Just the Facts: What to Look for in Cybersecurity Incident Reporting

Ransomware attacks are alarming. With increasing media coverage, here’s a guide to analyzing news stories and why you should trust BluVector when we say that our Advanced Threat Detection (ATD) could have detected a threat vector.

So far in 2021 there have been numerous high-profile cybersecurity incidents, most notably related to ransomware and supply chain compromises. Obvious examples include the incidents impacting SolarWinds, Colonial Pipeline and, most recently, JBS. These incidents received significant, widespread coverage in both the mainstream and cybersecurity media. This is understandable, particularly in the case of Colonial Pipeline, given that its impacts were felt by millions of members of the public through disruptions to the availability of gasoline in parts of the U.S. East Coast. Mainstream media coverage of cyber attacks, especially ransomware, is increasing and will continue to grow, especially given the U.S. Government’s recent acknowledgement of the national security threat posed by ransomware.

The level of media coverage and the non-stop nature of the current news cycle bring with them an expectation in many people that all the details of a publicized attack will be immediately available. This expectation is also often held by C-level executives and boards of organizations both large and small, driven by their own desire, and that of their shareholders and customers, for answers and reassurance. This frequently results in pressure being brought to bear upon cyber security professionals and vendors to provide immediate answers to their questions and concerns. Answering those questions accurately and completely often requires specific information about the attack. It should also be noted that cyber security professionals and vendors will have the same, or very similar, questions.

However, the simple truth is that during the incident response phase of a cyber attack, specific facts relating to the attack will not be released publicly. Whether an incident is handled internally or external parties have been engaged to assist, the specific details will be considered confidential. Incident response teams will also be focused on containment and mitigation of the attack, and on obtaining further insights through forensic analysis, all of which takes time.

In the initial stages of a cyber attack, the victim organization is unlikely to have the answers to give its own executives and board, irrespective of the amount of pressure being exerted on incident response personnel and external consultants to provide them. Questions such as what the initial attack vector was, what the full attack chain looked like, and what the timeline was are extremely pertinent and valid. But they take time, effort and resources to answer. If the victim organization and the incident responders actively engaged in resolving the incident don’t possess the specifics, there is obviously no way outsiders can answer those questions either, whether during or at the conclusion of the incident.

Additionally, many questions may never be publicly answered with specific details. A good example is the file hashes of the malicious samples related to a cyber attack. Samples from high-profile cyber attacks are rarely publicly detailed, and it’s rarer still for them to be disclosed while the attack is ongoing. An exception to this is rapidly spreading malware attacking vast numbers of organizations simultaneously: during the rapid global spread of NotPetya in June 2017, samples were readily available while the attacks were ongoing. The lack of access to facts can lead to speculation and sweeping but unfounded statements being made by some vendors and individual “experts” who do not possess the facts to support those claims. One particularly illustrative example relates to the SolarWinds breach, where, the day following the initial public announcement of the incident, there were various reports of individuals being cold called by sales representatives claiming their product could have prevented the breach. This is an impossible claim, since absolutely no details regarding the specifics of the breach were available at that time. Without specific samples or a complete attack chain, claims like that cannot be legitimately made.

Claims You Can Trust 

However, with some facts publicly released by credible sources and appropriate disclaimers, statements about probabilities of detecting attacks are valid. For example, BluVector’s patented Machine Learning Engine (MLE) detected 27 recent DarkSide ransomware samples (24 Windows executables and 3 Linux executables) after news of the Colonial Pipeline attack broke. BluVector regression tested the DarkSide samples and all were detected an average of 75 months prior to their release. This indicates there’s a very high probability BluVector ATD would have detected the DarkSide ransomware used against Colonial Pipeline, although the actual DarkSide samples from the attack are not publicly available and so could not be tested.

When considering coverage of the next high-profile attack, keep in mind that facts – i.e. specific details – are likely to be in short supply, especially initially. Theories and speculation, however, are bound to be rife. There is nothing wrong with theories; they just need to be clearly stated as such. Facts will be provided by statements from credible sources, including the victim organization, law enforcement and other government agencies. As an example, the FBI confirmed DarkSide ransomware was responsible for the Colonial Pipeline incident and REvil/Sodinokibi ransomware was used against JBS. These are facts. As an example of speculation, after the FBI’s announcement regarding DarkSide, many reports referred to the “DarkSide gang” being responsible. DarkSide ransomware uses the RaaS (Ransomware as a Service) model, so it was most likely one of the “affiliates”, a DarkSide ransomware customer, who was in fact responsible.

Also, keep realistic expectations regarding the timeframes in which facts become available. In the case of Colonial Pipeline, the public announcement was made by the company the day after the attack took place, and two days after that the FBI confirmed DarkSide ransomware was responsible. It wasn’t until 27 days after the incident actually began that it was publicly stated a compromised VPN account was used as the initial attack vector. Keep in mind that in this case the immediate public impact of the attack likely compressed these timeframes compared to incidents with less visibility to the general public.

To sum up, concerns and questions regarding high-profile cyber attacks are understandable. Just be aware that publicly released facts relating to attacks are in short supply, especially early on, while theories and speculation will be widespread.