Cybersecurity firms have a responsibility to keep their clients safe from digital attacks. But when they end up the victims, they potentially risk losing credibility with these customers, especially if their operations are disrupted.
It’s a potentially juicy extortion scenario for attackers, and we just saw an example of this play out last week when it was reported that Boston-based cyber-as-a-service company Cygilant was hit with a NetWalker ransomware attack and corresponding data breach. In such cases, the best response is generally for the infosec firm to practice what it likely already preaches to its clientele: be upfront and transparent.
“There is a lot of work that is required to regain trust,” said Jarad Carleton, the global program leader for cybersecurity at ICT at Frost & Sullivan. "And accomplishing that goal is dependent on communication and openness about what happened, why it happened, and what will be done to ensure it doesn't happen again.”
This is certainly not the first time a provider of cyber services has faced the embarrassment of being victimized. Just last month, cyber training provider SANS Institute acknowledged a data breach stemming from a phishing campaign. And in 2019 cyber firm Imperva disclosed a breach, while security and intelligence data mining company Verint was struck by ransomware.
Carleton looked even further back to find an example of what Cygilant and companies like them should do in a ransomware attack scenario: 2012, when a breach affecting endpoint security company Bit9. Years later, the company acquired Carbon Black and ultimately became VMware Carbon Black.
“The cause, revealed to me by a Bit9 executive I was working closely with at the time, was that the company had not been following the same security processes on all [its computers] that it recommended its own clients to follow,” said Carleton. “The executive was stunned by the revelations and he was clear there was no other option than for the company to fall on its own sword and work to show it learned from a very unfortunate mistake.”
“It didn't kill the company. In fact, it… continued to expand its business,” Carleton continued. “Further, the Bit9 brand didn't disappear until 2016, four years after the cyber incident.
“In short, it does hurt the reputation and the brand and their revenues, but it is not the end of a company, provided the company gets in front of the problem with customer and potential future customers.”
To that end, Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, complimented Cygilant’s early efforts. “Details of this specific incident are unclear, but so far Cygilant’s response seems to be fast and professional,” he said.
And while it might reasonable to expect a cybersecurity company to thwart the infection in the first place, the truth is that even infosec firms are subject to the old axiom: it’s ultimately impossible to fend off every single attack, especially if the adversary is determined and cunning.
Indeed, “this incident is another convincing proof that no companies are immune to cyberattacks,” said Kolochenko. “Many cybersecurity companies are seeing a spike of sophisticated and targeted attacks against them, not just ransomware campaigns. Working from home significantly exacerbates the risks amid overall unpreparedness for serious security incidents. Cybercriminals prefer targeting third parties that have a privileged access to valuable data, oftentimes picking cybersecurity companies.”
SC Media could not find a reference to the ransomware attack on Cygilant's website. SC Media reached out to the company for additional comment and context surrounding the attack, and received a statement from Cygilant Chief Financial Officer Christina Lattuca acknowledging that “a portion of Cygilant’s technology environment” was affected by a ransomware attack and that “our Cyber Defense and Response Center team took immediate and decisive action to stop the progression.”
Lattuca also said the company is "working closely with third-party forensic investigators and law enforcement to understand the full nature and impact of the attack." TechCrunch first reported this same statement on Sept. 3.
It is still not clear if Cygilant has paid or entered into negotiations with their attackers, who reportedly had posted what appeared to be screenshots of Cygilant’s stolen internal network files and directories before later removing those images.
If they did pay or negotiate, that was a big mistake, opined Carleton.
“Paying a ransom sends the worst possible message you can send and paying ransoms is why this type of enterprise-class extortion continues to exist,” Carleton said. “I personally would reconsider my business relationship with a company that pays a ransom because it speaks volumes about how low on the security maturity continuum they are, i.e., that they are an underprepared company and likely one that is not addressing security vulnerabilities in Active Directory to find misconfigurations that actually end up helping bad actors who are behind ransomware extortion.”
Another example of a company to emulate, said Carleton, is aluminum company Norsk Hydro, which suffered a ransomware attack in early 2019.
“They… held regular press conferences about what happened, what was being done to ensure it wouldn't happen again, and what the company was doing to restart operations globally without the use of compromised systems that had to be rebuilt,” said Carleton. “For me, that was the apex of ethical business practices and the entire executive team there deserves another round of kudos for how they got in front of the problem and refused to bow down to extortionists.”
