Author Rita May Brown (not Einstein) said “insanity is doing the same thing over and over but expecting different results”. In the wake of a relentless wave of supply chain attacks, security leaders must heed this famous line and change their approach. When relying on traditional prevention-based strategies, victims have faced costly and humiliating results time and time again. We need to do things differently.
Same pattern, different provider
The Kaseya breach hit thousands of victims earlier this month as part of a complex targeted attack, with attackers exploiting a vulnerability in its VSA software to reach around 1,500 small to medium businesses (SMBs). In Kaseya’s report of the damage done, it was clear smaller organisations with thinner wallets, such as dentists, architectural practices or libraries, were hit hardest and held to ransom. For attackers, this made economic sense because Kaseya served as an efficient distribution hub for their software. Kaseya VSA, the company’s widely-used SaaS offering, became the unwitting delivery system — at the service of the black hats.
But the Kaseya attack wasn’t the first of its kind, and it certainly won’t be the last. Threat actors followed the same strategy in the SolarWinds attack in late 2020. There too, infiltration of one SaaS vendor victimised a long list of targets. What’s more, the apparent culprit in the Kaseya attack – the Russia-linked REvil – is also believed to be responsible for the recent ransomware attack on international meat processor JBS.
However, more than six months after the SolarWinds breach was first disclosed, still not enough has been done by organisations to carry out systematic security audits of their managed service providers and SaaS vendors.
Most of us are not revisiting our cyber preparedness posture with even half the urgency that’s now appropriate. The similarities between the SolarWinds, Colonial Pipeline, JBS, and Kaseya attacks are obvious enough. They give us a clear pattern to follow, but we’re still not reacting.
A lack of reaction
Procrastination is a part of human nature, and in the business world half a year isn’t long at all. But investing in preparedness is always going to be preferable to managing a crisis. After the SolarWinds attack, Vectra surveyed 1,112 security professionals working in mid-to-large-sized organisations. The research found that security teams were still confident in the effectiveness of their own company’s security measures. Nearly four in five claimed to have “good” or “very good” visibility into attacks that bypass perimeter defences like firewalls.
The reality is that no application, network, or data centre is bulletproof. If an organisation’s decision-makers rest on their laurels when preparing to fend off hackers, the chances are they aren’t equipped with the tools they need to succeed.
In the aftermath of Kaseya, we are reminded that complacency can exact a terrible price. With the risk of harm no longer limited to sprawling enterprises with deep pockets, the incident should trigger new security discussions across IT departments of every size.
Learning our lesson
After the SolarWinds attack, we said it would take months to figure out the full scope of the damage done; now we are saying exactly the same thing about the Kaseya ransomware attack. However, we should be optimistic that, as a digital society, we will connect the dots and turn this tide.
It’s clear that when companies become more reliant on data storage and SaaS solutions outsourced to the cloud, there will be heightened risk. We need to accept this and act accordingly.
This means:
- Organisations need to do more to bolster their ability to halt an attack before it becomes a breach – that means putting in place more advanced threat detection that can reduce the time it takes to spot threats.
- Technology suppliers of IT infrastructure software need to show incredible diligence in finding and patching vulnerabilities in their software, and need to advise (and possibly enforce) best practices on how their software is deployed.
- Managed Service Providers (MSPs) need to reduce their attack surface to the absolute minimum. That means reducing their internet-facing footprint, and forcing necessary access to such servers through hardened bastion systems with multi-factor authentication.
- When your business relies on a product like Kaseya VSA, you’re only as secure as your provider, so there should also be fresh scrutiny of SaaS subscription relationships, and the security policies of managed service providers. This has to be a top priority for organisations, so they can secure partners and their customers too. Ultimately, in the current security landscape it’s the customers who are left to pay the ransom demands.
A moment for change
For years we’ve understood the virtues of network monitoring to aid in the rapid detection of potential breaches. US President Biden’s May 2021 executive order made attack detection, investigative and remediation capabilities priorities for the US federal government. Business leaders worldwide must now respond to the Kaseya ransomware attack by hastening their migration to a more effective cyber security strategy.
Each publicly-disclosed security incident can have a positive effect, arming organisations with valuable lessons to learn – but we have to be listening. Let’s hope that the misfortunes suffered by recent victims will cause more organisations to take notice, and that in the future this will be remembered as the tipping point that led eventually to a better security posture.