Two years ago I expressed this concern: “Destructive cyber-attacks are on the rise and I have a deeply held belief that they will continue to rise.” The attack on Colonial Pipeline was inevitable, and it is going to keep getting worse. Systems are too vulnerable, and the political and financial motivations are too great, for anything else to happen.
MITRE has devoted an entire tactic in ATT&CK to these destructive attacks: “TA0040: IMPACT – The adversary is trying to manipulate, interrupt, or destroy your systems and data”
TA0040 Impact covers extortion-based attacks as well as attacks where the intent is not to make money but simply to destroy systems and data, or otherwise deny and interrupt an organization’s operations.
The interesting thing about Impact attacks is that you don’t need to hold secret information that is valuable to the attacker. To be a target you just have to be an organization that either:
- simply needs to avoid interruptions of its operations
- has information of no direct value to the attacker but an obligation to protect for privacy reasons
- resides in a country that is a political enemy of the attacker’s country
And to become collateral damage you only need a nexus with one of the organizations above. Case in point: Maersk, whose global Active Directory was destroyed by the 2017 NotPetya wiper, an attack aimed at Ukrainian businesses.
Impact attacks include classic ransomware (where data is encrypted in place), blackmail (where the attacker threatens to publicly post stolen private information) and purely destructive attacks.
Encryption attacks require the attacker to encrypt data in situ and blackmail requires exfiltration, but destructive attacks are much easier, and that makes sense: it’s all about entropy. It takes a bomb only seconds to destroy a building that took years to build.
In this webinar, we will explore a three-pronged defense against impact attacks:
- Prevention – stop the impact from happening in the first place
- Damage Control – limiting the degree of impact
- Fast Recovery – getting back online quickly after the impact
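The Prevention and Damage Control prongs start with noticing the precursors of a destructive attack before the data is gone. The following is an added example, not code from the original post or the webinar: a small detection routine that scans process-creation events (Windows Security event 4688 with command-line auditing enabled) for the commands ransomware routinely runs to make recovery impossible, which ATT&CK tracks under the Impact tactic as T1490 Inhibit System Recovery. The key=value event rendering, the host names and the user names are all constructed for the example; the command-line patterns are the well-known vssadmin, wmic, wbadmin and bcdedit invocations.

```python
import re
from dataclasses import dataclass

# Added example: detect ATT&CK T1490 (Inhibit System Recovery, tactic TA0040 Impact)
# precursors in process-creation events. Event format, hosts and users are constructed.

PRECURSOR_PATTERNS = [
    ("T1490", "shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "shadow storage resize (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("T1490", "shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "backup catalog deletion (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("T1490", "Windows recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed sample events: a simplified key=value rendering of Security 4688 records.
SAMPLE_EVENTS = [
    'Host=FS01 User=CORP\\svc_backup NewProcessName=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin start backup -backupTarget:E: -include:C: -quiet"',
    'Host=FS01 User=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'Host=DC01 User=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'Host=DC01 User=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    'Host=WS22 User=CORP\\alice NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
    'Host=DC01 User=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin delete catalog -quiet"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
EVENT_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    description: str
    command_line: str


def parse_event(line):
    """Parse one constructed key=value event line into a dict of field -> value."""
    fields = {}
    for m in EVENT_FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def scan_events(lines):
    """Return one Finding per event whose command line matches a T1490 precursor pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for technique, description, pattern in PRECURSOR_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(ev.get("Host", "?"), ev.get("User", "?"),
                                        technique, description, cmd))
                break  # one finding per event is enough
    return findings


def hosts_to_escalate(findings, threshold=2):
    """Hosts with at least `threshold` distinct precursor behaviours.

    A single 'vssadmin delete shadows' may be an admin cleaning up; several different
    recovery-inhibiting commands on one host in one window is the classic pre-encryption
    pattern and deserves isolation of that host, not just a ticket.
    """
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.description)
    return {host: len(kinds) for host, kinds in per_host.items() if len(kinds) >= threshold}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host} {f.user} {f.technique} {f.description}: {f.command_line}")
    print("escalate:", hosts_to_escalate(hits))
```

Run against the constructed events, the legitimate `wbadmin start backup` on FS01 is ignored, the lone `vssadmin delete shadows` on FS01 produces a single finding, and DC01, with three different recovery-inhibiting commands, is the host to isolate. In production the same patterns apply to Sysmon event 1 or an EDR process telemetry feed; the point is to alert on the precursor, while the shadow copies and backup catalog still exist, rather than on the encryption that follows.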
History proves that Active Directory is a prime target for impact attacks. Maersk immediately comes to mind, but there are others. That’s why I’m excited that Quest has agreed to sponsor this Real Training for Free session. My long-time colleague Brian Hymer will show you the latest version of Recovery Manager for Active Directory Disaster Recovery Edition, which can automatically recover an entire forest from complete destruction in a matter of hours, something that would take weeks manually. A key new feature Brian will briefly show you is the ability to recover AD without relying on bare metal restore, which is important in case your DCs were already compromised when they were backed up.
Please join us for this Real Training for Free session.