- As the Labor Day holiday looms, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are urging companies and public sector organizations to consider proactive threat hunting and create offline data backups to protect against ransomware attacks, citing recent incidents that took place over holiday weekends.
- Though there is no information pointing to a specific pending attack, the agencies warned that several recent ransomware attacks — including the Kaseya attack over Independence Day — took place over extended holiday weekends.
- "Ransomware continues to be a national security threat and a critical challenge, but it is not insurmountable," Eric Goldstein, executive assistant director for cybersecurity at CISA, said in the announcement. CISA continues to "collaborate daily to ensure we provide timely, useful and actionable advisories" to help industry and government partners to defend their networks and increase resilience, he said.
Before the ransomware attack against Kaseya by the DarkSide organization, DarkSide also struck Colonial Pipeline over the Mother's Day weekend (although not a legal holiday), and REvil began an attack over the Memorial Day weekend against JBS USA, one of the world's largest meat processing firms.
The FBI and CISA alert encourages organizations to implement specific threat hunting techniques that will allow them to detect any unusual movements in their IT systems and potentially thwart an attack before data is exfiltrated. These techniques include:
- Understand the routine IT activity and architecture by establishing a baseline: Companies should deploy behavior-based analytics to understand times and locations where regular users log onto a network. This will help detect anomalies.
- Review data logs: Understand routine performance data and search for anomalous trends, including numerous failed file modifications, increased CPU usage, inability to access certain files and unusual network communications.
- Employ intrusion detection and automated security alert systems.
- Deploy honeytokens, which are often fictitious accounts planted in a system in order to lure malicious actors and detect lateral movement.
Cybersecurity researchers urged organizations to remember that threat actors tend to lie in wait for days, weeks or months before they go public on a ransomware target.
"As we have seen with other attacks, many attacks remain latent (dwell time) within an organization for long periods before launching a full-blown attack," Darren Williams, founder and CEO at BlackFog, said via email. "They can easily traverse within an organization during these quiet periods and careful monitoring is essential for detecting unusual behavior."
Attackers typically activate late in the evening or early in the morning when users are offline, Williams said. During this time payloads can communicate openly with command-and-control servers, which are in many cases located in China or Russia.
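A minimal version of the baseline-and-log-review hunt from the FBI/CISA list above, combined with the off-hours pattern Williams describes, as an added Python example that is not part of the advisory or this article: it profiles each user's logon hours and source addresses from constructed sample log lines, then flags logons outside that baseline and any use of a planted honeytoken account (the log lines, user names and honeytoken account name are all constructed).

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample logon events, "timestamp,user,source_ip,result"; entries
# before BASELINE_END profile normal activity, later ones are hunted.
SAMPLE_LOGS = """\
2021-08-23T09:02:11,alice,10.1.4.21,success
2021-08-24T08:55:40,alice,10.1.4.21,success
2021-08-23T18:20:15,bob,10.1.7.9,success
2021-08-24T18:05:51,bob,10.1.7.9,success
2021-09-05T02:14:37,alice,10.9.0.55,success
2021-09-05T02:15:02,svc-backup-legacy,10.9.0.55,success
2021-09-05T02:15:40,bob,10.9.0.55,failure
"""
HONEYTOKENS = {"svc-backup-legacy"}  # planted account (hypothetical name), never used legitimately
BASELINE_END = datetime(2021, 9, 1)

def parse(log_text):
    for line in log_text.splitlines():
        ts, user, ip, result = line.split(",")
        yield datetime.fromisoformat(ts), user, ip, result

def build_baseline(events):  # per user: hours of day and source IPs of successful baseline logons
    hours, ips = defaultdict(set), defaultdict(set)
    for ts, user, ip, result in events:
        if ts < BASELINE_END and result == "success":
            hours[user].add(ts.hour)
            ips[user].add(ip)
    return hours, ips

def hour_distance(a, b):
    d = abs(a - b) % 24  # circular distance on a 24h clock, so 23 and 1 are 2 apart
    return min(d, 24 - d)

def hunt(events, hours, ips, tolerance=1):  # honeytoken use, off-hours logons, unseen source IPs
    findings = []
    for ts, user, ip, result in events:
        if ts < BASELINE_END:
            continue  # already part of the baseline
        if user in HONEYTOKENS:
            findings.append((user, "honeytoken account used"))
            continue
        if user in hours and all(hour_distance(ts.hour, h) > tolerance for h in hours[user]):
            findings.append((user, "logon outside baseline hours"))
        if user in ips and ip not in ips[user]:
            findings.append((user, "logon from unseen source IP"))
    return findings

def run(log_text=SAMPLE_LOGS):
    events = list(parse(log_text))
    return hunt(events, *build_baseline(events))
```

Failed logons are hunted too, since the advisory lists repeated failures among the anomalies worth reviewing; in production the baseline would be built from weeks of data rather than two days.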
CISOs can do a few things to protect their environments over holiday weekends, according to Tom Kellermann, head of cybersecurity strategy at VMware.
"First they should elevate application control to high enforcement, segment their backups from the greater network and activate daily threat hunting on all critical systems and backups to help detect behavioral anomalies," Kellermann said. "Finally, enacting just-in-time administration on all devices will be paramount."