It may seem counterintuitive to have offensive cybersecurity specialists such as red teams working alongside incident response specialists during an incident, but it’s happening.
In this episode of the Claroty Nexus Podcast, Bishop Fox CEO and Cofounder Vinnie Liu explains that this scenario is playing out with increasing frequency. Organizations in healthcare and other critical industries, for example, bring in offensive specialists in an attempt to find and lock down other exposures to avoid reinfections or separate intrusions that could lead to further data loss or reputational damage.
“A trend we’ve seen in the last year or two anywhere from the Fortune 10 to the Fortune 500 is the need to restore trust with your customers and your partners,” Liu explained. “Yeah, you’ve had a fire in your apartment, but do you have someone checking the other apartments—the other applications, the other services you’re providing to demonstrate there’s no fire in these.”
Offensive, proactive security testing during active incidents, Liu said, gives organizations assurance that other exposures have been shut down, because attackers generally have a “backup plan” for getting back into systems. This is especially crucial for ransomware victims in critical industries, where data theft and extortion threats around leaking stolen data compound the loss of system access caused by the crypto-malware.
“Oftentimes, we get deployed alongside the ‘firefighters’ [incident response teams] in order to ensure secondary or tertiary attack vectors can’t be taken advantage of,” Liu said. “We’re deployed during an incident in that way. We’re also seeing that as part of the trust restoration and the trust maintenance process.”
The trust aspect of this scenario, Liu said, is gaining steam because suppliers and partners, in addition to customers, must be reassured that an incident has been eradicated.
“Companies that have had incidents must demonstrate that they have not only put out the fire, but that it’s safe to use going forward, and that it’s been tested,” he said. “That’s where we’ve been brought in a number of situations to provide that assurance as an independent third party. People don’t want that self-verification or assessment any longer.”
Ransomware incidents are the prime scenario where this is happening, Liu said, because the incidents are severe and there is a threat of ongoing attack.
“The nature of your relationship with an attacker has fundamentally changed,” Liu said, noting that previous generations of data theft extended mostly to selling it on the dark web. Ransomware actors targeting hospitals and other data-rich environments will now expect an ongoing dialogue with victims over ransom payments that includes tight, pressure-filled deadlines to force a victim’s hand into paying.
“The business model is changing as well. It’s not just ‘we’ve encrypted your systems, but we might sell your data, and that’s the fee for us not selling it,’” Liu said. “What you’re seeing is that there’s a whole ransomware supply chain. And everybody’s got to get paid. And if someone is not getting paid, that might result in secondary or tertiary attacks and payments.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.