Thursday morning (22 March, 2018), the City of Atlanta’s computer systems fell victim to what’s being called a ‘cyber attack’. According to the information we’ve seen so far, it is a ransomware attack: the attackers demand payment in exchange for the decryption keys that unlock the affected data. News articles report that local, state and federal officials are investigating, but a number of systems are still offline, including both internal and customer-facing systems. Officials have stated that, in response to the attack, the City of Atlanta plans to install updates, invest in upgrades and hire a third-party ethical hacking / security company to assess the environment and identify (and resolve) any other vulnerabilities. While this is certainly unfortunate for the City of Atlanta, it is an excellent opportunity to touch on a few topics:
- A ransomware attack is similar to any other ransom demand; the criminals have something of value and demand compensation before they will return it.
- Do not pay the ransom. Doing so will encourage the attackers and will likely make you a target for further attacks. Instead, leverage your disaster recovery plan to clean up the mess and move forward. Once you’ve restored full functionality and updated your incident response plan, make sure to roll this experience into your ongoing security awareness training to prevent it from happening again.
- Do you have a disaster recovery plan? Backups. Fault tolerance. Alternate sites. Do you have a plan for dealing with an attack (cyber or otherwise)? If not, use the attack on the City of Atlanta as an example to work from: could you recover your data without paying the ransom? How quickly could you restore the workstations to working order? The servers? Could you determine what, if any, sensitive data was stolen? Do you have logs and other auditing processes in place that could be used to determine attribution? If the answer to any of these questions is no, now would be a good time to start working on them. I suspect that, on Wednesday, the City of Atlanta had no idea that it was about to be (or had already been) compromised.
- Have you tested your disaster recovery plan? Do you know that it works? Do you know how it works? Do you know how long it will take to implement?
- I haven’t seen anything specific on this yet but would wager that the attack vector used was social engineering: phishing, vishing, compromised websites, etc. There was clearly a technical attack (installing the ransomware) but I would be very surprised if we learn that this wasn’t the result of someone opening an email, clicking a link or opening a file that they received via an ‘official looking’ email.
- Does your organization provide security awareness training to your employees, team members, etc.? Do your employees have ‘gray areas’ that an attacker can leverage? Are orders delivered via email and processed before being checked? Can employees clearly identify tech support before following instructions given over the phone, and do they have a chain of command that would support them in questioning orders?
- Does your organization employ tools and technologies (antivirus, IDS / IPS, egress filtering, data loss protection [DLP], etc.) to detect potential security problems that may be the result of a successful social engineering attack? Antivirus will ideally stop the virus from running. IDS / IPS will ideally generate an alert or actively stop an attack. Egress filtering will ideally prevent an attacker’s virus from ‘phoning home’ for further instruction. DLP will watch for signatures of sensitive data and generate an alert if there’s an unauthorized attempt to access or steal it.
- Do you regularly engage an independent third party to test the effectiveness of your security awareness training, administrative controls and technical controls with offensive security engagements? Do you review those results and roll them into ongoing security awareness training and fine-tuning of the administrative and technical controls?
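To make the egress-filtering and DLP points above concrete, here is an added example (not code from the original post or from Piratica) that runs two of those checks over a few constructed firewall/proxy log lines: it flags outbound connections to destinations that are not on an egress allowlist (the ‘phoning home’ case) and flags payloads that carry sensitive-data signatures (a US SSN layout, or a card-number-length digit run that passes the Luhn check). The internal network range, the allowlisted patch server, the hostnames and every log line are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall/proxy log, one connection per line:
# timestamp, source host, destination IP, destination port, bytes sent, payload snippet.
# All hosts, addresses and payloads are fictional and exist only for this example.
SAMPLE_LOG = """\
2018-03-22T08:01:12 ws-finance-07 10.0.5.20 443 1820 payroll export ok
2018-03-22T08:02:44 ws-finance-07 203.0.113.77 8443 512 GET /gate.php id=ws-finance-07
2018-03-22T08:03:10 ws-hr-03 10.0.5.20 445 90210 SSN 123-45-6789 ACCT 4111111111111111
2018-03-22T08:04:01 ws-hr-03 198.51.100.9 443 4096000 SSN 987-65-4321 SSN 111-22-3333
"""

# Assumptions for the example: the internal network is 10.0.0.0/8 and the only
# external destination workstations may reach directly is a hypothetical patch server.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_EXTERNAL = {ipaddress.ip_address("192.0.2.10")}

# DLP signatures: US SSN layout, and 13-16 digit runs that also pass the Luhn
# check (the check cuts false positives on arbitrary numbers such as byte counts).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")


@dataclass
class Alert:
    kind: str        # "EGRESS_DENIED" or "DLP_SENSITIVE_DATA"
    severity: str    # "medium" or "high"
    host: str
    detail: str


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(payload: str) -> list[str]:
    """Return the DLP signature hits (SSNs and Luhn-valid card numbers) in a payload."""
    hits = [f"ssn:{m}" for m in SSN_RE.findall(payload)]
    hits += [f"card:{m}" for m in CARD_RE.findall(payload) if luhn_ok(m)]
    return hits


def egress_denied(dst_s: str) -> bool:
    """Egress policy: internal traffic is fine; external traffic only to the allowlist."""
    dst = ipaddress.ip_address(dst_s)
    return dst not in INTERNAL_NET and dst not in ALLOWED_EXTERNAL


def analyze(log_text: str) -> list[Alert]:
    """Run both checks over every log line and return the alerts an analyst would see."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, dst_s, _port, _nbytes, payload = line.split(maxsplit=5)
        external = ipaddress.ip_address(dst_s) not in INTERNAL_NET
        if egress_denied(dst_s):
            alerts.append(Alert("EGRESS_DENIED", "high", host,
                                f"outbound to non-allowlisted {dst_s}"))
        hits = find_sensitive(payload)
        if hits:
            # Sensitive data leaving the network is worse than it moving internally.
            alerts.append(Alert("DLP_SENSITIVE_DATA", "high" if external else "medium",
                                host, ", ".join(hits)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.kind:18} {a.host:14} {a.detail}")
```

On the sample log this produces four alerts: the finance workstation reaching an unknown external host on port 8443, HR data containing an SSN and a card number moving to an internal server (medium), and the HR workstation both contacting a non-allowlisted address and sending SSNs to it (both high). Real deployments match far richer signature sets and correlate with the IDS / IPS and antivirus telemetry mentioned above, but the allowlist-plus-signature structure is the same.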
This has, no doubt, been difficult for the City of Atlanta government offices and for the people of Atlanta (who need to pay bills and fines, check on information, etc.). There are also reports that sensitive information about employees and citizens *may* have been compromised, and the mayor is recommending that anyone who has done business with the City of Atlanta be vigilant in monitoring their credit for potential fraud or identity theft. If history is any indication, it will likely be career-ending for some low-level employee who ends up being the scapegoat for what I suspect was a lack of vision or support from management and leadership.
The role of offensive security / ethical hacking is to help organizations to identify potential vulnerabilities and then help them define solutions to either remove or mitigate those vulnerabilities. The attack on the City of Atlanta is a stark reminder that the threat is real and the risk can be extensive. This attack also underscores the need for organizations to engage offensive security organizations to help identify and resolve vulnerabilities pre-emptively.
Piratica works extensively with client organizations to identify vulnerabilities and quantify the risk those vulnerabilities pose if a threat were able to exploit them. In the case of the City of Atlanta attack, the vulnerability enabled an attacker to move laterally through the City of Atlanta network and encrypt files. The risk was the loss of use of those files and of the data, information and services they provided; the cost, though it will be some time before an actual dollar figure is associated with it, will be extensive. If your organization would like additional information or to discuss securing your infrastructure, please contact us.
- Fox 5 Atlanta – http://www.fox5atlanta.com/news/city-of-atlanta-experiencing-a-cyber-attack
- Ars Technica – https://arstechnica.com/information-technology/2018/03/atlanta-city-government-systems-down-due-to-ransomware-attack/
- The Hill – http://thehill.com/policy/cybersecurity/379846-fbi-investigating-cyberattack-on-atlanta-that-involves-ransom-note