Cyber Plans: What to Do If Your System Is Attacked
October 4, 2019
The FBI warns that cyber attacks have shifted from the private sector to nonprofits and local governments because those organizations have invested less in security measures and upgrades. Prevention isn't inoculation, so in this post we'll look at the most common ways criminals gain access to systems, how to plan for a service interruption, and some resources that can help improve your security. This is the first installment of a 2-part series on cybersecurity preparation.
Two Major Entry Points: RDP and Email
The top two ways to enter a system are via Remote Desktop Protocol and via email. Remote Desktop Protocol (RDP) is the Windows remote-access service that lets a user log on to a machine over the network. It is not itself a defect, but RDP that is reachable from the internet is an entry point that doesn't rely on duping an email recipient, and it is now the number one entry point for hackers. Systems that run an unpatched version of RDP, or that protect it only with weak or reused passwords, are at risk: a hacker who guesses or steals a user's credentials can log on like a legitimate user. They can retain that access and sell it to other attackers or install malware for future attacks.
In a recent ransomware attack in Washington State, hackers gained entry to the system via Remote Desktop Protocol using credential-stealing malware. Once in the system, the hackers escalated their privileges, giving themselves a higher level of permissions. They remained in the system for about a month before launching the attack. Then they began encrypting all 40 servers.
Some of the system vulnerabilities in that attack were a firewall more than five years old with incomplete rules, no advanced features, and inadequate activity logging (which helps discover malicious activity in the network). Additionally, there was a lack of controls on the RDP, little or no email filtering, inconsistent employee training, and insufficient IT staff. Server patches — updates released by a software company to fix security vulnerabilities — had not been applied.
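The "inadequate activity logging" noted above is what lets an RDP break-in go unnoticed for a month. Windows records every failed logon as Security event 4625 and every successful one as 4624, and logon type 10 marks an RDP (RemoteInteractive) session. The script below, an added example that is not part of the MRSC post or of the Washington incident, shows the kind of check a log review or an MDR service performs: it flags a source address that racks up many failed RDP logons in a short window (brute forcing, or password spraying when the failures spread across many user names) and, more importantly, a success from that same address right after the failures. The event records are constructed for the example; on a real server they would come from the Security log.

```python
"""Flag RDP brute-force / credential-stuffing patterns in Windows Security events.

Added example (not from the original post). The events below are constructed
in the shape of Security log entries:
  id 4625 = failed logon, id 4624 = successful logon,
  logon_type 10 = RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(time, event_id, user, src, logon_type=10):
    """Build one constructed event record (hypothetical field names)."""
    return {"time": time, "id": event_id, "logon_type": logon_type,
            "user": user, "src": src}


# Constructed sample: 12 failed RDP logons for "administrator" from one
# internet address within one minute, then a success from that address,
# plus a normal on-premises RDP logon and an unrelated network logon failure.
SAMPLE_EVENTS = (
    [_ev(f"2019-09-02T02:10:{s:02d}", 4625, "administrator", "203.0.113.7")
     for s in range(0, 60, 5)]
    + [_ev("2019-09-02T02:11:30", 4624, "administrator", "203.0.113.7"),
       _ev("2019-09-02T02:12:00", 4625, "svc-backup", "203.0.113.7", logon_type=3),
       _ev("2019-09-02T02:30:00", 4624, "itadmin", "10.0.0.5")]
)


def detect_rdp_attacks(events, fail_threshold=10, window=timedelta(minutes=5)):
    """Return alert dicts for suspicious RDP logon activity.

    - 'rdp_bruteforce': a source reached `fail_threshold` failed RDP logons
      within `window` (alerted once per source).
    - 'rdp_success_after_failures': a successful RDP logon from a source that
      had failures inside the window, the pattern of a guessed or stolen
      password finally working.
    Non-RDP logon types are ignored so ordinary network/service logons do not
    inflate the counts.
    """
    recent_fails = defaultdict(deque)   # src -> deque of (time, user)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue
        now = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        fails = recent_fails[src]
        # Drop failures that have aged out of the sliding window.
        while fails and now - fails[0][0] > window:
            fails.popleft()
        if ev["id"] == 4625:
            fails.append((now, ev["user"]))
            if len(fails) >= fail_threshold and src not in alerted:
                alerted.add(src)
                alerts.append({
                    "type": "rdp_bruteforce", "src": src, "at": ev["time"],
                    "failures": len(fails),
                    # many distinct users with few tries each = password spraying
                    "distinct_users": len({u for _, u in fails}),
                })
        elif ev["id"] == 4624 and fails:
            alerts.append({
                "type": "rdp_success_after_failures", "src": src,
                "at": ev["time"], "user": ev["user"],
                "prior_failures": len(fails),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately modest; a municipality's RDP hosts should see very few failed remote logons from any single outside address, so even ten in five minutes is worth a look. The "success after failures" alert is the one to act on first, because it means the attacker is now inside with a working account, which is exactly the position from which the Washington attackers spent a month escalating privileges.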
Email is the second major point of entry. Criminals mimic a legitimate sender the recipient may know to improve the chances that staff will be duped into clicking a link or opening an attachment that installs malware. Email is not the only way malware can get onto your system: it can also be installed from an infected thumb drive or by an employee clicking a malicious link on a website.
Estimated costs of the event mentioned above were:
- $40,000 for hardware upgrade
- $80,000+ for legal and forensics costs
- $1.1 million for “soft costs”, such as 100 employees being unable to access digital work resources for 4 weeks
We’re Infected: What Now?
If your system has been attacked, security specialists recommend prioritizing four things: preserving evidence, stopping the spread of the attack if possible, communicating clearly, and tracking costs. These are not the only concerns you will have, but mitigation and preservation are key. Assuming the hack has taken your system down:
- Declare an emergency. This allows municipalities to waive competitive bidding requirements and award all necessary contracts to address the emergency situation, per RCW 39.04.280 (1)(c). It is prudent to check in with the State Auditor’s Office to confirm that the facts align with the definition of “emergency” in RCW 39.04.280, and you will want to contact legal counsel also.
- Contact the FBI — They won’t send a squad, but they do track these events, and your information is important to them.
- Get in touch with your insurance carrier.
- Don’t destroy evidence: reimaging a machine (wiping it and reinstalling the operating system) erases the data and the trail the hackers left behind, which investigators, law enforcement, and your insurer will need. As much as you want to get up and running again, don’t immediately reimage your machines.
- Restore services in priority order, but do not immediately restore access to finance systems.
- Make a communications plan and schedule — include legal counsel when developing this.
- Contact other agencies you may be connected to and alert them to scan their systems for suspicious activity.
- Keep the public well-informed in plain language.
- Keep detailed cost-tracking for potential insurance recovery.
Prevention for Cyberattacks
Here are some ways you can reduce the opportunity for attacks and fraud:
Don’t list all staff with full titles, emails, and phone numbers. Consider listing only department directors and their phone numbers and provide a "contact us" portal instead of putting email addresses on the website. As we saw with the electronic vendor fraud in Ellensburg, impersonation is one of the ways criminals defraud or attack systems. Easily accessible staff emails and contact information may help criminals impersonate a staff member and gain access to your system. The City of Bellingham’s website is an example of giving enough information for each department to be contacted without listing all staff.
Consider using managed detection and response (MDR). MDR is a security operations center delivered as a service, and it may be a good solution for jurisdictions with limited IT staffing. An MDR provider monitors daily activity across the network, endpoints (the end-user devices such as desktops, laptops, and phones, including those workers use to connect from outside the network), and cloud services. The City of Snoqualmie issued an RFP for a Managed Detection and Response platform and security assessments in May 2019.
Regularly consult Microsoft’s Update Catalog. Microsoft’s Update Catalog is a listing of updates (patches) for Microsoft servers, drivers (for printers and scanners), and critical updates for multiple versions of Office. It is searchable, and the updates can be distributed over your network. The FAQ on this site has an overview of what’s in the catalog, frequency of security update releases, and explains the difference between using the catalog and the Windows Update feature on some versions of Windows.
More generally, you can get help from the Microsoft Community site. This site can be especially useful for jurisdictions with limited or no IT staff. You can easily search topics and software versions to troubleshoot issues, or you can post a question for others to answer.
In Part 2 of this series I will look at how organizations can make an emergency plan for a cyber event. Stay tuned.
Hacktober is hosted by the state Office of CyberSecurity. The goals of this event are to increase awareness and knowledge of cybersecurity issues. From October 1-31, Hacktober will offer several lunchtime presentations at Washington Technology Solutions in Olympia. For example, on October 16, Steve Schommer will discuss the ransomware attack on the City of Sammamish. Some of their learning sessions are available via Skype.
National Cyber Awareness System Tips: This section of the Department of Homeland Security’s Cyber Infrastructure website has information on threats, hoaxes, and safety in plain language for non-technical computer users.
Multi-State Information Sharing and Analysis Center — The Center for Internet Security
MRSC is a private nonprofit organization serving local governments in Washington State. Eligible government agencies in Washington State may use our free, one-on-one Ask MRSC service to get answers to legal, policy, or financial questions.