A cyber-attack is something that every organisation and IT department dreads. Yet most organisations' approach to defending network infrastructures focuses on prevention, with little or no thought given to alternative methods beyond the first stage, such as damage limitation and recovery. In this blog, I share some thoughts on the recent Northern Lincolnshire and Goole NHS Foundation Trust (NLAG) network breach and offer potential steps that may help other organisations to reduce, if not prevent, similar incidents from happening.
I'm sure that over the coming days and weeks the NLAG story will develop and the IT community will form their own opinions on the suitability and effectiveness, not only of the protections deployed but the ability of the organisation to recover from this attack. Given that so little is known about the 'virus' that shut the systems down, it's difficult to say whether or not this attack could have been easily prevented from taking place. However, I'm sure that many NHS Trusts will be receiving frantic calls from manufacturers and account managers promising that their specific technology would have prevented what is currently an unknown attack. The adage of 'not if, but when' has never felt so true. Prevention against cyber-attacks is not 100% guaranteed. Given this, shouldn't we be changing our approach to how we defend our infrastructure? For example, focussing resource on breach limitation and remediation over the highly elusive malware detection and exploits. Yet many organisations still use the prevention of the execution of malware as the main and sometimes only defence against a major incident like NLAG are experiencing.
Challenges of a virtualised, complex environment
"A virus infected our electronic systems yesterday, and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it." - NLAG release
The small snippet of information released by NLAG indicates that they have taken down the majority of systems as they are unable to ascertain the extent of the breach. This is one of the challenges with our highly virtualised, complex network and server environment. The ability to scope limit has become an administrative nightmare using traditional network isolation (ACLs or Firewalls), though some organisations have moved towards more of a software based technology; mainly VMware NSX but also Varmour or Windows 2016's data centre firewall. All of these technologies aim to allow organisations to isolate virtual machines from each other. Visibility is one of the key challenges during any breach and the deployment of forensic endpoint tools can allow more rapid auditing and identification of compromised clients. When forensic endpoint is combined with SIEM tools, organisations can gain end to end visibility of an attack which is useful in the initial stages of a breach assessment. In a major incident any reduction in the amount of systems that need to be inspected can allow organisations to return to normal service quicker. Whilst it would be presumptuous to claim this would have stopped the breach, using these tools can make the recovery quicker if not easier.
Breach limitation and recovery
This highlights the need for a good backup solution that is able to roll back to a known good state of the system or data. Given the rise in crypto malware, the expectation of data integrity after a breach is that it's highly diminished and organisations should ensure they can roll all data stores back to earlier good copies. It seems obvious but organisations should be prepared to take an adversarial view and run known malware against data stores to prove they could recover from an attack. Using a ransomware simulator such as Shinolocker can ensure the backup strategy is effective.
This brings us to the subject of sharing services, which many public sector organisations have been moving towards in search of cost savings. When utilising hosted systems, organisations need to ensure that good levels of security are followed and scrutinised even when the hosting partner is another public sector organisation. This investigation phase is often overlooked or not as comprehensive as when systems are hosted by commercial entities. Being in the same sector doesn't provide any guarantee of security.
Effective communication is essential during any major incident and the way this is delivered can change public perception greatly. Breach notification is becoming increasingly important and organisations need to ensure they have a plan for informing their users and customers of a potential breach. Planning and preparation at this stage can ensure that accurate and relevant information is disclosed in the best way.
Cyber security in a post-prevention world
Could NLAG have done more to prevent the breach? I'm not sure anyone can make that call given the information available at the moment. As this incident develops I'm sure we'll see there is no one single product, or solution, that could have prevented this breach. However, organisations should take note that scope limitation and recovery are becoming more and more important, especially if you're hosting systems for other organisations. Our advice is to stop focusing resources only on prevention and ensure you are giving an equal consideration to service isolation, system recovery, and rollback.
Find out more
For more information about our security solutions, or to arrange a cyber security workshop with us, contact your Softcat account manager or get in touch using the form below.