<h1>Notes from Our CISO on the Kaseya Ransomware Attack</h1>
<p>JumpCloud blog post, published 2021-07-09 (last modified 2021-08-20). Source: https://jumpcloud.com/blog/notes-from-our-ciso-on-the-kaseya-ransomware-attack</p>
<p>Over the July 4th weekend, a supply-chain ransomware attack infected Kaseya VSA software, targeting managed service providers (MSPs) and spreading across their customers. This was an attack of opportunity: the cybercriminal group REvil took advantage of a U.S. federal holiday to mount a zero-day-driven supply-chain attack while companies had lower employee headcounts and reduced response readiness.</p>

<p>The attack was also opportunistic in that it targeted MSPs, which sit high up in the IT supply chain and can drive exponential spread across small and mid-sized businesses. The breach hit around 60 MSPs and spread to up to 1,500 companies, with REvil claiming that it infected over 1 million systems.</p>

<p>Supply-chain attacks are becoming a more common method for highly advanced criminal activity. They give criminals the opportunity to reach hundreds of customers through each infiltration point, producing widespread campaign behavior.</p>

<p>In 2019, the largest exploitation of a supply-chain risk occurred with the SolarWinds Orion platform compromise, affecting more than 30,000 public and private organizations around the world. Disguised as an update from SolarWinds, the Orion product deployed SolarWinds-signed malware to impersonate users and access files and processes on SolarWinds Orion machines.</p>

<p>In addition to the exponential spread of each attack, ransomware attacks compound on one another: every time a campaign collects a ransom, the cybercriminals responsible can fund additional criminal ventures. Perhaps as an example of this, the Kaseya attack closely followed a ransomware attack by the same group on a meat processing company last month, which paid the requested ransom.</p>

<p>The REvil attack has shaken buyer confidence — and rightfully so. As SaaS and cloud-based models become business standards, companies need to continually assess the security of the services and vendors they use.</p>

<p>At JumpCloud, we take this responsibility extremely seriously. While we were not affected by this attack, we take it as a solemn reminder of our responsibility to protect our customers. We believe security should never be assumed, and our security and development teams’ jobs are never done; rather, we’re constantly working to understand new and emerging threats, identify and rectify vulnerabilities, and plan deeper, wider, and more robust response strategies.</p>

<p>As part of our ongoing security practice, we maintain diligent security controls, collaborate with our partners and customers on their security postures, prioritize third-party risk assessments, and practice in-depth risk assessments and incident response planning, often in coordination with other vendors. To aid our ongoing efforts to minimize vulnerabilities and bugs in our platform, we also maintain a Vulnerability Disclosure Policy that allows others to report suspected vulnerabilities to us responsibly.</p>

<p>The REvil attack only emphasizes the importance of our ongoing efforts to strengthen our platform security and development cycles and to hone our risk assessment and response strategies. It also underlines our focus on ransomware response planning, tabletop exercises, and industry collaboration.</p>

<p>This attack reminds us to be constantly vigilant, and it should prompt companies to check in on their security environment and policies. The nature of the attack reiterated that the supply chain can be obscure and is often left unexamined; vendors and customers can’t afford to rely on a surface-level assessment of their supply chain.</p>

<p>For security to be thorough and reliable, it needs to include a view of every link in the IT supply chain and its security, and data needs to be protected at every point in the supply chain, including in transit from one point to another. This means companies should examine both their internal security practices and the practices of those with whom they work and to whom they entrust data. They should collaborate with third parties in their supply chain to ensure secure data transmission and to plan coordinated incident response strategies.</p>

<p>Security policies should be unique to each company and its vendor environment; however, the following areas are foundational to strong vendor and customer security:</p>

<p>The prospect of facing a security breach is just about every security team’s nightmare; however, in today’s threat environment, where a cyberattack is less a matter of <em>if</em> than <em>when</em>, it’s critical to be prepared.</p>

<p>Ideally, your security policies should block all attacks that come your way. But in the event of a breach, the first thing you will need is inside and outside counsel to help you understand how to move forward, from immediate mitigation steps to how to handle ransom requests. Make sure you know who these entities are for your organization — establish internal roles, responsibilities, and communication channels as part of your incident response plan, and consider partnering with a cybersecurity firm for external guidance.</p>

<p>Maintain close working relationships with customers and providers, and keep a constant eye on their permissions, activity, and security practices. If you ever suspect a breach or notice unusual activity, act quickly and communicate transparently with the parties involved.</p>

<h2>Notes on Supply-Chain Attacks</h2>
<h2>Impacts and Response</h2>
<h2>Attack Takeaways</h2>
<h2>Looking Forward</h2>
<h2>Resources</h2>