Another cyberattack is spreading quickly across the globe. Ukraine’s power grid, banks and government offices are getting hit especially hard. The attack comes less than two months after a similar cyberattack severely impacted Britain’s National Health Service, delaying medical treatments for thousands of patients, possibly affecting lives.
These are both ransomware attacks, which are increasing in frequency and severity. These breaches go far beyond leaked emails or exposed customer data. These attacks can shut down the critical infrastructure society relies on, like water treatment facilities and manufacturing plants, among other critical assets, causing both financial and health repercussions.
Understanding the nature of a ransomware attack is the first step to preparing your organization. Here are the basics of what you need to know, as well as details on the new cybersecurity platform Uptake has developed to prevent these types of attacks.
Q. What is a ransomware attack?
Ransomware is malicious software installed on a computer that holds digital assets ransom, prompting the user to compensate the attacker for recovery. An example may be a piece of software that encrypts files and prompts a user to pay a “ransom” to recover their data.
Q. Why have we seen two major attacks in the last couple of months?
It is unknown “why” two have specifically happened, but it is likely the attackers have learned that there are a number of systems connected to important infrastructure that are vulnerable and can be exploited using a ransomware attack. Once the systems are attacked, there is a high likelihood that the victims won’t know what to do other than pay the ransom in desperation to get their files back and system up and running again.
Q. Is this something we can expect to see more of? Why?
We should expect to see many more of these types of attacks as organizations continue to connect networks and systems that were previously shielded through isolation and air gaps. Connecting these networks and systems introduces complexities, including the inability to update software against vulnerabilities, a mitigation that is routine for IT assets such as computers and mobile phones.
Q. What types of organizations are most vulnerable? Why?
Organizations are most vulnerable in industries where IT infrastructure has converged with Operational Technology (OT). Many of these organizations’ infrastructure relies on outdated versions of operating systems that don’t offer the option to update software. For example, a power plant may have software that controls certain OT components and will only run an outdated version of Windows 2008, presenting risk against modern attacks.
Q. At a high level, what steps can an organization take to protect itself from a ransomware attack?
First, an organization should perform a detailed discovery of all the IT and OT assets across its entire environment. It should then catalogue each system by operating system and patch level.
Next, it should work to understand whether any network segmentation or isolation can be performed. Those systems that cannot be immediately upgraded should be isolated or segmented from networks with general user activity. Organizations should also contact the manufacturers of the OT systems to understand how they can be updated, if at all. Organizations should also make sure that vendor passwords are not left at their defaults and that the IT-related systems are running modern anti-malware software.
Finally, visibility into IT/OT is key to early warning when an outbreak is beginning. Having a solution in place that can monitor OT environments for abnormal behavior can provide indicators of malicious activity even when traditional IT security tools fail to detect and stop a new attack method.
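The discovery, cataloguing and hardening steps above can be turned into a repeatable check over whatever inventory the discovery pass produces. The following is an added example, not Uptake’s code: the inventory fields, the list of operating systems treated as unpatchable, the zone names and the sample assets are all assumptions chosen to illustrate the steps.

```python
"""Triage a constructed IT/OT asset inventory against the hardening steps above.

Added example, not Uptake's code. The inventory fields, the unsupported-OS
list, the zone names and the sample assets are all assumptions.
"""
from dataclasses import dataclass

# Assumption: operating systems the organization can no longer patch
# (the text's "Windows 2008" case is Windows Server 2008 here).
UNSUPPORTED_OS = {"windows server 2008", "windows xp", "windows 2000"}

# Assumption: network zones that carry general user activity.
USER_ZONES = {"corp-users"}


@dataclass
class Asset:
    hostname: str
    kind: str            # "IT" or "OT"
    os: str
    patch_level: str     # vendor patch identifier, "" when discovery did not record it
    zone: str            # network segment the asset sits in
    default_creds: bool  # vendor default password still in place
    anti_malware: bool   # modern anti-malware installed and running


@dataclass
class Finding:
    hostname: str
    issue: str
    action: str


def catalogue(assets):
    """Step 2 of the text: group hostnames by (operating system, patch level)."""
    groups = {}
    for a in assets:
        groups.setdefault((a.os, a.patch_level or "unknown"), []).append(a.hostname)
    return groups


def triage(assets):
    """Apply the segmentation, vendor-contact, password and anti-malware checks."""
    findings = []
    for a in assets:
        unsupported = a.os.lower() in UNSUPPORTED_OS
        if not a.patch_level:
            findings.append(Finding(a.hostname, "patch level not recorded",
                                    "complete discovery before deciding on isolation"))
        if unsupported:
            findings.append(Finding(a.hostname, "runs unsupported OS " + a.os,
                                    "ask the OT vendor for an upgrade path; isolate until then"))
        if unsupported and a.zone in USER_ZONES:
            findings.append(Finding(a.hostname, "unpatchable system shares a segment with general users",
                                    "move to a dedicated OT segment or filter traffic from " + a.zone))
        if a.default_creds:
            findings.append(Finding(a.hostname, "vendor default credentials still set",
                                    "change the password and record the new owner"))
        if a.kind == "IT" and not a.anti_malware:
            findings.append(Finding(a.hostname, "IT system without anti-malware",
                                    "deploy the standard endpoint anti-malware agent"))
    return findings


# Constructed inventory, as a discovery pass might produce it.
INVENTORY = [
    Asset("hmi-01", "OT", "Windows Server 2008", "", "corp-users", True, False),
    Asset("plc-gw-02", "OT", "Windows Server 2008", "SP2", "ot-control", False, False),
    Asset("ws-101", "IT", "Windows 10", "2017-06", "corp-users", False, True),
    Asset("fileserver-01", "IT", "Windows Server 2016", "2017-06", "corp-servers", False, False),
]


def findings_for(hostname, assets=INVENTORY):
    """All findings raised for one host; convenient for per-asset review."""
    return [f for f in triage(assets) if f.hostname == hostname]


if __name__ == "__main__":
    for (os_name, patch), hosts in catalogue(INVENTORY).items():
        print(f"{os_name} [{patch}]: {', '.join(hosts)}")
    for f in triage(INVENTORY):
        print(f"{f.hostname}: {f.issue} -> {f.action}")
```

The anti-malware rule is applied only to IT assets, matching the text’s wording; OT assets get the vendor-contact and isolation actions instead, since an unsupported controller often cannot take an endpoint agent at all.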
Q. What kind of solutions exist to monitor an organization’s OT system?
What’s required to avoid this kind of catastrophe is a cybersecurity platform that ingests data from across the entire enterprise, normalizes it and analyzes it to reveal where the attacks are happening and provide actionable insight into the incident resolution.
At Uptake, we provide that capability with a single, unified platform that empowers a core group of analysts to stay a step ahead of the attackers. Uptake Secure leverages our proprietary machine learning anomaly detection engines combined with our core security expertise to reliably detect, prevent, investigate, triage and resolve cybersecurity threats against OT assets.
For example, our solution monitors OT asset and network traffic to identify anomalous behavior, triggering an alert upon detection with all relevant contextual data, to provide an analyst with all information necessary for effective mitigation. This results in efficient, effective detection of and response to threats, in addition to more reliable, productive, and safe operations.
Q. How is Uptake’s solution different?
It takes most vendors 18 months to build a data science model, validate it, transfer it to an analytics platform, tune it and, finally, push it into production. Uptake’s security researchers work hand in hand with data scientists to build and validate models that can detect new attacks against your OT assets in under two weeks.
Our process is divided into four parts:
Ingest asset, enterprise IT, operational and contextual data from the disparate sources across the business.
Clean up and normalize data for processing and analysis.
Apply anomaly detection models to identify potential threats, providing recommendations based on security policies and remediation techniques available.
Provide visual application for your security operation center that allows analysts to triage, investigate, remediate and resolve potential cybersecurity threats from a single platform.
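The four-step pipeline above, and the alert-with-context behaviour described earlier, can be sketched end to end in a few dozen lines. This is an added example and not Uptake Secure or any of its models: the two log formats, the asset roles, the learning window, the fan-out threshold and the two detection rules are all assumptions chosen to show the shape of ingest, normalize, detect and present.

```python
"""Ingest -> normalize -> detect -> present, over constructed OT network logs.

Added example, not Uptake Secure. The two log formats, the asset roles,
the learning window, the threshold and the two detection rules are assumptions.
"""
import csv
import re
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed inputs: a firewall syslog-style export and a CSV flow export
# from an OT switch, standing in for the "disparate sources" of step 1.
FIREWALL_LINES = """\
2017-06-27T10:00:01Z fw1 ACCEPT src=10.1.1.20 dst=10.2.0.5 dport=502 proto=tcp
2017-06-27T10:00:03Z fw1 ACCEPT src=10.1.1.20 dst=10.2.0.6 dport=502 proto=tcp
2017-06-27T10:05:10Z fw1 ACCEPT src=10.3.0.9 dst=10.2.0.5 dport=445 proto=tcp
2017-06-27T10:05:11Z fw1 ACCEPT src=10.3.0.9 dst=10.2.0.6 dport=445 proto=tcp
2017-06-27T10:05:12Z fw1 ACCEPT src=10.3.0.9 dst=10.2.0.7 dport=445 proto=tcp
"""
OT_FLOW_CSV = """\
timestamp,source,destination,port,protocol
2017-06-27T10:00:02Z,10.1.1.20,10.2.0.7,502,tcp
2017-06-27T10:05:13Z,10.3.0.9,10.2.0.8,445,tcp
"""
# Constructed contextual data: which asset plays which role.
ASSET_ROLES = {
    "10.1.1.20": "SCADA server", "10.3.0.9": "corporate workstation",
    "10.2.0.5": "PLC line A", "10.2.0.6": "PLC line B",
    "10.2.0.7": "PLC line C", "10.2.0.8": "PLC line D",
}
# Assumption: traffic before this instant is known-good and trains the baseline.
LEARNING_END = "2017-06-27T10:05:00Z"

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Alert:
    rule: str
    src: str
    detail: str
    context: dict


def normalize(firewall_text, flow_csv):
    """Step 2: map both formats onto one Flow record, ordered by time."""
    flows = []
    for line in firewall_text.splitlines():
        m = FW_RE.match(line)
        if m:  # lines that do not parse are dropped rather than guessed at
            flows.append(Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"]))
    for row in csv.DictReader(StringIO(flow_csv)):
        flows.append(Flow(row["timestamp"], row["source"], row["destination"],
                          int(row["port"]), row["protocol"]))
    return sorted(flows, key=lambda f: f.ts)  # ISO-8601 UTC strings sort chronologically


def learn_baseline(flows):
    """Whitelist-style model: the (src, dst, dport) triples seen during normal operation."""
    return {(f.src, f.dst, f.dport) for f in flows}


def role(ip):
    return ASSET_ROLES.get(ip, "unknown asset")


def detect(flows, baseline, fanout_threshold=3):
    """Step 3: two simple rules, each alert carrying the context an analyst needs."""
    alerts = []
    peers = defaultdict(set)
    for f in flows:
        if (f.src, f.dst, f.dport) not in baseline:
            alerts.append(Alert("new-communication", f.src,
                                f"{f.src} -> {f.dst}:{f.dport}/{f.proto} never seen in baseline",
                                {"ts": f.ts, "src_role": role(f.src), "dst_role": role(f.dst)}))
        peers[(f.src, f.dport)].add(f.dst)
    for (src, dport), dsts in peers.items():
        if len(dsts) >= fanout_threshold:  # one host reaching many peers on one port
            alerts.append(Alert("fan-out", src,
                                f"{src} reached {len(dsts)} hosts on port {dport}",
                                {"src_role": role(src), "targets": sorted(dsts)}))
    return alerts


def run_pipeline():
    """Train on the learning window, then detect over everything after it."""
    flows = normalize(FIREWALL_LINES, OT_FLOW_CSV)
    baseline = learn_baseline([f for f in flows if f.ts < LEARNING_END])
    return detect([f for f in flows if f.ts >= LEARNING_END], baseline)


if __name__ == "__main__":  # step 4, reduced here to a text table for the analyst
    for a in run_pipeline():
        print(f"[{a.rule}] {a.detail} | {a.context}")
```

Two design points carry over to a real deployment: the baseline is only as trustworthy as the window it was learned from, so it should be reviewed by someone who knows the plant before it is used to judge new traffic, and every alert is enriched with asset roles at creation time so the analyst does not have to look them up during an incident.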
Pushing these models into production faster creates a critical advantage. And it works by empowering your most powerful asset: your people. Our platform’s combination of AI, machine learning and data science allows a core group of analysts to triage, investigate and resolve highly complex IT/OT security issues spread across the entire organization. This enables analysts to monitor thousands of assets at the same time, prioritize events, and make actionable recommendations, while integrating solutions with existing IT security controls.
Additionally, we’ve invested heavily in security. In the last year, we have recruited some of the top thinkers and doers in the security industry. We also have an entire team dedicated to building innovative security features directly into our platform—we’re not just tacking on some vendor solution.
We’ve also put security at the core of our culture. Every developer gets a copy of the Uptake “Security Manifesto,” which stresses their responsibility to embed security into every line of code they write.
As technologies proliferate into the heart of every organization’s critical operations, becoming more and more interconnected along the way, it’s crucial that cybersecurity measures keep pace.
It’s not just a matter of encrypting emails and patching servers anymore. It’s about protecting the people and technologies that power our world.
Nick Percoco is the Chief Information Security Officer at Uptake. For his latest updates, follow him on Twitter at @c7five. To learn more about our new cybersecurity platform, contact us.