Olivier Le Moal - stock.adobe.co

The Secret IR Insider’s Diary: It’s all gone quie...

The ‘Q’ word isn’t one that’s really used in incident response, says the Secret IR Insider, largely because as soon as you use it, something happens

Famous last words: “We’re having a lull” or “it’s a bit easier at the moment”, something like that. But never the “Q” word.

A few weeks ago, there was a bit of a lull in cyber activity. Since then, we’ve had some incidents that have started having more impact, or at least more visible impact, on people outside of the organisations being attacked – Colonial Pipeline, JBS, among others. But we’ve also seen ransomware gangs claiming they would be shutting down or not attacking critical infrastructure.

Whatever their reasons for backing off, it’s difficult as an incident responder to take comfort in it. Experience shows that attackers are pivoting to the next thing, the next vulnerability. As defenders, we can never rest easy, we still have to protect, prevent, detect, respond, analyse, analyse, analyse – just in case we’ve missed something.

During any lull, there is always work to do. Namely helping customers be as prepared as possible through readiness assessments, plans and processes, table-top exercises, compromise assessments, and developing more services that can help customers detect and respond, such as purple teaming, managed detection and response, ransomware readiness assessments and security architecture reviews.

The Check Point team is doing some really good work with table-top exercises at present, working through scenarios based on real events to discover how well organisations are prepared for incidents to strike.

But then, as always, it kicked off again – did someone use the “Q” word? This time, around the US Independence Day holidays, a new stream of ransomware attacks using the Kaseya IT management software came to light. More than 200 organisations were hit, but who knows how many have been or could be affected?

In this instance, the attackers used a zero-day vulnerability that was in the process of being fixed, and reportedly demanded a record $70m ransom. There will be more attacks like these, mark my words, and we’ve been waiting for things like this to happen.

There are pieces of software and utilities all around organisations’ networks – something used by that engineer months ago, something they were trying to make work, something they implemented without fully knowing how it worked or what it could do; all sensible things to do at the time but are now causing risk in their environment.

Even without those, how could we have foreseen the attacks leveraging some of these products and utilities? We’ve always talked about attackers living off the land in respect of their use of in-built utilities, but this is a step on from that.

So how do we stop it? We can’t expect organisations to rip out software that enables them to run effectively and, with the increasing frequency of these types of attacks, neither can we cover all bases – we never know what might be next.

One of the only ways to be better prepared is to assume that something will go wrong. Becoming more resilient, having backups, protecting sensitive data in stronger or different ways. Preventing, detecting and responding to any unusual behaviour.

Incident response (IR) and security operations have always been full-time jobs, and it seems it’s not going to become any easier in the near future.

The Secret IR Insider works at cyber security services and solutions supplier Check Point Software.

A specialist in incident response (IR), they are at the front line of the ongoing battle against malicious cyber criminals, ransomware and other threats.

Their true identity is a mystery.

Read more from the Secret IR Insider


Read more on Hackers and cybercrime prevention

Data Center
Data Management