According to the "Cisco 2017 Midyear Cybersecurity Report," cyber adversaries have the desire and resources to...
encrypt systems and permanently destroy production and backup data -- threatening to put victim companies out of business. Cisco and others in the cybersecurity industry call these attacks destruction of service.
WannaCry and NotPetya were essentially destruction-of-service (DeOS) attacks that hit systems worldwide last year. WannaCry made it very difficult for victims to pay the ransom, leaving most company data unrecoverable, while NotPetya did not provide data decryption even if victims did pay.
Cisco predicted that more DeOS attacks were coming, and there has already been a reported increase in attacks, including the Zenis ransomware that appeared in March and purposely deletes backup files. With DeOS attacks starting to trend, thick layers of solid defense are needed.
Adapting cybersecurity for DeOS
The critical mitigation for DeOS is to protect backups at all costs. You must back up data off site and ensure that there is no connection between the backups and your production networks. Otherwise, DeOS attacks can spread from production to the backups.
According to a recent Microsoft blog post, there are several steps you can take to protect off-site backups:
- require multifactor authentication to change passphrases and delete backups and require strong passwords;
- use strong encryption for data in transit to the backup location and backup data at rest;
- secure passwords in a separate location from your production data;
- segregate backup duties within the security team and allow no more access than is necessary for team members to perform these duties;
- set up real-time alerts about critical operations that affect the existence or availability of backup data; and
- ensure that you keep backups for a given time even when someone uses authorized credentials to request deletion.
Because attackers use ransomware in DeOS attacks, antimalware tools that offer real-time detection of ransomware behaviors should be used, including fast encryption of files and machines. Antimalware tools should trigger alerts and responses to ransomware, including dropping the connection, stopping file changes or reverting encrypted files back to normal.
DeOS can also acquire administrative credentials from RAM and use them to spread their attacks and malware. No machine or user should have administrative privileges unless it is necessary to provide the minimum capabilities that the device or user's role requires.
Software patches should be sought out and applied to mitigate specific DeOS attacks that are spreading, as DeOS can spread by leveraging software vulnerabilities. Organizations should consider automatic updates in order to stay ahead of these threats.
DeOS attacks can further inject their malware using phishing ploys. The InfoSec Institute has a relatively comprehensive portal with sections that explain phishing and provide many antiphishing tools, countermeasures and resources.
Phishing education and training for employees should ensure that they can identify potential phishing emails and messages and know how to report them. There are training tools available that actively try to phish individuals in your enterprise, monitor whether they click on the suspicious email links and attachments, and then reinforce training where necessary.
According to Cisco, attackers are innovating distributed denial-of-service (DDoS) attacks that use IoT botnets so they can disrupt enterprise networks and damage an organization's ability to recover. Enterprises can use scrubbing services that detect and reroute DDoS attack traffic, scrub it clean in the cloud and return sanitized packets to the organization.
However, the Cisco report says that IoT devices and their "security weaknesses ripe for exploitation" can be used by threats actors to gain access to corporate environments and open up enterprises to DeOS attacks.
The industry needs to mitigate the formation of IoT botnets and potential DeOS threats by testing and securing IoT devices. IoT device vulnerabilities demand security regulations, standards, frameworks, strong passwords and over-the-air updates, and patches and penetration testing to mitigate them. Likewise, vendors need to create secure IoT devices and software.
Several companies, vendor-neutral security organizations and consortiums are working on IoT security frameworks. Organizations should tap into the threat intelligence available from their security vendors and reputable sources on the web to stay informed of new DeOS attacks.