09 December 2016
Blogs by author: Bryan K. Fite, Account CISO, BT.
Facing extortion at the hands of cyber criminals, what would you do? Bryan Fite reveals how he helped an organisation going through just that.
The start of a cyber saga.
Some months ago, I was traveling home from a long, productive week of client and team meetings. As I came out of ‘airplane mode’, I found several voicemails and SMS messages waiting for me. All of the communications were from a panicked operations manager who needed help with an incident.
“Stay calm,” I counselled, and proceeded to digest the series of data points around the event:
1. An enterprise user associated with the operational security team had received an extortion threat via email.
2. The email demanded a payment of five bitcoins, otherwise a web property would be exposed to a DDoS attack and taken offline Monday morning.
3. The threat was attributed to the hacking group known as Lizard Squad.
All very helpful for framing my assessment. The natural follow-up questions came pouring out:
“Does the organisation have a policy on extortion?”
“Uh, I don’t know.”
“Do you have any bitcoins?”
“What’s a bitcoin?”
“Do you have any anti-DDoS capabilities?”
“We have a firewall.”
Armed with these data points I started my analysis activity.
1. Without a formal policy on extortion, I had to consider two possible responses — pay the extortionist or do not pay the extortionist.
2. If you pay them, you need to have or produce bitcoins.
3. If you don’t pay, you need to prepare for a potential DDoS attack.
Should you pay cyber criminals the ransom they want?
Although law enforcement will not officially recommend or condone complying with ransomware or extortionists’ demands, they will acknowledge, off the record, that those who do comply often get their data back, or are not attacked.
In this instance, I recommended not paying or engaging with the extortionist. Blackmail and extortion are a messy business, and one can never be sure that paying will do anything other than reward the behaviour, proving that crime does pay.
Assessing the risk.
Therefore, we needed to assess the risk associated with a potential DDoS attack, because, referencing a line from one of my favourite movies, “Mr Pink doesn’t tip.” Here’s what we knew:
1. Lizard Squad certainly was known to have a significant DDoS capability, which it had used effectively against some very large networks.
2. However, it was not known to extort money from victims, and had focused its attacks on gaming networks, not commercial websites. As I have said many times, attribution is the toughest part of cyber operations.
3. The extortion amount of five bitcoins (~$5,000) also struck me as odd, given the size of the organisation being threatened.
4. There were also no specific references to the threatened organisation, the target website or the time zone (‘Monday morning’ when, and where?).
5. The email read like a non-targeted form letter: spam-like in its tone and lacking any specificity.
These observations, together with other open-source intelligence, suggested that this was a hoax perpetrated by another criminal organisation that was usurping Lizard Squad’s ‘brand’, and that it likely had no DDoS capability of its own.
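To make the assessment above repeatable, here is an added triage helper (not from the post, BT or the author) that checks an extortion email for the specificity indicators used in the analysis: whether it names the organisation, the target asset, a time zone or a date, and what amount and group it claims. The organisation names, hostnames and the sample message are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the message the post describes: a demand for five
# bitcoins, a Lizard Squad signature and a vague "Monday morning" deadline.
SAMPLE_EMAIL = """Your website will be taken offline by DDoS on Monday morning.
Pay 5 bitcoins to avoid this. We are Lizard Squad."""

# Organisation context the analyst supplies (hypothetical names and hosts).
ORG_NAMES = ["Example Holdings"]
ORG_HOSTS = ["www.example-holdings.com", "shop.example-holdings.com"]
KNOWN_GROUPS = ["lizard squad"]

AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.I)
TZ_RE = re.compile(r"\b(UTC|GMT|[ECMP][SD]T|CET|CEST)\b|[+-]\d{2}:?\d{2}\b")
DATE_RE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")

@dataclass
class Triage:
    amount_btc: Optional[float]
    claimed_group: Optional[str]
    mentions_org: bool
    names_target: bool
    has_timezone: bool
    has_date: bool

    def specificity(self) -> int:
        """Number of targeting indicators present (0 to 4)."""
        return sum([self.mentions_org, self.names_target, self.has_timezone, self.has_date])

    def verdict(self) -> str:
        # A demand naming neither the organisation nor the asset, with no concrete
        # deadline, reads like a bulk template rather than the product of reconnaissance.
        if self.specificity() == 0:
            return "likely non-targeted template"
        return "likely targeted" if self.specificity() >= 3 else "indeterminate"

def triage_extortion_email(text: str, org_names=ORG_NAMES, org_hosts=ORG_HOSTS) -> Triage:
    low = text.lower()
    amount = AMOUNT_RE.search(text)
    return Triage(
        amount_btc=float(amount.group(1)) if amount else None,
        claimed_group=next((g for g in KNOWN_GROUPS if g in low), None),
        mentions_org=any(n.lower() in low for n in org_names),
        names_target=any(h.lower() in low for h in org_hosts),
        has_timezone=bool(TZ_RE.search(text)),
        has_date=bool(DATE_RE.search(text)),
    )
```

The verdict is only a first-pass sorting aid; as the post shows, even a probable hoax still warrants preparing for the attack.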
Of course, extortion is extortion and we still needed to prepare for the possibility of an attack. So we quickly started the technical and commercial process of provisioning some volumetric anti-DDoS capacity — always more expensive and disruptive when performed under emergency conditions. The organisation was as prepared as it could be, given the situation. We were on high alert, and ready for anything.
What happened next.
Monday morning came and went without incident. Tuesday and Wednesday the same. Thursday we stood down. It was indeed a hoax or, as we say, a ‘non-event’. However, the entire exercise was a wake-up call for the organisation. A post-mortem of the event showed the need to expand its threat catalogue, develop new policies and create new incident-response playbooks. In addition to the volumetric anti-DDoS controls put in place, other controls against targeted attacks are now being considered.
Table-top exercises are the next phase in maturing the organisation’s response effectiveness — training its operational personnel and testing its procedures. So, a non-event actually became a learning opportunity.