Like mutating bacteria, cyberattacks have been evolving into ever more pernicious threats. As quickly as companies arm themselves against the most recent attacks, a new and even more complex infection arises.
Case in point: cybersecurity researchers now believe that two banking trojan malware strains, named Trickbot and Emotet, are being used by attackers to gain a foothold in enterprise networks and then, after a period of targeted reconnaissance, to download and launch destructive ransomware.
Both Trickbot and Emotet commonly use phishing or spam emails with executable attachments to initiate and quickly spread the malware by distributing infected messages to others in your email address lists – instantly making the messages more trustworthy, as they are coming from a known source. Attackers are now frequently using Emotet as the primary loader to any of a number of other trojans, like Trickbot.
Upon infection of your networked computer, the trojan makes an initial connection to a command and control (C2) server to let the C2 server know it is active and available for additional commands. The C2 server delivers new variants of code at random, altering the malware's behavior over time and making it harder to detect with standard tools and effectively impossible to detect with none. There is no preset schedule to these communications.
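The paragraph above makes a point defenders should take literally: because the check-ins follow no preset schedule, a beacon hunt that looks only for fixed-interval callbacks will miss jittered ones. The script below is an added example, not code from the original post or from Centre Technologies, and it runs over a constructed outbound proxy log (the `SAMPLE_LOG` lines and hostnames are invented) to flag source/destination pairs that are persistent across many hour-long buckets and whose destination is contacted by few internal hosts. The interval regularity is reported for context but is deliberately not used as a gate, so the irregular beacon in the sample is still caught while a one-off download burst and a popular CDN are not.

```python
"""Persistence-based C2 beacon hunt over outbound proxy logs (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one connection per line: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.0.7 -> update-svc.example.net is the jittered beacon (8 distinct hours, irregular gaps).
# cdn.example.com is persistent but popular; files.example.org is a single short burst.
SAMPLE_LOG = """
2024-03-04T08:03:11 10.0.0.7 update-svc.example.net 412
2024-03-04T08:05:00 10.0.0.5 cdn.example.com 20480
2024-03-04T08:47:50 10.0.0.7 update-svc.example.net 398
2024-03-04T09:10:00 10.0.0.9 cdn.example.com 18220
2024-03-04T09:22:05 10.0.0.7 update-svc.example.net 405
2024-03-04T10:01:00 10.0.0.9 files.example.org 9000
2024-03-04T10:01:30 10.0.0.9 files.example.org 9100
2024-03-04T10:02:00 10.0.0.9 files.example.org 8900
2024-03-04T10:02:30 10.0.0.9 files.example.org 9050
2024-03-04T10:03:00 10.0.0.9 files.example.org 9200
2024-03-04T10:15:40 10.0.0.7 update-svc.example.net 420
2024-03-04T11:00:00 10.0.0.12 cdn.example.com 15000
2024-03-04T11:58:02 10.0.0.7 update-svc.example.net 401
2024-03-04T12:30:19 10.0.0.7 update-svc.example.net 417
2024-03-04T13:00:00 10.0.0.7 cdn.example.com 30000
2024-03-04T13:44:57 10.0.0.7 update-svc.example.net 399
2024-03-04T14:09:33 10.0.0.7 update-svc.example.net 410
2024-03-04T15:00:00 10.0.0.5 cdn.example.com 22000
2024-03-04T15:51:12 10.0.0.7 update-svc.example.net 408
"""


def parse_log(text):
    """Parse the four-column log format into event dicts with UTC-aware timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "src": src, "dst": dst, "bytes": int(nbytes)})
    return events


def hunt_beacons(events, bucket_seconds=3600, min_buckets=6, max_hosts=2):
    """Return (src, dst) pairs that are both persistent and rare.

    persistent: the pair appears in at least `min_buckets` distinct time buckets
    rare:       the destination is contacted by at most `max_hosts` distinct sources
    The interval coefficient of variation (CV) is informational only: a low CV
    suggests a fixed sleep, a high CV suggests jitter; neither excludes a hit.
    """
    by_pair = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
        sources_per_dst[ev["dst"]].add(ev["src"])

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(sources_per_dst[dst]) > max_hosts:
            continue  # popular destination: not rare enough to be interesting here
        stamps.sort()
        buckets = {int(t.timestamp() // bucket_seconds) for t in stamps}
        if len(buckets) < min_buckets:
            continue  # short burst, not a long-lived check-in pattern
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = statistics.stdev(gaps) / statistics.mean(gaps) if len(gaps) >= 2 else None
        hits.append({
            "src": src,
            "dst": dst,
            "connections": len(stamps),
            "active_buckets": len(buckets),
            "distinct_sources": len(sources_per_dst[dst]),
            "interval_cv": cv,
        })
    return sorted(hits, key=lambda h: (-h["active_buckets"], h["src"], h["dst"]))


if __name__ == "__main__":
    for hit in hunt_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections over "
              f"{hit['active_buckets']} hours, interval CV {hit['interval_cv']:.2f}")
```

Tune `min_buckets` to the retention window you actually have; with only a few hours of logs the persistence gate will not fire, which is exactly why the long dwell times described further down matter for detection.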
Some variants give the malware the ability to traverse across the victim organization’s network looking for targets of value – often involving the financial functions of an organization – in order to inflict the maximum amount of damage.
Somewhere, right now, out there on the Internet, someone is poring over a collection of hundreds of affordable exploit kits available on TOR and trying to decide which one to purchase to attack your network.
Researchers believe that the TrickBot operators are renting their service to cyber criminals, who then use this to gain access to networks where TrickBot is installed. Ransomware such as Ryuk enters enterprise systems long after they have been infected by Trickbot. It’s estimated that Ryuk and Trickbot have enabled operators to generate $3.7 million worth of Bitcoin since last August.
Because most organizations don’t have the time, manpower or tools needed to locate these network intruders, attackers can take their time selecting when and where to best unleash their malicious payloads. And they can be very patient. There have been several documented cases where the hackers were in the network for more than 12 months before they encrypted the victim's data and demanded a ransom.
For example, Marriott revealed that hackers had access to the networks of many of its hotel chains for four years before they breached the hotel’s reservation system.
They know your email addresses; they know where you work from LinkedIn, Twitter, Facebook or other social media; they know who your peers are at work; and in some cases they also know your password, because you reuse one convenient password across all of your accounts. With a little effort they can figure out which of your colleagues handle the financial transactions in your company. All they need is for you to click on an innocent-looking or very convincing link in an email sent from someone you believe is a peer, and they have you.
Don’t make the mistake of lacking the proper tools or services to detect and stop an infection before it evolves into a ransomware recovery incident. The longer you wait, the greater the potential impact.
Certainly, there are ways to offset the potential loss. Companies operating in highly regulated markets – or with contractual or legal requirements – should consider purchasing cyber insurance. In fact, any organization that deals with Personally Identifiable Information (PII) or Protected Health Information (PHI) should limit their cyber exposure. Most cyber insurance policies cover costs related to first-party breach expenses, such as:
- Forensic Audit
- Breach Notification
- Credit Monitoring
- Business Interruption
- Data Restoration
- Telecom Fraud, and
- Social Engineering Fraud.
Let the buyers beware!
Unfortunately, your cyber policy may not pay your claim if the attack strain was created by a nation state or is classified as a cyber weapon. In 2017, a major insurer refused to pay a $10 million claim by a U.S. company infected with NotPetya malware.
Launched as part of the Kremlin’s effort to destabilize Ukraine, NotPetya was called “the most destructive and costly cyberattack in history” by the White House. The insurer refused payment by claiming the NotPetya malware was a “hostile or warlike action in time of peace or war” by a “government or sovereign power.”
In cases like these, your best defense is a reputable insurance broker. A broker will get you the best deal on the most comprehensive policy. But, before you go out and interview potential insurance carriers, invest some time to learn more about cyber insurance by viewing the excellent collection of free videos found at the Travelers Cyber Academy.
How Centre can help you
As part of Centre Technologies’ Centre Premier Business Solutions group, Centre's security specialists have been studying the changing world of cyber security and cyberattacks extensively. We developed our Assessment of Risk and Technical Infrastructure Security (ARTIS™)—a comprehensive audit of security and compliance across a company’s entire IT infrastructure—to ensure your organization’s technology is in compliance with required regulations and mandates.
Centre’s ARTIS™ engagements are available both as a one-time service that provides you with a detailed view of the security posture of your organization and identifies potential vulnerabilities across your environment, or as a recurring advisory-level consultation service that manages threat detection and response.
As of 2018, ARTIS™ Services are also available on Texas State Contract DIR-TSO-4144 to all TXDIR Customers. Centre Project Services are also included in this contract.
With ARTIS™, companies can easily determine their recommended baseline security level, accessing sound advice on business recovery and resilience or supplemental insurance coverage as needed. The assessment includes a Business Impact Analysis and Risk Assessment on your entire infrastructure and development of a response plan to reduce potential threats and mitigate risk.
Subscribing to ARTIS™ gives you constant access to Centre’s seasoned IT security experts, who are knowledgeable of current and potential threats and provide a variety of services, including:
- Assistance in creating a strategy to stop attacks and/or minimize their impact,
- Security awareness and anti-phishing training to users and first responders,
- Real-time vulnerability scanning,
- Penetration testing,
- Identification and prioritization of all your network weaknesses for most effective patching and/or mitigation, making cost-effective use of security budgets,
- Tools and/or services to detect and block connections to malicious parts of the Internet, and
- Creation or revision of your incident response, recovery or continuity plans.
Centre Technologies’ ARTIS™ experts are also equipped to provide clients with response and recovery plans and security training. They can develop a customized Information Security Management System Policy that provides guidance for protection, detection, response and recovery controls, and even support a Cybersecurity Operations Center with 24/7/365 active monitoring and up-to-the-minute threat intelligence.
In addition to ARTIS™, Centre Technologies offers a broad suite of security products and services designed to protect you and your business data against the threat of cyberattacks. Please feel free to contact us with any questions or concerns.