Cybersecurity Snapshot: Insights on Hive Ransomware, Supply Chain Security, Risk Metrics, Cloud Security
Get the latest on the Hive RaaS threat; the importance of metrics and risk analysis; cloud security’s top threats; supply chain security advice for software buyers; and more!
Dive into six things that are top of mind for the week ending Nov. 25.
1 - Ransomware attackers pocket over $100M with Hive
In the past 18 months, cybercriminals have used the Hive ransomware-as-a-service (RaaS) to hijack the systems of 1,300-plus companies and shake down victims for around $100 million in ransom payments, with the healthcare sector especially impacted.
That’s according to an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) in which they detail Hive indicators of compromise, as well as techniques, tactics and procedures.
Prevention and mitigation recommendations include:
- Install software updates as soon as they are released, and prioritize patching VPN servers, remote access software, virtual machine software and exploited vulnerabilities.
- Require “phising-resistant” multifactor authentication as much as possible, in particular for services like webmail, VPNs, accounts with access to critical systems and accounts that manage backups.
- Maintain offline data backups, and ensure all backup data is encrypted, immutable and comprehensive.
- If infected with ransomware, isolate the impacted system, remove it from all networks, disable its networking capabilities and disconnect all shared and networked drives.
For more information, watch this video by Justin Hall, a senior research manager at Tenable:
To learn more about Hive and ransomware in general, check out these resources:
- “Hive claims ransomware attack on Tata Power, begins leaking data” (Bleeping Computer)
- “Defending against Hive ransomware: It’s time to use the attackers’ tools” (The Stack)
- “Researcher develops Hive ransomware decryption tool” (TechTarget)
- “Understanding the Ransomware Ecosystem: From Screen Lockers to Multimillion-Dollar Criminal Enterprise” (Tenable blog)
- “Tenable’s Ransomware Ecosystem Report: Understanding the Key Players, Common Attack Vectors and Ways You Can Avoid Becoming a Victim” (Tenable webinar)
2 - CompTIA: Cybersecurity and risk analysis will mesh in 2023
In its “2023 IT Industry Outlook” report, the non-profit Computing Technology Industry Association (CompTIA) outlines 10 trends to watch next year, and one in particular caught our eye: An emerging, evolving connection between cybersecurity metrics and risk analysis.
As companies shift from a defensive, reactive focus to a proactive, preventative approach, they face a key challenge: How do you measure success and progress when cybersecurity becomes a moving target?
Yes, keeping tabs on, for example, the number of patched systems and the percentage of trained staffers is a good start. But to truly map cybersecurity efforts to business objectives, you’ll need what CompTIA calls “an organizational risk approach to metrics.”
What would this look like?
- Assessing the risk of digital activities
- Calculating financial impacts
- Building mitigation plans
“This structure can then be used to justify investment, determine skill needs or quantify cyber insurance activity,” reads the report.
For more information about cybersecurity metrics and risk management:
- “7 key cybersecurity metrics for the board and how to present them” (TechTarget)
- “Cybersecurity Measurement (U.S. National Institute of Standards and Technology)
- “Which cybersecurity metrics matter most to CISOs today?” (VentureBeat)
- “Why metrics are crucial to proving cybersecurity programs’ value” (CSO Magazine)
- “15 Metrics And Factors To Demystify Cybersecurity Efforts” (Forbes)
3 - SANS updates its most dangerous cyber attack techniques
At RSA Conference in June, a panel of SANS Institute instructors presented what they consider the five types of cyberattacks that represent the biggest threats, and they recently revisited their list to offer an update.
In the video below, the SANS panelists discuss what’s new with these “most dangerous” cyberattacks, look ahead at 2023 and offer tips and recommendations:
- Living off the cloud
- MFA bypass
- Ghost backup attack
- Stalkerware
- Cyberwarfare
For more information, you can read this blog about the presentation.
4 - CISA issues supply chain security guide for software buyers
A guide aimed at helping customers steer clear of unsafe software has been released by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence.
It’s the third guide devoted to software supply chain security issued by these agencies recently. The first one focused on advising developers, while the second one was aimed at suppliers.
Recommendations for software buyers are broken out into three main categories:
- Procurement and acquisition, which includes:
- Definition of requirements
- Product evaluation
- Contracts
- Deployments, which includes:
- Product acceptance
- Functional testing
- Security testing and validation
- Software operations, which includes:
- Bug reporting by users
- Software updates
- Security and supply chain risk management
Each section includes a discussion of potential threat scenarios along with recommended mitigations.
For more information, read the 39-page guide, titled “Securing the Software Supply Chain: Recommended Best Practices Guide for Customers.”
And check out these articles and videos about software supply chain security.
Articles
- “Software Supply Chain Best Practices” (CNCF)
- “Software Supply Chain Security Guidance” (National Institute of Standards and Technology)
- “The Open Source Software Security Mobilization Plan” (The Linux Foundation and The Open Source Security Foundation)
- “Best practices for boosting supply chain security” (ComputerWeekly)
- “When Securing Your Software Supply Chain, Don't Forget the Cloud” (ITPro Today)
Videos
5 - Play it again, Sam: Another look at CSA’s top cloud security threats
With cloud security firmly top of mind for most security leaders, it seems like a good time to revisit the Cloud Security Alliance’s “Top Threats to Cloud Computing.” Below we highligh one or two key recommendations for each and link to subsequent blogs CSA has so far devoted to nine of the 11 threats highlighted in the report.
1. Insufficient identity, credentials, access and key management
- Deprovision users’ privileged accounts immediately after they leave the organization or change their role.
- Ensure users’ privileges match their roles and responsibilities so that they don’t get excessive access and permissions to systems and data.
2. Insecure interfaces and APIs
- Adopt tools that automate continuous monitoring of API traffic, detect anomalies and remediate issues.
- Adjust conventional controls and change management policies to secure cloud-based APIs.
3. Misconfiguration and inadequate change control
- Adopt technologies that continuously scan and detect cloud misconfigurations.
- Ensure your change control approach matches the speed and dynamism of changes in cloud environments.
4. Lack of cloud security architecture and strategy
- Craft a cloud security architecture and strategy covering identity and access management, networking and security controls.
5. Insecure software development
- Ensure your developers understand the shared responsibility model between your organization and the cloud service provider (CSP).
- Take advantage of the security guidance CSPs provide for deploying software securely.
6. Unsecured third-party resources
- Periodically review third-party products you’re using and revoke the access and permissions of those you no longer need.
- Perform penetration tests and use static and dynamic application security testing tools.
- Conduct routine vulnerability scanning and deploy patches for critical bugs as soon as possible.
8. Accidental cloud data disclosure
- Ensure your cloud databases and storage are properly secured with strong authentication requirements and properly configured.
- Adopt tools that can flag routing or network services that expose traffic externally, including load balancers and content delivery networks.
9. Misconfiguration and exploitation of serverless and container workloads
- Use cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), and cloud workload protection platforms (CWPP) to automatically check serverless workloads.
- Boost cloud security training, governance processes and reusable secure cloud architecture patterns to cut the risk of insecure configurations.
10. Organized crime/hackers/APT
- Simulate the tactics, techniques and procedures of advanced persistent threat (APT) groups to assess the detection precision of your monitoring tools.
- Carry out a business impact analysis to get visibility into your information assets.
11. Cloud storage data exfiltration
- Adopt your CSP’s best practices and monitoring/detection capabilities.
- Set different controls based on data classification, and document the recovery actions required in an incident response plan.
6 - SANS: Critical cybersecurity controls for ICS
In a new white paper, the SANS Institute identifies five critical cybersecurity controls that organizations can implement for creating an “efficient and effective” security program for their industrial control systems (ICS).
Intended to focus on outcomes, as opposed to being prescriptive, the controls are:
- An ICS-specific incident response plan that facilitates root cause analysis
- A defensible architecture that reduces as much risk as possible via system design and implementation
- ICS networking visibility and monitoring that helps to understand systems interactions
- Secure remote access via multifactor authentication or compensating controls
- Risk-based vulnerability management
For more information about the security of ICS and operational technology (OT) systems, check out these new Tenable videos.
The top threats to ICS systems
Proactively Securing ICS/OT Systems
ICS Security: Securing Industrial Controllers
Securing the Industrial Control Plane
Automated Asset Discovery and Management for Industrial Systems
Related Articles
- Cybersecurity Snapshot