We recently assisted one of our clients during an information security incident. A server monitoring system had picked up unusual file access activity on one of their network file stores, and on further investigation they discovered that a piece of malware was encrypting files on a user's network share.
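One way a file-server monitor can catch this kind of activity without needing a signature for the malware, as an added example that is not the post's own tooling or the client's monitoring product: the script below runs a rate-based check over a constructed audit feed (hypothetical format: ISO timestamp, account, action, UNC path; the accounts alice and bob, the server fs01, the window and the threshold are all assumptions) and alerts when one account modifies more distinct files within a minute than a person plausibly would.

```python
"""Rate-based detection of mass file modification on a network share.

Added example; not code from the original post or the client's monitoring
product. It parses a constructed audit feed (hypothetical format: ISO
timestamp, account, action, UNC path) and raises an alert when one account
touches more distinct files in a short window than a person plausibly would.
The check is behavioural, so it does not depend on an anti-malware vendor
having shipped a signature for the sample.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window (assumed)
THRESHOLD = 50                   # distinct files modified within WINDOW (assumed)


def parse_line(line):
    """'<iso-timestamp> <account> <action> <path>' -> (datetime, str, str, str)."""
    ts, account, action, path = line.rstrip("\n").split(" ", 3)
    return datetime.fromisoformat(ts), account, action, path


def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {account: alert} for accounts that exceed the threshold.

    Only write-type actions count; reads are ignored so that a backup job or a
    user opening many documents does not trip the rule.
    """
    recent = defaultdict(deque)   # account -> deque of (timestamp, path)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, account, action, path = parse_line(line)
        if action not in ("WRITE", "RENAME", "DELETE"):
            continue
        q = recent[account]
        q.append((ts, path))
        while ts - q[0][0] > window:          # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and account not in alerts:
            alerts[account] = {
                "window_start": q[0][0],
                "triggered_at": ts,
                "distinct_files": len(distinct),
                # which extensions were written: a single new one is typical of ransomware
                "extensions": Counter(extension(p) for p in distinct),
            }
    return alerts


def build_sample():
    """Constructed audit lines: one normal user and one account behaving like a
    cryptolocker (120 files in about 40 seconds, all given a new extension)."""
    base = datetime(2015, 2, 10, 9, 0, 0)
    lines = []
    for i in range(8):                        # alice: ordinary saves over an hour
        t = base + timedelta(minutes=7 * i)
        lines.append(f"{t.isoformat()} alice WRITE \\\\fs01\\share\\alice\\doc{i}.docx")
        lines.append(f"{t.isoformat()} alice READ \\\\fs01\\share\\alice\\ref{i}.pdf")
    for i in range(120):                      # bob: a burst, 330 ms per file
        t = base + timedelta(minutes=30, milliseconds=330 * i)
        lines.append(f"{t.isoformat()} bob WRITE \\\\fs01\\share\\bob\\inv{i:03}.pdf.encrypted")
    return lines


if __name__ == "__main__":
    for account, alert in detect_bursts(build_sample()).items():
        elapsed = (alert["triggered_at"] - alert["window_start"]).total_seconds()
        print(f"ALERT {account}: {alert['distinct_files']} files in {elapsed:.1f}s, "
              f"extensions {dict(alert['extensions'])}")
```

The threshold should be tuned against a baseline of the share's normal write rate, and the alert is most useful when it is wired to an automatic response (disabling the account or the session on the file server) rather than only a log entry, given how much can be encrypted in the minutes before a person reacts.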
By the time we arrived on site they had already started to contain the outbreak: taking the infected network drives offline, identifying the user whose network drive was being encrypted, removing that user's PC from the network and disabling their network account.
At the time they were in the process of rolling out new anti-malware definitions across the network, so they immediately commenced a full network scan using the latest definition files, concentrating on the offline network shares.
Investigation of the user's machine indicated that they had browsed to an external URL minutes before the unusual activity was logged.
The user had received an email purporting to come from a reputable postal service, saying that the organisation had a parcel awaiting payment and delivery. Being a member of the accounts payable team, the user clicked on the link, which opened a copy of the postal service's website. Unbeknown to the user, malicious files were being downloaded in the background; these initiated an infection with the Win32/Crowti ransomware variant, which then began encrypting all of their files.
The email itself was very well crafted, using good English and the corporate branding of the postal services company. Only on closer inspection, hovering over the link to unsubscribe, did we notice that the link misspelt the word "unsubscribe" as "unsubscrube". Checking the email headers revealed the originating IP address, and checking the registration details confirmed that the domain was registered in Russia.
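The two checks described above, looking at where a link actually points rather than at its text and pulling the originating address out of the Received headers, as an added Python example using only the standard library. It is not the post's own tooling; the message, the brand domain example-post.com, the hosts and every address in it are constructed for illustration. The whois and GeoIP lookup of the resulting address is done out of band and is not part of the script.

```python
"""Triage of a phishing e-mail: originating IP and lookalike links.
Added example using only the standard library; not the post's own tooling.
The message, the brand domain example-post.com and every address in it are
constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical hosts and addresses throughout).
RAW_MESSAGE = b"""\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby mail.corp.example with ESMTP; Tue, 10 Feb 2015 08:41:02 +0000
Received: from mail.example-post.com (unknown [203.0.113.77])
\tby mx.corp.example with SMTP; Tue, 10 Feb 2015 08:41:00 +0000
From: "Example Post" <noreply@example-post.com>
Subject: Parcel awaiting payment - reference 4821
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="http://example-post.com.delivery-notice.example/pay?ref=4821">
Pay now at example-post.com</a></p>
<p><a href="http://exarnple-post.com/unsubscrube">Unsubscribe</a></p>
<p><a href="https://example-post.com/help">Help</a></p>
</body></html>
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DOMAIN_IN_TEXT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Last two labels; an approximation, real tooling uses the public suffix list."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text, brand):
    """Why a link is suspicious relative to the brand it claims, or None."""
    host = (urlparse(href).hostname or "").lower()
    reg = registrable(host)
    if reg == brand:
        return None
    if brand in host:                     # brand.com.attacker.example
        return f"brand name used as a subdomain of {reg}"
    if levenshtein(reg, brand) <= 2:      # typo-squat such as exarnple-post.com
        return f"lookalike of {brand}: {reg}"
    named = [d.lower() for d in DOMAIN_IN_TEXT.findall(text)]
    if named and reg not in named:        # text names one domain, href goes elsewhere
        return f"link text names {named[0]} but points to {reg}"
    return f"points to off-brand domain {reg}"


def originating_ip(msg):
    # Each MTA prepends a Received header, so the last one is the earliest hop;
    # its bracketed address is the one to look up in whois/GeoIP.
    for header in reversed(msg.get_all("Received", [])):
        for candidate in IP_IN_BRACKETS.findall(str(header)):
            if all(int(octet) < 256 for octet in candidate.split(".")):
                return candidate
    return None


def triage(raw, brand):
    msg = email.message_from_bytes(raw, policy=policy.default)
    collector = _LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in collector.links:
        reason = classify_link(href, text, brand)
        if reason:
            findings.append({"href": href, "text": text, "reason": reason})
    return {"originating_ip": originating_ip(msg), "findings": findings}
```

Running `triage(RAW_MESSAGE, "example-post.com")` flags the payment link (the brand name is only a subdomain of another registrable domain) and the unsubscribe link (a typo-squat two edits away from the brand) while leaving the genuine help link alone, and returns 203.0.113.77 as the address to look up. Received headers can be forged by whoever injects the message, so only the hops added by your own mail servers are fully trustworthy; the earliest hop below them is the best lead, not proof.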
While the incident was being triaged the client asked what they could have done to stop this kind of attack. We recommended that they block the IP address at their firewall and block the domain on their SMTP relay, but once the cyber criminals move to a different IP address or domain these defences are useless. Enabling the SmartScreen Filter through a Group Policy setting on their browsers would afford them an extra layer of security.
In hindsight, all of these enterprise and perimeter security controls are great, but the user still decided to click on the link in the email, not maliciously but in the normal course of their duties. Users are the last line of defence... right?
Correct, they are the last line of defence, but far too often organisations treat users as just that: last in the line, with security awareness training just another tick in the box to ensure some form of compliance.
Organisations can have best-of-breed technical security controls in place at the perimeter, but these are only as good as the speed and efficiency with which the vendor releases signature or definition files and the IT department's diligence in deploying updates. During this incident the infected PC and network drives were disconnected from the network within ten minutes, and in that time approximately 50,000 files were encrypted.
The user, however, is the one constant that is always present, and the one the cyber criminal is relying on to perform the action that gives them the foothold they need.
Is annual security refresher training enough, given how quickly the security landscape changes? In our view, no. Too many organisations use it as a tick-box exercise. A cyber criminal is relying on the end user; this is the mechanism that lets them avoid brute-forcing the front door, spending hundreds of hours reconnoitring a target company and then trying to push an exploit through it.
How many times have you done something you were told not to do? "Don't walk on the grass!" "Don't bite your nails!" Humans have individuality and curiosity; these are some of the traits that make society the great place it is, so why would we curtail them? You cannot simply tell someone not to do something; their very inquisitiveness will ask "well, what will happen if I...?" Rather, demonstrate through past experience, constantly building security awareness into their daily habits, so that they become accustomed to questioning the norm.
Large organisations have layers of security to protect their important information. With the abundance of social media and online interaction, the general public does not have these controls to protect them. With the internet all around us, we need to make all its users aware of the inherent dangers of its use. We do many natural, day-to-day things to protect our homes, cars, handbags and wallets; if we applied the same common-sense approach to the internet we would make the cyber criminal's job that much harder.
Neil Bray
Senior Security Specialist
www.cqr.com