A high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month.
In May 2021, New Zealand forensic and cyber related news was dominated by a high-profile ransomware attack on a Government Agency. Given the significant coverage to date in the media, instead of listing the numerous articles, we are providing guidance to assist you in improving your cyber resilience and Incident Response preparedness, focusing on the threat of Data Leak Sites.
- New Zealand Data Breach Response Guide
- Understanding Ransomware and Data Leak Sites
- CISA and MS-ISAC – Ransomware Guide
- CISA – Technical Approaches to Uncovering and Remediating Malicious Activity
On 1 December 2020, the Privacy Act was updated to include mandatory notification requirements if serious harm could be caused to individuals whose data had been compromised. On 26 May 2021, the Privacy Commissioner John Edwards warned DHBs to address security failings identified in a Ministry of Health stocktake of health IT systems in 2020. The Privacy Commissioner also stated the need to:
- notify and offer support to the individuals identified in that information without delay.
We recommend that notifications be conducted using specialist tools, which will also track and record which custodians have received your communications.
- actively monitor potential host sites on the Dark Web or elsewhere.
As published in recent copies of this bulletin, we have seen an increasing number of New Zealand organisations being targeted and impacted with Ransomware, often resulting in data theft and publication. Our forensic examination over recent months of numerous ransomware notes, the associated malware and associated data leak sites has identified the following three data leak sources:
- Credential Monitoring. This is a cost-effective option to monitor known Dark Web sites for your compromised logins and passwords.
- Dark Web sites referenced in ransomware notes. Cyber criminals operating as part of organised crime groups are motivated for direct financial gain. Accordingly, they are increasingly publishing the Dark Web sites where they will publish compromised data. The monitoring of these sites requires a degree of technical knowledge and therefore carries a slightly higher price tag.
- Data Leakage Detection. If you do not know which Data Leak Site your compromised data may be published to, then you may need to conduct a more thorough monitoring exercise requiring specialist software and expertise, at a considerably higher cost.
Ciaran Martin, the founding chief executive of GCHQ’s Cyber Security Centre (NCSC), spoke after the Irish health service was targeted by international criminals yesterday. The Prime Minister of Ireland refused to pay a ransom demand after the Health Service Executive (HSE) was plunged into chaos by the ‘most significant cybercrime in the history of the State’ which threatened the care of thousands of patients. Mr Martin said making these payments illegal would help stop the funding of organised criminals who forced businesses into helping pay for further attacks.
Colonial Pipeline has confirmed it paid a $4.4m (£3.1m) ransom to the cyber-criminal gang responsible for taking the US fuel pipeline offline. The Wall Street Journal reported that Colonial Pipeline authorised the payment on 7 May because of uncertainty over how long the shutdown would continue. “I know that’s a highly controversial decision,” Joseph Blount said in his first interview since the hack.
New research shows how Cobalt Strike is being weaponized in campaigns deploying malware ranging from the Trickbot banking Trojan to Bazar. The popular penetration testing kit, of which source code for version 4.0 was allegedly leaked online in 2020, has been abused by threat actors for years and has become a go-to tool for advanced persistent threat (APT) groups including Carbanak and Cozy Bear. The researchers say that the existing abuse of Cobalt Strike has been linked to campaigns ranging from ransomware deployment to surveillance and data exfiltration, but as the tool allows users to create malleable Command and Control (C2), it can be complicated to trace C2 owners.
The group behind the SolarWinds (SWI.N) cyber attack identified late last year is now targeting government agencies, think tanks, consultants and non-governmental organizations, Microsoft Corp (MSFT.O) said on Thursday.
“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations”, Microsoft said in a blog. Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020, according to Microsoft.
Summary of last month’s Cyber Alerts and News Clips:
18 May 2021 – Incident Response Solutions – Ransomware (Updated 18 May 2021)
This month’s theme is “Implementing Cyber Controls”.
In previous bulletins we have discussed the importance of adopting a mature and trusted cybersecurity framework for guiding your cybersecurity improvement programme. We recommend the NIST cybersecurity framework for this purpose.
Additionally, we believe organisations will benefit from using an appropriate set of Cyber Controls that align with the cybersecurity framework to support their journey to cybersecurity maturity. The CIS controls provide clear, actionable items for immediate gains in cybersecurity posture.
The SANS Institute developed the CIS critical security controls in early 2008 due to an alarming number of US defence industrial base organisations suffering significant data losses. The controls were intended to act as best practice guidelines for computer security. They have since evolved to become a prioritised set of specific actions a business can implement for protection from known cyber-attack vectors.
The Controls at a glance
CIS controls version 8 were released in May 2021 consisting of 18 top-level controls and 153 safeguards (sub controls) that can guide you through the process of creating a layered or defence-in-depth cybersecurity strategy. This latest version focuses more heavily on cloud-based computing (full and hybrid environments), virtualisation, outsourcing, work-from-home and mobility. It also recognises changing attacker tactics. The list of top-level controls below displays the scope of the framework:
|1: Inventory and Control of Enterprise Assets||7: Continuous Vulnerability Management||13: Network Monitoring and Defense|
|2: Inventory and Control of Software Assets||8: Audit Log Management||14: Security Awareness and Skills Training|
|3: Data Protection||9: Email Web Browser and Protections||15: Service Provider Management|
|4: Secure Configuration of Enterprise Assets and Software||10: Malware Defenses||16: Application Software Security|
|5: Account Management||11: Data Recovery||17: Incident Response Management|
|6: Access Control Management||12: Network Infrastructure Management||18: Penetration Testing|
Each of the 18 controls have multiple safeguards (formally called sub-controls). We will be undertaking a deep dive of these over the coming months to describe what each one means practically and how it can be assessed and implemented.
Benefits of Implementation
The CIS Controls recognise that most organisations have limited resources which must be prioritised. The controls are tiered by way of Implementation Groups (IG), whereby organisations can continually assess their resource availability to determine whether they can increase their cyber improvements.
- IG1 is for small businesses and start-ups with limited resources and is considered “basic security hygiene”.
- IG2 is for medium enterprises with moderate resources, therefore comprising a more extensive control set.
- IG3 is for large organisations with significant resources, capable of implementing all the CIS controls and sub-controls.
The ability to prioritise and categorise the controls is what makes the CIS control set so effective in practice. It allows you to focus on a small number of actions that can significantly reduce cybersecurity risk and provide the most “bang for your buck”.
The recently released 2021 Verizon Data Breach Investigations Report identifies a core set of CIS controls that they believe all businesses should implement regardless of size to protect against the most common attack vectors seen in the report.
Combining the NIST cybersecurity framework and the CIS Controls
As the CIS controls align to the NIST cybersecurity framework, we recommend these be used together to gain control of your cybersecurity maturity in a methodical, organised way.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.