Cybersecurity Saturday

From the cybersecurity policy front —

The Wall Street Journal reports

The Biden administration said it would pursue laws to establish liability for software companies that sell technology that lacks cybersecurity protections, concluding that market forces alone aren’t sufficient to guard consumers and the nation.

Free markets and a reliance on voluntary security frameworks have imposed “inadequate costs” on companies that offer insecure products or services, according to a national cybersecurity strategy released Thursday. It says the administration would work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail. * * *

In addition to making a forceful call for expanded liability, the plan reiterates several top priorities that have frequently been listed by various senior cybersecurity officials in recent years, such as urging more collaboration and threat-intelligence sharing with the private sector, forging international partnerships to develop cyber norms, and modernizing federal technology. While much of it is consistent with the goals of past administrations, the focus on liability and mandates on critical infrastructure largely depart from President Biden’s predecessors.

The strategy also emphasizes the need for persistent use of offensive cyber capabilities, such as those housed at the U.S. Cyber Command, to disrupt and dismantle cyber threats to the U.S. The strategy’s language effectively endorses steps taken during the Trump administration to allow the military to be more active with offensive cyber weapons. Mr. Biden’s strategy replaces one issued by former President Donald Trump in 2018.

Security experts and former officials said establishing liability for software manufacturers was the most significant—if hardest to achieve—element of the strategy.

Security Week offers insider observations on the new strategy.

Here are links to the White House’s fact sheet and an informative report from Health IT Security.

The document is divided into five pillars, representing key focus areas: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

Each pillar has significant implications for critical infrastructure entities, including those in the healthcare sector. Namely, the National Cybersecurity Strategy highlights the need to further prioritize Internet of Things (IoT) device security and to transfer some cyber responsibilities away from software users and onto vendors.

“We must make fundamental changes to the underlying dynamics of the digital ecosystem, shifting the advantage to its defenders and perpetually frustrating the forces that would threaten it,” the document states.

“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”

Cybersecurity Dive discusses the path to implementing this strategy.

From the cyber breaches front, Security Week points out four recent healthcare sector data breaches.

From the cyber vulnerabilities front —

Cybersecurity Dive informs us

  • Nearly one-third of companies lost money following a phishing attack in 2022, Proofpoint research found.
  • The 76% year-over-year increase in phishing attacks resulting in a wire transfer or invoice fraud reflects threat actors’ resolve to narrow their scope and steal money more quickly, according to Proofpoint’s annual State of the Phish report released Tuesday.
  • “We saw a significant jump in the direct financial loss,” said Sara Pan, team manager of product marketing at Proofpoint. “What that really implies is that we’re seeing attackers being more impatient and really wanting to claim their trophy right after a successful phishing attack.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added one more known exploited vulnerability to its catalog.

From the ransomware front —

  • Bank Info Security reports on an FBI report on ransomware attacks against critical infrastructure in 2022.
  • Bank Info Security adds,
    • Based on known ransomware attacks, security researchers say the volume of such attacks seems to have remained constant in recent years. Ransomware incident response firm Coveware and cryptocurrency intelligence firm Chainalysis last month reported that blockchain analysis revealed a notable decline of 40% in the dollar volume of ransom being paid to criminals.
    • Coveware ascribed the decline directly to the FBI, which has “subtly but effectively shifted strategy from pursuing just arrests to putting a focus on helping victims, and imposing costs to the economic levers that make cybercrime so profitable.” Making a particular impact, Coveware says, is FBI agents quickly landing on-site to assist, including by helping senior executives and boards of directors understand their options.
  • The FBI and CISA issued an alert on Royal Ransomware.
    • Today [March 2, 2023], the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as January 2023.
    • Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.
    • CISA encourages network defenders to review the CSA and to apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response.
  • The Bleeping Computer’s Week in Ransomware is back!

From the cyber defense front —

CISA announced

Today [February 28, 2023], CISA released a Cybersecurity Advisory, CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks. This advisory describes a red team assessment of a large critical infrastructure organization with a mature cyber posture. CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders proactive steps to reduce the threat of similar activity from malicious cyber actors.

As detailed in the advisory, the CISA red team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems. This cybersecurity advisory highlights the importance of early detection and continual monitoring of cyber assets.

CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to ensure security processes and procedures are up to date, effective, and enable timely detection and early mitigation of malicious activity.

Cybersecurity Dive observes

  • The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure providers to harden their defenses and enable phishing-resistant multifactor authentication, after conducting a red team assessment of a large organization over a three-month period in 2022.
  • During the voluntary assessment, a CISA red team was able to gain access to workstations at separate geographic locations using spearphishing emails. The red team leveraged that access to move laterally around the network, gaining root access to multiple workstations adjacent to specialized servers.
  • The organization largely failed to detect multiple actions by the red team, including lateral movement, persistence and command and control activity. However, the use of strong service account passwords and MFA prevented the red team from accessing a sensitive business system.

The American Hospital Association adds,

“This highly detailed and technical report is an excellent guide to help implement specific cybersecurity tools that will help detect a cyberattack in the early stages and significantly reduce its spread and impact,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The ‘red team’ or penetration test used a common combination of voice and email social engineering techniques to gain trust of the end users and compromise their credentials, which reaffirms government and AHA cybersecurity guidance that relatively low-cost basics such as establishing phishing-resistant multi-factor authentication are essential to reduce cyber risk. I would strongly encourage hospitals and health systems to explore the possibility of leveraging CISA’s authority and capacity to provide free technical assistance, including red team penetration testing.” 

Also, an ISACA expert explains why “LastPass Hack Highlights Importance of Applicable Acceptable Use Policies.”