“It’s been really surprising, just the degree of inhumanity in some of these bad guys.”
Kris McConkey works for the leading professional services firm PwC, where he acts as the Cyber Threat Operations Lead Partner for their clients in the United Kingdom.
McConkey and his teams work directly with PwC’s clients, with an emphasis on threat intelligence, and incident response to high-sophistication threats.
When the pandemic struck, and organizations shifted to a primarily Work From Home (WFH) arrangement, McConkey witnessed numerous changes in the security landscape—from both attackers and defenders.
Here’s what McConkey experienced and learned during the pandemic.
Primary Changes in the Cybersecurity Landscape due to COVID-19 and WFH
McConkey watched his clients transform their risk posture when they transitioned to WFH. Many organizations dissolved their perimeters and lost the security controls they relied upon to protect themselves.
At the same time, their internal IT teams became overwhelmed by the tasks required to spin up and manage their new technology environments. They no longer had the time to handle even small security incidents, and began to ask McConkey and his teams to shoulder more of the burden of their defense.
“In many instances, we’re called in because the organization’s internal team is already overwhelmed,” said McConkey. “They are drowning in the new volume of alerts that are coming because of all the new technology being deployed, and the additional changes to the IT environment. As a result, they have less capacity to field even small incidents because they have been so burdened by other things.”
This created a perfect storm of vulnerabilities.
And attackers have taken advantage.
How Attackers Took Advantage of the Perfect Storm of Vulnerabilities
When the pandemic arrived, McConkey saw espionage actors strike first.
These actors served as information-gathering tools for their nations. They sought information about vaccine research and crisis planning from other nations with more developed plans.
But soon, more malicious actors began to launch attacks. And their attacks were creative, comprehensive and vicious.
“We saw a really significant uptick in human-operated ransomware,” explained McConkey. “This isn’t ransomware that infects a couple of systems, and you have to pay the equivalent of a couple hundred dollars in Bitcoin to get a decryption key. These are full-blown network intrusions where the bad guys can be in the networks for weeks or months.”
During that time, the malicious actors would determine how to cause the most impact by locking up the critical systems the organization needs to operate, at the point the organization needs them most. In some cases, the malicious actors would also steal data, and add the threat of a data leak to their ransom demands.
This strategy has proven effective.
The top-end hacker groups launching human-operated ransomware have walked away with millions of dollars from single victims.
While some of these attacks have been deliberately inhumane—such as those targeting hospital groups—most have been opportunistic.
And the best defense against them is simple…
Make sure you are not an easy target.
McConkey’s Advice: Be Prepared
McConkey believes that organizations must better prepare themselves for any attack that might strike. He recommends they:
“If you think about the decision to enter into negotiation dialogue with threat groups, it really comes down to a number of factors. Do you have really good visibility into your IT environment? Can you tell precisely what the bad guys touched, what they accessed, and whether they still have a foothold in your environment? And secondarily, based on the visibility and control you have in the network, how confidently can you kick them out, and actually keep them out?”
- Make response plans for a breach, and stress test them, so the organization can bounce back quickly when one happens.
“All of those factors really need to go into planning in advance of something like this. Knowing how much visibility you have in the environment, knowing how you react whenever an intruder gets in, and being able to use the dwell time to spot the fact that they’re there, and then kick them out of the network and batten down the hatches. That’s becoming a really significant focus for most organizations and their security planning.”
“The one thing most organizations really need to think about is how do you stress test your response processes and systems in this new world. We have new and very extreme types of threat categories that exert all sorts of pressures that organizations are not used to responding to, all at the same time. Making sure you understand where the pitfalls are, and how to bounce back from them very quickly, is really important.”
“We’ve investigated a bunch of incidents where the fundamental root cause has been people working from home, and as a consequence their laptop VPN was misconfigured. Those laptops were going straight out to the internet, and not through corporate security controls. In this day and age, there’s almost no excuse not to have phenomenal visibility at the endpoint where you can see what’s happening on those systems, regardless of where people are.”
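The misconfiguration McConkey describes, a laptop whose VPN is up but whose Internet traffic still leaves through the home network, can be spotted on the endpoint from the routing table alone. The script below is an added example, not PwC's tooling or anything from the interview. It parses Linux `ip route show` output, resolves which interface a handful of public probe addresses would egress through (longest prefix match, then lowest metric), and classifies the host as full-tunnel, split-tunnel, partial-tunnel or no-VPN. It handles both ways VPN clients take over the default route: a lower-metric `default` route, and the `0.0.0.0/1` plus `128.0.0.0/1` pair. The interface-name prefixes and the sample routing tables are constructed assumptions.

```python
import ipaddress
import re

# Interface-name prefixes treated as VPN tunnels (assumption; adjust per client).
VPN_IFACE_PREFIXES = ("tun", "tap", "wg", "ppp")

# Public probe addresses spanning both halves of IPv4 space, so a client that
# overrides the default route with 0.0.0.0/1 + 128.0.0.0/1 is handled too.
PROBE_DESTINATIONS = ("1.1.1.1", "93.184.216.34", "198.51.100.7", "203.0.113.9")

_ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")
_METRIC_RE = re.compile(r"\bmetric\s+(\d+)")


def parse_routes(text):
    """Parse `ip route show` output into (network, gateway, iface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank lines or entries without a 'dev' field
        dst, via, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        metric_m = _METRIC_RE.search(line)
        metric = int(metric_m.group(1)) if metric_m else 0
        routes.append((net, via, dev, metric))
    return routes


def egress_interface(routes, dest):
    """Interface the kernel would pick for dest: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best = None  # (network, metric, iface)
    for net, _via, dev, metric in routes:
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[1]):
            best = (net, metric, dev)
    return best[2] if best else None


def is_vpn_iface(name):
    return name.startswith(VPN_IFACE_PREFIXES)


def classify_tunnel(routes, probes=PROBE_DESTINATIONS):
    """Return a verdict plus the per-probe egress interface and any leaking probes."""
    has_vpn = any(is_vpn_iface(dev) for _n, _v, dev, _m in routes)
    egress = {dst: egress_interface(routes, dst) for dst in probes}
    leaking = sorted(d for d, dev in egress.items() if dev is None or not is_vpn_iface(dev))
    if not has_vpn:
        verdict = "no-vpn"
    elif not leaking:
        verdict = "full-tunnel"
    elif len(leaking) == len(probes):
        verdict = "split-tunnel"  # VPN up, but Internet traffic bypasses it
    else:
        verdict = "partial-tunnel"
    return {"verdict": verdict, "egress": egress, "leaking": leaking}


# Constructed sample routing tables (not captured from any real host).
FULL_TUNNEL_ROUTES = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

METRIC_TUNNEL_ROUTES = """
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

SPLIT_TUNNEL_ROUTES = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

NO_VPN_ROUTES = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL_ROUTES), ("metric", METRIC_TUNNEL_ROUTES),
                        ("split", SPLIT_TUNNEL_ROUTES), ("none", NO_VPN_ROUTES)]:
        result = classify_tunnel(parse_routes(table))
        print(f"{name:6s} -> {result['verdict']:14s} leaking={result['leaking']}")
```

On a real endpoint the input would come from `subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout`; the split-tunnel verdict is the case in the quote above, where corporate subnets still go through the tunnel but everything else leaves through the home router, bypassing the corporate security stack.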
And finally, for McConkey, so much of being able to effectively handle today’s threats—and tomorrow’s—relies on a simple focus on the fundamentals.
“Any organization’s ability to rapidly respond to an incident, investigate what happened, and actually take action to resolve it, is going to be severely compromised if there’s not good endpoint visibility and control.”