Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Nation-State Actors or Common Cybercriminal, Your Cyber Fundamentals May Be Your Achilles’ Heel

I have seen quite a few articles of late proclaiming that a major cyberattack against Australia is imminent as a result of the ongoing situation in Ukraine, and in truth it's kind of riled me up a bit.

The most recent announcements about Australia promising cyber support to Ukraine has increased speculation on this question. As someone with a keen interest in Geopolitics, who frequently writes and delivers threat intelligence briefings, what does this all mean for Australian organizations, and why is my blood pressure so high right now?

Well, the main thrust of the conundrum is “The enemy of my friend is my enemy, my friend is about to have a fight, I may get hurt” which is probably a fair set of assumptions. Where it becomes problematic for me, is the sort of hasty generalizations that attempt to draw a long bow between Russia invading Ukraine, and Australian hospitals or schools being on the receiving end of a ransomware attack, along with a conflation of threat actors in play, namely APT's, Cybercriminals and Cyber Vigilantes.

I don’t know the expert quoted in this article, but to give him the benefit of the doubt it’s possible that his words were taken out of context by a journalist or sub-editor whose objective was to write a sensational story. In truth, Australian businesses including hospitals and schools have been constantly bombarded with ransomware attacks of this nature for several years now. This is unlikely to increase as a result of the conflict.

These attacks are not simply the result of a Russian government directing their agents to create chaos, but a complex combination of many factors primarily driven by personal greed rather than patriotic ideology. Typical ransomware groups are not military, they are not really backed by the government, and they have little need for military datacenters at all, rather the Kremlin have historically tolerated them provided they were attacking businesses in countries outside CIS and China.

Ransomware crews have more in common with Uber Eats than the KGB, much of the work is carried out by freelance ‘affiliates’ who may well work for several different crews. An open marketplace of vulnerability exploit kits, ransomware and attack delivery routes are available on the Dark Web, and can be assembled in a coordinated mesh for a price and successful delivery of a payload. Picture your Uber Eats delivery rider showing up with a Deliveroo Jacket and a Menulog helmet.

Did somebody say Threat Intel?

There seems to be a common misconception that corporate cybersecurity people consume threat intelligence as if they are sat in something resembling an old railway signal box pulling levers in accordance with the level of threat they are tipped to be expecting.

18462_picture13

The 19th century railway signal box museum at Romsey, Hampshire by Anguskirk CC BY-NC-ND 2.0

“Oooh look Russia is about to Invade Ukraine, Russians are known for Ransomware quick pull lever number 3 all the way back.”

That’s not really how any of this works, the mundane truth is that cybersecurity is more akin to farming than a military operation in that it’s an iterative process of mending fences, planting seeds and pulling weeds in the hope that your crops will continue to grow. The problem is that combine-harvester-automation analogies are just not as sexy as pseudo military geopolitical intelligence briefings.

Please Be Prepared

If you are unprepared for a cyberattack today, it might be because you are wasting your time consuming hype like this rather than patching your fences, and propping up your scarecrows! Don’t be distracted by the noise and ensure you have your house in order first.

Please don't stop doing the mundane stuff to focus on the extraordinary. My key tips:

  • Get the fundamentals right. As always, one of the best places to ensure you are covering all the cybersecurity essentials is the Australian Cyber Security Centre’s Essential 8. Many good tips are in the ACSC’s “strategies to mitigate cyber security incidents” document .
  • Understand your attack surface. Vulnerability Assessments and penetration testing can help you spot those long forgotten and vulnerable hosts left open to the great unwashed.
  • Test how both your technical teams, and executives might respond if the worst should happen, prepare a Ransomware Playbook and crisis management plan to ensure you can respond effectively and quickly and use a tabletop exercises to put your teams and plans through their paces.
  • Carry out continual awareness training that is regularly refreshed and up to date so that staff can spot and avoid common contemporary attacks.
  • Implement a best of breed EDR agent on your endpoints that will enable you to collect telemetry, and isolate a system if alerts are detected.

Nation-state actors grab the FUD headlines, but most organizations should care less about ‘who’ is attacking them and focus more on the ‘how’. Many successful attacks would have been avoided by getting the basics right.

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More