Weekly Video: September 12, 2022

9–12–2022 (Monday)

Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Monday, September 12th, and we’ve got a spate of headlines - yet again - involving ransomware.

This week we’re going to walk through three examples to try to better understand this threat - its potential for impact - and the mitigation techniques against it.

And we’re going to do it in 5 minutes or less.

  1. LA Unified School District

  2. International Hotels Group

  3. Intermittent Encryption

LA Unified School District

As schools start back up again in the United States, we’ve seen threat actors focus on these vulnerable organizations as a way to increase their leverage and improve their odds of actually getting paid on their ransom demands.

In fact, the threat is so significant, that the FBI and CISA have released a joint advisory warning that threat actors are specifically targeting them.

Hit last week was the LA Unified School District, the single largest school district in the US with more than 640,000 students, 1,300 schools, and an annual budget of approximately $14B.

In the communications that the district has released, they indicate that they were able to detect some of the malicious activity and contain the impact of the event to a certain degree - and crucially did not have to close school because of this incident.

Other districts, as well as colleges and universities, have suffered incidents to the extent that schools needed to be closed, so in that sense this is a win for LAUSD.

But it’s also been tremendously disruptive, and it has stolen the focus from returning to school and building the habits and pedagogical infrastructure needed for successful learning and engagement by students.

The district has reset all of its student and employee passwords as a result of this attack - approaching one million accounts - and needed special hotlines and websites to help facilitate that process.

This highlights one of the biggest challenges of ransomware - not the amount of money demanded in payment, but the amount of disruption that these events cause to the business and its ability to operate.

International Hotels Group

We witnessed another operational impact - this time perhaps more critical - last week as the International Hotels Group (IHG) - parent of Holiday Inn, Crowne Plaza, Kimpton, and others - was hit with an attack that brought their systems down to the point where customers could not make reservations.

Through a very vague statement about “unauthorized access to technology systems” published via the London Stock Exchange, where the company is traded, we learned that something is happening and they’re working on it. That’s really about it.

Meanwhile, IHG is getting lit up on Twitter and other platforms by frustrated customers and potential customers, and the social media team is left to deal with the fallout.

These two incidents highlight the two different approaches to responding to these incidents - and, at least to me, it’s clear that more communication is better. The vague, “minimum necessary notification” approach of IHG is not helping to restore trust or generate compassion during this difficult time.

Intermittent Encryption

Attackers, meanwhile, are continuing to evolve their own capabilities to be more effective, introducing “intermittent encryption.”

With this method - because their goal is now no longer data exfiltration, but simply operational disruption - they’ve realized that they don’t need to encrypt the entire data set to be effective. They can encrypt only part of every file, which still renders it unusable but cuts the encryption time roughly in half.

They are literally developing toolkits that let them choose the interval at which to encrypt files, essentially offering a throttle to control the velocity of the attack.

They are also adopting leading-edge programming languages, such as Go, to further increase their deployment speed and reduce their likelihood of detection by traditional defensive tools.

To give you a sense of this - the leading malware strains can encrypt approximately 25,000 files per minute, or take about 5 minutes to encrypt an entire 50 gigabyte workstation or server.

This number is going to continue to drop, so defenders are going to need to put an increased emphasis on their preventative controls, their detection capabilities, their response protocols, and their system and network segmentation to limit the impact when these incidents do occur.
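One detection check a defender can run against this pattern, as an added example that is not from the video or from any product it mentions: a sliding-window entropy scan flags files whose windows alternate between random-looking and ordinary data, the stripe pattern that partial encryption leaves behind. The window size, thresholds and sample files below are assumptions constructed here; the random bytes only stand in for ciphertext, no encryption is performed.

```python
import math
import random
from collections import Counter

WINDOW = 4096   # assumed scan window in bytes (not from the article)
HIGH = 7.5      # bits/byte at or above which a window looks encrypted or random
LOW = 6.0       # bits/byte at or below which a window looks like ordinary data

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(blob: bytes, window: int = WINDOW) -> str:
    """Label a file plaintext, fully-random, intermittent or mixed from its entropy profile."""
    profile = [entropy(blob[i:i + window]) for i in range(0, len(blob), window)]
    labels = ["H" if e >= HIGH else "L" if e <= LOW else "M" for e in profile]
    if all(lab == "H" for lab in labels):
        return "fully-random"   # whole-file encryption, or a legitimately compressed/packed file
    if "H" not in labels:
        return "plaintext"
    # Count H<->L boundaries; alternating stripes are the signature of intermittent encryption.
    flips = sum(1 for a, b in zip(labels, labels[1:]) if {a, b} == {"H", "L"})
    return "intermittent" if flips >= 2 else "mixed"  # "mixed": one boundary, e.g. header-only

# --- constructed samples (not real files) ---
_LINE = b"Quarterly revenue report: region north, units sold 1200, returns 14.\n"
_rng = random.Random(2022)

def sample_plaintext(size: int = 16 * WINDOW) -> bytes:
    return (_LINE * (size // len(_LINE) + 1))[:size]

def sample_random(size: int = 16 * WINDOW) -> bytes:
    return _rng.randbytes(size)   # stands in for ciphertext; nothing is actually encrypted

def sample_intermittent(windows: int = 16) -> bytes:
    """Alternate random and plaintext windows, mimicking a partially encrypted file."""
    plain = sample_plaintext(windows * WINDOW)
    return b"".join(_rng.randbytes(WINDOW) if i % 2 == 0 else plain[i * WINDOW:(i + 1) * WINDOW]
                    for i in range(windows))

if __name__ == "__main__":
    for name, blob in [("plaintext", sample_plaintext()), ("random", sample_random()),
                       ("intermittent", sample_intermittent())]:
        print(f"{name:13s} -> {classify(blob)}")
```

Run over canary files or a sample of recently modified documents, the "intermittent" and "mixed" labels are the ones worth alerting on; "fully-random" alone is noisy because archives and images already look that way.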

If we look to the lessons from the week, we also need to focus on operational resilience and communications - both internal and external - that can help our business manage through these events.

Understanding which systems and functions truly are “business critical” - and then investing in supporting those - will be worth it when the chips are down and the attack is on - something that doesn’t appear to be slowing down any time soon.

I would also add that these types of impacts, particularly on public sector entities, increase the likelihood of both prescriptive regulation in terms of minimum security controls and law enforcement and intelligence operations against these threat actors - but the bottom line is that the preparation and the pain still sits with each individual business.

If you haven’t done so recently - please encourage your portfolio companies to review their Incident Response Plans, conduct their tests (tabletop or a full walkthrough) and put their communications protocols in place.

Fundraising

Fundraising is back in a big way this week, booking $18.6B in newly committed capital, led by Baring Private Equity Asia’s new $11B flagship fund - its largest to date.

Best of luck to all the funds with new capital to deploy.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.

LINKS:

https://achieve.lausd.net/site/default.aspx?PageType=3&DomainID=4&ModuleInstanceID=4466&ViewID=6446EE88-D30C-497E-9316-3F8874B3E108&RenderLoc=0&FlexDataID=122768&PageID=1

https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

https://www.washingtonpost.com/politics/2022/09/07/back-school-is-also-back-cyberattacks-some-districts/

https://techcrunch.com/2022/09/07/ihg-hotels-outage-cyberattack/

https://www.londonstockexchange.com/news-article/IHG/unauthorised-access-to-technology-systems/15617013

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/
