The Kaseya attack is especially unique because it didn’t begin with a password breach, and the companies were following cybersecurity best practices. So, how can we protect against this threat?
TechRepublic’s Karen Roby spoke with Marc Rogers, executive director of cybersecurity at Okta, about cybersecurity and the Kaseya attack. The following is an edited transcript of their conversation.
SEE: Security incident response policy (TechRepublic Premium)
Marc Rogers: The Kaseya ransomware attack should be a wake-up call to all of us. We’ve seen sophisticated ransomware attacks before, but we’ve not seen them at this scale, and we’ve not seen them to this devastating effect. What makes it different is when you look at your typical ransomware attacks, like take the Colonial Pipeline one, is a great example, it usually involves a very simple way in. Like somebody got a password or somebody found an exposed remote desktop session, allowed them access. And that’s because ransomware gangs typically look for the easiest way to quickly get in, make some money and get out. But what happened with Kaseya is somehow the ransomware affiliates involved in this, the gang behind it is called REvil, found a vulnerability that Kaseya was in the process of fixing and used it to attack Kaseya. And then, more specifically, attack Kaseya’s customers, knowing that those customers were managed service providers who had thousands of their own customers.
They went one by one, targeting on-premise MSP platforms so that they could attack the customers underneath. And when they popped the platform on premise, they then used it to infect the customers below. And so suddenly we found thousands of small and medium-sized businesses affected by this essentially ransomware supply chain attack. It’s different because it started with a zero-day, and that’s unusual. It’s hard to say best practice in terms of avoiding this, how do you patch for something? Zero-days by their nature don’t have patches for it. The companies that were infected, were following best practices. If you’re a small company without a security team, you should be using an MSP to do your security services. So, all these guys were mostly doing the right things. There were some mistakes like the platform being used shouldn’t have been exposed to the internet.
We believed it was mostly exposed so that people could remote work because of the pandemic and to make more online availability. And it looks like that there was overuse of what are called endpoint protection exclusions. Which is essentially a rule that you put in to say, “I trust the stuff coming from this machine, you don’t need to scan it with antivirus.” And that, unfortunately, those two mistakes conspired with the whole scenario to make a really big disaster. But we’re sitting here now with thousands of small- and medium-sized businesses impacted, and they’re impacted because they trusted the supplier. And that supplier was impacted because they trusted their supplier and the security of the platform that that supplier was providing to them. So, it’s kind of hard to take the lessons out of it. The simple lessons of strengthening your architecture would help, but I don’t think they would have solved this problem at all.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
We need to think about this one as a wake-up call. Because for me, this is if you consider ransomware acts as almost like being startups, this is them scaling. They’ve got a successful business model, and now they’re looking at how they can do it as big as possible. And it’s almost as if they learned from the SolarWinds style of attack to get as many people as possible down the chain and applied it to ransomware and got as many as possible. And there actually are indications that these guys couldn’t handle the volume of companies they compromised because they were so successful. But for us, we really need to go back to thinking about how we trust our supply chains to make sure that this kind of ransomware attack can’t happen again, because it’s devastating. There are still small businesses out there who’ve got encrypted data. The ones who had backups have managed to restore to a larger extent, but there’s a lot out there that don’t. Because unfortunately the nature of a small businesses, you don’t have the services or resources to really be as resilient as a large enterprise.
Karen Roby: As you said, most companies have been and are following their best practices and what’s suggested to them. But this one, the ripple effects have just been devastating.
Marc Rogers: I think there’s two big lessons that are going to come out of this. One is industry. This is another reminder, just like we got from SolarWinds, that we really have to look at supply chain. How do we verify the trust we place in companies that are our suppliers? More importantly, how do we place trust in their suppliers? Because it’s those removed levels of trust, where you start to get less and less influence, the bad things can get even worse. Something shouldn’t be able to happen two or three links away from you, and then come all the way down and then blow you up. That’s not a great scenario. And we saw those lessons from SolarWinds, I’m hoping we can see those lessons here. But the other side of it is kind of another strong call out to policymakers that ransomware as a scourge is really getting out of hand and we need to take a much more proactive stance on how we deal with it.
SEE: Kaseya supply chain attack impacts more than 1,000 companies (TechRepublic)
Simple sanctions aren’t enough because often they’re hitting broad groups of organizations or people, and they’re not targeting the specific individuals who are making large amounts of money out of this. Somehow we have to make this personal for them. And so some of the work that DOJ has been doing to make this more personal, like seizing ransomware wallets and things is great to see because it’s good to see actual repercussions. But somehow we have to solve this problem of these guys can’t be out of arms’ reach, launch devastating attacks against our country, and then just move on.
Karen Roby: Yeah, exactly. All right Marc, any final thoughts here?
Marc Rogers: The only other thing I would say is the ransomware task force put out a report suggesting how industry and government could work together to collaborate in attacking this threat. The report came out of the of IST and it can be downloaded. I would strongly recommend everyone in industry taking a look at it, and policymakers take a look at it. Because a lot of the guidance in there is good and solid, and it pushes people in the right direction towards tackling this threat and shows that actually there are some meaningful things that we can do. This isn’t a case of, “Oh, it was an advanced, persistent threat. We should just discount it.” This is a, “Yes, we can do something about this, and we should do something about this.”