SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Prevention and preparedness revisited: Cyber-defence after Kaseya ransomware attack
Wed, 7th Jul 2021

Part of the job of cybersecurity leaders is to look at discrete events and connect the dots. Discern patterns, frame a bigger picture, and go beyond dire warnings — toward strategies for a brighter digital future. The Kaseya ransomware attack that unfolded over the weekend, however terrible, presents an emphatic dot-connecting opportunity.

The Kaseya attack hit thousands of victims — most, in Kaseya's own damage report, smaller organisations with thinner wallets. It made economic sense for the attackers because Kaseya served as an efficient distribution hub for their poison-pill software. Kaseya VSA, the company's widely used IT automation SaaS offering, became the unwitting delivery system — at the service of the black hats.

Shocking? Anything but. It's the same strategy evident in the SolarWinds attack in late 2020. There, too, infiltration of one SaaS vendor victimised a long list of targets.

The conclusions write themselves:

  • Hijacking SaaS providers makes launching mass attacks on small targets cost-effective.
     
  • Reliance on traditional attack prevention strategies has led, repeatedly, to costly and humiliating comeuppance. Malware regularly penetrates target perimeters undetected.
     
  • Most of us are not revisiting our cyber-preparedness posture with half the urgency now appropriate. The similarities between the SolarWinds, Colonial Pipeline, JBS, and Kaseya attacks are clear enough. They give us a learning curve to climb. By and large, we're not reacting.

Procrastination has its allure, and perhaps it's human nature. But better to invest in preparedness than post hoc crisis management. After the SolarWinds attack, Vectra surveyed 1,112 security professionals working in mid-to-large-sized organisations. A key finding mentioned in the report:

“[A] high level of confidence was revealed amongst security teams in the effectiveness of their own company's security measures: nearly 4 in 5 claim to have good or very good visibility into attacks that bypass perimeter defenses like firewalls.”

In truth, no application, network, or data center is invulnerable. If an organisation's decision-makers harbour a false sense of security about their ability to fend off hackers, they are likely not armed with the necessary tools to succeed.

The Kaseya attack is yet another reminder that complacency can exact a terrible price. With the risk of harm no longer limited to sprawling enterprises with deep pockets, the incident should trigger new security discussions in more IT departments. There should be fresh scrutiny of SaaS subscription relationships and the security policies of managed service providers; a business that relies on products like Kaseya VSA is only as secure as its provider. As companies become more reliant on data storage and SaaS solutions outsourced to the cloud, vulnerabilities may grow.

Last year we said it would take months to figure out the full scope of damage in the SolarWinds attack; now, we are saying precisely the same about the Kaseya ransomware attack. Nevertheless, we should be optimistic that we, as a digital society, will connect the dots and turn this tide.

For years we've understood the virtues of robust network monitoring and rapid detection of inevitable breaches. President Biden's May 2021 executive order makes attack detection — and better investigative and remediation capabilities — priorities for the federal government. Business leaders worldwide should respond to the Kaseya ransomware attack by hastening their own migration to a more effective cybersecurity strategy.

The Kaseya calamity can one day be remembered as a tipping point that led eventually to a better security posture. If that comes to pass, the cyber-attackers will have done us an unlikely, unintended service.