Part of the job of cybersecurity leaders is to look at discrete events and connect the dots. Discern patterns, frame a bigger picture, and go beyond dire warnings—toward strategies for a brighter digital future. The Kaseya ransomware attack that unfolded over the Fourth of July weekend, however terrible, presents an emphatic dot-connecting opportunity.
The Kaseya attack hit thousands of victims, most, in Kaseya’s damage report, smaller organizations with thinner wallets: “dental practices, architecture firms, plastic surgery centers, libraries, things like that.” It nonetheless made economic sense for the attackers because Kaseya served as an efficient distribution hub for their poison-pill software. Kaseya VSA, the company’s widely used IT automation SaaS offering, became the unwitting delivery system—at the service of the black hats.
Shocking? Anything but. It’s the same strategy evident in the SolarWinds attack in late 2020. There, too, infiltration of one SaaS vendor victimized a long list of targets. And the apparent culprit in the Kaseya attack, the Russia-linked REvil, is also believed responsible for the Memorial Day ransomware attack on international meat processor JBS.
Connect the dots. The conclusions write themselves:
- Hijacking SaaS providers makes launching mass attacks on small targets cost-effective.
- Reliance on traditional attack prevention strategies has led, again and again, to costly and humiliating comeuppance. Malware regularly penetrates target perimeters undetected.
- Most of us are not revisiting our cyber preparedness posture with half the urgency the situation now warrants. The similarities between the SolarWinds, Colonial Pipeline, JBS, and Kaseya attacks are clear enough. They give us a clear learning curve to climb. By and large, we’re not reacting.
Procrastination has its allure, and perhaps it’s human nature. But better to invest in preparedness than post hoc crisis management. After the SolarWinds attack, Vectra surveyed 1,112 security professionals working in mid-to-large-sized organizations. A key finding:
“[A] high level of confidence was revealed amongst security teams in the effectiveness of their own company’s security measures: nearly 4 in 5 claim to have good or very good visibility into attacks that bypass perimeter defenses like firewalls.”
In truth, we know no application, network, or data center is invulnerable. If an organization’s decision-makers harbor a false sense of security about their ability to fend off hackers, they are likely not armed with the necessary tools to succeed.
The Kaseya attack is yet another reminder that complacency can exact a terrible price. With the risk of harm no longer limited to sprawling enterprises with deep pockets, the incident should trigger new security discussions in more IT departments. There should be fresh scrutiny of SaaS subscription relationships, and the security policies of managed service providers; when your business relies on products like Kaseya VSA, you’re only as secure as your provider. As companies become more reliant on data storage and SaaS solutions outsourced to the cloud, vulnerabilities may grow.
Last year we said it would take months to figure out the full scope of damage in the SolarWinds attack; now we are saying precisely the same about the Kaseya ransomware attack. Nevertheless, we should be optimistic that we, as a digital society, will connect the dots and turn this tide. For years we’ve understood the virtues of robust network monitoring and rapid detection of inevitable breaches. President Biden’s May 2021 executive order makes attack detection—and better investigative and remediation capabilities—priorities for the federal government. I urge business leaders worldwide to respond to the Kaseya ransomware attack by hastening their migration to a more effective cybersecurity strategy.
The Kaseya calamity can one day be remembered as a tipping point that led eventually to a better security posture. If that comes to pass, the cyber pirates will have done us an unlikely, unintended service.