Earlier this month the U.S. Justice Department announced the National Security Agency (NSA), along with other agencies, had successfully identified infrastructure for Snake malware, which had been used by the Federal Security Service of the Russian Federation (FSB) to victimize organizations throughout the United States and around the world for nearly 20 years.
According to the release, the court-authorized operation, code-named MEDUSA, disrupted a global peer-to-peer network of computers compromised by sophisticated malware called “Snake”. For nearly 20 years, versions of the Snake malware were used to steal sensitive documents from hundreds of computer systems in at least 50 countries, belonging to North Atlantic Treaty Organization (NATO) member governments, journalists and other targets of interest to the Russian Federation.
“We’re in a constant war. Not the war you traditionally think of, but a war that involves algorithms and encryption,” said Jess Parnell, VP of Security Operations at Centripetal. “The war on cybercrime is a war of knowledge and innovation, where victory lies not in the destruction of an enemy, but in the protection of our digital way of life… This is a huge step forward for the U.S. Justice Department and I applaud their dedication to taking the group down.”
Here, security industry leaders share their thoughts on the news and discuss what organizations can learn and apply to cybersecurity moving forward.
Security: What steps can organizations take to protect themselves from malware attacks like the Snake Malware network?
Camellia Chan, CEO and Founder at Flexxon: Traditional cybersecurity solutions are built for protection at the external layers, but such a vast landscape leaves too many gaps for cybercriminals to penetrate. Threat actors are multiple steps ahead and continue to evolve their tech and business models to bypass software defenses. Therefore, software security solutions find it difficult to identify newly modified threats and confidential data remains at risk. Organizations need to think outside the box – enter firmware-level protection, a way to take cybersecurity to the next level.
The next stage of holistic cybersecurity protection should incorporate hardware and embedded solutions into the overall infrastructure to stop hackers in their tracks in a small, sealed, and fully engineered environment at the data storage level.
Mike Parkin, Senior Technical Engineer at Vulcan Cyber: Threat actors can use many different attack vectors to land their malware payloads, so there is never just one thing. That said, user education is vital as an organization’s users are its broadest and most complex threat surface. They also need to make sure their operating systems and applications are kept up to date with a consistent and effective patch program, and they need to make sure applications are deployed to industry best practices with secure configurations.
Darren Guccione, CEO and co-founder at Keeper Security: Many times, malware attacks are the result of phishing, so basic cyber hygiene and employee training can go a long way in preventing network access. No matter how a threat actor accesses the network, though, the next step is to make sure they are unable to go any further.
Organizations large and small should implement a zero-trust architecture with least-privilege access to ensure employees only have access to what they need to do their jobs. Companies should also have security event monitoring in place. Access management software can help with privileged account and session management, secrets management and enterprise password management.
A zero-trust security model in conjunction with least-privilege access, role-based access controls (RBAC), a single sign-on (SSO) solution and appropriate password security can greatly decrease the likelihood of a successful attack and stymie the threat actor’s access. By adopting a zero-trust framework within their infrastructure, enterprise leaders will be in a stronger position to not only identify and react to attacks on their organization but also mitigate any potential damage.
Jeffrey Wells, partner at Sigma7: Organizations should take several key actions to enhance their security posture against malware attacks like the Snake Malware network. These include keeping software updated with the latest security patches, deploying robust antivirus and anti-malware solutions, implementing firewalls and intrusion detection systems with multi-factor authentication (MFA), conducting regular cybersecurity training for employees, applying the principle of least privilege, establishing routine data backups, implementing network segmentation, conducting vulnerability assessments and penetration testing, developing an incident response plan, monitoring network traffic with anomaly detection, enforcing strong password policies and actively participating in threat intelligence sharing communities. Organizations can bolster their defenses and adapt to evolving malware threats by implementing these measures. But, training and awareness are paramount.
Security: Given these networks often operate across borders, how can international cooperation be improved to tackle cybercrime?
Chan: Outcomes like Operation Medusa mark a significant milestone in the global fight against online crime and shine a light on global cooperation. This development is a positive step toward curtailing the rampant activities of cybercriminal networks, which have become increasingly sophisticated in their methods of stealing and selling sensitive data. Yet, this is only a part of the security battle. In this 20-year race to catch up to the malware’s creators, we have been playing a game of cat and mouse. It’s critical to immediately close the security gaps created by well-meaning protocols and inefficient cybersecurity solutions in the external layers once and for all.
Parkin: Given international politics and geopolitical issues, it can be a real challenge to effectively cooperate across borders. Most Western countries can work together, though there are often jurisdictional challenges that get in the way. And getting cooperation from nations that can be uncooperative at best, and actively hostile at worst, can make it impossible to deal with some threat actors.
There is still the potential for organizations to cooperate with each other in ways that government agencies can’t, though there is still the challenge of competing business interests that don’t see the community overall as a priority.
Wells: A multifaceted approach is required to combat the growing threat of cybercrime. This entails enhancing information sharing and establishing consistent legal frameworks across nations. Harmonizing laws related to data protection, privacy, electronic evidence and cybercrime offenses is crucial to ensure a unified and effective response. Mutual legal assistance treaties can facilitate cooperation in investigations and enable cross-border data sharing, aiding in the pursuit of cybercriminals. Capacity building and training play a vital role in strengthening cybersecurity capabilities. Establishing joint task forces that foster collaboration among governments, law enforcement agencies and the private sector is essential. By encouraging information sharing, promoting best practices and undertaking joint initiatives, collective efforts can be harnessed to enhance intelligence gathering, incident response and overall cybersecurity capabilities. Effective cooperation and coordination among various government agencies involved in cybercrime investigations are paramount. This includes fostering collaboration between law enforcement, intelligence, diplomatic and regulatory bodies. Additionally, engaging professionals from different disciplines, such as technology experts, legal professionals, and policymakers, is crucial to address the multifaceted challenges posed by cybercrime comprehensively. Promoting and adopting international norms, agreements and principles are key to establishing responsible behavior in cyberspace. These frameworks provide a foundation for cooperation, define rules for state behavior and facilitate international consensus on cybersecurity issues. Encouraging countries to ratify and implement international cybercrime conventions and treaties, such as the Budapest Convention on Cybercrime, further strengthens the legal framework for international cooperation, extradition and joint action against cybercriminals.
Security: What do you see as the biggest cybersecurity threat facing organizations today?
Chan: The biggest threat may come from internal weak links. The majority of breaches organizations are experiencing are due to human error, poor cyber hygiene and outdated or inadequate cybersecurity policies. Thus, as defenders, we need to focus on people, process and technology.
Guccione: The biggest cybersecurity threat for an organization may be their own password and secrets management policies. More than 80 percent of breaches happen as a result of weak or stolen passwords, credentials and secrets. To achieve this, it is essential to use a password manager as a first line of defense. This will ensure employees are using high-strength random passwords for every website, application and system, and further, will enable strong forms of two-factor authentication, such as an authenticator app, to protect against remote data breaches.
Parkin: Even as our defenses improve, threat actors are developing more sophisticated attacks designed to get around them. Unfortunately, it’s difficult to predict where the next threat will originate. Even so, an organization’s user base remains its most complex and difficult-to-manage threat surface.
While I don’t consider advanced AI to be an existential threat as some do, I do see it being used effectively to help threat actors with social engineering campaigns which could become a greater issue.
Wells: The looming specter of Advanced Persistent Threats (APTs), particularly when supported by nation-state actors, poses a formidable challenge in the realm of cybersecurity. APTs, akin to elusive and astute spies, exhibit a remarkable blend of patience and precision. Picture a seasoned intelligence operative meticulously strategizing a protracted infiltration mission aimed at a prized target. The resilience and adaptability displayed by APTs render them highly successful adversaries, and their impact shows no signs of dissipating in the foreseeable future. These cunning threat actors capitalize on their ability to remain concealed and methodically execute their clandestine operations, leveraging advanced techniques to achieve their objectives. Moreover, despite the best intentions and training, the human factor introduces an inherent vulnerability. Even the most well-prepared individuals can inadvertently become conduits for compromising security.
Security: What lessons can be learned from the disruption of the Snake Malware network and how can these be applied to cybersecurity efforts going forward?
Chan: Neutralizing malware and other cyber threats with modern technology operations is key and this is a major takeaway that organizations should walk away with. To put it simply, out with the old, reactive and inefficient security methods and in with proactive, innovative and holistic approaches.
Parkin: The biggest takeaway I see here is “these things take time.” The Turla group operated for almost 20 years before being taken down, which is a long, long time for a known threat to be active even when it’s operated by a state security agency. A related lesson is that an organization may be facing attack from a state or state-sponsored threat who may have considerably more resources than a common criminal, and deeper motivations than simply criminal activity.
Wells: Early detection is paramount in combating cyber threats. By continuously monitoring systems and networks for suspicious activity, such as unusual network traffic, new or modified files, or unexpected system behavior, organizations can identify potential malware infections and mitigate the damage they may cause. Investing in threat intelligence is crucial for staying ahead of cybercriminals and APT groups. By understanding their tactics, techniques and procedures (TTPs), organizations can better anticipate and prepare for potential attacks. Organizations should implement a multi-layered security approach to provide comprehensive protection against sophisticated threats like the Snake Malware network. This includes deploying a combination of security solutions such as firewalls, antivirus software, endpoint detection and response (EDR) systems, intrusion detection and prevention systems (IDS/IPS) and secure email gateways. Regularly updating and patching systems is crucial to minimize vulnerabilities that malware may exploit. Employee education is vital in mitigating risks associated with social engineering attacks, such as phishing. Organizations can significantly reduce the likelihood of successful attacks by educating employees about these threats and training them to recognize and report suspicious activities. Having a well-defined response plan in place is essential to minimize the impact of a malware infection. This plan should include assigning responsibilities, isolating infected systems to prevent the spread of malware, and restoring systems to normal operation. Regular backups are indispensable for recovering from a malware attack, particularly in the case of ransomware that encrypts critical data. These backups should be stored offline or in a manner that is inaccessible from the network to ensure their integrity. Collaboration and information sharing play a vital role in strengthening cybersecurity defenses. By actively sharing information about threats and attacks with industry peers, organizations can collectively enhance their ability to detect and respond to cyber threats.
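One of the detection signals named in the answer above is "new or modified files". The following is an added example, not code from the article or from any of the companies quoted in it, of the simplest form of that check: take a SHA-256 baseline of a file tree while the system is known-good, take another snapshot later, and classify every path as added, removed or modified. The directory layout, file contents and choice of SHA-256 are constructed assumptions for illustration; the scenario builds its own temporary tree so it runs offline.

```python
"""File-integrity baseline and change detection (added illustration).

Assumptions: the tree under `root` is the set of files worth watching, and the
baseline was captured when the host was trusted. Sample files are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped on purpose: hashing a link's target would let a planted
    link make an unchanged file look modified, or hide a new file behind a known hash.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            result[rel] = sha256_of(full)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes between a trusted baseline and a later snapshot."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths if baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then edit, add and delete files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder")
        (root / "README").write_text("unchanged\n")

        baseline = snapshot(root)  # captured while the host is known-good

        # Later: a config is edited, a new binary appears, a file disappears.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / "helper").write_bytes(b"new file")
        (root / "README").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline should be stored off the monitored host (or signed), since a host that has already been compromised can otherwise rewrite it, and the diff output belongs in the same place as the other monitoring signals the answer lists so that a new file under a system path can be correlated with unusual network traffic from the same machine.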