This year Independence Day brought more than barbeques and an extra day off from work. The recent holiday came hand-in-hand with the one-year anniversary of the Kaseya ransomware attack.
For decades I have seen the industry change year after year and attack after attack. Like WannaCry, SolarWinds and even the Target breach (talk about a throwback…), Kaseya has earned its way into the hall of not-so-great moments that brought detrimental damage cushioned by valuable lessons learned. With the milestone anniversary, it’s important to reflect on what happened, how it impacted today’s security landscape, and most importantly, what still needs to be done moving forward.
First things first: let’s evaluate the scale of Kaseya.
This is clearly a global problem for a number of reasons. First, the Kaseya breach, much like the SolarWinds breach, not only affects the company being attacked but also every company that uses its product.
Second, organizations like REvil and their affiliates target companies with large cyber insurance coverage, understandably believing they have something critical to protect and have the money to pay the ransom. Recent news from cyber insurance companies indicates they are not only consistently increasing premiums because of the continued rise in ransomware attacks, but are also classifying high-risk companies, such as MSPs, as requiring catastrophic insurance – possibly making it easier for these attackers to identify prime targets.
What caused it and what can we do moving forward?
Unfortunately, many of the successful attacks are the result of human error, or of companies not implementing basic network security hygiene. User education on security hygiene is first on the list of things to do. Just as important, or possibly more important, is to use new and evolving technologies and procedures to protect critical assets. Segmentation of critical assets and discrete, need-to-know access can significantly reduce the number and type of attack surfaces exposed on those assets.
Any business that depends on the internet to deliver products and services to its customers, or to receive system updates from its vendors, must have sufficient malware detection capabilities to ensure that any new software update or patch is completely vetted before it is distributed into its own or its customers’ networks.
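The vetting gate described above, as an added example that is not part of the original post and not Kaseya's or any vendor's code: a release is approved for distribution only if its digest matches the hash the vendor published out of band, every malware engine that scanned it came back clean, and it has sat in a test segment for a minimum period. The package bytes, manifest, engine names and policy numbers are all constructed for illustration.

```python
"""Pre-distribution gate for a vendor software update.
Constructed example: package bytes, manifest, scanner names and the
24-hour staging policy are made up; only hashlib is real."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Manifest:
    version: str
    sha256: str   # digest the vendor publishes separately from the file


@dataclass
class Verdict:
    approved: bool
    reasons: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vet_update(package: bytes, manifest: Manifest, scans: dict,
               staged_hours: float, min_staged_hours: float = 24.0) -> Verdict:
    """Approve only if every check passes. All failures are collected so the
    reviewer sees the whole picture, not just the first problem."""
    reasons = []
    digest = sha256_hex(package)
    if digest != manifest.sha256.lower():
        reasons.append("hash mismatch: package does not match the vendor manifest")
    if not scans:
        reasons.append("no malware scan results recorded")
    flagged = sorted(name for name, result in scans.items() if result != "clean")
    if flagged:
        reasons.append("flagged by scanner(s): " + ", ".join(flagged))
    if staged_hours < min_staged_hours:
        reasons.append(f"staged {staged_hours:g}h; policy requires "
                       f"{min_staged_hours:g}h in a test segment first")
    return Verdict(approved=not reasons, reasons=reasons)


# Constructed inputs. In practice the manifest digest comes from the vendor,
# not from hashing the file you just downloaded; it is derived here only so
# the example is self-contained.
GOOD_PACKAGE = b"vendor-agent-update v1.2.3 (constructed payload)"
GOOD_MANIFEST = Manifest("1.2.3", sha256_hex(GOOD_PACKAGE))
TAMPERED_PACKAGE = GOOD_PACKAGE + b"\x90\x90"   # any extra bytes change the digest
CLEAN_SCANS = {"engine-a": "clean", "engine-b": "clean"}
MIXED_SCANS = {"engine-a": "clean", "engine-b": "suspicious"}


def demo():
    """Returns the verdict for the genuine release and for a tampered copy."""
    ok = vet_update(GOOD_PACKAGE, GOOD_MANIFEST, CLEAN_SCANS, staged_hours=48)
    bad = vet_update(TAMPERED_PACKAGE, GOOD_MANIFEST, MIXED_SCANS, staged_hours=2)
    return ok, bad


if __name__ == "__main__":
    for verdict in demo():
        print("APPROVED" if verdict.approved else "REJECTED", verdict.reasons)
```

The gate deliberately refuses to approve when no scan results exist at all: an update that was never scanned should fail closed rather than slip through because an empty result set looked like "nothing flagged".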
Another critical aspect of protection is to keep a complete inventory of all servers on the network and the criticality of the information on each, and to know exactly how and when to segment them in the event of an attack or suspected attack. The faster the affected servers come off the network, the sooner the chain effect stops.
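To make the segmentation, need-to-know access and inventory points concrete, here is an added example (not code from the original post or from any vendor): a small inventory model in which every server carries a zone and a criticality tier, cross-zone traffic is denied unless explicitly allowed, and an isolation planner lists, most critical asset first, what to cut off when a host is compromised. Hosts, zones, ports and flows are constructed; the assumption that traffic inside a single zone is unrestricted is a simplification for the example.

```python
"""Server inventory with criticality tiers, default-deny cross-zone access
and an isolation planner. Constructed example; hosts, zones and flows are
illustrative only."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Server:
    name: str
    zone: str         # network segment the host lives in
    criticality: int  # 1 = most critical
    holds: str        # what data or function the host provides


@dataclass
class Inventory:
    servers: dict = field(default_factory=dict)
    # Explicitly allowed cross-zone flows as (src_zone, dst_zone, port).
    # Anything not listed here is denied: need-to-know, default deny.
    allowed_flows: set = field(default_factory=set)

    def add(self, server: Server) -> None:
        self.servers[server.name] = server

    def allow(self, src_zone: str, dst_zone: str, port: int) -> None:
        self.allowed_flows.add((src_zone, dst_zone, port))

    def reachable_ports(self, src: str, dst: str) -> set:
        """Ports src may reach on dst. Assumption: traffic inside one zone is
        unrestricted, reported as the single pseudo-port 'any'."""
        a, b = self.servers[src], self.servers[dst]
        if a.zone == b.zone:
            return {"any"}
        return {p for (s, d, p) in self.allowed_flows if s == a.zone and d == b.zone}

    def is_allowed(self, src: str, dst: str, port: int) -> bool:
        ports = self.reachable_ports(src, dst)
        return "any" in ports or port in ports

    def exposed_from(self, compromised: list) -> list:
        """Hosts a compromised host can reach directly, most critical first.
        These are the assets to cut off or watch next."""
        hits = {}
        for src in compromised:
            for name in self.servers:
                if name in compromised or name in hits:
                    continue
                if self.reachable_ports(src, name):
                    hits[name] = self.servers[name].criticality
        return sorted(hits, key=lambda n: (hits[n], n))

    def isolation_plan(self, compromised: list) -> list:
        """Ordered actions: pull compromised hosts off the network first, then
        close the paths the attack could spread over, most critical first."""
        plan = [f"isolate {h}" for h in compromised]
        for name in self.exposed_from(compromised):
            dst_zone = self.servers[name].zone
            for src in compromised:
                src_zone = self.servers[src].zone
                for port in sorted(self.reachable_ports(src, name), key=str):
                    if port == "any":
                        rule = f"quarantine segment {dst_zone}"
                    else:
                        rule = f"block {src_zone} -> {dst_zone}:{port}"
                    if rule not in plan:
                        plan.append(rule)
        return plan


def build_sample_inventory() -> Inventory:
    """Constructed inventory: a data segment, a management segment, a DMZ
    and a user segment, with the minimum flows each tier needs."""
    inv = Inventory()
    inv.add(Server("db01", "data", 1, "customer records"))
    inv.add(Server("hr01", "data", 2, "payroll"))
    inv.add(Server("rmm01", "mgmt", 2, "remote management console"))
    inv.add(Server("web01", "dmz", 3, "public web front end"))
    inv.add(Server("ws-alice", "user", 4, "workstation"))
    inv.add(Server("ws-bob", "user", 4, "workstation"))
    inv.allow("dmz", "data", 5432)   # web tier reads the database
    inv.allow("mgmt", "data", 22)    # admins manage data hosts over SSH
    inv.allow("mgmt", "dmz", 22)
    inv.allow("user", "dmz", 443)    # users reach the web front end only
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    for host in ("rmm01", "ws-alice"):
        print(host, "can reach:", inv.exposed_from([host]))
        print("  plan:", inv.isolation_plan([host]))
```

Two things the output makes visible that the prose only implies: a compromised management host exposes the most critical data first, so the management segment deserves the tightest controls; and a compromised workstation in a flat user segment exposes every other workstation, which is why the planner quarantines the whole segment rather than a single peer.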
Since the chained ransomware attack on Kaseya, numerous ransomware preparedness guidelines and defensive applications have been brought to market. However, it’s difficult to say how far ransomware preparedness will go toward stopping an attack. Attackers are constantly developing new ways to breach a system. When attackers use legitimate Windows processes, as REvil and their affiliates did in the Kaseya VSA breach, the malware tries to appear benign, making it harder for defensive applications to detect.
So what’s next?
As an industry, we must constantly learn from our mistakes. We must embrace what happened last year and fine-tune our processes — whether they be training, cyber hygiene, remediation, etc. — to prepare for the next attack. If I’ve learned anything throughout my 45+ years in the industry, it’s that incidents like Kaseya are a matter of when, not if, and you always need to be ready.