State and local governments, corporations and the nation as a whole are getting walloped in cyberspace and will continue to do so without real changes to their defenses, Kevin Mandia, chief executive of the security company FireEye, said Tuesday.
Between high-profile events like the SolarWinds hack, which the U.S. government blames on Russian intelligence agents, a zero-day breach in the Accellion file-transfer application and a continuous spate of ransomware incidents, the United States has been taking multiple blows, Mandia said in remarks to an online cybersecurity conference hosted by New York State.
“We are getting sucker-punched in cyberspace as a nation,” he said.
Mandia also told the audience he thinks the SolarWinds breach — in which malicious code was inserted into the network integration software vendor’s supply chain, an attack the U.S. government has pinned on Russian intelligence operatives — will not be an isolated incident.
“Not the first time this has happened,” he said. “I think this will happen again.”
He also noted that with Accellion, a zero-day exploit allowed hackers to carry out extortion attacks — including against several major research universities — without needing to actually deploy ransomware.
But Mandia said it’s with regard to ransomware that organizations continue to be the most vulnerable, especially as most perpetrators reside in places beyond the reach of U.S. law enforcement, like Russia, and collect their payments in hard-to-trace cryptocurrencies. He said before the rise of bitcoin, digital extortion schemes that collected payments in cash were easier to track.
“We didn’t have a long period of extortion in the mid-2000s, but since the emergence of bitcoin it’s gone way up,” he said. “If you know what you’re doing as an attacker, and you’re not lazy, you can keep what you’re doing with bitcoin relatively anonymous.”
He said that in addition to becoming more frequent, ransomware incidents are taking less time to pull off. Rather than spending weeks or months inside a victim’s network before deploying their malware, attackers now do so in about 20 days, according to what FireEye’s analysts have observed, Mandia said. Ransomware’s continued adoption of a software-as-a-service model has also added to the damage.
“Even a blind person shooting a gun is going to hit a bird some of the time,” he said. “Right now ransomware actors have unlimited opportunities.”
Mandia recommended that ransomware-prone organizations, like governments and hospitals, incorporate into their cybersecurity strategies plans for how to maintain operations if their network functions are disrupted. In some cases, ransomware incidents at hospitals have forced doctors to delay medical procedures.
“How do we operate if our systems are down?” he said. “Ransomware’s impact is rarely predictable. These things are hard to do, but I recommend every organization try it. It’s very important for hospitals to learn how to operate off the grid.”
But he also said one of the best preventative measures is for chief information security officers and their teams to focus more on intelligence and threat analysis, no matter how mundane the work can be.
“You have to have an intelligence component,” Mandia said. “It’s only as good as your rigor and discipline to catalog what you know. No threat analyst likes logging technical details; you’ve just gotta do it.”