I was just a kid.
Maybe that's why I'll never forget that night.
Our family came home from a New Year's Eve party, and when we opened the door from the garage into the house, we just knew. Burglars had ransacked the place.
My dad's suits in the closet, my mom's jewelry box from the bedroom, the recipe bin and drawers in the kitchen were thrown and dumped everywhere in a search for hidden treasure. The criminals stole our TVs and electronics, such as they were at the time.
Here's the twist: the Sheriff's department told us this was the third time our house had been broken into through the same point of entry. And because previous owners never improved the security, it was quite possibly the same burglars coming back for another haul.
This story has a direct parallel to what is happening at some organizations right now, especially when it comes to ransomware and Zero-Day attacks.
Ransomware attacks: paying the ransom twice
At SecureWorld's regional cybersecurity conferences, we've heard more than a few CISOs say something like this:
"You need to have a conversation with your board in advance. Decide if you will pay the ransom in a ransomware attack. Build consensus on this issue before you get hit."
That's excellent advice. But how would that conversation go if you told the board you might have to pay a ransom twice?
Security researchers say an increasing number of ransomware victims are doing exactly that. And in some cases, it is the fault of the security or IT teams.
The U.K.'s National Cyber Security Centre (NCSC) wrote in a recent blog post it has noticed this trend and shared this example:
"We've heard of one organisation that paid a ransom (a little under £6.5million with today's exchange rates) and recovered their files (using the supplied decryptor), without any effort to identify the root cause and secure their network.
Less than two weeks later, the same attacker attacked the victim's network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again."
And experts at the NCSC say one of the reasons this happens is because security and IT teams may have a laser focus on recovery, which can be a time consuming and painful process, even with decryption keys:
"For most victims that reach out to the NCSC, their first priority is—understandably—getting their data back and ensuring their business can operate again. However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer."
Sometimes the attack's point of entry never gets closed.
And we recently learned that paying a ransom twice is something an increasing number of organizations face, for a variety of reasons, according to Proofpoint.
We'll learn specifics about this trend during the State of the Phish Report 2021, which is a SecureWorld webinar happening on February 11th.
Failure to patch leads to Zero-Day attacks
The ransomware example is not the only way organizations can invite trouble upon themselves.
Maddie Stone at Google's Project Zero focuses on tracking previously undiscovered cyber vulnerabilities—ones that hackers are using and organizations don't yet know about.
And she wrote this week about a very interesting discovery by the Project Zero team:
"...what may be the most notable fact is that 25% of the 0-days detected in 2020 are closely related to previously publicly disclosed vulnerabilities.
In other words, 1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored. Across the industry, incomplete patches—patches that don't correctly and comprehensively fix the root cause of a vulnerability—allow attackers to use 0-days against users with less effort."
It's a conclusion the Google team emphasized with bold text and a clever headline: 'Deja vu-Inerability'
"When looking at the 24 0-days detected in-the-wild in 2020, there's an undeniable conclusion: increasing investment in correct and comprehensive patches is a huge opportunity for our industry to impact attackers using 0-days."
Cyber risk mitigations to implement right away
What are the risk mitigations organizations should embrace as quickly as possible?
When it comes to ransomware, the National Cyber Security Centre say we must ask and answer a key question: "How did the attackers gain access?" And then work to shut that door.
And when it comes to Zero-Day exploits and many known threats, the Google team says we should ensure our cyber hygiene looks like this:
- Correct Patching:
"A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability."
- Comprehensive Patching:
"A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants."
- Complete Patching (a case of 1+2 =3):
"We consider a patch to be complete only when it is both correct and comprehensive."
And when this happens, the Google team says, we will collectively force bad actors to spin their wheels, at least for a time:
"The goal is to force attackers to start from scratch each time we detect one of their exploits: they're forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that, we need correct and comprehensive fixes."
The parallel between a burglary and cybercrime
That brings us full circle to that New Year's Eve when burglars ransacked our family home. Remember, they used the same point of entry three times because nothing changed between these physical attacks.
At the suggestion of the Sheriff's department, we added bars to a particular window and a deadbolt lock to a door that required a key both inside and out.
I'm not going to tell you that improved the cosmetics of the house, but I can report that my parents lived there for another 20 years without incident.
Making the job more difficult for burglars caused them to look somewhere else for a successful exploit.
And we have the collective power to do the same thing to cyber bad actors, mitigating organizational risk in the process.