Triskele Labs Blog

Another Breach...

Written by Nick Morgan | Apr 20, 2019 11:25:00 AM

Really Team Australia..... Really?! Another breach. So, I am one of those people who doesn't like WiFi on flights. No, it is not the whole hackability thing, but the fact that for 24 hours (I flew to LA via Auckland and, adding the commute each way, it really is 24 hours), my team runs Triskele Labs. We can shake the tree and find out what breaks, and I need to relinquish control and knowledge share when I come back online.

A very relevant approach I recently took from the team at Kasada (seriously, if you haven't checked out the team, do it now). Thanks guys!

So, imagine how I am when I land and get a call from our CCO saying that we must ensure we are reaching out to health providers to help, and to ensure they don't end up on the front page of the Sydney Morning Herald. As a large number of you know, Triskele Labs will help any Australian-based (and some Singapore-based) organisations.

We are extremely strong in the financial sector, largely across the mutuals and credit unions. So imagine my thoughts when I say, health providers?! Sure, we help a few, but they make up 15% of our business at present. My question to our CCO is, why?

Then she drops the whole Cabrini thing... For those of you living under a rock like me for the last day, Cabrini had 15,000+ files encrypted through ransomware, the ransom was paid and the files were not decrypted (read more here, rather than me reinventing the wheel).

So, a few days after Landmark White happened, we are now facing another breach. For those of you who say, it won't happen to us, we are in Australia... Guess what. Two breaches within a few weeks of each other. It is happening! And this time, it is confirmed the group is out of North Korea or Russia. The frustrating part is, these attacks are preventable, and it is not hard! It seems this attack took place through ransomware delivered via email.

Seriously, did we learn nothing from WannaCry and NotPetya? Or did we all just sit back and think, 'Phew, it wasn't me, so I won't do anything about it'? Now, on this occasion, something like a SOC would have done nothing about this. However, you know what would have? BASIC HYGIENE! Class-leading tools such as Mimecast (top right of the Magic Quadrant for a reason) for mail and Carbon Black (the only vendor with a perfect prevention score in the NSS Labs assessment for 2017) for endpoint.

Seriously, why do we persist with tools such as Office365 for mail (we can bypass Office365 Advanced Threat Protection in three minutes - try us!) and tools like Trend, which still rely on pattern files that we can slip some custom malware past in two minutes (Trend missed Netcat last week... yes, Netcat with a VPN to the Netherlands; see ya, data!)? These are basic hygiene items which we can fix immediately without much effort. Team, serious question - is it the cost? Mimecast is 60 bucks per user, per year.

Carbon Black is 60 bucks per endpoint, per year. For a 200-seat organisation, that is $12k + $8k for professional services ($20k annually) and $20k for an endpoint tool rated as number one by NSS Labs. $40k for basic hygiene to prevent 15,000 records being breached is a no-brainer, isn't it? Add encryption at rest, and I know how comfortable I would feel if I was a CIO/CSO/IT Manager of an organisation of this size.

Team Australia, there is a lot more to do. It seems we must all start right back at the beginning with basic risk assessments and ensure we have 'fit for purpose' tools deployed. I am at RSA SF for the next few weeks, and I look forward to the Americans talking about Dark Web Monitoring and Advanced Persistent Threats when we can't even get patching, mail and endpoint security right. Can't we all just please get the basics right and use the best tools? They are the best for a reason!