The Need of the Hour of Today’s Enterprise – Innovation Within to Enable a Sustainable Ecosystem

The uncertainty and chaos caused by the prevailing deadly pandemic clearly shows that although we live in a world complete with cutting-edge technological solutions for many of our problems, we are not really focusing on the ‘right’ problems. Are we addressing the world’s most challenging issues in the right way? The pandemic itself is proof that we have probably missed some of the most important aspects in this world and shown us that we lack innovation, investment and technological advancements in healthcare, education, environmental and many other areas. The current world order and the financial ecosystem as we know it, is fragile and it clearly is not focusing on the important issues that we need to solve as a human race.

With this realization, the world is starting to understand a little better and is making an effort to shift gears to creating and maintaining a more sustainable ecosystem with innovation at its core. Doomsday Hollywood movies have often depicted how our world may end in the most dramatic way – but the truth is we may be heading that way in reality unless we act fast. Are we too late to change course for the better? The good news is we can, but we need to act fast.

What is Sustainability?

Before we get into the solutions, we need to understand some of the underlying concepts and models that we can use to solve these problems. Sustainability has become a buzzword today, but what does it really mean? Let’s consider this definition “Meeting our present needs without compromising the ability of future generations to meet their own needs (Brundtland Commission, 1987). It has three components — environmental conservation, social responsibility and economic development. While most people primarily associate sustainability with environmental conservation, it is about people and the health of our communities!

In 2015, the United Nations drew up a guideline called The Sustainable Development Goals, a blueprint to achieve a better and more sustainable future for all. They addressed the global challenges we face, including poverty, inequality, climate change, environmental degradation, peace, and justice, encompassing all elements that need to be considered given that sustainability has a broader aspect. Businesses too can add great value to solve these problems if they have a clear focus on them.

How Can a Business Realign and Change?

1. Develop a greater purpose – Businesses have typically had one financial objective – to increase revenue, create shareholder value, improve customer portfolio. However, today, this focus must shift slightly to have a bigger purpose. Companies today must invest in more sustainable ways of doing business, which include culture, impact to society and the community, as well as the environment.
2. Shake off the legacy mindset – To be able to incorporate sustainable practices into your business, organizations need to focus on what’s called the triple bottom line. To build a purpose driven business or operate as one you need to have a long-term vision. Most businesses operate on short-term goals or quarterly based achievements. But, there needs to be a balance, meaning a business should have both short-term and long-term goals. These goals must be impactful with a larger and lasting impact on society and on the planet. It’s only then that any high-tech modern-day innovation can contribute meaningfully to sustain our existence.
3. Carve out a different way to operate – A sustainability focus driven business needs to operate two steps ahead, which means they need to have a long-term focus. It also needs to be partnership oriented, which means it needs to be open to partners who have expertise in other areas and have common goals and vision. Above all, it needs to be human centric and must include an element of empathy.
4. Nurture purpose-driven employees – No goal or innovation can be accomplished if you do not have the right talent and the required motivated and passionate mindsets. That is why your employees will be the biggest assets to transform or build a purpose driven organization or innovation. To do this, you must focus on creating a work environment where employees feel their job is more than just a paycheck by incorporating other intangible benefits. When organizations prioritize purpose over paychecks, they appeal to candidates who are committed, intrinsically motivated and show greater passion for a bigger cause in their work, especially among younger generations entering the workforce today.

Conclusion

The problem is very real and requires immediate attention. While much has been talked about and debated on many forums, some organizations lack the enthusiasm or sense of urgency to address these issues by redefining how they operate. In a nutshell, the future of businesses and companies are not going to be spreadsheet driven. It has been proven by Elon Musk and other modern-day entrepreneurs that their successes were achieved by trying to solve real-world problems. The mantra of organizations today should be to create wealth and value by adopting a larger purpose – one that recognizes and embraces the bigger picture of sustainability to positively impact people and the planet via innovation and disruptions.

“Disruption is the watchword in business today. With technology changing at hyper speed, corporations may struggle to build a foundation for long-term success. Traditionally, organizations have emphasized how much revenue they create and how many expenses they cut. With the challenges facing society today, that simple focus is no longer sustainable.” — Forbes

The Evolution of Cyber-Attacks in Sri Lanka

As you are already aware, cyber-attacks reported within the country has become more common in the recent past. Reflecting on these attacks, we noticed three trends that have been explained below:

1. Drastic increase in threats – Over the past two-to-three years, we have noticed that the number of cyber-attacks targeting Sri Lankan-based enterprises has been drastically increasing. We hear more stories about successful attacks compared to attacks that were detected and mitigated at their early stages.
2. Increase in the complexity of attacks – We aren’t talking about isolated, annoying viruses anymore that make our life a little difficult, for example folder.exe., rather attacks that go through multiple stages spanning over a period of time. Attackers improvise and adapt to the environment and leverage stealth mechanisms to remain undetected until the very last stage is executed.
3. Exponential increase in the impact of attacks – The impact of modern attacks is increasing rapidly. We have come across many instances where large organizations have been brought to their knees and took days to recover. In addition to the financial loss due to the abrupt stop of business, money and resources been spent on the recovery process, many organizations suffer significant reputational damage. News travels fast and bad news travels faster. Some attackers even go as far as releasing samples of stolen data to persuade companies to pay ransom.

In order to understand the current cyber attack trends within the country, let’s analyze what has changed over time from an attacker’s point of view and from a defender’s point of view.

The Evolution of Cyber Attacks in Sri Lanka – From an Attacker’s Point of View

Looking at how the attacks have evolved from an attacker’s point of view, there are a few key points that we have observed.

Sri Lanka is no longer a hidden target – For some time, we had the luxury of reading about attacks only in news or tech blogs. It was very rare for us to be at the receiving end of a cyber-attack. But that isn’t true anymore. Attackers have their eyes set on enterprises in Sri Lanka. With acceleration in digital transformation happening and changing work dynamics due to the prevailing pandemic, Sri Lanka is more visible to attackers who now view it as a viable target.

Attackers collaborate – Just like we collaborate to defend our organizations, attackers too have started to collaborate in order to be more efficient when running attacks. It is no longer required for a single attacker to run all the stages of an attack by themselves, instead they collaborate and function as a tag-team. For example, one attacker group may have expertise in stealing credentials, while another has expertise in stealing data or running ransomware attack campaigns. In such an instance, the former would tend to sell the credentials they stole to the latter, so they can run a ransomware attack. This enables the attackers to focus on what they are good at.

Everything is available at the right price – I believe most of us are familiar with the term XaaS (X-as-a-Service). Customers prefer to consume functions in the form of “as-a-Service” since you can get what you want without having to worry about the underlying technologies and maintenance overheads. This is true with attackers as well. Attackers rent out their infrastructure or services to interested parties to run attacks expecting a percentage of earnings in return. For example, Ransomware-as-a-Service (RaaS) is a very common thing these days.

Easy way to earn money – If you have been following the news and have been monitoring professional social networking sites such as LinkedIn, you will notice that there are a lot of professionals who are seeking work due to the effects of the pandemic. Attackers seek to lure such individuals by showcasing the potential of earning a quick buck.

The Evolution of Cyber Attacks in Sri Lanka – From a Defender’s Point of View

Cyber-attacks are no longer a smash and grab operation – In the past, it was very rare to experience an attack that had multiple stages and most attacks rarely spanned over a couple of hours. But now we experience attacks that have many stages, such as initial compromise, credential theft, privilege escalation, lateral movement, detonation, and these span over a period of time which could range from a couple of days, weeks, to even months. This makes it incredibly difficult to detect if you do not know where to look.

Attackers actively participate – Attackers have become more involved during the period the execution takes place. They no longer release viruses or worms and expect them to do the job on their own. Instead attackers are focused on creating and maintaining communication channels to the victim networks and dictating how the attack is executed. This enables them to be more devastating since they could quickly adopt and circumvent any changes the defenders place in order to thwart such attacks.

No more bringing your own tools – In the past, most attacks were done using tools created by attackers for that particular purpose. This made it easy for security solutions to detect such tools and prevent them from executing. But this is no longer the case. Attackers prefer to improvise, hence whenever possible, they would leverage legitimate tools used by administrators to carry out the attack. This is also known as “living off the land.” This makes it very difficult to detect since we would always have to consider the context of an event before deducing if it is malicious or not. One example would be an attacker compromising your software distribution tool to deliver a malicious payload within your network. Without knowing if the payload is malicious or not, you cannot accurately say if this activity is malicious or not.

Multiple entry points to exploit – In the past, an enterprise had an easier job protecting their networks since the perimeter was clearly defined. Anything within the organization’s premises was considered to be trustworthy and anything coming from outside was scrutinized before allowing access. But with the “New Normal” everything has changed. It is no longer about who is inside your premises and not since many or even all employees are working from home, connecting via secure links and have direct access to the heart of the organization, which are essentially the critical business applications. These devices that are allowed to connect are rarely scrutinized, hence act as easy entry points for attackers. This has made the defender’s lives much harder since now they must focus on multiple entry points (in some instance even unknown) rather than the few well-defined entry points they used to have.

In summary, the attack landscape has drastically changed and keeps changing, and attackers are becoming increasingly effective with time. We have a fare doubt in our minds whether we are putting enough effort to protect ourselves against these attacks. The time has come for us to up our game as defenders and work towards advancing our techniques in order to defend against the attackers who will never rest.

A few years ago, Sri Lankan enterprises were fortunate that they only had to learn about cyber-attacks, such as ransomware, through media and Tech blogs, depicting horrifying stories on how such attacks brought large enterprises to their knees. Attackers forced helpless organizations, which were large in size and significant in terms of brand, to pay massive amounts of ransom to retrieve their stolen data. These organizations were heavily dependent on information technology to carry out their work. Many of us didn’t think such attacks would hit home due to a perception that we may be less appealing to such attackers. But that has changed. The question that organizations face is not “if a cyber-attack will happen?” rather “when will a cyber-attack happen?”

Many customers have recently reached out to us when they were hit by such an attack or when they suspected they were being attacked. Therefore, we have had our fare-share of experience in helping organizations to identify, respond, protect themselves, and recover from these cyber security incidents. When there’s news of a cyber-attack close to home, customers often reach out to us and ask questions such as – What actually happened, Do you know how we can check if we will be targeted, What do we need to do to make sure we will not be victims. Taking all of this into consideration, we wanted to share our experiences in dealing with such attacks, explain how these generally happen and possible preventive measures you can take to protect your organization.

From what we’ve gathered, most of these attacks have the following major steps, which I have explained below:

1. Initial compromise
2. Privilege escalation
3. Lateral movement
4. Persistence
5. Data theft (Less Common)
6. Payload detonation

The Initial Compromise is where the attackers gain access into your network, and there could be many ways in which this could happen. It could be as easy as brute forcing a Remote Desktop (RDP) session you have opened to the Internet to help with your remote working or it could by exploiting any zero-day vulnerability (or a very recently discovered vulnerability which hasn’t been patched) of your Internet facing webserver. A few ways to reduce the risk of the initial compromise is to expose Remote Sessions via a secure remote access VPN (with multifactor authentication), make sure you regularly patch your Internet server and ensure you do not expose unwanted services to the Internet.

Once the attacker gains access to your network, they explore to understand what sort of activities can be performed on that network. In most cases, the attacker tends to perform what’s called Privilege Escalation – in simpler terms, this means they try to elevate their level of access. To do this, they would try out methods such as guessing the passwords (Yes, mycompany@123 can be a very common password) or look for passwords stored in text files (Yes, this sounds very trivial, but the truth is when administrators force you to maintain strong passwords we often resort to simple means of remembering them, i.e. text files) or more complex methods such as running exploitation tools like mimikatz to steal credentials. The higher the access the attacker gets, the more damage they can do to a network. As a preventive measure, you can always try to force users to use complex passwords and educate them on how to keep the passwords safe. You could also monitor your user activity to detect abuse and misuse.

The next step of the attack is the Lateral Movement. In other words, once the attacker gains higher privileges on your network, it starts spreading the payload to all possible victim devices to cause more harm than damaging a single machine. Many would ask what makes a ransomware attack so devastating? The answer is its behavior of launching attacks on multiple devices within a small timeframe. This is what makes them so devastating and enables them to bring down organizations within a few minutes or hours. Most attackers utilize vulnerabilities on your network (e.g. the eternalblue exploit) or they would abuse legitimate tools to spread the payload. The abuse of legitimate tools can be very hard to detect as in most cases since the activity is done in such a manner that it mimics legitimate user behavior. Therefore, it’s very difficult to differentiate if the entire activity is malicious or not without proper context. For example, consider an attacker gaining access to the server that you use to distribute software in your organization. They can use this same tool to distribute the malware as well. A few methods of detecting and preventing lateral movement would be to properly segment user privileges, make sure all your devices have UpToDate security patches, your network is properly segmented and firewalled (a common thing we see is that although you tend to protect your network from the external entities, you rarely practice segmentation internally. Hence, when a network gets compromised, it is easy for the attacker to travel within your network), monitor suspicious usage of privileged accounts and limit what privileged accounts could do in your network.

The next step of the attack would be to make themselves Persistent in your environment. Many attackers put in a lot of effort to gain access to your network and the effort is mostly proportional to the amount of security you maintain on the network. Once this is done, the attacker would hate to lose access via a reboot or change of credentials or other interruptions. Hence, they deploy methods such as using the group policy feature of windows environments, registering as a service, creating scheduled tasks, and creating new accounts to make sure they will not lose their control abruptly. A few methods of detecting and preventing such attempts would be to limit what actions user accounts can perform, monitoring suspicious user creations (e.g. users created during off hours) and monitoring group policy or other services related changes.

Before moving to the final stage of the attack, attackers may opt to steal your data – Data Theft. This isn’t a very common move, but we have witnessed some instances. If attackers sense that your data would have a substantial black-market value or that your brand image would be gravely damaged by certain information becoming public, then they would decide to exfiltrate your data. A common method of stealing data could be uploading the files to a file share site (it’s very common for administrators to allow file sharing sites to make their day-to-day work easy but keep in mind attackers too could exploit these same paths). The methods of preventing or minimizing such data loss would be to implement Rights Management Systems (this will help you to make sure that even if the data is exfiltrated the attacker cannot use it), implementing Data Loss Prevention Systems (will detect/prevent when data is been exfiltrated) and block file sharing sites that aren’t needed for work-related matters.

The final step of the attack would be Payload Detonation. Unfortunately, it’s at this stage most organizations learn that they have been attacked, and by the time the initial panic phase has passed, a lot of damage might have been done already.

There are two types of payloads that we have come across – Cryptominer and Ransomware. Cryptominers do not exhibit any visible damages on your machines and would rather utilize your resources such as CPU and RAM to perform crypto currency mining. In such a situation, you will notice heating up, slow performance, huge bills for your cloud consumption, and abrupt crashing of your devices.

Ransomware is the more devastating type of payloads we see. It will start encrypting the commonly used file types, such as documents, videos and photos, and at the end, it will display a note stating what the attackers have done, laying out their demands, what will happen if you do not comply, and in case you want to comply how the money should be transferred. Attackers use crypto currency as the medium of paying ransoms as this method is more difficult or impossible to trace. Once the ransomware is detonated, it could effectively bring down your entire IT infrastructure. It could encrypt the end user devices as well as the servers that host your critical systems, such as application servers, database servers and email servers. In case the attacker has stolen your data, this is the stage where they will communicate to you about the ransom you need to pay to prevent the data from being released to the Internet. They would even go ahead and share a sample of the stolen data to make sure you know they’re serious.

Reputational Damage Is Far Worse Than Data Leaks

Many organizations do not opt to pay (or cannot afford to pay to recover everything that has been encrypted). Hence, they resort to restoring their systems from scratch, which takes a lot of time and effort. This, in turn, results in massive delays before the organization can get back online to serve their customers. Although the most visible damage of these attacks is done to the IT infrastructure, the biggest, unforeseen damages are to the brand identities of these organizations. News travels fast and bad news will travel even faster. No organization will ever want their names associated with such an event, and any negative media coverage and reputational damage could be made far worse by releasing your confidential data to the public domain.

A pertinent question customers ask during the final stage of an attack is “Why can’t my signature-based antivirus software detect this malicious file (payload)?” The answer is that in many scenarios, attackers change the signature (hash) of the payload before using it during the attack. Many legacy antivirus software solely depend on signature updates, and if the signature isn’t in the database, it is very easy for the attacker to bypass the antivirus tool.

Quick Detection, Quick Response and Strong Recovery Plan

Many organizations take a long time to detect such attacks. And when they do, it is sadly at the final stage of an attack. One main reason for this is that most customers utilize legacy detection mechanisms that have a very narrow visibility instead of adopting more current detection mechanisms which have a broader, in-depth view of the environment.

Based on our recent experiences and observations, many organizations take a long time to get their critical business services up and running or in other words, they take considerable amount of time to execute their business continuity plan (BCP). Moreover, although many organizations have satisfactory BCPs and DRPs (Disaster Recovery Plan) in place, almost all of them are rendered little or no use to safeguard from these attacks. Most of these plans have been formulated to protect organizations against events such as natural disasters, power failures, terrorist threats, assuming the backups will be available to start their recovery. Attackers generally know this and will start by targeting the backup systems as the initial attack points before moving toward other critical assets. This way the attackers know they can force the victim to pay up since they have no other means of recovering.

Another interesting fact about these attacks is that most of the activities happen either during early hours or during holidays. The main reason is that attackers try to leverage human weaknesses (even security operations centers are less alert during these times) to their advantage.

In summary, based on our observations, we can no longer consider Sri Lanka as a country with a very slim chance of being attacked. And these attackers seem to always find enough ways to circumvent defenses employed by most organizations and continue undetected till the very last stage. Many organizations need to rethink and plan their BCPs and DRPs to safeguard from ransomware attacks.

In the past, organizations believed in the concept of “Survival of the Strongest,” i.e. if you keep increasing your defenses, you can prevent any cyber-attack. But now, we believe organizations need to equally focus on the concept of “Survival of the Fastest,” which means it is inevitable that your organization will be targeted by an attacker sooner or later, and when that time comes, what matters is how fast you can detect, contain and recover. In other words, the speed at which you react to contain and recover from such an attack will define how your organization will withstand such an event.