In the first blog in this series, we defined “Disruptionware” and showed how it was growing as a threat to many types of industries throughout the country and the world. The threat was especially noticeable within the healthcare industry and for government institutions. In our second blog, we talked about the different types of tools and attack matrixes that Disruptionware uses to cripple and/or damage unsuspecting businesses and how destructive those attacks can be. This third and final discussion will delineate what businesses can do to defend themselves against a Disruptionware attack and what cyber defenses are at their disposal to alleviate the damages caused by this new and dangerous attack medium.
When considering potential cyber defenses to an attack, it is important to remember what Disruptionware is capable of from an offensive standpoint. One should think of Disruptionware as a large “toolbox” of cyber-attack tools, and in that toolbox a number of potent weapons are available to a cyber-criminal, including:
- Ransomware
- Wipers
- Bricking Capabilities
- Automated Component attacks
- Data exfiltration tools and
- Network reconnaissance tools
The Institute for Critical Infrastructure Technology (ICIT) was one of the first cybersecurity think tanks to conduct a “deep dive” into the dangers of Disruptionware. As ICIT describes, Disruptionware is a concept designed to do more than just “ransom” someone’s data. Rather, Disruptionware is a category of malware “designed to suspend operations within a victim organization through the compromise of the availability, integrity, and confidentiality of the systems, networks, and data belonging to the target.” The attacker uses Disruptionware to literally disrupt the actual operations and production in manufacturing and industrial environments or to “achieve some other strategic goal.”
A number of defenses are available for victim businesses to prevent or even defeat a Disruptionware attack. These include:
- Creating multiple redundancies and backup systems to restore data if attacked. These backup systems should not be attached or connected to a main network or they could be lost as well
- Ensuring that up-to-date and well-tested Incident Response and Business Continuity Plans are in place. Updating these plans and ensuring that these plans are tested at regular intervals are essential
- Conducting regular tabletop exercises that include participation by C-Suite Executives, facility and operation managers, IT managers, and legal teams
- Making sure that data is fully encrypted both at rest and in motion across the network
- Checking with the business’ cyber insurance company to verify whether existing policies cover ransomware attacks
It is also important when preparing a defense to any cyber-attack — especially one as dangerous as Disruptionware — that the business monitor and assess its network capabilities and vulnerabilities. At a minimum, this entails both inventorying network assets and increasing network visibility, so that IT personnel are able to move quickly should a Disruptionware attack occur. Perhaps most importantly, the business should monitor and audit all user accounts for unusual network traffic and user activities so that it can investigate and act as quickly as possible.
Finally, the business should practice strong “cyber-hygiene.” Some important steps that a business can take immediately to defend its network from all types of cyber-attacks include:
- Regularly patching systems and having a viable patch-management system
- Disabling macro scripts
- Limiting unnecessary Internet exposure
- Disabling Server Message Block (SMB, port 445)
- Disabling Remote Desktop Protocol
- Managing and securing third-party Service Level Agreement access to the network and using effective security auditing
- Training employees to recognize and avoid phishing emails
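Several of these hygiene items can be verified directly from an administrator's PowerShell session on a Windows host. The following read-only audit script is an added example, not part of the original post; it assumes the Office 2016-or-later registry layout (the `16.0` key) and a 30-day patch threshold, and it reports findings without changing any setting.

```powershell
# Added example (not from the original post): read-only audit of the
# cyber-hygiene checklist above. Run in an elevated PowerShell session.
# Assumptions: Office 2016+/365 registry layout ("16.0"), 30-day patch threshold.

$findings = @()

# 1. Patching: flag hosts whose most recent hotfix is older than 30 days
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "PATCHING: no update installed in the last 30 days (last: $($lastFix.InstalledOn))"
}

# 2. Macros: VBAWarnings = 4 means "disable all macros without notification"
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($v -ne 4) { $findings += "MACROS: $app VBAWarnings is '$v' (expected 4 = disabled)" }
}

# 3. SMB: SMBv1 still enabled, or TCP 445 listening with no inbound block rule
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings += "SMB: SMBv1 is enabled on the server side" }
$listen445 = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$block445 = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
if ($listen445 -and -not $block445) {
    $findings += "SMB: TCP 445 is listening and no inbound block rule was found"
}

# 4. RDP: fDenyTSConnections = 1 means Remote Desktop is disabled
$rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
if ($rdp -ne 1) { $findings += "RDP: Remote Desktop connections are allowed (fDenyTSConnections=$rdp)" }

# 5. Internet exposure: inbound Allow rules on the Public profile open to any remote address
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' }
if ($openRules) {
    $findings += "EXPOSURE: $(@($openRules).Count) inbound allow rule(s) on the Public profile open to any remote address"
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output "[+] All checked hygiene controls are in place" }
```

Each `[!]` line maps back to one checklist item, so the output can be handed to the patch-management or change process rather than acted on ad hoc.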
Disruptionware will be changing the face of many cyber-attacks for the foreseeable future. For the reasons given throughout this blog series, Disruptionware represents a powerful and dangerous new form of cyber-attack, especially to the unprepared, as it is fundamentally designed to destroy a company’s physical infrastructure and data — not just to hold the data for ransom. The best way to defeat a Disruptionware attack is to begin preparing for it today.