If a group of IT security experts from Ontario municipalities left a recent meeting A: worried, B: feeling vulnerable, C: discouraged or D: all of the above, that would not have been surprising, especially after what they had just been told.
The session, which took place earlier this month in Guelph at InfoSec 2022, organized by the Ontario division of the Municipal Information Systems Association (MISA), examined the many emerging ransomware attack threats they all continue to face.
According to Andrew Hunter, a cyber security advisor with Ottawa-based security firm Field Effect, municipalities are a key target to attackers for a number of reasons: “First and foremost, they have data, they own data and criminals are after that. They can monetize it and they can leverage it for other attacks.”
In addition, he said that unlike a small-to-medium-sized business that might be forced to fold because of an attack, a municipality must continue operations, and a perpetrator conducting a ransomware-based attack knows that.
Beyond the volume of valuable data they hold, the risks to a municipality, said Hunter, who formerly worked with the Canadian Security Intelligence Service (CSIS) as deputy director general of its scientific and technical services branch, also stem from the following:
- Large and complex network environments
- The fact many operate a legacy infrastructure
- A lack of cybersecurity expertise, guidance, and investment
- The fact municipalities transact large amounts of money with contractors/vendors.
Familiar ransomware patterns start with reconnaissance ("recon"), which leads to initial access to the systems, followed by ongoing access and the theft (exfiltration) of data, he said.
“To be honest, most days, recon starts on LinkedIn. You can probably find out the tech stack and the security stack of an external organization just from LinkedIn, because you will find the IT engineers, and you will see what experience they have and what platforms they use. You can suss out what is going on at work without doing anything.”
Another tool in the toolbox for attackers is Shodan, which Hunter described as the “most dangerous search engine in the world. Shodan does a continuous scan of the entire Internet – a database that is growing all the time.”
He added there’s tradecraft (defined as techniques, methods and technologies used in modern espionage), “that they (attackers) have plugged into to interact with a service so that they can tease out more information. You can search across the entire internet in sort of an instant, without even generating any network traffic yourself. It is done for you.”
Cybersecurity head hunting firm Cyber Talents described Shodan in a blog as the “search engine for hackers. In contrast to Google, which is searching the Web for simple websites, Shodan is also a search engine, but one specifically designed for IoT devices. It ranks the unseen pieces of the internet that most users would never see.
“In a search, any connected device may show up, including servers, traffic lights, home automation systems, cashier machines, security cameras, control systems, printers, webcams and others.”
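Hunter's point is that Shodan has already done the scanning, so the first question for a municipal team is what an attacker sees when they search the town's own address space. The script below is an added example, not code from the session, from Field Effect or from Cyber Talents. It triages a banner export in the JSON-lines shape the Shodan API and `shodan download` produce (fields such as ip_str, port, transport, product, version, data) and flags the internet-exposed services that most often serve as ransomware entry points. The three banners and the 203.0.113.0/24 addresses are constructed for the example and describe no real host.

```python
"""Triage a Shodan banner export for an organization's own address space.

Added example; assumes JSON-lines input with Shodan's banner field names
(ip_str, port, transport, product, version, data, org). The sample
banners below are constructed and use documentation addresses.
"""
import json
from collections import defaultdict

# Constructed sample: three banners as Shodan would return them for a /24.
SAMPLE_BANNERS = "\n".join(json.dumps(b) for b in [
    {"ip_str": "203.0.113.10", "port": 3389, "transport": "tcp",
     "product": "Remote Desktop Protocol", "org": "Example Town",
     "data": "Remote Desktop Protocol"},
    {"ip_str": "203.0.113.12", "port": 445, "transport": "tcp",
     "product": "Samba smbd", "version": "3.6.25", "org": "Example Town",
     "data": "SMB Status:\n  Authentication: disabled\n  SMB Version: 1"},
    {"ip_str": "203.0.113.20", "port": 443, "transport": "tcp",
     "product": "nginx", "version": "1.24.0", "org": "Example Town",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n"},
])

# Services whose direct internet exposure is a common ransomware entry point:
# remote administration, file sharing and clear-text management protocols.
HIGH_RISK_PORTS = {
    3389: "RDP", 445: "SMB", 139: "NetBIOS", 23: "Telnet", 21: "FTP",
    5900: "VNC", 1433: "MSSQL", 3306: "MySQL", 5985: "WinRM",
}


def parse_banners(text):
    """Parse a JSON-lines export; blank or malformed lines are skipped."""
    banners = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            banners.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return banners


def classify(banner):
    """Return the list of findings for one banner (empty if nothing notable)."""
    findings = []
    port = banner.get("port")
    transport = banner.get("transport", "tcp")
    if port in HIGH_RISK_PORTS:
        findings.append(f"{HIGH_RISK_PORTS[port]} exposed on {port}/{transport}")
    # Shodan's SMB module records protocol version and auth state in `data`.
    data = banner.get("data", "")
    if "SMB Version: 1" in data:
        findings.append("SMBv1 enabled")
    if "Authentication: disabled" in data:
        findings.append("SMB authentication disabled")
    return findings


def triage(text):
    """Map each host with at least one finding to its findings."""
    report = defaultdict(list)
    for banner in parse_banners(text):
        for finding in classify(banner):
            report[banner["ip_str"]].append(finding)
    return dict(report)


if __name__ == "__main__":
    for host, findings in sorted(triage(SAMPLE_BANNERS).items()):
        print(host)
        for finding in findings:
            print("  -", finding)
```

On real data, replace SAMPLE_BANNERS with the contents of a `shodan download` file for the town's netblock (e.g. a `net:` query) and extend HIGH_RISK_PORTS and the `data` checks to match the products the team actually runs; the host with only an HTTPS listener produces no finding, which is the point of the filter.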
In his presentation, Hunter also provided examples of attacks on Canadian municipalities, including:
- Two Ontario towns. One, with a population of 20,000, was attacked in April 2018; the attack affected all systems and servers, downtime lasted seven weeks, the ransom was three bitcoins (the closing price that month was US$9,240.55), and a complete system rebuild cost C$251,759.
- The other, with a population of 16,000, was hit five months later. It suffered a 48-hour blackout, paid a ransom of eight bitcoins (the closing price that month was US$6,631.01), and also required a complete system rebuild, the cost of which was not disclosed.
- Whistler, B.C., which was attacked in April 2021. No ransom was paid, but upwards of 800 GB of data was stolen, which resulted in the need for a complete system rebuild.
- In Banff, Alta., a ransomware attack in March was leveled at the town’s hosting infrastructure and critical servers. It has not been disclosed if a ransom was paid, however, the cost of a complete system rebuild was C$656,000.
- And last, but not least, the big one, which occurred two years ago in Saint John, N.B.
That attack, said Hunter, started when the city’s network was breached through a phishing email. Malware was uploaded to the city’s systems a few days later, and the next day the city discovered a ransomware attack was underway. In this case, the ransom demand totaled upwards of C$20 million (670 bitcoins), while the system rebuild cost C$2.9 million. Of that total, local taxpayers ended up being on the hook for C$400,000, with an insurance settlement covering the rest.
The result of this activity, and other attacks like it, is this, he said: “The attack surface of municipalities remains critically high. Looking at the raw data, I am not sure things are getting better.”
It is caused by several factors, said Hunter, including an acute expertise shortage. In Canada, there are an estimated 25,000 unfilled cybersecurity jobs, and worldwide that number totals 3.5 million.
The other issue is what he described as a fragmented approach by computer security vendors: “The industry has really failed. I am in the industry, and I get it, but a lot of these solutions are a part of the problem – a small slice of the pie, but they do not work together well.”
The “solutions” he referenced included firewall and antivirus offerings, security information and event management (SIEM) and log-based analysis, vulnerability and attack surface management, endpoint detection and response (EDR), network detection and response (NDR), extended detection and response (XDR), security orchestration automation response (SOAR), artificial intelligence (AI) and machine learning, and managed services of disparate tools.
“The slice of the pie that they are addressing is often not the most critical thing to fix in an environment. We all get distracted and start talking about that ‘thing’ that the industry has presented that will keep us secure and the reality is, it is not.
“There are a lot of vendors and security providers who are trying their best with these tool sets to provide a complete service. But really integrating, especially the EDR, NDR … – pick your acronym – it is hard to integrate these tool sets together because they were not designed and built to work together from the ground up.”
AI, said Hunter, is “really good at identifying pictures of cats and dogs, it has nailed that. What it cannot do is detect an unknown cyber threat because it does not know what bad looks like. It is good at a few things like anomaly detection, but if you do not have the right data, and you do not have a training set that says, ‘this is what I’m looking for,’ it is not that effective.”