What We Can Learn From Cyber Attack on Baltimore

Cyber defenders for cities are stuck between a rock and a ticking time bomb. One city after another falls prey to a growing number of attackers. Those not yet struck await what seems inevitable. Their 3rd party cybersecurity assessments detail extensive risks that budgets do not adequately mitigate. And internal inertia slows and undermines what budgets might mitigate. An unsympathetic constituency may go nuclear after the loss of vital city services due to a ransomware attack. Non-technical peers lately offer little help but would likely unleash considerable blame after the expected ransom demand appears. Today’s cybersecurity choices have great consequences. Let’s look at some here.

Baltimore Attacked by RobbinHood

Baltimore was hit by the RobbinHood ransomware. The initial infection vector is unknown. However, one or more machines were initially compromised to steal privileged credentials. These were used to move laterally to other computers. The forensics report on the Baltimore incident will probably state that the Windows Domain was compromised, which ultimately represents the keys to everything. Malware is systematically installed on all systems that seem valuable. It disables security software, archives, and backups; wipes log data; encrypts hard drives; and issues the ransom demand.
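A defender's view of the post-compromise steps just described, as an added example that is not from the original post: it triages constructed Windows event records for the backup-deletion, security-service-stop and log-clearing steps. Event IDs 4688 (process creation), 7036 (service state change) and 1102 (audit log cleared) are real Windows IDs; the host names and records are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample event records (not real Baltimore telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 4688,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "event_id": 7036,
     "msg": "The Windows Defender Antivirus Service entered the stopped state."},
    {"host": "ws-01", "event_id": 1102, "msg": "The audit log was cleared."},
    {"host": "ws-02", "event_id": 4688, "cmd": "notepad.exe C:\\notes.txt"},
]

# Each indicator corresponds to one impact step in the chain described above:
# backups disabled, security software disabled, log data wiped.
INDICATORS = {
    "backups_disabled": lambda e: e["event_id"] == 4688 and bool(
        re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e.get("cmd", ""), re.I)),
    "security_software_stopped": lambda e: e["event_id"] == 7036
        and "stopped" in e.get("msg", "")
        and bool(re.search(r"defender|antivirus|endpoint", e.get("msg", ""), re.I)),
    "logs_wiped": lambda e: e["event_id"] == 1102,
}


def triage(events):
    """Return {host: set of indicator names} for every host showing any step."""
    hits = defaultdict(set)
    for event in events:
        for name, matches in INDICATORS.items():
            if matches(event):
                hits[event["host"]].add(name)
    return dict(hits)


def hosts_with_chain(events, min_steps=2):
    """Hosts where at least min_steps distinct impact steps occurred.

    Several steps on one host within the same window is a far stronger
    ransomware-staging signal than any single event, and is what an
    analyst should escalate first."""
    return sorted(host for host, steps in triage(events).items()
                  if len(steps) >= min_steps)


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(hosts_with_chain(SAMPLE_EVENTS))
```

On the sample data only ws-01 shows the chained steps; ws-02 has ordinary process activity and is not flagged.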

Anti-Ransomware/Malware Offerings are Increasingly Reactive

Whether managed service or product solutions, nearly every option pitched to you is based on the “detect and react” paradigm. It’s about recognizing something bad and then some automated or manual reaction follows. As the characteristics of malware and hacker tactics are practically infinite, recognition before compromise is problematic. Most offerings rely increasingly on the ‘react’ that follows later. Highly skilled personnel must monitor, triage, investigate, and respond to mountains of alert and indicator data. It is extremely labor intensive. If you outsource that labor, know that those personnel will never know your ecosystem like your own people.

Disabled Security Software does NOT React Well

Attackers steal privileged credentials of your ecosystem’s computers and use them against you. These are used to disable security software. How would your in-house or outsourced personnel counter such attacks if their tools are dead?

Even When Not Disabled, Reactive Defenses Are Too Slow and Too Costly

Cyber gangs have access to automated tools that rapidly steal credentials to compromise other computers, even identifying the shortest path to the ‘keys to the kingdom’. Look at the dwell times reported in the Verizon Data Breach Report. Those are still measured in days, weeks, or months, not milliseconds.

Because no single detection method is effective, many are used on the endpoint, before and after detonation. Many others are used within the network. Still others data mine everything else to detect what was not already detected. People are required to deal with this detection quagmire. Artificial intelligence does not really exist. Machine learning tools are over-hyped and under-deliver.

The “detect and react” paradigm costs too much and delivers too little. How many cities can afford that?

How to Choose Your Cyber Security Vendor

From a vendor perspective, there’s more money in ‘react’. Look at the trends in tool revenues. From a city’s perspective, there’s more cost in ‘react’. Vendors that offer ‘react’ have a license not to ‘detect’ (i.e., to prevent compromises). Third party anti-malware test reports are expensive not just because they seem valuable but because the costs of conducting the tests realistically are very high. The conditions are generic and the temptation for shortcuts is great.

There’s ONLY one reliable and effective way to choose. Test the candidate tools in your environment yourself. If you don’t have the personnel, hire consultants. If you cannot afford them, partner with other cities. Find out what it takes to deploy and maintain the tools. Don’t settle for just a lab test. The most common regret for such tools is inadequate testing.

Evaluations: Use a Scoring System that Rewards Prevention

Test for effectiveness against ALL likely malware types. The MITRE ATT&CK framework can help ensure you’re thorough. Don’t trust vendor provided malware samples.

An ounce of prevention is worth an awful lot of staffing costs. Detect and react techniques are very labor intensive.

More on Prevention: Something Unexpected About Patch Management

Cybersecurity advice regarding patch management is cliché. Some tools claim to mitigate risks from missing and broken patches, as well as zero day attacks. Offerings that do so with “anti-exploit” features are ‘hit and mostly miss’. Some use HIPS features to do so but require expert care and feeding.

AppGuard is Unlike the “Detect and React” Alternatives

Instead of recognizing malware or its effects to successfully block attacks, AppGuard expects that any application or utility can go rogue at any moment. It applies zero trust controls WITHIN laptops, desktops, and servers to ensure that cyber criminals cannot use your own applications and utilities to cause harm.

This also means that risks from missing or broken application patches are practically eliminated. If your city is like so many others struggling with patch management, this alone is reason enough to evaluate AppGuard.

And as for malware/hackers stealing and using your privileged credentials against you, AppGuard’s unique containment and isolation controls have that covered.

AppGuard’s protections are real-time and preventative. Customers praise AppGuard for its “set and forget” capabilities.

If you have any questions about this blog, please email us at updates@appguard.us.