Colonial Pipeline and MITRE ATT&CK Tactic TA0040
Around this time two years ago, Windows and Active Directory security expert Randy Franklin Smith expressed this concern: “Destructive cyber-attacks are on the rise and I have a deeply held belief that they will continue to rise.” The attack on Colonial Pipeline was inevitable. But it is going to continue to get worse. Why? Because systems are too vulnerable and the political and financial motivations are too great.
MITRE has devoted an entire tactic in ATT&CK to these destructive attacks: “TA0040: IMPACT – The adversary is trying to manipulate, interrupt, or destroy your systems and data.”
TA0040 Impact covers both extortion-based attacks and attacks where the intent is not to make money but simply to destroy systems and data, or otherwise to deny and interrupt an organization's operations.
The interesting thing about impact attacks is that you don't need to hold secret information that is valuable to the attacker. To be a target you just have to be an organization that:
- Simply needs to avoid interruptions of its operations
- Has information of no direct value to the attacker but with an obligation to protect for privacy reasons
- Resides in a country that is a political enemy of the attacker’s country
Case in point: Maersk suffered a global destruction of its Active Directory as a result of an attack against Ukrainian businesses.
Impact attacks include classic ransomware (where data is encrypted), blackmail (where the attacker threatens to publicly post private information) and simple destructive attacks.
Encryption attacks require the attacker to encrypt data in situ, and blackmail requires exfiltration, but destructive attacks are much easier. And that makes sense. It's all about entropy. It only takes a bomb seconds to destroy a building that took years to build.
In this webinar, we will explore a three-pronged defense for impact attacks:
- Prevention – Stop the impact from happening in the first place
- Damage Control – Limit the degree of impact
- Fast Recovery – Get back online quickly after the impact
History proves that Active Directory is a prime target for impact attacks. Maersk immediately comes to mind but there are others.
In this real training for free session, Brian Hymer will show you the latest version of Recovery Manager for Active Directory Disaster Recovery Edition, which can automatically recover an entire forest from complete destruction in a matter of hours, something that would take weeks manually. A key new feature Brian will briefly show you is the ability to recover AD without relying on bare metal restore, which is important in case your DCs were already compromised when they were backed up.
Don’t miss this real training for free session.