Cybercriminals can attack just about anyone, even the security experts who typically protect other organizations. Dragos reveals that it recently had to deal with an attempted ransomware attack. The damage was limited, even though data was stolen. The security company hopes to destigmatize cyberattacks and their victims by being as transparent as possible about the incident.
Firstly, in a blog post, Dragos clarifies how the cybercriminals got close to sensitive data in the first place. The group compromised a new employee’s private email, making parts of the onboarding process accessible. The criminals gained access to Dragos SharePoint and contract management systems, but customer data on these platforms remained untouched.
Dragos says it relied on the proven methodology recommended by most cybersecurity experts. For example, Dragos systems typically assume the principle of least privilege. This security practice assumes as few privileges per user as possible, as the name suggests. In other words, no one has access to data unless explicitly granted access via MFA (multi-factor authentication) or by a system administrator.
The compromised account was blocked as soon as the attempted attack became known. A service provider and an MDR supplier employed by Dragos were called in for quick incident response. Thus Dragos’ layered security took effect: both internal systems and external parties proved helpful in mitigating the problem.
Dragos regrets that data will likely be leaked, although this will be limited to the data of one customer to which the new employee had access. Dragos says it has contacted the customer about the problem.
Tip: ‘Nine in ten organizations fear ransomware’
What significantly aided Dragos’ efforts to triage the compromise was the fact that the criminals never got around to posting ransomware. Because the security company did not respond to the threatening WhatsApp messages from the criminal organization, there was never a question of negotiating a ransom payment. This will be a trickier prospect for many companies, assuming there is ransomware in their systems that puts essential data under lock and key. In that case, it becomes a lot more tempting to negotiate with the criminals anyway.
The attempts at contact from the cyber criminals show a lot of rhetorical bluster. Although family members were mentioned by name, fictitious e-mail addresses of them passed by. In addition, the criminal negotiator stated that Dragos should ignore CISA‘s advice. Ultimately, it turned out to be mostly hot air, as Dragos implies. In particular, the comment “We have EVERYTHING” comes across as somewhat desperate, knowing that only a minimal leak occurred.
Having experienced firsthand how it deals with a cyber attack in practice, Dragos makes several recommendations. First, one addresses the importance of solid Identity & Access Management. Only by assuming least privilege principles can organizations limit the damage. In addition, Dragos recommends spreading tasks around the organization as much as possible to prevent a particular employee from being overwhelmed by an attack. MFA should be enabled whenever possible. This security method is excellent, although several ways exist to circumvent it. Dragos sees these as very recognizable TTPs: tactics, techniques & procedures that threat actors deploy to scam someone.
Tip: Researchers Bypass MFA system Protecting Box Accounts
Dragos additionally provides us with some general security recommendations. Organizations should block known dangerous IP addresses, employees should know how to detect phishing emails, and SOCs should combine tested incident response plan with ongoing security monitoring.
As helpful as Dragos’ advice is, we must remember that the company has a highly specialized level of expertise in recognizing the signatures of ransomware criminals. For example, even a highly secure system can be circumvented by intelligent social engineering: the persuasiveness of phishing can sound compelling thanks to AI tools like ChatGPT, for example.
Another structural problem is that there is a shortage of security experts. Those with the money can secure the best help imaginable. However, this leaves many smaller organizations unprotected, few of which will likely have the security expertise to pick up on TTPs. In short, the importance of fundamental knowledge remains undeniable.
Also read: Data privacy: from necessary security step to competitive advantage