By Chris Fisher, Director of Security Engineering, Vectra APJ
Ransomware attacks on critical infrastructure spike in last 3-6 months
When the ICT systems of Eastern Health in Melbourne, Australia, were attacked by hackers in March, the organisation was quick to reassure and confirm that patients were not at risk. However, the incident resulted in significant disruption to the hospital’s network, including the cancellation of elective surgeries and stress on staff and patients.
It’s not just hospitals being hit. Critical food supply chain infrastructure is also being impacted. A recent ransomware attack on JBS, the world’s largest meat works company, has forced the temporary closure of 47 sites across Australia. More than 11,000 JBS workers across Australia were impacted with operations temporarily closing down. In a bid to protect customers, JBS paid the equivalent of $11 million in ransom to end the attack.
These attacks can have ongoing detrimental effects, with the Nine Entertainment ransomware infection highlighting this. The attack, described as ‘significant, sophisticated and complex’, was quickly contained by 9Technology, the company’s IT organisation, but a statement from the CEO revealed that several core systems remained offline and restoring core systems and connectivity would ‘take time’.
In response to the number of high-profile ransomware incidents, the Federal Government has launched Operation Orcus. The cross-agency initiative is designed to target ransomware attacks that have direct links to sophisticated organised crime groups, both in Australia and globally. The Australian Federal Police are leading the initiative, with the Australian Cyber Security Centre (ACSC), the Australian Criminal Intelligence Commission, AUSTRAC, and state and territory police agencies also joining the force.
Ultimately, it’s become abundantly clear that organisations must understand how to mitigate risks and stop attackers breaching critical infrastructure, otherwise ransomware will continue to rise with increasingly adverse effects.
Recognising the risks and finding a solution
While the vectors of all these incidents have remained the same, the speed at which the attackers can now pivot through an organisation’s network and the coverage they are able to achieve as a result has greatly increased. This highlights that current prevention tools are no longer enough to mitigate risk.
Advanced attackers will access and propagate across cloud, data centre, IT, and IoT networks, each of which offers a different vantage point on the infrastructure. However, because of the volume of data and the low ratio of attacker signal to ordinary communication noise, manual analysis and detection cannot deliver the scale, speed, or efficiency that is required.
Constantly evolving threats to critical national infrastructure mean a round-the-clock effort and highly specialised skills are needed to bolster enterprise cybersecurity. Most organisations have lean IT teams and lack the cybersecurity expertise required to pre-empt and mitigate sophisticated threats, placing enormous strain on what is potentially an already limited resource.
Regardless of industry, when it comes to implementing robust security, businesses need to consider the relationship between IT, operational technology (OT), change management and cybersecurity. As every organisation’s infrastructure is different, internal teams will understand their IT and OT better than any outside party. However, cybersecurity experts can step in to help protect against threats at the network level.
Once there is an understanding of operational assets and how an organisation approaches change management, you can focus on non-intrusive, continuous visibility and network security tools that detect and flag when an attacker moves in.
Threat signatures only search for known malicious payloads, while anomaly detection only knows what is different instead of what is bad. Effective network security tools slow down attackers with defensive controls and perimeter protection, and speed up defenders with high-fidelity detections, and threat and context awareness. They automate threat detection and incident response, allowing security analysts to perform in-depth investigations based on actionable incidents. Cyber and safety come together at this critical infrastructure layer to stop attackers in their tracks.
Fighting ransomware for CNI infrastructure: Top three tips
Focusing on attacker behaviour within the network, rather than relying on signature-based technology, is the key weapon in the fight against ransomware. Organisations need solutions that provide clear signals without noise, together with the contextual information that lets security analysts make quick, informed decisions.
To better protect an organisation from internal and external threats, I’d like to share some best practice tips:
1. Apply a mix of subject matter experts and technology
It is not enough simply to invest in tools; organisations also need to build knowledge and establish stringent governance frameworks. That is where vendors with true cybersecurity expertise drive value, helping organisations not only to draw upon expertise and intelligent, AI-driven detection tools but also to gain deep visibility into security and compliance gaps.
2. Understand and protect your new threat landscape
First and foremost, understanding the assets and having asset management in place is vital. The next step is to understand the change control process. When looking at approved or unapproved changes, you need to be able to match these up against the assets. Several technologies can assist with asset management and classification. Bringing these together provides a broader understanding of the downstream consequences of a change: which assets could be affected, and what the change management process, or the initial reaction, should be if an unapproved change occurs.
It is also imperative that organisations truly understand their new enterprise network. We have seen the perimeters of the network vanish during 2020 as organisations have shifted to the cloud; the modern enterprise network now spans the data centre, IaaS, SaaS and PaaS. It is vital that the enterprise has visibility into all of these networks and is able to track attackers as they pivot through these environments. We must build detection and response capabilities that can shine a light into all these environments and track attacker behaviour as they attempt to move laterally through them.
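The matching of observed changes against assets and change control records described under this tip, as an added illustration that is not Vectra’s or the author’s code: a small asset inventory (with classification, environment and dependencies), a list of approved change windows, and observations from configuration monitoring are reconciled so that each change is marked approved, unapproved or on an unknown asset, with the downstream assets an unapproved change could affect worked out from the dependency graph. All asset names, change ids, environments and timestamps are constructed for the example.

```python
"""Added illustration, not Vectra's or the author's code: reconciling observed
configuration changes against an asset inventory and approved change records,
then working out which downstream assets an unapproved change could affect.
All asset names, change ids and timestamps are constructed."""
from collections import deque
from datetime import datetime

# Constructed asset inventory: classification, environment, and the assets
# each one depends on (if X depends on Y, X is downstream of Y).
ASSETS = {
    "fw-edge-01": {"class": "critical", "env": "datacentre", "depends_on": []},
    "db-prod-01": {"class": "critical", "env": "IaaS", "depends_on": ["fw-edge-01"]},
    "app-web-01": {"class": "high", "env": "IaaS", "depends_on": ["db-prod-01"]},
    "crm-tenant": {"class": "medium", "env": "SaaS", "depends_on": ["app-web-01"]},
}

# Constructed approved change records with their maintenance windows.
APPROVED_CHANGES = [
    {"id": "CHG-1001", "asset": "db-prod-01",
     "start": "2021-06-01T02:00:00", "end": "2021-06-01T04:00:00"},
]

# Constructed observations from configuration monitoring.
OBSERVED_CHANGES = [
    ("2021-06-01T02:10:00", "db-prod-01", "kernel package updated"),
    ("2021-06-01T11:30:00", "fw-edge-01", "new inbound allow rule added"),
    ("2021-06-01T11:45:00", "lab-vm-09", "local admin account created"),
]


def downstream_of(asset, assets=ASSETS):
    """Return every asset that transitively depends on `asset`, found by a
    breadth-first walk over the reversed dependency graph."""
    dependants = {name: [] for name in assets}
    for name, info in assets.items():
        for dep in info["depends_on"]:
            dependants.setdefault(dep, []).append(name)
    seen, queue = set(), deque([asset])
    while queue:
        current = queue.popleft()
        for child in dependants.get(current, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return sorted(seen)


def matching_change(ts, asset, approved=APPROVED_CHANGES):
    """Return the approved change record covering `asset` at time `ts`, else None."""
    when = datetime.fromisoformat(ts)
    for change in approved:
        start = datetime.fromisoformat(change["start"])
        end = datetime.fromisoformat(change["end"])
        if change["asset"] == asset and start <= when <= end:
            return change
    return None


def reconcile(observed=OBSERVED_CHANGES, assets=ASSETS, approved=APPROVED_CHANGES):
    """Classify each observed change as approved, unapproved or on an unknown
    asset, attaching classification, environment and downstream impact so the
    change-management reaction can be decided from the record itself."""
    findings = []
    for ts, asset, description in observed:
        if asset not in assets:
            findings.append({"asset": asset, "ts": ts, "description": description,
                             "status": "unknown-asset", "change_id": None,
                             "class": None, "env": None, "downstream": []})
            continue
        change = matching_change(ts, asset, approved)
        findings.append({
            "asset": asset, "ts": ts, "description": description,
            "status": "approved" if change else "unapproved",
            "change_id": change["id"] if change else None,
            "class": assets[asset]["class"], "env": assets[asset]["env"],
            "downstream": [] if change else downstream_of(asset, assets),
        })
    # Unapproved changes with the widest blast radius go to the top of the queue.
    rank = {"unapproved": 0, "unknown-asset": 1, "approved": 2}
    findings.sort(key=lambda f: (rank[f["status"]], -len(f["downstream"])))
    return findings


if __name__ == "__main__":
    for f in reconcile():
        print(f["status"], f["asset"], f["env"], f["class"], "downstream:", f["downstream"])
```

The unknown-asset case is the one that asset management is there to catch: a change on a host the inventory has never seen cannot be matched to any change record or classification, so it is ranked just behind unapproved changes on known assets rather than being silently dropped.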
3. Prioritise and respond at speed and scale
It is critical not only to identify attackers as they pivot through the modern network, but also to be able to respond rapidly and consistently across all network stacks, be that IaaS, SaaS, PaaS or the data centre. The only way to achieve this is through prioritisation of incidents, leveraging AI and automation. This bolsters the limited capacity of the security operations centre, giving it the best chance to drive down metrics such as mean time to remediation, thereby reducing the impact of attackers and the risk of a widespread breach.
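The contrast drawn earlier between signatures, anomaly detection and behavioural detection, together with the prioritisation this tip calls for, as an added illustration that is not Vectra’s or the author’s code: the same constructed connection telemetry is run through a signature check (known-bad payload hashes), a baseline anomaly check (any destination a host has not talked to before) and a behavioural check (one host reaching many distinct internal hosts on the file-sharing port within a short window), and the three results are then collapsed into one prioritised host queue. Hostnames, hashes, the baseline and the scoring weights are all constructed assumptions for the example.

```python
"""Added illustration, not Vectra's or the author's code: the same constructed
telemetry run through a signature check, a baseline anomaly check and a
behavioural check, then collapsed into one prioritised list of hosts.
Hostnames, hashes, baseline and weights are all made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records: (timestamp, source, destination, port, payload hash).
EVENTS = [
    ("2021-06-01T09:00:00", "ws-17", "fileserver-1", 445, "aaaa1111"),
    ("2021-06-01T09:01:00", "ws-03", "new-saas.example", 443, None),
    ("2021-06-01T09:05:00", "ws-17", "ws-02", 445, "novel9999"),
    ("2021-06-01T09:06:00", "ws-17", "ws-04", 445, "novel9999"),
    ("2021-06-01T09:07:00", "ws-17", "ws-05", 445, "novel9999"),
    ("2021-06-01T09:08:00", "ws-17", "ws-06", 445, "novel9999"),
    ("2021-06-01T09:09:00", "ws-17", "ws-07", 445, "novel9999"),
]

KNOWN_BAD_HASHES = {"aaaa1111"}  # constructed signature feed

# Constructed baseline: destinations each host normally talks to.
BASELINE = {"ws-17": {"fileserver-1", "mail-1"}, "ws-03": {"fileserver-1", "mail-1"}}


def signature_hits(events=EVENTS, known_bad=KNOWN_BAD_HASHES):
    """Known payloads only: the novel hash carried on the fan-out is never matched."""
    return [(src, h) for _, src, _, _, h in events if h in known_bad]


def anomaly_hits(events=EVENTS, baseline=BASELINE):
    """Anything outside the baseline: catches the fan-out, but also flags the
    benign new SaaS destination, because 'different' is not the same as 'bad'."""
    return [(src, dst) for _, src, dst, _, _ in events
            if dst not in baseline.get(src, set())]


def behaviour_hits(events=EVENTS, port=445, window=timedelta(minutes=10), threshold=5):
    """Behavioural view: one source reaching `threshold` distinct hosts on the
    file-sharing port inside `window` looks like lateral movement regardless
    of what the payload hash is."""
    per_source = defaultdict(list)
    for ts, src, dst, p, _ in events:
        if p == port:
            per_source[src].append((datetime.fromisoformat(ts), dst))
    hits = []
    for src, conns in per_source.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            dests = {d for t, d in conns[i:] if t - start <= window}
            if len(dests) >= threshold:
                hits.append((src, len(dests)))
                break
    return hits


def prioritise(events=EVENTS):
    """Score each host so the analyst's queue leads with the host showing
    attacker behaviour, not the one that merely did something new."""
    weights = {"behaviour": 5, "signature": 3, "anomaly": 1}  # constructed weights
    scores = defaultdict(int)
    for src, _ in behaviour_hits(events):
        scores[src] += weights["behaviour"]
    for src, _ in signature_hits(events):
        scores[src] += weights["signature"]
    for src, _ in anomaly_hits(events):
        scores[src] += weights["anomaly"]
    return sorted(scores.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    print("signature:", signature_hits())
    print("anomaly:  ", anomaly_hits())
    print("behaviour:", behaviour_hits())
    print("queue:    ", prioritise())
```

On this data the signature check sees only the one known hash, the anomaly check produces six flags of which one is the harmless new SaaS destination, and the behavioural check raises a single finding on the host fanning out over port 445; the weighted queue puts that host first with the noisy-but-benign host far behind it, which is the ordering a small security operations team needs.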
Building a secure organisation for the future
Combating cybercrime is not only a priority for enterprises but is rapidly becoming a matter of national interest. Research has found that countries with established digital economies, including Australia, Japan, Singapore, and New Zealand have the highest exposure to cyber risks and their governments are taking active measures to invest in and implement cyber defence strategies. With global rollouts of COVID-19 vaccines in progress and cyber threats to supply chains prevalent, never has this been more crucial.
About the Author: Chris Fisher, Director of Security Engineering APJ
Chris Fisher is the Head of Security Engineering for Vectra.ai in the Asia Pacific and Japan markets. As a leader for the APJ business, Chris’s key responsibility is to ensure that Vectra customers have the security foundation to embrace new technology and lines of business, allowing them to digitally transform whilst reducing business risk and improving their security posture.
Chris has over 15 years of cybersecurity experience, from practitioner through to strategic advisor for large organisations. He has vast experience in SCADA environments, having worked in the mining and energy sectors for several years. Recently Chris has been helping customers transition to cloud environments securely.