two ransomware incidents within a few months of each other begs the question if any lessons were learnt?
If you have any questions relating to this article or if you would like to discuss your cyber security needs with us, please feel free to get in touch using firstname.lastname@example.org.