On 22 March 2018, the public learned of a ransomware attack in the City of Atlanta information systems. The City of Atlanta held a press conference soon after the news broke and multiple news outlets covered the incident. In this article, I don’t want to re-hash the information already presented but rather highlight a few details that may have been overlooked and some lessons learned that can be taken from it.
Information / Cyber Security is tasked with protecting the confidentiality, integrity and availability of data and information. A ransomware attack, like the one launched against the City of Atlanta, attacks the availability of information, rendering it unusable until disaster recovery restores it or the ransom demands are met. According to the FBI, more than 2,600 similar attacks were reported in 2016 and more than 3,000 in 2017.
- Takeaway – Ransomware is a profitable business for criminals, so all indications are that things will get worse (higher ransoms, more advanced attack tools, etc.) before they get better. Taking this into consideration when developing and implementing your organization's security strategy is a critical component of its success. That strategy needs a comprehensive disaster recovery plan that includes a backup process with off-site / off-line storage of known good backups; a process for testing and verifying those backups; and an understanding of how much data or information the organization can afford to lose before the damage exceeds the organization's acceptable risk.
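The "testing and verifying" step above is the one most often skipped. As an added example (not from the original article or from the City of Atlanta), here is a small Python verifier for a backup set: it streams every file through SHA-256 and compares against a manifest written at backup time, reports files that are missing, altered or unlisted, and checks the backup's age against a recovery point objective. The directory layout, manifest format, 24-hour RPO and sample file contents are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Maximum tolerable data loss (recovery point objective). Hypothetical value
# chosen for the example; each organization sets its own.
RPO = timedelta(hours=24)


def sha256_file(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup_set(backup_dir, manifest, now):
    """Compare a backup directory against its manifest.

    `manifest` is {"created": ISO-8601 UTC timestamp, "files": {relative_path: sha256}}.
    Returns age in hours plus a list of findings; an empty list means the set is usable.
    """
    errors = []
    created = datetime.fromisoformat(manifest["created"])
    age = now - created
    if age > RPO:
        errors.append(f"backup is {age} old, exceeds RPO of {RPO}")

    for rel_path, expected in manifest["files"].items():
        path = os.path.join(backup_dir, rel_path)
        if not os.path.exists(path):
            errors.append(f"missing: {rel_path}")
            continue
        if sha256_file(path) != expected:
            errors.append(f"hash mismatch: {rel_path}")

    # Files on disk that the manifest does not list suggest tampering or a
    # stale manifest; report them rather than silently trusting the set.
    listed = set(manifest["files"])
    on_disk = set()
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            if name == "manifest.json":
                continue
            on_disk.add(os.path.relpath(os.path.join(root, name), backup_dir))
    for extra in sorted(on_disk - listed):
        errors.append(f"unlisted file: {extra}")
    return {"age_hours": round(age.total_seconds() / 3600, 1), "errors": errors}


def build_sample_backup(root, created, corrupt=False):
    """Write a constructed backup set and its manifest for the demo."""
    files = {"db/water_billing.sql": b"-- constructed sample dump\n",
             "docs/records.csv": b"id,value\n1,ok\n"}
    manifest = {"created": created.isoformat(), "files": {}}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest["files"][rel] = hashlib.sha256(data).hexdigest()
    if corrupt:
        # Simulate a backup copy that was overwritten after the manifest was made.
        with open(os.path.join(root, "docs/records.csv"), "wb") as f:
            f.write(b"CONSTRUCTED OVERWRITTEN CONTENT")
    with open(os.path.join(root, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def run_demo(corrupt=False, age_hours=2):
    """Build a sample set in a temp dir and verify it; returns the findings dict."""
    now = datetime(2018, 3, 22, 12, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        manifest = build_sample_backup(d, now - timedelta(hours=age_hours), corrupt)
        return verify_backup_set(d, manifest, now)


if __name__ == "__main__":
    print(run_demo())                               # clean, recent set: no errors
    print(run_demo(corrupt=True, age_hours=30))     # stale and altered set
```

Run on a schedule against the off-line copy, not the live backup target: a verifier that only ever reads the copy an attacker can reach tells you nothing about what you will actually restore from.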
The ransomware used appears to have been a variant of SamSam. Unlike social engineering tools used in many recent ransomware attacks and highlighted in the Verizon Data Breach Incident Report for the last several years, SamSam attacks known vulnerabilities or weak / default passwords in devices to gain access. These devices [with known vulnerabilities or weak / default credentials] would have to be exposed to the Internet for the attackers to access them and would have been unprotected and unmonitored (to some extent) in order for the attacks to succeed.
- Takeaway – We’ve talked [at length] previously about the explosive growth of social engineering attacks as a way to circumvent the ‘shiny boxes with blinky lights’ and noted that, for the most part, organizations are doing a much better job of securing what’s left of their perimeter with technical controls. That said, a quick look at sites like Shodan.io and Censys.io and reports of incidents like the City of Atlanta breach are clear indications that there’s still work to be done. Verifying what attack surfaces your organization has exposed with regular vulnerability assessments and then eliminating or mitigating the vulnerabilities found is [or should be] a critical part of a successful information security strategy.
The ransomware affected at least five [of thirteen?] departments. I’ve not seen any specifics on the initial point of attack / entry but, based on multiple reports, the attacker was able to move freely from a host that was exposed to the Internet to internal devices on networks impacting residents’ water bills, police reports and court proceedings.
- Takeaway – Separating network segments either logically or physically (or both) and monitoring anywhere that traffic is able to move between segments can offer early insight into a potential attack. At the very least, segmenting networks by department and moving any / all devices that are exposed to the Internet to a DMZ (and then monitoring anomalous traffic between those segments) would make it more difficult for an attacker to move laterally and would give another opportunity to alert on strange or unexpected traffic.
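To make the monitoring half of that takeaway concrete, here is an added Python example (not from the original article) that runs over constructed flow records from a boundary between segments. It maps each address to a segment, flags any cross-segment flow the design does not permit (in particular anything a DMZ host initiates toward an internal network), and separately flags one source touching several distinct hosts in another segment, the sweep pattern that lateral movement tends to produce. The segment plan, addresses, allowed pairs, fan-out threshold and log format are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical segment plan: one network per department plus a DMZ for anything
# Internet-facing. Addresses are constructed for the example.
SEGMENTS = {
    "dmz":    ipaddress.ip_network("10.0.0.0/24"),
    "water":  ipaddress.ip_network("10.1.0.0/24"),
    "police": ipaddress.ip_network("10.2.0.0/24"),
    "courts": ipaddress.ip_network("10.3.0.0/24"),
}

# Segment pairs (source, destination) the design permits. Internal segments may
# reach the DMZ and the Internet may reach the DMZ; the DMZ never initiates
# inward and departments do not talk to each other directly.
ALLOWED = {
    ("water", "dmz"), ("police", "dmz"), ("courts", "dmz"),
    ("external", "dmz"),
}

# One source reaching this many distinct hosts in another segment within the
# log window is reported as a sweep. Threshold is an assumption for the demo.
FANOUT_THRESHOLD = 3


def segment_of(ip):
    """Name the segment an address belongs to, or 'external' if none match."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one constructed flow record: '<time> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def analyze_flows(lines):
    """Return alert strings for policy violations and cross-segment sweeps."""
    alerts = []
    fanout = defaultdict(set)   # (src host, destination segment) -> distinct dst hosts
    for line in lines:
        flow = parse_flow(line)
        s_seg, d_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if s_seg == d_seg:
            continue            # intra-segment traffic is out of scope for a boundary monitor
        if (s_seg, d_seg) not in ALLOWED:
            alerts.append(f"{flow['ts']} policy: {s_seg}->{d_seg} "
                          f"{flow['src']}->{flow['dst']}:{flow['dport']}")
        fanout[(flow["src"], d_seg)].add(flow["dst"])
    for (src, d_seg), hosts in fanout.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append(f"sweep: {src} reached {len(hosts)} hosts in {d_seg}")
    return alerts


# Constructed sample: a normal morning plus one DMZ host probing a department
# network and one department host reaching into another department.
SAMPLE_FLOWS = [
    "08:00:00 203.0.113.7 10.0.0.5 443 tcp",   # Internet -> DMZ web front end: allowed
    "08:00:01 10.1.0.15 10.0.0.5 443 tcp",     # water -> DMZ: allowed
    "08:00:02 10.2.0.20 10.0.0.5 443 tcp",     # police -> DMZ: allowed
    "08:00:05 10.0.0.9 10.1.0.10 445 tcp",     # DMZ -> water: policy violation
    "08:00:06 10.0.0.9 10.1.0.11 445 tcp",     # same source, second host
    "08:00:07 10.0.0.9 10.1.0.12 445 tcp",     # third distinct host: sweep
    "08:00:09 10.2.0.20 10.3.0.4 3389 tcp",    # police -> courts: policy violation
    "08:01:00 10.3.0.4 10.3.0.9 22 tcp",       # courts internal: ignored
]

if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(alert)
```

The policy check fires on the first inbound connection from the DMZ, well before the sweep threshold is reached; the sweep check is there for the case where an allowed pair (say, a jump host that legitimately reaches one or two internal systems) suddenly starts touching many more.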
After nine days of downtime, the City of Atlanta issued a press release stating that employees can begin turning their computers back on and that “It is expected that some computers will operate as usual and employees will return to normal use. It is also expected that some computers may be affected…”. After nine days, not only was the City of Atlanta not sure that they had eradicated the threat but they weren’t even sure that they had contained it.
- Takeaway – PICERL – Prepare, Identify, Contain, Eradicate, Recover and Lessons Learned. That acronym is likely baked into anyone in the information security field and it represents ‘the way to do it’ in most incident response shops. Bringing devices back online after a compromise but before confirming that they are clean (i.e., recovery before eradication) could render any work done to that point moot.
According to reports (sources below), a Cyber Security Audit (vulnerability assessment?) was completed in the summer of 2017 that highlighted, among other things, extensive long-standing critical vulnerabilities and complacency on the part of the departments tasked with maintaining them.
- Takeaway – Knowledge without action is futile. The City of Atlanta did well by auditing its infrastructure; its failure to follow through on the recommendations from the audit rendered it useless.