Pirates of the 21st Century
Keith Moore, Distinguished Technologist at HPE
Since the days of yore, pirates have captured, ransacked, and held people and goods hostage. It was not that many years ago that most of the world was taken aback by a band of modern-day ship pirates who successfully hijacked modern vessels, killed or held crew hostage, and stole items of value. It was a common ploy to board a ship and hold the crew for ransom. The reality and the drama of these cases were shamelessly exploited in stories and even in a Hollywood movie, Captain Phillips (2013).
It is an obvious step to compare pirates to the computer ransomware exploits perpetrated by groups, countries, and individuals. The booty is the data, the hostage is the computer, and the ransoms are again usually monetary. It is not difficult to also compare the measures necessary to stave off attacks, detect breaches, and recover from exploits. The methods are similar; in most cases, the old and the new can be mapped next to each other. I am likely not the first to draw this analogy, but I think it is worth using as a simple guide to address the modern IT pirate, who is an anonymous character, not the eponymous hero of the movies.
There have been numerous attacks that mirror what the pirates perpetrated, this time going after the data booty of enterprises. For the most part, the pirates design their attacks to surprise and subvert known vulnerabilities in the protective systems and in use cases. Ship pirates catch lumbering cargo ships out at sea because that is when they are most vulnerable to surprise attack. Similarly, computer systems have vulnerable times, operational processes, and software exploits. These same vulnerabilities are where the pirates attack and where IT security needs to remain diligent to protect.
Batten the Hatches and Put Up the Cannons!
Protection and Prevention
Identify, Protect, and Detect
As with most things relating to IT security, the simple truth is that prevention is the most valuable action to address piracy. If the pirate cannot get to the vulnerability, then they cannot exploit it. Obviously!
- Stay current and follow all IT security guidelines. Some vulnerabilities are simple and already addressed. Some are processes and procedures that prevent rogue software, and some are processes that capture and repel the pirates' attempts. A network firewall acts like a high freeboard on a ship, making it hard to climb aboard and breach the ship. A good crew does all the necessary operational things, like DevSecOps (shift-left security), auditing, and surveying the access. A good captain has a proactive plan for hiding the treasure; for IT, encryption and tokenized obfuscation are critical should the actual loot be exposed to the criminals. Think of the movies where the loot turned out to be useless and not what the pirates had expected.
- Protect the data and obfuscate it. Since the usual ransomware exploit is to encrypt the data and threaten to leave it unreadable, it makes sense that the data should be unreadable by the pirate in the first place. Disk volume encryption does not address this need, but tokenization and/or user-level encryption does. Take preemptive steps to protect the data.
- Develop and deploy strict software and configuration change management as part of every entry into the enterprise run environment. A well-run ship has a boatswain who makes sure only approved cargo and crew ever get on the ship. The boatswain knows what the cargo is and how it got on board. The boatswain also has access to the able bodies that can eject intruders.
- Capture and document the “known-good” state of your system on a strict schedule. This seems simple, but it is difficult. When the pirates attack, if you know where the last good treasure is stored, you can bring it back to the ship and sail on after the attack. Use tools and procedures to validate the consistency of the current environment against the expected “known-good” state; check the level of the rum casks with a good eye for any watering down! If you do not know where the last good treasure was stored, and which chests hold good booty and which hold false treasure, you are in for a rough time trying to find it in order to save it. This goes beyond just data backup. It requires strict change management and change audit for everything in the system.
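As an added illustration of the last point (example code, not from the article or HPE): capture a known-good manifest of file hashes, store it off the ship, and later validate the live environment against it to report exactly which chests were modified, added, or removed. The directory tree and the simulated encryption are constructed inline so the script runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large cargo does not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_baseline(root: Path) -> dict:
    """Record the known-good state: relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def validate(root: Path, baseline: dict) -> dict:
    """Compare the current state with the stored baseline; list what drifted."""
    current = capture_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tiny tree, simulate a ransomware change, validate."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("mode=production\n")
        (root / "data.csv").write_text("id,amount\n1,100\n")
        stored = json.dumps(capture_baseline(root), indent=2)  # keep this copy off the ship
        # Simulated attack: data encrypted in place, ransom note dropped, config deleted.
        (root / "data.csv").write_bytes(b"\x00encrypted-garbage")
        (root / "README_RESTORE.txt").write_text("pay us")
        (root / "etc" / "app.conf").unlink()
        return validate(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be written somewhere the pirates cannot reach (offline or immutable storage), or it will be encrypted along with everything else.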
Battle once the Pirates Have Breached the Ship!
Expel and Assess
Respond
If you fail to repel boarders, you must expel them as soon as possible and immediately assess the damage and determine how to recover. Expelling can be as dramatic as scuttling your own ship to preserve forensic information. There are cases where the computer systems need to be suspended for forensic analysis and the recovery needs to be done on a separate computer instance. This is not true in all cases, but for a full-on Jack Sparrow breach, it may be necessary.
Analysis tools like SIEM and on-board audit can be used to identify what was stolen and how. But they do not address the recovery schemes required in the event of a full-on breach. The process of detailed forensic analysis can continue beyond the recovery or transfer of the cargo to a new ship. Deep analysis can determine whether you must move to a safe harbor and a safe ship while the damaged ship founders. But waiting too long to decide what to do could lead to losing all the critical cargo (data). So this is a critical step and must be done from the perspective of RPO (recovery point objective) and RTO (recovery time objective). Just as with disaster recovery, the decision of when and what to do is based upon the business RPO and RTO requirements.
Jump Ship or Run to Shore for Repair!
Recovery
The attack has been staved off and the recovery plan is clear; it is time to execute. Recovery plans are unique to each use case but should be driven by the RPO and RTO of the enterprise. If the queen’s ships are considered lost and destroyed, the question turns to the condition of the cargo. The IT director needs to recover the cargo (data) and restore access on either a new ship (computer) or the original ship (computer). The mechanism for data recovery is unique to each business, just as the penalty and impact are unique to each individual ship sponsor (a monarch or shipping company, for example).
It is critical that the preparations made in the first steps be clearly documented so that the recovery times can fulfill the RTO. Sometimes this means a complete rebuild from a baseline, and other times it means tactically repairing or restoring specific data. But in all cases, the IT processes must be thorough, documented, maintained, and tested. So, when the event occurs, it’s “all hands on deck!” with the recovery.
We Sail!
Conclusion
I hope that this fun little excursion helps define what is common to all attempts to extort and steal the precious booty, that is, our data. I further hope the metaphor wasn’t overused. I do believe the situation is analogous and that it is good to consider that the perpetrators’ goals are similar.
The three activities above are common to many IT security events and preventions. Moreover, the ransomware topic has a direct and shareable correlation to IT disaster recovery (DR) plans. In fact, I recommend that these two IT processes and documents be shared and expressed in common. Tests for DR should also include the data ransomware perspective, and vice versa. Ransomware recovery (RR) techniques should be considered right along with disaster recovery.