Cybersecurity: Preventing Disaster from Being Online

The Internet is an incredible resource that has revolutionized every aspect of our ever-changing global society. Some parts of life are nearly impossible without some connection to the net for work, play or learning. Yet, while our connectivity accompanies the entire planet through the digital evolution, it also introduces a new level of risk few people ever imagined.

But “spycraft”? What does that have to do with you or me? In truth, most of us are the furthest thing from a “spy,” let alone know how to control our risk of hacking. But the fact that you’re reading this post means that you’re asking the right questions.

Allen Dulles and his 73 Rules.

Allen Dulles was an American diplomat and intelligence officer who served as the first civilian Director of Central Intelligence (DCI) and was the longest-serving director of the Central Intelligence Agency (CIA) from 1953 to 1961. During his time at the CIA, he played a significant role in shaping US foreign policy, particularly during the Cold War. He was involved in several covert operations, including overthrowing the Iranian Prime Minister Mohammad Mosaddegh and the Bay of Pigs invasion in Cuba. He also helped establish the CIA’s covert action capabilities and modernized its intelligence-gathering methods.

This presentation is loosely based on Allen Dulles’s 73 Rules of Spycraft. He wrote the missive as an instructor for agents in the field. His general philosophy of the craft was that “spying” anywhere is dangerous and must be practiced with the strictest discipline.

A quick read of Dulles’s rules reveals a bit of duplication and redundancy, but there are good reasons why he wrote that way. In part, he wanted to demonstrate that rules for this type of work required constant adaptation. And like a good teacher, Dulles illustrates that the essential aspect of being mindful about security “consists not only in avoiding big risks… it is consistent care in them that forms the habits of true security mindedness.”

Knives out: Lurking Cybersecurity Threats

In a real sense, you’re risking everything whenever you open a browser window. One little error, one misstep in judgment, and you could lose it all to a hacker.

According to the 2023 SonicWall Cyber Threat Report, while the total global count for ransomware was 493.3 million (a 21% drop from the previous year), Europe saw an 83% jump, including a 112% increase in the UK. The education and finance sectors were hit the hardest, with sharp increases of 275% and 41%, respectively. So, while the risk of getting hit by ransomware is still higher than getting hit by a car or lightning, the effects can be just as devastating.

What is the solution? Experience shows us that we can manage both the risk and the potential damage. For the sake of this article, I present an easy four-step action plan.

Whom do you trust?

Trust is the crux of cybersecurity, where behavior and technology meet. Therefore, the first step is assessing trust and recognizing that risk is omnipresent.

Just by being here and reading this article, you trusted the host of the website where this article is published, the IT engineers and technicians who run the website, the coder who built the page and uploaded the article, and me. And that’s not including anyone who may have sent you a link because they think you should read it. My gosh. That’s four or five people in the process you’ve trusted already. Let’s add now the manufacturer of the technology you’re using to get here, your bandwidth provider, your fiber or wire or satellite company – maybe even the neighbor with a beard. You see where this is going, right?

The juvenile response to such mounting risk is, “I’ll never trust anyone.” However, such an attitude only takes us so far because when it comes to engagement and interaction (online or offline), eventually, you must trust someone.

Spycraft as a cybersecurity risk mitigator.

Consider the second step: how to apply spycraft as a risk mitigator. We rely on unconscious happenstance to get through everyday tasks: preparing for work, the commute, lunch, watching a show on television, walking the dog. Now consider how that same happenstance approach endangers your cybersecurity. Risk always increases when we stop paying attention.

Adopting ‘spycraft-sense’ is the online equivalent of looking both ways before crossing the street to avoid being hit by a car. And you can avoid most lightning strikes simply by not going outside when the conditions for lightning are present. Similarly, we can improve cybersecurity by never blindly trusting everyone and everything we see online. That means adopting what Allen Dulles called “greater situational awareness” of the things that increase risk.

Therefore, we can reduce risk by becoming fully mindful of our daily interactions and engagements. That means being aware of how hackers deploy social engineering with various forms of phishing (email, text messaging, social media) and setting personal rules about links we click, sites we visit, downloads we take, and the technology we deploy to control or even reverse potential damage.

Cybersecurity technology that can enhance the effect of spycraft.

Then it should be no surprise that our third step is looking at how technology may enhance the effects of everything we’ve done so far. From great technological advancement comes greater convenience. New tech delivers fantastic opportunities straight into our hands. But, if we want to continue to enjoy those opportunities, then it’s really up to us as individuals to step up and control the inevitable risks that come with using them.

The title of this Mindhunter presentation seems a little apocalyptic – disaster is not inevitable. I would instead like to think that the title gives us some optimism. We don’t have to become spies to control our cybersecurity risks; we just need to follow basic rules of engagement and interaction to keep us safe from malware that can lead to ransomware and other advanced threats.

However, should something sneak past us, we want layers of technology that can stop threats before they do their full potential damage. Think of yourself as an onion, with an outside layer of good anti-virus and anti-malware software on all your local devices. In the next layer, we can deploy next-generation firewalls (NGFWs) and AI-augmented software that analyzes even advanced threats and neutralizes them without degrading device performance. And we want redundancies, backups, and a means of easy rollback to protect our core. The best part is that this technology is off the shelf and ready to deploy today.

Explore and learn with SonicWall’s Mindhunters.

That brings us to the fourth and final step: book your seat for MINDHUNTER #12, Cybersecurity: Preventing Disaster from Being Online. This is where you can pick up active lessons on cybersecurity from experts in the field today. Get the most from better online behavior and be boundless with excellent cybersecurity solutions and technology. The event is scheduled for April 18, 2023. Good hunting!

The Art of Cyber War: Sun Tzu and Cybersecurity

Weighing the lessons of Sun Tzu and how they apply to cybersecurity.

Sun Tzu sought to revolutionize the way war was fought. That’s saying quite a bit, since he was born in 544 BCE and lived during an era when most wars were little more than gruesome bludgeoning events between one or more groups armed with axes, clubs and sharp sticks.

While not much information about Sun Tzu’s life has survived, we know he was employed by the then-ruler of the Kingdom of Wei in what is now the northeastern heart of China. He was a Chinese general and philosopher who envisioned the psychological aspects of war, which was a completely original approach to armed conflict in ancient China.

Many historians believe Sun Tzu’s book was intended to help his colleagues engage in the many regional conflicts they faced. Today, Sun Tzu’s The Art of War is a bestseller that has endured for 2,000 years and hundreds of wars. The book has become a kind of Rosetta Stone of military theory, cited by theorists and carried well beyond the battlefield into business schools worldwide and now into cybersecurity.

The Art of Cyberwar: preparation.

Adapting Sun Tzu’s many well-known quotes to cybersecurity is pretty straightforward. We looked for three that could best describe important aspects of cybersecurity: preparation, planning and knowledge. For preparation, we settled on a re-quote of this well-known warning:

Cyber warfare is of vital importance to any company. It is a matter of life and death, a road to safety or ruin.

Despite his military background, Sun Tzu claimed that direct fighting was not the best way to win battles. But when fighting was necessary, it was wise to carefully prepare for every possibility. That’s the lesson commonly ignored by companies who, after a severe breach, found themselves fined, shamed and scorned because they neglected their network security and failed to protect themselves from attackers. To prepare, we not only need the most advanced technology possible, but we must also train the workforce and make cybersecurity everyone’s business.

The Art of Cyberwar: planning.

In the realm of planning, we considered how the “art” is also a source of wisdom for attackers:

Where we intend to fight must not be made known. Force the enemy to prepare against possible attacks from several different points and cause them to spread their defenses in many directions; the numbers we shall have to face at any given moment will be proportionately few.

This re-quote relates to other stratagems in which Sun Tzu urges his generals never to underestimate their enemies and to plan for all possibilities. The same goes for cyber attackers. They pick the easy battles to ensure they have the upper hand. Therefore, it is wise to plan our defenses as though we are already targeted and have already been breached.

The Art of Cyberwar: knowledge.

Sun Tzu guides us away from making rash emotional decisions by emphasizing the importance of knowledge. He suggested that leaders gain as much knowledge as possible when preparing for battle, but not to limit themselves to the enemy’s strengths and weaknesses.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

This bit of advice is a direct quote and accurately describes how cybersecurity should operate. Businesses must maximize the power of threat intelligence by giving IT teams the means to analyze real-time analytics and transform every scrap of data into actionable insights. IT teams should also be empowered to consider everything that could happen and assess the best course of action before, during and after a breach.

Explore and learn about the Art of Cyber War.

War theorists have long-standing debates about how to categorize the preparation and execution of military activity. General Carl von Clausewitz stands next to Sun Tzu as one of the best-known and most respected thinkers on the subject. Paraphrasing from Clausewitz’s book Vom Kriege (On War), published in 1832, he observes that the preparation for war is scientific, but the conduct of battle is artistic. As a science, we study logistics, technology and other elements depending on need. As an art, we rely on individual talent and grit to exploit opportunities that increase the likelihood of victory. Clausewitz also believed that war belonged to the province of social life, as do all conflicts of great human interest.

Cyberwar also fits these definitions. For instance, consider business activity as a combination of science, art and social life. As businesses compete in the marketplace, they carefully analyze the competition, create ways to appeal to audiences and press for social engagement and interaction. Shouldn’t we apply the same level of attention and resources for our cybersecurity? We think Sun Tzu would rub his beard and nod profoundly.

Cyberattacks for this year already eclipse the full-year totals from 2017, 2018 and 2019, according to the mid-year update to the 2022 SonicWall Cyber Threat Report. And new attack vectors are coming online every day. Without adequate preparation, planning and knowledge, companies and their customers are at a high risk of falling victim to devastating cyberattacks.

Explore and learn about the art and understand the science. Book your seat for MINDHUNTER 11, “The Art of Cyber War,” and learn from experts on how you can keep your company safe in the coming cyberbattles.

Meeting a Russian Ransomware Cell

Ransomware is one of the most notorious and effective types of cyberattacks in the last decade. And I had the opportunity to go inside the minds that operate a real-world ransomware cell.

It starts with the young leader — nicknamed “Twig” — of a Russian ransomware cell. After two weeks of chatting through a secure channel, what I found was very interesting.

On social media, some cybersecurity firms like to portray him in a black hoodie with leather gloves against a backdrop of matrix-style digits. They name-drop buzzwords like advanced-generation V attacks and other trumped-up terms, which might fit nation-state attacks, but this isn’t the case with most hacking groups.

Carrying out successful ransomware attacks typically only requires a mixture of scripts, common vulnerabilities, brute-force efforts, bad IT policies at target organizations, and generations of frustration between eastern and western politics.


On-Demand Webinar: My Two-Week Conversation with a Ransomware Cell

Join SonicWall security expert Brook Chelmo as he gives you an inside look into the human-side of a modern ransomware cell, their advice on how to stop them from infiltrating your organization, encrypting your endpoints, and spreading to other drives and segments of your network.

How does a ransomware attack work?

The number of organizations and verticals targeted each week, and the demands made on the compromised device(s), are all kept private. Twig is open, however, about their general attack style: spear-phishing and port-scanning for common vulnerabilities.

Twig’s favorite ports are “5900 and 5901 which are open and unpassworded.” Together, these two ports rank as the 19th most scanned port. They are used by virtual network computing (VNC), the desktop-sharing and remote-control application for Linux and Windows machines.

Over the years, several vulnerabilities in the services behind these ports have allowed attackers to bypass authentication and gain access to the system. If Twig can get in, then your participation isn’t even required to activate the ransomware script (such as enabling macros on a malicious Word document received in email). In fact, SonicWall research shows that anywhere between 17% and 20% of all malware attacks come through non-standard ports.

While Twig’s scripts are pinging a range of IP addresses for vulnerabilities, he runs a PHP script alongside unnamed services that spam targets to gain remote access to their systems.

HILDACRYPT, for example, uses file extensions that are not normally scanned, such as .vbox, to evade inspection and detection by firewalls or email security services. Once access has been granted, he will log in after-hours and run a batch file through PsExec throughout the entire network to make it “go boom.”

Or, in less dramatic words, to “make Hilda run on the entire network.” It’s the same headache caused by the likes of the WannaCry, NotPetya and SamSam ransomware strains, the infamous attack wave from three years ago. Since admins tend to have access to multiple drives — and sometimes read/write ability on endpoints via access manager roles — compromising their accounts is critical to mission success.
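The entry point Twig describes is Internet-reachable VNC on TCP 5900/5901. The following is an added example, not code from the original post or from SonicWall: it parses a constructed firewall log format, flags allowed connections from outside RFC1918 space to those ports, and groups sources that touched several internal hosts, which is what a port sweep looks like from the defender's side. The log format, sample lines and the internal-network list are all assumptions for illustration.

```python
import ipaddress
import re

# Ports singled out in the interview (VNC desktop-sharing).
VNC_PORTS = {5900, 5901}

# Assumption: anything outside RFC1918 space is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format: "<time> ALLOW|DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one outside host sweeping three internal machines on VNC,
# one legitimate internal VNC session, one denied probe, one unrelated HTTPS hit.
SAMPLE_LOG = """\
2023-04-01T02:11:05Z ALLOW TCP 203.0.113.7:51234 -> 10.0.0.15:5900
2023-04-01T02:11:06Z ALLOW TCP 203.0.113.7:51235 -> 10.0.0.16:5900
2023-04-01T02:11:07Z ALLOW TCP 203.0.113.7:51236 -> 10.0.0.17:5901
2023-04-01T02:12:00Z ALLOW TCP 10.0.0.5:40000 -> 10.0.0.15:5900
2023-04-01T02:13:00Z DENY TCP 198.51.100.9:4444 -> 10.0.0.15:5900
2023-04-01T02:14:00Z ALLOW TCP 203.0.113.7:51237 -> 10.0.0.15:443
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_vnc_events(log_text):
    """Allowed connections from external sources to VNC ports: the exposure itself."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and rec["action"] == "ALLOW"
            and rec["dport"] in VNC_PORTS and is_external(rec["src"])]


def scan_sources(events, min_hosts=2):
    """External sources that reached VNC on at least min_hosts internal machines."""
    seen = {}
    for e in events:
        seen.setdefault(e["src"], set()).add(e["dst"])
    return {src: sorted(hosts) for src, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    events = exposed_vnc_events(SAMPLE_LOG)
    print(f"{len(events)} externally reachable VNC connections allowed")
    for src, hosts in scan_sources(events).items():
        print(f"sweep from {src}: {', '.join(hosts)}")
```

Any hit from `exposed_vnc_events` means VNC is reachable from the Internet through the firewall, which is the condition to close regardless of whether a sweep is also present.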


Once systems are compromised, they don’t exfiltrate the files and sell the data like some do. They just set the demand and wait.

Initially, they asked victims to watch the Hilda series on Netflix (yes, really), join their Discord server for support, then pay the stated ransom amount in bitcoin (a popular way to couch the demand).

What can you do to stop ransomware attacks?

First of all, Twig says to “use proper passwords” for ransomware protection. He said many passwords are either written by the ‘crazy or the lazy.’ Most of them are too simple and are often guessed by his scripts. His favorite story was when he found a password to be two quotation marks. I guess the administrator thought it was too simple to guess. Well, he was wrong and had to pay for it.

Second, he said “write your programs in a real programming language.” He said that real programmers write in C or C++, and that Java or PHP is for the lazy and stupid (an opinion not shared by all professional programmers).

When he sees programs written in Java, he feels he is dealing with a non-qualified individual and, therefore, an easy target. It is also worth noting that some security professionals advise not to program in C when it comes to security.

Third, he casts shade on Americans and on tech workers over the age of 35, because he believes they lack either the modern skills or the energy to do the job properly. He says organizations should hire qualified people who can both code and understand security. If he were in charge of hiring at your company, and didn’t discriminate by age or nationality, he would hire people who hold qualifications in C or C++ and have the energy to follow security best practices.

Misconfigured firewalls leave doors open for ransomware attacks

Finally, Twig points out that misconfigured firewalls are his best friend. In fact, he has strong opinions about some firewall makers whose products enable him “to uninstall [the firewall] from the computer.” In the case of network firewalls, misconfigurations are easily made and can be one’s downfall. It happens more than you think.

In the case of endpoint firewalls, end-users should operate under the principle of least privilege (POLP), which means they have just enough rights to do their jobs but cannot modify their endpoints. In 2016, Microsoft reported that 94% of critical vulnerabilities can be mitigated by removing administrative rights from users.

Four ways SonicWall stops ransomware attacks

Stopping ransomware attacks isn’t always easy. A conversation with Twig makes that apparent. But he also highlights that if you follow best practices and implement security across different layers, ransomware attacks won’t be nearly as successful. Leverage the four key ways SonicWall helps organizations block ransomware attacks — automatically and in real time.

  • Deploy a firewall and keep security services active. Firewall vendors like SonicWall are now security platform providers that protect the traffic to and from branches (SD-WAN) and examine traffic through the firewall with gateway antivirus to stop known versions of malware. It’s also smart to leverage Intrusion Prevention Services (IPS) to identify known communication patterns within malware and stop what it wants to do, like travel laterally to other drives or networks. The combination of gateway security and IPS was critical in stopping WannaCry ransomware attacks for SonicWall customers on Day 1.
  • Block unknown ransomware with a sandbox. All of the updated WannaCry versions that came after Version 1 were blocked automatically by the Capture Advanced Threat Protection (ATP) sandbox, even when a customer encountered a variant before SonicWall could create a definition/signature to block it on firewalls and email security.
  • Protect your inbox. To make it even more difficult to attack your network or users, use secure email solutions to block spoofed emails and examine attachments within all email to look for malware. Email is still highly effective at getting malware exploits onto your network.
  • Secure your endpoints. Finally, protect your endpoints with a next-generation anti-virus (NGAV). For example, Capture Client will help stop intrusions and ransomware attacks from initiating. Even if a ransomware strain did execute, Capture Client would give the administrator the ability to roll back the damage to a previously known clean state.

For the full story on my chats with Twig, I urge you to attend my upcoming webinar, “Mindhunter: My Two-Week Conversation with a Ransomware Cell.”