For this week’s “In the News”, research a recent article, providing the link to the article, that describes an incident that impacted an organization.
- How was the impact worse or reduced because of their Incident Response Program?
- What were the strengths of their Incident Response Program?
Vincent Piacentino says
Kaseya Ransomware Attack
On July 2nd, Kaseya received reports from customers and noticed bizarre behavior taking place on endpoints managed by their “on-prem” Kaseya VSA solution. Shortly after those reports came in, customers indicated that ransomware was being executed on multiple endpoints. Immediately, the executive team at Kaseya made the decision to take two steps to try to contain the incident. They sent notifications to “on-prem” non-SaaS customers to shut off their VSA servers, and Kaseya shut down their VSA SaaS infrastructure. Needless to say, a lot of unhappy people.
The threat actors were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary commands. This leveraged the VSA solution’s functionality to deploy ransomware to endpoints. According to Kaseya, the VSA codebase has not been maliciously modified. FireEye was quickly hired to investigate the mechanisms and extent of the attack.
On July 4th, President Biden authorized the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate with Kaseya to reach out to impacted victims.
1. How was the impact worse or reduced because of their Incident Response Program?
Considering this was a zero-day and it doesn’t look like they were a FireEye customer beforehand, that may have gone a long way to stopping this attack. But I do not know all the information, nor will it be released, even though they are upfront with some details released to the public.
2. What were the strengths of their Incident Response Program?
One of the strengths is that they immediately engaged FireEye to investigate and help scrutinize the attack. Kaseya’s quick action on two fronts, shutting down their VSA infrastructure and employing FireEye, quite possibly saved them from more harm. Kaseya now has the “universal decryptor key” to recover their data. A Kaseya spokesperson confirmed that it works and that it came from a trusted third party, but won’t reveal the source.
https://www.wired.com/story/kaseya-ransomware-nightmare-is-almost-over/
https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/04/statement-by-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-on-reporting-kaseya-compromises/
Jerry Butler says
Great stuff Vincent,
Zero-day vulnerabilities leave exposure; at that point I think one could implement compensating controls or shut off the specific machines in case they access critical data.
Amelia Safirstein says
Slightly different, but I found it interesting: Lawmakers have introduced the Cyber Incident Notification Act of 2021. This would require federal government agencies, contractors who work with the federal government, and organizations that handle critical infrastructure to report to CISA in the event of a security breach. In return, CISA would provide guidance on how to best handle the breach, and help ensure that critical information and PII is kept as safe as possible through the aftermath of the breach. If passed, this legislation would mean a change in the incident response of many organizations. It would give the federal government the ability to investigate and respond more quickly to potential threats to the government, and it would guide organizations more closely to CISA incident response processes in the event of a breach. Organizations would have to take this reporting law seriously, as failing to do so could result in a fine of .05% of the organization’s gross revenue from the previous year for each day that the violation persists.
It is suspected that this legislation was introduced in response to the recent SolarWinds attack.
https://www.securitymagazine.com/articles/95693-senators-introduce-cyber-incident-notification-act
Jerry Butler says
This will be a game changer as regards standardizing incident response; companies will be able to get direct guidance on how to handle incidents and protect client PII in the aftermath of incidents.
Amelia Safirstein says
Absolutely! The only concern now seems to be over potential delays in government response with guidance and whether companies will become too reliant on that assistance.
Jerry Butler says
Why remote working leaves us vulnerable to cyber-attacks:
A cyber-crime group known as REvil took meticulous care when picking the timing for its most recent attack – US Independence Day, 4 July.
They knew many IT specialists and cyber-security experts would be on leave, enjoying a long weekend off work.
Before long, more than 1,000 companies in the US, and at least 17 other countries, were under attack from hackers.
Many firms were forced into a costly downtime period as a result.
Among those targeted during the incident was a well-known software provider, Kaseya.
REvil used Kaseya as a conduit to spread its ransomware – a malware that can scramble and steal an organisation’s computer data – through other corporate and cloud-based networks that use the software.
https://news.yahoo.com/why-remote-working-leaves-us-230025147.html?fr=yhssrp_catchall
Amelia Safirstein says
Cybersecurity never sleeps! It’s unfortunate, but this is the perfect example of why detection systems and cybersecurity professionals have to be on guard at all times.
Vanessa Marin says
https://www.dailyrecordnews.com/news/county-rescinds-emergency-covid-declaration-demobilizes-incident-response-team/article_fc49bc74-b015-505e-83df-7b0e589201ee.html
Publish Date: June 18, 2021
Author: Daily Record
This week’s article is actually about how Kittitas County demobilized their Incident Response plan after a successful run during the COVID-19 pandemic. Their plan increased response personnel, activated local response systems, and facilitated access to vaccines in the county. The county has gotten to a point that they no longer feel “in danger of being overwhelmed by COVID-19 with the need for more resources.” Now that the crisis has passed and routine is starting to take its place, the county goes into management mode rather than crisis response mode. The implementation of the incident response was critical in “expediting the processes that assisted the local response during emergencies that were overwhelming local capacity.” It looks like the incident response plan was effective in gathering the resources needed to survive the pandemic. Partner organizations were ready and prepared to provide supplies and volunteers. 538 volunteers donated approximately 16,000 hours dedicated to manning mass vaccination sites.