Following reports that multinational energy company Enel Group has been hit by a second ransomware attack this year, Security on Screen’s panel of cybersecurity experts explain what security teams should be doing to ensure their company stays ahead of the attackers.
“When multinational companies are hit by attacks and data breaches, it should be a clarion call for every serious and responsible organisation to reassess and make appropriate course corrections,” says Trevor Morgan, product manager at comforte AG. “It means making sure that you not only shore up your entire data environment and the defensive perimeters around it, but also consider how to secure your sensitive organisational data if it happens to be apprehended and brought outside that protected perimeter.
“A data-centric approach means applying strong security mechanisms such as format-preserving encryption or tokenisation to your sensitive data so that threat actors cannot compromise that data if they manage to breach your perimeter,” he continues. “Tokenisation in particular replaces sensitive data with benign tokens which don’t convey any real meaning, so sensitive information cannot be understood or compromised. Data-centric security travels with the data, and it’s a perfect complement to strong perimeter defences. It renders stolen data worthless to attackers.”
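The tokenisation approach described above, as an added worked example (this is illustrative code written for this page, not comforte AG’s product or any vendor’s implementation). It assumes a vault-based design: each sensitive value is replaced by a random token that keeps the value’s shape (separators and the last four digits survive, so reports and support staff can still match on them), and only the vault can map a token back. The sample records, the `TokenVault` class and the helper names are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets
import string

# Constructed sample records for the demonstration (not real customer data).
SAMPLE_RECORDS = [
    {"customer": "A. Rossi", "card": "4111 1111 1111 1111", "email": "a.rossi@example.com"},
    {"customer": "B. Conti", "card": "5500 0000 0000 0004", "email": "b.conti@example.com"},
    {"customer": "A. Rossi", "card": "4111 1111 1111 1111", "email": "a.rossi@example.com"},
]


def format_preserving_token(value: str, keep_last: int = 4) -> str:
    """Return a random token with the same shape as `value`: separators stay in
    place, digits become random digits, letters become random letters of the
    same case, and the final `keep_last` alphanumerics are kept unchanged."""
    chars = list(value)
    alnum_positions = [i for i, c in enumerate(chars) if c.isalnum()]
    cutoff = max(0, len(alnum_positions) - keep_last)
    for i in alnum_positions[:cutoff]:
        c = chars[i]
        if c.isdigit():
            chars[i] = secrets.choice(string.digits)
        elif c.isupper():
            chars[i] = secrets.choice(string.ascii_uppercase)
        else:
            chars[i] = secrets.choice(string.ascii_lowercase)
    return "".join(chars)


class TokenVault:
    """Hypothetical vault-based tokeniser. Tokens are random, not derived from
    the plaintext, so a stolen tokenised data set cannot be reversed without the
    vault. A keyed hash of the plaintext is stored only so the same value always
    maps to the same token (needed for joins and de-duplication)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_value = {}   # the only way back from token to plaintext
        self._index_to_token = {}   # HMAC(plaintext) -> token, for idempotent lookups

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, value: str) -> str:
        idx = self._index(value)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        # Draw fresh random tokens until one is unused and differs from the plaintext.
        while True:
            token = format_preserving_token(value)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._index_to_token[idx] = token
        return token

    def detokenise(self, token: str) -> str:
        # Raises KeyError for tokens this vault never issued.
        return self._token_to_value[token]


def tokenise_records(records, vault, fields=("card",)):
    """Return copies of `records` with the sensitive fields replaced by tokens;
    this is the form that can leave the protected perimeter."""
    out = []
    for rec in records:
        rec = dict(rec)
        for f in fields:
            rec[f] = vault.tokenise(rec[f])
        out.append(rec)
    return out


def leaked_values(tokenised, originals, fields=("card",)):
    """Count original sensitive values that survive in the tokenised copy
    (expected to be zero)."""
    plaintexts = {o[f] for o in originals for f in fields}
    return sum(1 for r in tokenised for f in fields if r[f] in plaintexts)


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    safe = tokenise_records(SAMPLE_RECORDS, vault)
    for rec in safe:
        print(rec)
    print("restored from vault:", vault.detokenise(safe[0]["card"]))
```

The point to take from the example is where the secret lives: an attacker who exfiltrates the tokenised records gets values that look like card numbers but map to nothing, and a second vault (standing in for the attacker) cannot resolve them. In production the vault is a separate, tightly access-controlled service with its own audit trail, and randomly generated tokens for numeric fields are normally constrained (for example, to fail a Luhn check) so they cannot collide with a real account number.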
“To keep hacking groups at bay, organisations need to minimise the time it takes to respond to a threat,” says Israel Barak, chief information security officer (CISO) at Cybereason. “This can be achieved by deploying threat hunting services around the clock. In addition, operating a unified security operations centre (SOC) provides visibility into the IT and OT environments because attackers are looking to use IT environments as gateways into OT environments.”
Of course, one of the key points is staff training. “Ransomware attacks are almost always the second step of an intrusion, so avoiding ransomware in the first place involves general best practices,” notes Chad Anderson, senior security researcher at DomainTools. “Security training to keep employees from opening a malicious document in a phishing email is a good start. Additionally, patching for common vulnerabilities and network segmentation will keep ransomware from spreading if it does find its way into your network. The goal here should be not to stop it altogether, since attackers will constantly be trying to find a way through — and almost always will at least once at some point — but to make it expensive for the attacker and reduce damages if there is an incident.”
“Email phishing is a popular choice for attackers and not clicking attachments from unknown correspondents will lower the chances of being attacked,” agrees Paul Norris, senior systems engineer at Tripwire. “Have antivirus software installed and ensure system and device backups are conducted on a regular basis. This will help reduce the overall impact that an attack will have.”
One of the key factors is to ensure that the security and IT team know what to do in the event of a cyberattack. “It is critical that regular testing be a focal point in this sector,” states Barak. “Tabletop exercises that enable a red and blue team to role-play different catastrophic scenarios and the real-time response to those scenarios are critical when actually having to deal with a threat in real time. Never underestimate the value of tabletop exercises in shoring up weakened defences and helping executives understand the importance of security.”
While prevention is important, companies also need to consider what to do if they are in the unfortunate position of being victim to a data breach. “If you have been compromised, assume the data has left your possession,” says Bindu Sundaresan, director at AT&T Cybersecurity. “Root cause analysis should be able to help determine if indeed it was done, but that is concluded after the incident is wrapped up and has no bearing on the decision to pay.”
“If you are unfortunate enough to become affected, paying a ransom should be avoided as it won’t guarantee that your data will be retrieved,” adds Norris. “Security awareness is key and should not be overlooked as a critical component in any organisation’s security defence.”