The Kaseya attack is particularly unique because it didn’t start with a password breach and the companies followed cybersecurity best practices. So how can we protect ourselves from this threat?
TechRepublic’s Karen Roby spoke to Marc Rogers, Executive Director of Cybersecurity at Okta, about cybersecurity and the Kaseya attack. The following is an edited transcript of their conversation.
Marc Rogers: The Kaseya ransomware attack should be a wake-up call for all of us. We have seen demanding ransomware attacks before, but we have not seen them on this scale and we have not seen them with this devastating effect. The difference is that when you look at your typical ransomware attack, such as Colonial Pipeline, which is a great example, it usually involves very easy access: someone has a password, or someone found an exposed remote desktop session, and that’s how they got in. And that’s because ransomware gangs are usually looking for the easiest way to get in, make money, and get out quickly. But what happened with Kaseya is that the ransomware affiliates involved, the gang behind it is called REvil, found a vulnerability that Kaseya was trying to fix and used it to attack Kaseya. And then, more specifically, they attacked Kaseya’s customers, knowing that those customers were managed service providers with thousands of customers of their own.
They went one at a time, targeting local MSP platforms so that they could attack the customers below. And once they had compromised the platform locally, they used it to infect the customers below. And so we suddenly found thousands of small and medium-sized businesses affected by what is essentially a ransomware attack on the supply chain. It’s different because it started with a zero-day, and that is unusual. It’s hard to say which best practices would avoid this. How can you patch something? By nature, zero-days do not have patches. The infected companies followed best practices. If you’re a small business with no security team, consider using an MSP for your security services. So all of these guys were doing the right things most of the time. There were some mistakes, like the platform used shouldn’t have been exposed to the internet.
We believe it was mainly exposed so that people could work remotely, to create more online availability during the pandemic. And it looks like so-called endpoint protection exclusions were overused. That’s essentially a rule you make to say, “I trust the stuff that comes off this computer, you don’t have to scan it with antivirus.” And these two mistakes unfortunately conspired with the whole scenario to cause a really big catastrophe. But we are now sitting here with thousands of small and medium-sized businesses that are affected, and they are affected because they trusted their supplier. And that supplier was affected because it trusted its supplier and the security of the platform that supplier made available to it. So it’s pretty hard to learn the lessons from it. The simple lessons on strengthening your architecture would help, but I don’t think they would have solved this problem at all.
We need to see this as a wake-up call. Because for me that’s the case: considering that ransomware gangs behave almost like startups, this is the scaling phase. You have a successful business model and are now thinking about how to make it as big as possible. And it’s almost like they learned from the SolarWinds style of attack: get as many people on the chain as possible, hit them with ransomware and get as many as possible. And there is actually evidence that these guys couldn’t handle the number of businesses they compromised because they were so successful. But for us, we really need to think about how we trust our supply chains, to make sure this type of ransomware attack can’t happen again, because it is devastating. There are still small businesses out there with encrypted data. Those who had backups have largely managed to restore, but there are many out there who don’t. Unfortunately, because of the nature of a small business, you don’t have the services or resources to truly be as resilient as a large company.
Karen Roby: As you said, most companies follow their best practices and those suggested to them. But in this case the ripple effects were just devastating.
Marc Rogers: I think there are two big lessons that will emerge from this. One is for industry. This is another reminder, just like we received from SolarWinds, that we really need to look at the supply chain. How do we check the trust we have in our suppliers? And more importantly, how do we trust their suppliers? Since it is these lower levels of trust that you have less and less control over, bad things can get worse. Something shouldn’t happen two or three steps removed from you and then come all the way down and blow you up. That’s not a great scenario. And we’ve seen these lessons from SolarWinds. Hopefully we will see these lessons here. But the other side of that is another strong call to policymakers that ransomware is really getting out of hand as a scourge and that we need to take a much more proactive stance on how to deal with it.
Simple sanctions are not enough because they often hit broad groups of organizations or people and are not targeted at the individuals who make a lot of money from this. Somehow we have to make this personal for them. And so some of the work the DOJ has been doing to make this more personal, like seizing ransomware wallets and other things, is great to see, because it’s good to see real impact. But somehow we have to solve this problem so that these guys can’t sit out of reach, launch devastating attacks on our country and then just move on.
Karen Roby: Yes, exactly. Okay, Marc, any final thoughts?
Marc Rogers: The only thing I would say is that the Ransomware Task Force released a report suggesting how industry and government could work together to combat this threat. The report came from the IST and can be downloaded. I would highly recommend that anyone in industry check it out, and that policymakers check it out. Because a lot of the guidance in it is good and solid, and it points people in the right direction to combat this threat and shows that we can actually do some useful things. This is not a case of, “Oh, it was an advanced persistent threat. We should just ignore it.” This is a “yes, we can do something about it and we should do something about it.”