Tuesday, August 22, 2023

Yet Another Glitch In The Matrix

It's about that time again, isn't it? It's been a while since we've had a significant (or, depending upon your perspective, radical) shift in the cyber crime ecosystem, so maybe we're due.

What am I referring to? Back in 2019, we saw a shift in ransomware attacks, where threat actors began not only stealing data, but leveraging it as "double extortion". Up to that point, the "plan" had been to encrypt files, maybe post something publicly to let the world know that this organization had been impacted by your efforts, and hope to collect a ransom. The shift to "double extortion" moved things to a whole new level, and while there's some discussion as to whether this started in November 2019 with Maze, or if it actually started sooner...some have anecdotal information but cannot point to any public statement to that effect...the fact remains that the game shifted. In the ensuing four years, we've seen quite a bit of damaging information released, and maybe none was more disturbing than what was discussed in the ransomware attack against Minnesota Public Schools in Feb, 2023. The school system refused to pay the ransom, and the stolen data was released publicly...even a brief reading of what was in the dump gives you a look into the devastation caused by the release of this data.

Something else to consider is the impact of the insurance industry on the cyber security market, a topic that was covered extensively by Woods et al. at USENIX. In recent years, the insurance industry itself has moved away from the initial surge of issuing policies and toward more stringent requirements and attestations that affect both the premium and the policy coverage.

So, what?
Okay, so, what? Who cares? Well, here's the change, from @HostileSpectrum:

Threat actors monetizing nonpayment negotiations by issuing their own authored breach reporting...

Yes, and that's exactly what it sounds like. Not convinced? Check out this LinkedIn post from Dr. Siegfried Rasthofer, regarding the Snatch ransomware actors; "...contact us...you will get a full access gaining report...".

I know what you're thinking...so, what? Who cares? The org files a claim with their insurance provider, the provider recommends a DFIR firm, that DFIR firm issues their report and it'll just say that same thing, right?

Will it?

What happens if counsel tells the DFIR firm, "...no notes, no report..."? RootkitRanger gets it, sees the writing on the wall, as it were. No notes, no report, then how is the DFIR analyst held accountable for their work?

Why is this important? 

For one, there are insurance provider war exclusions, and they can have a significant impact on organizations. Merck filed their $1.4B (yes, "billion") claim following the 2017 NotPetya attack, and the judgment wasn't handed down until May, 2023, almost 6 years later. What happens when the attribution based on the DFIR firm's work and the decision made by counsel goes one way, and the threat actor's report goes another?

We also need to consider what happens when attestations submitted as part of the process of obtaining a policy turn out to be incorrect. After all, Travelers was able to rescind a policy after a successful attack against one of their policy holders. So, in addition to having to clean up and recover, ICS did not have their policy, their safety net, to fall back on. What happens when the threat actor says, "...we purchased access from a broker, and accessed an RDP server with no MFA...", and the org, like ICS, had attestations stating that MFA was in place?
