International Agencies Issue Joint Cybersecurity Advisory
On February 9, 2022, multiple federal and international agencies, including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, Australia’s Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK), issued a joint Advisory on the rise of ransomware attacks globally and proposed mitigation strategies to help prevent such attacks and reduce the impact of such attacks.
In the Advisory, the agencies noted five trends observed in recent ransomware attacks:
- Most ransomware attacks happened through phishing, stolen Remote Desktop Protocol (RDP) credentials, and exploitation of known vulnerabilities. These attack vectors remain relatively constant and were likely elevated in 2021 by continued remote work.
- An increase in the use of “professional” cybercriminal services-for-hire and “ransomware-as-a-service” (RaaS) actors, which has led to more organized and sophisticated cybercrime activity and more accessibility to ransomware for cybercriminals.
- An increase in the sharing of victims’ information among threat actors, which has increased the risk of additional attacks even after an initial incident has been contained.
- Although the first half of 2021 was marked by “big-game” ransomware targets, authorities are observing a move towards mid-size victims, potentially as a means to reduce scrutiny from cyber authorities.
- Threat actors are using additional means to extort money from victims, including threatening to publicly release sensitive information, disrupt the victims’ internet access, and inform the victims’ affiliates about the incident.
How Should Companies Respond?
Reducing the likelihood of a successful attack should be the top priority. The Advisory suggests several strategies to reduce the chance that a threat actor can gain access to company systems. These measures include:
- Ensuring that all software is current and patched against known vulnerabilities.
- Closely monitoring all RDP services for unusual activity. This includes understanding the security posture of any vendor supplying RDP services and providing guidance to employees on how to properly configure and manage their RDP devices.
- Implementing cybersecurity training and testing programs, including the use of phishing tests and other exercises to ensure that all employees are aware of the appropriate steps they should take if they detect cyber activity.
- Requiring strong, unique passwords for all accounts, and requiring multi-factor authentication whenever possible.
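The RDP monitoring recommendation above is easier to act on with a concrete detection rule. The following script is an added example, not part of the Advisory or of any Baker Botts material: it reads a constructed, simplified Windows Security log (EventID 4625 is a failed logon, 4624 a successful one, and LogonType 10 is an RDP session), flags any source that produces a burst of failed RDP logons inside a short window, and flags an RDP success that follows such a burst, which is the pattern a stolen or guessed credential typically leaves. The log format, IP addresses, account names, and the five-failures-in-five-minutes threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): one Windows Security
# event per line, reduced to the fields this detector needs.
# EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2022-02-09T08:00:01 EventID=4625 LogonType=10 Src=203.0.113.7 User=admin
2022-02-09T08:00:03 EventID=4625 LogonType=10 Src=203.0.113.7 User=administrator
2022-02-09T08:00:05 EventID=4625 LogonType=10 Src=203.0.113.7 User=backup
2022-02-09T08:00:07 EventID=4625 LogonType=10 Src=203.0.113.7 User=svc_sql
2022-02-09T08:00:09 EventID=4625 LogonType=10 Src=203.0.113.7 User=jsmith
2022-02-09T08:00:11 EventID=4624 LogonType=10 Src=203.0.113.7 User=jsmith
2022-02-09T08:01:00 EventID=4625 LogonType=10 Src=198.51.100.20 User=mlee
2022-02-09T08:01:10 EventID=4624 LogonType=10 Src=198.51.100.20 User=mlee
2022-02-09T08:02:00 EventID=4625 LogonType=3 Src=192.0.2.5 User=share
2022-02-09T08:02:01 EventID=4625 LogonType=3 Src=192.0.2.5 User=share
2022-02-09T08:02:02 EventID=4625 LogonType=3 Src=192.0.2.5 User=share
2022-02-09T08:02:03 EventID=4625 LogonType=3 Src=192.0.2.5 User=share
2022-02-09T08:02:04 EventID=4625 LogonType=3 Src=192.0.2.5 User=share
2022-02-09T09:00:00 EventID=4625 LogonType=10 Src=203.0.113.9 User=admin
2022-02-09T10:00:00 EventID=4625 LogonType=10 Src=203.0.113.9 User=admin
2022-02-09T11:00:00 EventID=4625 LogonType=10 Src=203.0.113.9 User=admin
2022-02-09T12:00:00 EventID=4625 LogonType=10 Src=203.0.113.9 User=admin
2022-02-09T13:00:00 EventID=4625 LogonType=10 Src=203.0.113.9 User=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Src=(?P<src>\S+) User=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "src": m["src"],
        "user": m["user"],
    }


def detect_rdp_anomalies(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag a source once it reaches `threshold` failed RDP logons inside
    `window`, and flag any RDP success from a source whose burst is still
    inside the window. Returns a list of alert tuples in log order."""
    failures = defaultdict(deque)  # src -> timestamps of recent RDP failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ltype"] != 10:
            continue  # skip malformed lines and non-RDP logon types
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if ev["event"] == 4625:
            recent.append(ev["ts"])
            if len(recent) == threshold:  # alert once, when the burst is first reached
                alerts.append(("rdp_failure_burst", ev["src"],
                               len(recent), ev["ts"].isoformat()))
        elif ev["event"] == 4624 and len(recent) >= threshold:
            alerts.append(("rdp_success_after_burst", ev["src"],
                           ev["user"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_anomalies(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data only 203.0.113.7 is reported: it reaches five failures within a few seconds and then logs in successfully, while the single failure from 198.51.100.20, the network (LogonType 3) failures from 192.0.2.5, and the hourly failures from 203.0.113.9 never form a burst inside the window. The second alert type is the more valuable one for responders, since it points to an account that should be reset and a session that should be reviewed rather than merely a noisy source.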
However, even with these actions, there is no way to fully prevent a cyberattack. As such, there are also steps that can be taken to minimize the actual harm caused by an attack. These enterprise-wide measures can enhance the likelihood that even if a company falls victim to an attack, the threat actors will do minimal damage and not access key data, and include:
- Segmenting networks so that access to a single network access point does not give a threat actor access to the entire infrastructure.
- Implementing end-to-end encryption so that any intercepted communications or accessed data will not be useful to a threat actor.
- Monitoring all external remote connections so that any unapproved access is immediately recognized and addressed.
- Implementing time-based access for privileged accounts, which allows users to request access to sensitive information on an as-needed basis and only for as long as is required to complete their task.
- Tailoring permissions and privileges, and the ability to alter such credentials, to reduce the ability of threat actors to give themselves permissions and move within company systems.
- Having working backups for all data so that operations can continue as quickly as possible after an attack and the leverage available to threat actors is reduced.
Companies must also be prepared to respond quickly to cyberattacks, including determining the extent of the damage, reporting the attack to competent authorities, and taking steps to mitigate risk and reduce the likelihood of further attacks. The Advisory also lists the following resources:
- The CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide provides a ransomware checklist response guide for companies of all sizes and industries.
- A list of authorities to report incidents, including: local FBI Field Offices, CISA, U.S. Secret Service Field Offices, ACSC, NCSC-UK, and the United Kingdom’s Fraud and Cyber Reporting Centre.
- Incident response “best practices” that have been developed by the cybersecurity authorities in Australia, Canada, New Zealand, the United Kingdom, and the United States, and consolidated in the Technical Approaches to Uncovering and Remediating Malicious Activity Cybersecurity Advisory.
Conclusion
Cyber criminals continue to evolve and change their tactics to evade the scrutiny of cybersecurity authorities. Companies of all sizes must establish and reinforce their cybersecurity programs and infrastructure to reduce the risk of a cyberattack and mitigate the harm should such an attack occur. The Baker Botts Privacy and Data Security team stands ready to assist companies in developing programs and preparing for incidents.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.