Hunters of lost data: From the everyday life of an Incident Response Team
January 20, 2023
Sophos
Vulnerabilities, Cybersecurity, Future, Data protection
Peter Mackenzie, director of incident response at Sophos, is something like the Indiana Jones of the cyber landscape: he and his team tirelessly scan computer systems looking for anomalies that indicate a cyber threat. In most cases, victims call in the experts because they have suffered a ransomware attack, for example, or are still in the middle of one. The crux: when such a ransomware incident paralyses computers, it is not the beginning of a cyber attack but its aggressive finale. "I often describe ransomware as a receipt that the criminals leave for last. Many of the victims we ask what happened say that the encryption started at one o'clock in the morning and they received alerts as a result. When we then examine the systems, we often find that the fraudsters have already been on the network for a fortnight and have made their preparations," says Peter Mackenzie.
Cybercrime has long been professionalised
Anyone who still imagines a lone person or a small group hammering away at the keyboard day and night, neatly storing the encrypted data and, true to the crooks' code of honour, handing it back once the extorted payment has arrived, in order to enjoy the good life on the Copacabana with the looted cash, has seen too many films from the 80s. In reality, cyber attacks have long been professionalised. There are specialised providers for every stage of an attack, ranging from "We'll get you into any network" (the profession of Initial Access Broker already exists for this), to "We'll buy stolen data", to "We'll do the blackmailing". Expert knowledge is not necessary, and even those who shy away from the dark web can serve their cybercrook apprenticeship via Google and how-to videos on YouTube. Too much enthusiasm can also backfire, as the recently described case of multiple attackers shows: competing ransomware groups that, by coincidence, attacked the same victim in a kind of shift change and sabotaged each other in the process.

Sloppiness in device maintenance becomes an Achilles' heel
According to Mackenzie, one question is immensely important to the fraudsters once they are inside the network: what do I have access to? To find out, they scan the network, not even looking for anything in particular, but more like a thief in an office corridor who tries every door handle until, eventually, one opens. The opportunities for clever fraudsters are immense these days. Even if security software detects and removes a suspicious event on a system, that does not mean the problem is solved. In most cases, sloppy handling of the updates, patches and set-up of each individual device is the small beginning of a big disaster.

Modern cyber defence only with up-to-date software and human expertise
The Incident Response Team not only stops the attack but also analyses what happened in the systems: what the cyber crooks did and for what purpose, and whether they have planted backdoors for a later return.
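As an added illustration of the door-handle rattling described above, and of the kind of trace an incident response team looks for when it reconstructs what the intruders did, the following Python script (not Sophos code; the log format, hosts, ports and thresholds are constructed for this example) flags an internal host that touches many distinct host:port pairs within a short window, most of them refused.

```python
# Added example, not Sophos code: flag internal hosts that "try every door handle",
# i.e. touch many distinct host:port pairs in a short window and mostly get refused.
# Log format is constructed for this example: "<ISO ts> <src> -> <dst>:<port> <ALLOW|DENY>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps SMB/RDP/SSH/WinRM ports, 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
2023-01-06T01:02:00 10.0.0.5 -> 10.0.0.10:445 DENY
2023-01-06T01:02:01 10.0.0.5 -> 10.0.0.11:445 DENY
2023-01-06T01:02:01 10.0.0.5 -> 10.0.0.12:445 ALLOW
2023-01-06T01:02:02 10.0.0.5 -> 10.0.0.13:3389 DENY
2023-01-06T01:02:02 10.0.0.5 -> 10.0.0.14:3389 DENY
2023-01-06T01:02:03 10.0.0.5 -> 10.0.0.15:22 DENY
2023-01-06T01:02:03 10.0.0.5 -> 10.0.0.16:5985 DENY
2023-01-06T01:02:04 10.0.0.5 -> 10.0.0.17:445 DENY
2023-01-06T01:10:00 10.0.0.9 -> 10.0.0.20:443 ALLOW
2023-01-06T01:11:00 10.0.0.9 -> 10.0.0.20:443 ALLOW
2023-01-06T01:12:00 10.0.0.9 -> 10.0.0.21:443 ALLOW
"""

def parse_line(line):
    """Split one log line into (timestamp, src, (dst_ip, dst_port), verdict)."""
    ts, src, _, dst, verdict = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, (ip, int(port)), verdict

def find_fanout(log_text, window=timedelta(seconds=60), min_targets=5, min_denies=3):
    """Return {src: (distinct_targets, denies, first_seen)} for each source that reaches
    >= min_targets distinct host:port pairs inside one sliding window with >= min_denies
    refusals there; the refusals are the doors that stayed shut."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, target, verdict = parse_line(line)
            per_src[src].append((ts, target, verdict))
    hits = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than the window
                start += 1
            win = evs[start:end + 1]
            targets = {t for _, t, _ in win}
            denies = sum(1 for _, _, v in win if v == "DENY")
            if len(targets) >= min_targets and denies >= min_denies:
                hits[src] = (len(targets), denies, win[0][0])
                break  # one alert per source is enough
    return hits
```

Running find_fanout(SAMPLE_LOG) reports 10.0.0.5 with five distinct targets and four refusals within the first seconds of the sweep; the thresholds are assumptions and need tuning against a network's normal traffic.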
Peter Mackenzie, after all his experience of dealing with cyber threats day in, day out in businesses large and small, advises prevention. The following questions help to identify a company's weak points and to put precautions (tools, experts, services, etc.) in place for them, preferably immediately, so that it can react quickly in an emergency.

- What happens if we have a ransomware attack?
- What happens if our backups are deleted?
- What happens if someone tells us we have an attacker in our network?

Security is a comprehensive and time-consuming process that requires continuous maintenance and correction. Software that detects anomalies at the outset, and MDR (Managed Detection and Response) experts who identify and stop attacks around the clock and limit the damage to systems, are essential foundations of modern prevention and defence against cyber attacks.