Obliteration of Operations
Cisco’s 2017 Midyear Cybersecurity Report defines and forecasts Destruction of Service (DeOS). This new breed of attack locks enterprise systems, destroys data including backups, and eliminates the safety net that organizations rely on to restore their systems and data after malware infestations, ransomware campaigns, and any other severely disruptive cyber-incident. These attacks appeared last year with Petya, which was more about destruction than ransomware.
“Botnet activity in the IoT space suggests some operators may focus on laying the foundation for a wide-reaching, high-impact attack that could potentially disrupt the internet itself,” says the Cisco report.
With an understanding of how these attacks operate, the enterprise can reinforce its defensive measures and better mitigate DeOS and its devastation.
Detailing DeOS’s inner workings
DeOS attacks infect systems via phishing emails and software vulnerabilities. The “self-propagating, network-based ransomware worms” destroy data by making it impossible to recover. DeOS can do this, for example, by encrypting the information on a machine and then replacing the master boot record (MBR), which is necessary to boot into the operating system, with a custom bootloader.
After that, if the DeOS attack can reach backups from any of the infected systems, it destroys those as well, completing the annihilation of the data. DeOS attacks propagate by abusing administrative privileges and using further exploits to reach those backups.
Preventive measures must address each stage of the DeOS attack. The increasing likelihood of this kind of attack heightens the criticality of using adequate education, training, prevention, and remediation techniques against phishing.
Education and training must continually expose employees to the latest examples and earmarks of phishing. Companies must phish their employees to determine who fails against what kinds of phishing. You must reinforce appropriate behavior, so employees don’t click on fictitious email links and attachments but rather ignore or report the bogus messages.
Reinforcements can include rewards such as gift cards or cash for those who report phishing attacks and penalties such as written reprimands together with further retraining for those who don’t improve over time.
Both employees and security technologies need to improve their capacity to identify phishing emails. Successful phishing emails communicate failure, use an authoritative tone, express a shared interest, and send notifications, says new research from Carnegie Mellon University (CMU). Fake emails reporting failed password attempts were among the most successful phishing ploys, according to the CMU research. Vendors need to factor in these qualities of successful phishing when upgrading both training and security products.
Enterprises need to weigh the risks of patching against the dangers of the vulnerabilities that permit DeOS attacks. Patching has its own risks, such as vulnerabilities inside the updates themselves and upsetting the delicate balance of software dependencies. Organizations that are more concerned about DeOS and its severity should monitor threat intelligence about specific vulnerabilities and accelerate the patching process as much as possible.
Organizations should use real-time monitoring to identify suspicious behavior such as the rapid encryption of a vast number of files at once, which is typical of these attacks, and then drop the connection, block the activity, and revert the files.
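As an added illustration of the monitoring rule above (example code written for this page, not from Cisco’s report or any product), here is a sliding-window detector over constructed file-write events: it flags a process that rewrites many distinct files with high-entropy, ciphertext-like content within a few seconds, while ignoring a slow high-entropy writer such as a backup agent producing archives. Process names, paths, thresholds and the event format are assumptions.

```python
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a write sample; ciphertext is near 8, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_s=10, min_files=20, min_entropy=7.0):
    """Flag processes that rewrite >= min_files distinct files with high-entropy
    content inside any sliding window of window_s seconds.
    events: iterable of (epoch_seconds, process, path, first_bytes_written).
    Returns {process: (window_start, distinct_files)} for each first trigger."""
    per_proc = defaultdict(deque)  # process -> deque of (ts, path) still in window
    alerts = {}
    for ts, proc, path, sample in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(sample) < min_entropy:
            continue  # ordinary document saves are low entropy and not counted
        q = per_proc[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window_s:  # evict events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and proc not in alerts:
            alerts[proc] = (q[0][0], len(distinct))
    return alerts


# Constructed sample telemetry (not real data). bytes(range(256)) has entropy
# exactly 8.0 and stands in for ciphertext; the repeated string is plain text.
HIGH = bytes(range(256))
LOW = b"quarterly report draft v2 " * 8
SAMPLE_EVENTS = (
    [(100 + i * 30, "winword.exe", f"C:/docs/report{i}.docx", LOW) for i in range(5)]
    + [(200 + i * 0.2, "svc_update.exe", f"C:/share/file{i}.xlsx", HIGH) for i in range(25)]
    + [(300 + i * 30, "backup_agent.exe", f"D:/backup/vol{i}.zip", HIGH) for i in range(25)]
)

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))  # only svc_update.exe is flagged
```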
Organizations should remove administrative privileges from machines wherever possible and ensure that no attacker can reach any backups during a DeOS attack.
Every layer counts
Layered defenses mitigate DeOS and other attacks by forcing criminal hackers to get through every safeguard to be successful.
David D. Geer (https://www.linkedin.com/in/daviddgeer/) writes about cybersecurity and technology for national and international publications. David’s work appears in various trade magazines from IDG in the U.S. and around the world in several languages. Scientific American, The Economist Technology Quarterly, and many magazines and companies have used David’s content. David’s Google Scholar page is at https://scholar.google.com/citations?user=ZkKA3fsAAAAJ&hl=en.
To learn more about how to install a layered defense approach, read "Defense-in-depth and the Distributed Gateway Platform".