$5M for shutting down that major of a pipeline seems like too little, unless, of course, they weren't expecting the company to even pay. Now that these actors know that the oil (and quite likely other utilities) are more than willing to pay big bucks to get back online, they will be targeted far more.
There are so many reasons this is very very bad.
There are lots of infrastructure management teams taking security more seriously than they were a month ago. That alone is worth more than $5M
The fact they caved so quickly tells me they are years away from a reasonable security posture.
Without widespread ransomware scammers, the risk of getting compromised is just theoretical, not tangible. Companies can get away with ignoring security concerns for a long time and might never be impacted by it.
Thus, companies which are paying a premium for better security might never be able to benefit from the mitigations they are implementing, and could be outcompeted by the companies which simply got lucky enough to avoid being attacked.
Eventually we end up with major too-big-to-fail megacorps like Equifax getting hacked by trivial exploits because nobody took advantage of them when they didn't have such a strong market position.
Still, this might lead to their first solid security hire that can bring about change in the form of zero-trust principles, security in depth, etc.
> to have any chance of stopping a targeted state actor.
Given unlimited resources, interest and budget, no participant in the modern digital landscape has a significant chance of stopping motivated threat actors.
> The fact they caved so quickly tells me they are years away from a reasonable security posture.
Yes, obviously, but driving change is about incrementally tending to a desired state. Your fatalism is, quite frankly, unnecessary, not that you're not entitled to your opinion, just that disagreeing with GP or stating they are naive because this won't bring about perfect, all-encompassing change is not useful.
And if one target is so critical that it could take out a society, perhaps it would be better to either 1. Make it so minimalistic that it can be fully audited and secured or 2. Broken into smaller pieces and decentralised so they can either qualify for #1 or increase the total cost and complexity of compromise.
E.g. warm blankets at home, and food that doesn't need to be boiled, if you cannot heat the house because the oil and electricity system is broken for a while?
The preppers are the other side of the same coin. The only thing they seem to never run out of is toilet paper. Who the fuck cares? Pentesters have the same energy. They tell you about what software not to use (anything in their automated suite), followed by a bunch of meaningless bullshit. It is a form of anti preparation, it would not have helped Colonial at all.
You talk about crippling, and in the biggest audition for crippling society in the world, time after time it’s the Everyman being an idiot - or a Prepper being too smart for their own good - that is responsible for all the bad.
We shouldn't have widespread shortages for the sake of theoretical people whose existences are structured around 5 gallon commutes and razor thin margins tied with no lines of credit to float a week of double gas expenses.
The reason, which is likely apparent to both of us and everyone reading this, is that such assistance would likely never be put in place, and the only help ordinary folks will have in the event of such an increase is wishful thinking.
And so you suggest hurting the vast majority of people even more?
That's right, your suggested approach of keeping artificially-low-prices-that-allow-hoarding leads to zero gas at the pumps, and zero gas at the pumps hurts the vast majority of people very directly and very effectively.
Allowing prices to float higher in a shortage solves the allocation problem for scarce resources by ensuring that people think twice about how they use it, while keeping it available. Ignoring that the resource is scarce not only doesn't solve anything, it makes the problem worse.
1. More people are hurt by price gouging of products with inelastic demand than hurt by limiting the price increase.
2. A completely floating gas price disproportionately affects disadvantaged folks who have no alternative, even when there are no outages.
I mean, I totally agree with OP, there's a straightforward solution: set up a government program that insulates people from the effects of a floating price proportionately to how disadvantaged they are, and then, after that, let the gas price float. That way we get your idea without hurting anyone! Win-win.
No, your statement is false.
Hoarding cheap gas results in zero gas at the pump, and that is MORE effective at stopping people who need it than high prices do.
That's right, market pricing solves allocation problems that your misguided approach creates.
Even simplistic rationing is at least relatively fair and can ensure at least a base level of availability. For the major necessities this can be pretty reasonably accounted for to ensure nobody suffers from some extreme deprivation.
It also lets you at least put some somewhat predictable cap on how fast resources are going out. Allowing price gouging doesn't let you predict much of anything, and I'm not sure it even slows the outflow given the uncertainty of these situations.
1. only those who really need it buy it
2. others are encouraged to increase supply
For example, before anti-gouging laws, when a hurricane interrupted the gas supply, people from a state over would immediately fill jerry cans with gas and drive into the disaster zone, selling gas out of the back of their pickups.
Anti-gouging laws put a stop to that. Now nobody gets gas until FEMA gets around to it.
I've talked to people who lived through WW2 gas rationing. It was a mess of mis-allocation. People who didn't need their ration turned into criminals selling it on the black market. People who needed it turned into criminals buying it on the black market. It was pure political theater.
Those who buy it are those who can afford it. They also (think) they need it, for some reason. That can include the intention to legally resell it. Buying suddenly comes with even more time pressure. Buying now becomes both a hedge and speculation, with zero legal risks.
Sure, people bringing in supplies on their own sounds good. It can even be good. But how much does it actually bring in? Does it come with other problems, like additional stress on infrastructure? If this really is such a great thing, I don't see how it should be wholly incompatible with anti-price gouging laws. If you want to specifically incentivize private transport of goods from out of the area, you don't have to allow them to be sold for any price, nor do you have to allow it for goods already in the area.
As for the black market, I'm not sure that's a bug. It makes it harder, and adds some risk, to acquiring more. If you actually need it enough, you'll do it. There should be some correlation between actual need and willingness to participate in the black market. With proper use of the discretion available to law enforcement, maybe this even enhances how well the goods end up distributed. That's a big "with" but still.
Rationing implies a black market must be illegal. Besides, it enriches random people who don't need gas, at the expense of the people who went to the effort to supply it.
If that isn't a topsy-turvy unjust, inefficient and inequitable way to run an economy, I don't know what is.
Rationing suffers from the delusion that bureaucratic rules can distinguish who needs something and who doesn't, and denial of the existence of normal human motivations.
But then the outcome would not have changed, the people who hoard will be worse off, the people who produce a valuable commodity will be better off and there is incentive for people to contingency plan and have gas reserves for when things get tight.
That is a strict improvement. Plus, you're probably being overly pessimistic - people will stop hoarding once the price gets high enough. The shelves would not be bare.
> These are not individuals with any knowledge of economics - they're not doing it for trade, they're doing it out of belief.
The people with knowledge of economics don't have much of an advantage though, do they? When has an official body ever been banging the drum before a major crisis issuing panicked warnings? Every crisis it turns out all the people held up as experts had grossly misread the situation.
People with knowledge of economics often get bowled under by people with a knowledge of politics or of statistics when it comes to trading.
Last year when all the grocery stores were running out of staples, I was unluckily traveling for work where there are no grocery stores. Upon returning, I conveniently found that my neighborhood co-op still had eggs because, while almost all eggs had been sold out, no one wanted to hoard $7.50/dz eggs, meaning I had the opportunity to get eggs if I really wanted them. I was able to buy eggs and did so, adjusting my habits accordingly to operate on fewer (but not zero) eggs. Everyone else who had visited that store had the same opportunity, and they also had the chance to compare their own desire for eggs against others' desires to recognize that they could do with fewer, as could I. At the end of the day, having reduced amounts of something I want is way less impactful than having none.
The only problem here is if gas stations talk to each other to set a price, but that is collusion, and is illegal independent of gouging laws.
I'm not buying gold, but the odd thing is that Russian and Chinese central banks are. I would assume those people know a thing or two about economics. I'm curious to see what the future holds.
They’re already the #3 and #1 producing countries world-wide.
No, you've got it exactly backward. People buying it more than ever is driving the price up, and the feedback of higher prices is actually slowing down their purchasing not only by changing their minds, but also because their purchasing budget is spread more thinly.
Maybe. But, I tend to lay the blame with the foreign criminals/adversaries who attacked us rather than a panicky handful of my fellow country people.
Not sure why some here are blaming the victims while giving the criminals a pass, and even thanking them as if unsolicited, live pentesting on critical infrastructure with a side order of extortion is a good thing.
I bet a lot of companies, including Colonial, are investing more in security, including hiring more people for security.
Me: Only if you learn it.
Penetration testing is part of a security program. If you don't have a security program, penetration "testing" isn't useful whether it's painful or not.
Have the careers or investments of anyone significant who brought things to this point been screwed? If not, nothing will change.
As someone with a lot of friends and co-workers who are on the info-sec side, the stories I repeatedly hear of how many times they visit the same company year after year and little if anything is done to harden their networks and impose stricter security on their users are way more common than they should be.
Most, if not all of these networks should be taken offline and siloed, but you know that won't happen now, the genie is out of the bottle. If they did, it would create a much smaller attack surface for critical infrastructure. As it sits now? Doubtful we would go back to that world.
2. Agree that paying leads to bad outcomes. But I also suspect the feds put some pressure on Colonial. Voters remember gas lines and the pump prices.
This was my thought as well. I thought they were in on this before it hit the public media. For me, it was like in the movies when the feds are trying to tap the line and the person is trying to keep the bad guy on the line as long as possible so they can trace the call?
My theory is the feds encouraged Colonial to string it out in order for them to get as much information on the hacking team as possible. From what we're seeing now (bitcoin seized, servers seized) it sounds like the Feds have them nailed pretty good and their gamble paid off.
I'd expect there will be some serious talks about how much to pay to prevent things like this. 5 million, once? Meh, why bother taking security seriously? I suspect the lost revenue is tougher to swallow.
I dunno. You gotta pay every month forever, for protection against maybe something bad happening someday? It's an insurance premium, but you don't get made whole.
I guess I'd expect companies to start paying a little for infrastructure so they can buy good insurance policies. Backups would get you a lot.
It'll be interesting.
Hardware write-enable switches on the drives are 2 or 3 cents.
This is analogous to overspecialization in an ecological niche where there was no predation.
As ransomware becomes more widespread, it becomes more and more detrimental to companies to pursue short-term security savings. That's good for everyone.
These may be the same thing however.
The situation of not being able to tell is pretty good.
At the very least, $5M seems a good start to fund an ongoing effort at developing cyber attack capabilities.
I’m wondering if in the grand scheme of things this could be one more reason to speed up development of solar/wind + distributed energy production.
Nonsense. This is not an academic exercise. Our country is being attacked by "nation states" (do more research) and we need to respond accordingly, treating it as the national security threat it is and making the perpetrators pay a heavy price. If they'd bombed our critical infrastructure, no one would be sitting around saying, "oh this is good for improving our defense. Thank you for dropping bombs on us."
The idea that they are doing us some kind of service and we should just play a game of defensive cat and mouse, hoping for 100% effectiveness (which we know is impossible) is absurd.
Wake up. We're at war.
With whom? And given that nation states have engaged in this sort of thing for years, and that the US/5-eyes/etc also engage in these activities, do you really want to turn a cyber/cold-war into a hot one?
The solution is defense-in-depth, with liability on the providers of software, which will require them to insure, which will raise prices, which will force them to address security as COGS which will force them to reduce their attack surfaces to reduce their insurance premiums.
I didn't say we needed to turn it hot. Where did you read that? But, I do believe this idea that we "shouldn't escalate" emboldens the aggressors.
There is no defense-only solution. Your profile says you work in IT, so you know that.
Why are you against punishing/deterring the aggressors?
Yes, we could "unbomb" it for some amount of money. But, we generally use the term "repair".
But, that's a great point: as long as we can undo the damage for some amount of money (via repair or paying extortion), we should let foreign adversaries dictate the terms on which they'll allow us to operate our infrastructure.
Still, do let us know when you think we should be concerned. 2 more pipelines? 3 more hospitals? 4 more police stations?
$5 trillion ransoms? Maybe? No? Perhaps when infrastructure outages and other attacks cause deaths?
At least according to https://finance.yahoo.com/news/colonial-pipeline-paid-hacker...
Krehel (chief executive officer and founder of digital forensics firm LIFARS and a former cyber expert at Loews Corp) said a $5 million ransom for a pipeline was “very low.” “Ransom is usually around $25 million to $35 million for such a company. I think the threat actor realized they stepped on the wrong company and triggered a massive government response,” he said.
Unless Vlad starts frowning on this behavior, which persists at his pleasure, it may take that (or a seriously escalatory cyber response) to lower the threat to acceptable levels.
Assuming you were in a TV show, and offered two options: Spin wheel 1 with a 95% chance of winning $5M, or spin wheel 2 with a 50% chance of winning $50M, which one are you going to spin? The EV is higher on the second one, sure, but taking the near-certain 5M may still be a better choice - a bird in the hand is worth two in the bush.
Additionally, this group is said to do its research and adjust ransoms accordingly, so it seems likely that the ransom amount was a carefully thought out choice.
Example: Say you have $10⁵, and you have the option to play game 1, which offers a 95% chance of a $5×10⁶ prize, or game 2, which offers a 50% chance of a $5×10⁷ prize. By the Kelly Criterion, the value of a scenario is the expected value of the logarithm of your wealth under that scenario:
• not playing at all = lg[10⁵] = 5
• game 1 = 95%×lg[10⁵ + 5×10⁶] + 5%×lg[10⁵ + 0] ≈ 6.6
• game 2 = 50%×lg[10⁵ + 5×10⁷] + 50%×lg[10⁵ + 0] ≈ 6.3
So game 1 is the best option if you have only $10⁵. On the other hand, if you have, say, $10⁶, then game 2 is the best option.
• pay for security that prevents attacks = lg[company value – cost of security]
• don’t pay for security = attack probability × lg[company value – cost of dealing with attack] + (1 – attack probability) × lg[company value]
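The two games above and the security decision in the last two bullets, worked through as an added example (not part of the original comment); the company value, security cost and attack cost used below are made-up inputs, and the break-even helper is an extra step the comment does not spell out.

```python
import math

def expected_log_wealth(outcomes):
    """Kelly-style value of a scenario: expected log10 of resulting wealth.

    outcomes: list of (probability, resulting_wealth) pairs whose
    probabilities sum to 1. Any outcome that leaves wealth <= 0 is ruin,
    which the log criterion scores as minus infinity.
    """
    total_p = sum(p for p, _ in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    value = 0.0
    for p, wealth in outcomes:
        if p == 0:
            continue
        if wealth <= 0:
            return float("-inf")  # ruin: never acceptable under Kelly
        value += p * math.log10(wealth)
    return value

def game_value(wealth, win_probability, prize):
    """Value of a single spin: win the prize with win_probability, else keep wealth."""
    return expected_log_wealth([(win_probability, wealth + prize),
                                (1 - win_probability, wealth)])

def best_game(wealth):
    """Which wheel to spin from the comment: 1 (95% of $5M) or 2 (50% of $50M)."""
    v1 = game_value(wealth, 0.95, 5e6)
    v2 = game_value(wealth, 0.50, 5e7)
    return 1 if v1 > v2 else 2

def security_values(company_value, cost_of_security, cost_of_attack, attack_probability):
    """The two bullets from the comment: (pay for security, don't pay)."""
    pay = expected_log_wealth([(1.0, company_value - cost_of_security)])
    dont = expected_log_wealth([(attack_probability, company_value - cost_of_attack),
                                (1 - attack_probability, company_value)])
    return pay, dont

def breakeven_attack_probability(company_value, cost_of_security, cost_of_attack):
    """Attack probability at which paying and not paying have equal expected log wealth.

    Solves p*lg[V - C_attack] + (1-p)*lg[V] = lg[V - C_security] for p.
    Above this probability, spending on security is the better bet.
    """
    pay = math.log10(company_value - cost_of_security)
    safe = math.log10(company_value)
    hit = math.log10(company_value - cost_of_attack)
    return (safe - pay) / (safe - hit)

if __name__ == "__main__":
    for w in (1e5, 1e6):
        print(f"wealth ${w:,.0f}: game {best_game(w)} is the better spin")
    # Constructed inputs: a $1B company, security costing 1% of value,
    # an attack costing 10% of value.
    p_star = breakeven_attack_probability(1e9, 1e7, 1e8)
    print(f"security pays off once attack probability exceeds {p_star:.3f}")
```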
Never negotiate with terrorists. As long as they feel there is a chance they will get paid it never stops. Burn it to the ground, but do not give in.
This lesson should have been learned at school. If you give in to the bully you get exploited more.
Sure it's more work to fight. But it makes sure you're not abused so much.
Both amounts are enough for me to never work another day in my life, and instead focus on building what I want to build. Past that massive increase in quality of life extra money is relatively meaningless (to me) .
This is the same reason that people who decry spending money on lottery tickets as a stupid thing to do based on the EV alone are thinking far too simplistically.
That was exactly one of the reasons why I showed that example.
While this may be different for a gang that has to split the money N ways, the "bird in the hand" might still be worth the two (or ten) in the bush, due to this or other factors.
I can start building it now. But after already spending 40 hours a week writing code at my day job and having those problems swimming around in my head all the time it's hard to find the motivation to do more, even when what I do for my day job isn't as creatively fulfilling.
They called this: "The extortion economy: How insurance companies are fueling a rise in ransomware attacks. Even when public agencies and companies hit by ransomware could recover their files on their own, insurers prefer to pay the ransom. Why? The attacks are good for business." 
> ProPublica has found that they [insurers] often accommodate attackers’ demands, even when alternatives such as saved backup files may be available.
What a perverse set of incentives. Insurance companies are paid to manage risk. Risks go up the more they pay ransoms. As risks go up, the risks are more visible, more companies get policies, insurance gets more money. This is bordering or racketeering.
How many times do people on HN say “back up your files”. Certainly that’s the way to do it if you want less ransomware. It’s not sexy, it’s not “visible”, but it will reduce your risk. But apparently, the goal here is to encourage more ransomware.
We had a similar issue with builder's insurance down here in Australia. It was (and still is) cheaper to get insurance than build a quality building. Eventually that caught up with the builders (and they moved to using a separate corporate entity for each building and closing it after the building is built, but that's another story of corruption).
Hmm, so if buying a house, it can be good to first find out if this house is the only one the construction company has built.
> insurance companies make some profit, especially in the beginning
I've gotten the impression that CEOs often don't plan much longer than any bonus program periods?
And, later when getting too expensive, can't they just then start telling the companies to use their backups instead.
Backup media must be append-only unless a physical write-enable switch is pressed.
Physical write-enable switches used to be standard.
I'm not buying the crazy argument that remote update is necessary to remove malware installed using remote update.
Not to mention, rewarding people for bad behavior is never a good idea. I learned this as a child... "If you give a mouse a cookie, then he'll ask you for a glass of milk."
So they have to follow through with unlocking and they have to use an amount of money low enough to make the decision obvious.
5M, 50M, 500M, 5B, 50B?
I wonder how the government would react if a hacker group held gas/power/clean water/etc. hostage for millions of Americans for a ransom in the tens of billions
The “utility” acting in Flint was state and state-imposed local government officials, 9 of whom have been criminally indicted for their role, so manifestly the government has something of a problem with it.
Transcript of Whitehouse Press Briefing: https://www.whitehouse.gov/briefing-room/press-briefings/202...
In the grand scheme of things it's very low likelihood we'll see any level of prosecution for this incident in the next year or two, if ever. And even then it will likely only result in attribution in a random report a year from now with no actual consequences for the attackers.
The final thing is the amount of money isn't extraordinary. As others have said it's mostly a rounding error in annual revenue that passes books of a company like this.
The insurance may demand better practices for lower premium in turn
Basically the large oil firms know they hold all the cards so they regularly delay payment as long as possible.
This problem needs to be solved at a collective level.
My guess is they lowballed - $5m is considerably less than other payments I have seen them take before for a much bigger catch.
You can’t hire cleaners. Site cleanup is suspended. Your insurance is invalid if workers are onsite while hazmats are left uncleaned. You shut down on the day you were about to ship a full warehouse of product. Manufacturing grinds to a halt because the outbound warehouse is full. You have to cease goods incoming because they were misusing the day-labor app for handling delivery grunt work.
Ph0bos Security Services also hacked your email so now everyone has to use personal phones and WhatsApp but upper management won’t share their numbers with anyone except the foreman so he is now the bottleneck for everyone who needs approval to make out of budget purchases to handle the capacity overload that’s happening everywhere except for hazmat cleaning.
But the pumps were airgapped so at least they didn’t get hacked.
At some point it will wake up the authorities to go after them more seriously too.
$5m was 100% a lowball because of the geopolitical implications of this attack.
If you think it's about the ransom though, think bigger. Can you even imagine how many billions of dollars silicon valley is going to make off it? They just paid Microsoft dozens of billions for some AR glasses.
How much for some software to prevent cyber terrorism? How much did TSA get to secure planes? $8 Billion/yr.
$18 Billion for border protection.
How much for cyber border protection? $100 Billion? Where will it go? Google? Microsoft? Palantir? Facebook? Twitter? Amazon?
They haven't even gotten started. $5 Million is pennies. Rounding error.
Even if they don’t pay, the scammers buy puts on the public stock for the companies they’re ransoming so they profit off of blowing them up too.
I’d imagine that’s easier to track and stop, but it’s interesting.
Also, just a cool thing
There are like tons of attacks like this that are possible and they demonstrate those at the booths
I've seen similar patterns and so I was surprised by this.
Not paying the ransom would have been tantamount to complete dissolution of the company. It would have triggered a much wider investigation into the company with shareholders abandoning it as the outage dragged on at the hands of an incompetent leadership.
Unfortunately it seems to have been a Pyrrhic victory as paying the ransom puts their shareholders at risk of serious sanctions and indictment from the US Dept. of the Treasury.
This would have the beneficial side effect of flushing all the incompetent paper-pushers / requirement-box-checkers out of the security industry.
If you're found vulnerable, that's a fine. If something gets accidentally broken in the exercise, that's the price of commitment.
Nothing is going to change until you increase the frequency / likelihood of breaches for these companies. If it's a yearly cost, it gets addressed. If it's a catastrophic possibility, it gets ignored.
What happened to the responsibility of corporations for corporate security? Including corporations that are the victims of attacks, and corporations that sell buggy operating systems and applications?
Why does the government have to provide the red teams? The general attitude is all government agencies are wasteful and incompetent, except in this circumstance where the wealthiest corporations in the history of the world apparently can't spend enough to fix their own crap. But the government not only can but should??
This just sounds like externalizing costs to the public while banking record private profits.
How about rather than subsidizing software corporations we talk about liability laws and fines, like any other physical industry that releases dangerous, broken products. Or an insurance system that is funded by a portion of the profits the software industry makes. Then we're actually making the software vendors feel some pain which will incentivize them to release higher quality code.
The problem does not fix itself until the investors start truly losing money, the care, unlike the Equifax case. Until the portfolio value cannot go down 90% there is not going to be a change in corporate actionism.
The govt only has a relative abundance of talent [largely interspersed with its contractors] in highly regulated activities like making nuclear weapons, where private entities don't participate.
I guess the government could legalize ransomware hacking to encourage it, but that'll never happen.
This (almost certainly) isn't true. It may put management at risk of sanctions, but shareholders are shielded by the corporate veil.
I say "almost certainly" because in some cases prosecutors can go after shareholders, but this is limited to cases where a specific shareholder is involved in decision making.
Since healthcare is so heavily regulated it’ll be interesting to see what repercussions come of this. The company has been mostly silent on the matter despite it being severe enough that you can’t even get to their website.
Treasury doesn’t indict anyone, that’s Justice’s job.
And this isn't a car, this is infrastructure with national security implications. Someone needs to go and do time.
There are lots of infosec openings across the country but compensation doesn't seem to be rising in response. It appears that companies are fine with leaving these positions open for long periods of time. As long as the position actually exists, they're not all that concerned with filling it. This might be complacency creep. Everyone staffed up after the cluster of breaches that happened around the time of the Target and Equifax breaches. A lack of other high profile breaches or attacks might be why many companies have become lax in keeping their staffs full.
This is not a failure to live up to potential or incompetence, though there is a fair amount of both of those. We need solutions that are literally 100x better than the best systems currently available before we get to even adequate for critical infrastructure whose disruption can literally cause hundreds of millions or billions of dollars in damage let alone potential human lives. Anything less than that keeps extortion economically viable for the attackers and paying off extortion economically sound for the victims. That is how far away we are.
And yet Apple still manages to keep its private signing keys secure. Even from the FBI.
Like how the FBI paid $900,000 to do so and get exactly what they wanted (at least with respect to the phone) in the San Bernardino case which you are referencing? Or how the going price for an iOS zero-click remote code execution with persistence, which basically gives you the ability to arbitrarily compromise any iPhone at any time, on Zerodium is $2M? You can get effectively the same outcome as stealing their signing keys for $2M or less in a way that is far less traceable or detectable. There are so many ways in and to get what you want that the fact that one of them, which is not even clearly the best or easiest way, being untouched is not exactly a cause for celebration or indicative of the quality of that defense. The cash register being untouched because the safe door was wide open is not exactly a very compelling security story. So, no, they do not reach the $10M level. Not even close.
Even if that's true, it doesn't affect backups.
Back your fucking systems up properly, and if you are attacked by ransomware, then do a scorched earth restore.
As for how you attack the backup system it depends. If it is push based you send your payload during the push. If it is pull based you craft your payload in the data that will be backed up. If it is not append-only you can easily nuke the entire available history. If it is append-only, but that is only done in software you just need to take over the software. If it is in hardware you just infiltrate then silently encrypt any new data until it would be painful to revert that far back in time. Given that the mean-time to discovery is on the order of months that is quite painful. If they regularly test their backups you just silently decrypt the data on restore until it is time to strike. There are plenty of ways to beat vulnerable backup systems in that sort of budget.
Like, seriously, with a $5M budget you can literally purchase and burn multiple zero days for every system in the chain and still come out ahead. You can hire 10-50 full time software engineers for a year per attack. Most systems have serious vulnerabilities discovered by lone individuals working for a few months in their free time let alone a team of 50 people. The current backup systems survive because most of these attacks are being done with budgets closer to $10k-$100k to maximize profit and growth rate and that is not really enough money to pay for the second arm of the attack. But with a $5M return they could easily allocate a few million to capitalize on the opportunity if that is what is needed once all the juicier targets have been eaten.
Two friends are in the woods, having a picnic. They spot a bear running at them. One friend gets up and starts running away from the bear. The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching.
“Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend. “You can’t outrun a bear!”
“I don’t have to outrun the bear,” said the second friend. “I only have to outrun you.”
In our scenario, the bear is the ransomware attackers, and Colonial Pipeline is one of the runners.
There are hundreds or thousands or tens of thousands more runners that the bear can go after.
You don't need to have perfect security over every aspect of your operation (though you should of course aspire to that). In particular you don't need to give up because in theory someone could infiltrate your offsite backups.
You just need to make things hard enough that the ransomware guys will go after an easier target.
No, reality is more like the story of the dodo. A vast quantity of delicious prey that nobody was eating because nobody knew about them. Then they were discovered and some predators showed up but there were not enough to eat all of them. But then more and more predators showed up to exploit the vast untapped resource until they were all eaten.
We are still in the middle of that process which is borne out by the fact that the frequency of attacks has been increasing on the order of >100% per year and average demands per attack have been doing something similar. That is an utterly ferocious rate of growth that will soon be enough to attack not just the juiciest targets, but every profitable target in a few years.
Being slightly faster or slightly less delicious will not help when there are finally enough bears to eat everybody.
Barring a Mr. Robot hack of the institution and Iron Mountain to burn the tapes, the absolute worst-case scenario in a ransomware attack on a financial institution is an afternoon of data lost.
Backups are not the end of the story unless you are dealing with attackers with only $10k to their name which is essentially what everybody without backups is losing their minds over and being defeated by. That is a literal rounding error of a rounding error of a rounding error for the financial industry. People spend more on lunch than that. A moderately sophisticated attack with a few million behind it is literally 100x the resources of most of these attacks and that is still just a microscopic pittance compared to the financial industry. Think about that, if you want to reach the $1M level you need a system that can defend against an adversary with 100x the resources of a basic ransomware attack. The gap is so large that the capabilities fundamentally change and intuition for how to defeat a $10k attack does not generalize.
And, we have not even considered a system that would even be considered barely adequate for the financial industry. If you want to get to something barely adequate for the financial industry, like say protecting against an attack funded to a level comparable to one day of disrupted operations for JP Morgan, you would need to protect against an attack on the order of $500M, literally 500x more than those "good" systems and 50,000x better than these basic systems. The gaps are ludicrous and the lessons at one scale do not really apply when you go up another 2 or 4 orders of magnitude.
What does "infiltrate" mean here? An insider?
> painful

They regularly test their backups? You just silently decrypt the data on restore until it is time to strike.
Interesting, I was just going to ask
It’s well, well, well known that working in ICS security as a security engineer means aggressively lower salaries to secure horribly insecure, outdated tech in a low funding environment.
That’s just a known fact.
The other problem is that the industry has an oversupply of by-the-book certified security people who can configure firewalls and run scanners, but who have never dealt with live hackers or hacked anything themselves. But hackers are clever and artistic, and defending against them isn’t like following a recipe for baking a cake.
And as an employer looking to introduce security, there is no way to really evaluate a good security leader vs a charlatan, and then it’s either bad hires all the way down, or talented people on the bottom who lack leadership and are ineffective in the bureaucracy.
* making sure you have all your ports locked down
* limit connectivity between all instances to only the bare minimum
* any public access is via protocols such as ssh which have zero-to-none vulnerabilities
* any 3rd party software you don't know is secure should never be public
* routinely run employee training on how not to let themselves get hacked via social engineering
I'm sure I'm missing other stuff, but I feel like if you follow these "best practices", you have just made yourself a very hard target and hackers will probably skip over you unless they have some weird reason to target your org specifically. So for 95% of companies out there, this level of security should be sufficient.
I'm legitimately asking - is this sufficient? Or are hackers so creative that even following these basic rules will still not make you a hard target?
This stuff seems fairly easy to do but I agree you need training or an info-sec person making sure your dev teams are doing it all. You can't have any slip ups. Your devs / managers have to take it seriously.
In particular, "routinely run training" might reduce the probability of a breach due to social engineering, but it probably won't.
You also didn't really cover client machine security, which is how compromises often happen. Your awesome security isn't worth much if the admin's machine is compromised.
Your employees need to use computers to do their job. As part of that, they will need to browse the web, which they will do with one of the major browsers. This browser has unknown 0-day vulnerabilities. Whatever security measures you implement must not disrupt business.
They may also need to plug in USB drives. These can come with malware. Whatever security measures you implement must not disrupt business.
They may also need to open documents, possibly with macros. Whatever security measures you implement must not disrupt business.
Your "basic rules" will at best prevent the - still extremely common - social engineering based attacks, but they still won't reliably keep an attacker out of your network. The attacker will compromise a random person, find some company-wide writeable shared network drive (that you didn't even know about) where a team shares their executables, replace one of those, compromise more machines, escalate to domain admin credentials through one of the many ways that exist, then use your own fleet management system to push their backdoor to your entire fleet.
For good security, you need for example:
- an overview of what assets (computers etc.) you actually have
- a decent way to manage these assets
- monitoring so you can hopefully detect when (not if) a compromise happens
- many layers of defense in depth that slow down attackers and limit what they can do once they've compromised one part of your company
- technical barriers to prevent social engineering attacks (binary whitelisting, strong multi-factor authentication)
- protection against insider risks
- physical security
and that's just a few things that popped into my head, the actual list would probably not fit whatever post length limits HN has. And of course all of this needs to be implemented with the limited budget the company is willing to give you, without disrupting the business, etc.
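The attack path in the comment above (compromise one user, find a company-wide writeable share where a team keeps executables, replace one) is cheap to check for. The following is an added example, not code from the thread: it walks a share export and lists executables whose parent directory is world-writable. It assumes POSIX permission bits (a Linux or Samba file server mounted locally); on a native Windows share you would evaluate the DACL with icacls or the Windows security API instead. The extension list and the mount path are constructed for the example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Constructed list of file types an attacker would swap for a backdoor.
var executableExts = map[string]bool{
	".exe": true, ".dll": true, ".msi": true, ".bat": true,
	".cmd": true, ".ps1": true, ".vbs": true, ".jar": true,
}

// Finding is one executable that any user of the share could replace.
type Finding struct {
	Path    string
	DirPerm fs.FileMode
}

func isExecutableName(name string) bool {
	return executableExts[strings.ToLower(filepath.Ext(name))]
}

// worldWritable reports whether the "others" write bit is set on a directory.
// Assumption: POSIX permission bits (Linux or Samba file server). On a native
// Windows share this bit is meaningless; evaluate the DACL instead.
func worldWritable(mode fs.FileMode) bool {
	return mode.IsDir() && mode.Perm()&0o002 != 0
}

// ScanShare walks root and returns every executable whose parent directory is
// world-writable. Such a file is the "replace one of those" step: a single
// phished account is enough to plant a binary that other machines will run.
func ScanShare(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !isExecutableName(d.Name()) {
			return nil
		}
		parent, err := os.Stat(filepath.Dir(path))
		if err != nil {
			return err
		}
		if worldWritable(parent.Mode()) {
			findings = append(findings, Finding{Path: path, DirPerm: parent.Mode().Perm()})
		}
		return nil
	})
	return findings, err
}

func main() {
	root := "/srv/shares/teamtools" // hypothetical mount point of the share
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := ScanShare(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s (parent dir mode %o is world-writable)\n", f.Path, f.DirPerm)
	}
}
```

Run it against each mounted share from a scheduled job and diff the output over time; a new hit is either a team that just created the problem or someone who already exploited it. The check is deliberately narrow (directory bit plus filename extension) so that it stays cheap on shares with millions of files.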
As the "security guy", you're seen as the troll under the bridge. Someone to get past via any means necessary, including lying.
But lets say you get your way.
"making sure you have all your ports locked down"
You can't imagine how much work this actually is on a network with 1,000+ servers running at least 10,000 distinct pieces of software. Most of which don't document their firewall requirements.
Oh, did you know that Active Directory domain controllers -- the single most valuable attack targets -- require essentially all ports open to all computers on the network?
What is your firewall going to do when all modern software communication is over HTTPS and "looks the same"?
How are you going to firewall off just one modern server with 200 Gbps Ethernet? Do you have any idea how much you'd have to spend with CheckPoint or Juniper or Cisco or whomever to do that?
"limit connectivity between all instances to only the bare minimum"
That lasts right up to the point that the shouty guy in finance that talks directly to the CxOs wants PowerBI on his desktop to be able to pull in data directly from all the databases. Did I say desktop? I meant a laptop on unencrypted airport WiFi.
"any public access is via protocols such as ssh which have zero-to-none vulnerabilities"
You don't get to choose the software. Windows doesn't use SSH for anything, and can't be made to.
Also, if you know anything about ransomware attacks, you would know that protocol encryption does nothing to even slow them down. If anything, it makes detecting attacks harder!
"routinely run employee training on how not to let themselves get hacked via social engineering"
Meet Mr Bell's Curve, and its unavoidable left hand side. Some people are just incorrigibly stupid and will routinely fall for phishing attacks, no matter how much training they receive. At any large corporation -- the type worth ransoming -- these people are inevitable. You, Mr Security Person, don't work in HR and don't make hiring and firing decisions.
"I'm sure I'm missing other stuff"
You're missing the fundamentals of the problem, which is that as a security guy:
- You must come up with security solutions that work in the face of morons.
- You must be able to secure software written by morons with no interest in, or ability to write secure code.
- You must do this without impacting the business in any material way, because if you stand in the way of anyone more senior than you -- even once -- you'll never be listened to again.
"Or are hackers so creative that even following these basic rules will still not make you a hard target?"
Currently, for any large org above about 1K staff, security against targeted attacks is basically impossible. Certainly not financially viable. Your competition will not spend the money, make more profit, pay out the ransom, and come out ahead of you.
Oh come on. It is just an excuse. Look up what FAANG pays for those jobs ( total compensation ). Pay 2x. Get people from FAANG to work for you.
Any software engineer can do security if they spend time learning and working on it. But executives don't seem to care about it.
Being hit by ransomware is not an indicator of total IT incompetence.
Having no good options but to pay the ransom absolutely is.
All ransomware is doing is exposing the existing hope-based DR plans (that is to say, lack thereof) in the industry.
Part of paying the ransom is the promise that the ransomer will not just unlock your system, but will also delete all the data they downloaded (which often includes a pile of PII that the ransomee doesn't want published).
This is just flat out wrong.
"Hiring some guy with an infosec cert would not have stopped this attack, because there is no way to stop this kind of attack."
Also, a lot of infosec positions are just chugging through audits and ticking boxes to say whether you have some control in place or not. Those are more clerical positions that don’t require deep technical knowledge that could command a higher salary.
Then, paradoxically, you aren’t actually punished, but usually rewarded, when you do get hacked. That’s the one time you’re needed most, and you get to act like the hero for saving the company.
If I’m a leader in a company with a culture and intangibles not yet optimized for the people working in the infosec roles, how would I approach changing the environment for the better?
Is it viable to cooperate with other companies to share best practices? Wouldn’t they hesitate to share?
Would doing deep interviews with potential employees get me the right information?
Would some HR consultancy provide this info? Aren’t they too old-fashioned for this field yet?
Rotate the keys periodically and sweep all unstolen bitcoin into a bonus fund split between everyone who had access to the machines which held the private keys. Give devops real skin in the game for keeping boxes secure.
Could also develop a convention for deriving private keys from security secrets - make it so if someone gets your AWS root key, they can test the credentials to see if the company has offered enough funds that they are willing to announce (and thus burn) their access by transferring those funds away. I wonder if you could 'license' these coins in a way that it would be legal (or at least more-legal) to take them without prior consent: if there was a legal means to monetize 'misplaced' credentials many hackers might choose that over the legally riskier and less-moral traditional alternatives.
Credential rotation would certainly be more fun if it meant I was going to get a bonus!
Also make the dollar amounts relatively low so an insider is unlikely to risk their position. $1000 is a lot to someone who doesn’t care but is foolish for someone who passed a security check to get access.
If they've gained access, they'll just do their normal thing and then right as they're doing it empty out the wallets. $1000 is not going to deter them from a multi-million payday.
There are world currencies used by 100M+ people that are worth less than a sat today (IDR). In a short while it’s more like 1B+ as BTC grows rarer.
I thought the protocol for these attacks was to send the decryption keys, not provide a "decrypting tool."
If some kind of software was provided by the attackers, and Colonial installed it, this could be far from over.
Also, if the company has backups, then why not use them instead? If they're incomplete, then that's the real problem.
More charitable reading is that the encryption key was sent over, and they started restoring with that but using standard OSS tooling.
This is a fundamental misunderstanding of the ransomware business. The whole reason people pay up is because the hackers don't run and leave you hanging; if you pay they will decrypt your data. Trust and convenience are essential to making this work.
Perhaps a few cases of high-profile companies falsely claiming "wow, what a load of shit! we got ransomed and after paying up the hackers disappeared! we had to restore from backup, AND the money is gone".
What are the hackers gonna do, sue those companies? :-)
Oh yes they can.
Also, assume you have the key - what do you do with it? You don't know how the files were encrypted, in which way they were stored afterwards, etc. There are many ways one can encrypt and write data, even with the same key - you obviously need the algorithm, but also there are often parameters (e.g. block sizes), storage formats etc. The easiest way to deliver all that is to provide a program.
Otherwise, what a random "press any key" IT person would do with an encryption key? They probably don't even have any tools that can do encryption on any of the systems. Do they have to write those themselves? Use OSS tools - which ones? With which parameters? What if it doesn't work?
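The two comments above make the point that a key alone is useless without the container layout. As an added example (not the thread's code, and not modelled on any real ransomware family's format) here is a hypothetical container: a 4-byte magic, a 12-byte nonce, a length-prefixed original filename, then AES-256-GCM ciphertext with the header as additional authenticated data. `DecryptFile` knows the layout; `NaiveDecrypt` has the right key and the right algorithm but guesses the layout, and the authentication tag rejects it. The magic string, the layout and the sample filename are all assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical container magic for this example only.
const magic = "XMPL"
const nonceSize = 12

// EncryptFile produces the constructed container:
//   magic(4) | nonce(12) | nameLen(2, big-endian) | name | AES-256-GCM(ciphertext || tag)
// The header is bound to the ciphertext as GCM additional data, so a decryptor
// that ignores or mis-parses the header cannot authenticate the file.
func EncryptFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var hdr bytes.Buffer
	hdr.WriteString(magic)
	hdr.Write(nonce)
	binary.Write(&hdr, binary.BigEndian, uint16(len(name)))
	hdr.WriteString(name)
	aad := hdr.Bytes()
	return append(aad, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// DecryptFile parses the container exactly as EncryptFile wrote it and returns
// the original filename and plaintext. This is the knowledge a "decryptor
// program" carries and a bare key does not.
func DecryptFile(key, blob []byte) (string, []byte, error) {
	minHdr := len(magic) + nonceSize + 2
	if len(blob) < minHdr || string(blob[:len(magic)]) != magic {
		return "", nil, errors.New("not an XMPL container")
	}
	nonce := blob[len(magic) : len(magic)+nonceSize]
	nameLen := int(binary.BigEndian.Uint16(blob[minHdr-2 : minHdr]))
	hdrLen := minHdr + nameLen
	if len(blob) < hdrLen {
		return "", nil, errors.New("truncated header")
	}
	name := string(blob[minHdr:hdrLen])
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", nil, err
	}
	pt, err := gcm.Open(nil, nonce, blob[hdrLen:], blob[:hdrLen])
	if err != nil {
		return "", nil, fmt.Errorf("authentication failed: %w", err)
	}
	return name, pt, nil
}

// NaiveDecrypt is what someone holding only the key might try: "12-byte nonce
// up front, everything after it is ciphertext, no additional data". Same key,
// same algorithm, wrong container parse, so GCM reports an error, not plaintext.
func NaiveDecrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("too short")
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	blob, _ := EncryptFile(key, "payroll.xlsx", []byte("constructed sample contents"))
	name, pt, err := DecryptFile(key, blob)
	fmt.Printf("known layout: name=%q plaintext=%q err=%v\n", name, pt, err)
	_, err = NaiveDecrypt(key, blob)
	fmt.Printf("guessed layout with the same key: err=%v\n", err)
}
```

With an authenticated mode the wrong parse yields an error rather than garbage, so the victim cannot even tell how close the guess was; that is why the practical deliverable is a tool that embeds the format, and why the "press any key" IT person in the comment above gets nowhere with a hex string alone.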
Uh, why? The system is already compromised. They’re already in.
One would hope they'd just run the decryption program on each computer, not connected to the network. Or maybe hire some experts to extract the decryption key.
That would make a lot more sense but I also bet there's a non-zero chance that in a day some dumb media outlet will conflate those tools as "hacker tools" and the headline will be "Hacker tools used in Colonial pipeline hack available freely on Internet. News at 10."
Thinking $5m is a "high" ransom, thinking that there is no way they would send a decryption binary rather than a key.
Why don't you just actually research how these schemes function before commenting? The team that did this has a pretty consistent MO and five million was a massive discount.
To be fair, malicious code has already run on the affected machines, so if the ransomware authors wanted to do further damage they wouldn't need a malicious decryptor to do that.
So you'd either:
1) not trust the ransomware authors, rebuild everything from scratch (potentially paying the ransom and reverse-engineering the decryptor or running it isolated from the internet) and make sure to not carry over any executable code that could allow potential malware to persist
2) trust the ransomware authors and not rebuild everything, in which case you may as well run their decryptor
It's a simple matter of copy-pasting the key into a box, and the decryption will happen.
Over a slow network link (like a VPN to a remote NAS), I could totally imagine it taking days/weeks/months to scan every file though...
Consider that most victims are small fry who would not know what to do with just a key.
Fair, but anyone who pays me $5M and wants a powershell script gets one, and an air freshener of their choice.
If anything they’re working on speeding up their decrypting tool for the next release :)
I’m sitting here wondering what exactly about the release of their financials and internal procedures prompted them to immediately pay $4-5m in the hopes of preventing it from happening?
If the threat was to release sensitive information, surely the firm would be asking the attackers for details of the sensitive information they claim to have.
If the attackers come back with nothing then it was just a bluff.
However if the attackers come back with real information, then paying the ransom is just stupid, as the attackers still have the sensitive information and can repeat the payment demands ad infinitum.
I can't even begin to imagine the amount of people that could cause an issue in the size company you are a CISO at.
Clearly, you can never make it literally impossible, but to my knowledge, nobody has ever managed to get malicious software onto a classified production system. Information leaks are, of course, another story.
Are these (i suspect not) published anywhere as "Three letter agency network security standards"?
The types of ransomware attacks we see today might not be preventable as well, every company on the planet will get or was already hit. But, the difference between the attacks: the amount of damage. If money is spent on security, that amount will certainly be smaller.
The US legal system is not capable enough to allow for large pipelines.
Also, this and coal are the sort of stuff that nuclear replaces...
Nuclear is fine for baseload, but no good for anything else, costs a fortune, has huge externalized waste processing costs, and is inherently not fail-safe using actual deployed designs.
Regarding base load, my suspicion is that SMRs inherently accommodate transients better because leakage becomes a bigger factor and starts to compete with poisoning effectively, so maybe you get more bang for your buck out of influencing the moderator. Regardless, even if it's only ever good for base load, that's a lot of ground nuclear could still cover in the US.
Finally, the cost of nuclear comes mostly from the aggressive safety standards. There's space to fix some of that (enormous cost to the fact that radiation workers typically experience less exposure than aircrews) and also space to acknowledge that we're lowballing standards in fossil fuels, with pipeline leaks and ransomware compromise being easy examples. That's before you talk about the pollution released by fossil fuels, including the radioactive contamination released by mining and burning coal.
Not a rhetorical question at all. To me, the idea that the infrastructure we rely on is controlled by middle managers with no sense of urgency and no grasp of their domain looks like the real fridge horror story here. On the other hand, I have learnt better than to trust everything I read in the press; thus the supposedlies. Either way, "the decryption tool is slow" is not an excuse to not deliver essential supplies.
That is what can often create bank runs and created the "great toilet paper shortage of 2020".
And the toilet paper shortage was not purely panic-driven. People did shit at work before the pandemic, and that part of demand switched to a different supply chain. The panic-induced bullwhip was probably stronger than the original demand spike, but the whole thing wasn't just memed into existence.