Hack me once, shame on thee. Hack me twice, shame on me.
The popular email marketing company, MailChimp, suffered a data breach last year after cyberattackers exploited an internal company tool to gain access to customer accounts. The criminals were able to look at around 300 accounts and exfiltrate data on 102 customers. They also accessed some customers’ AIP keys, which would have enabled them to send email campaigns posing as those customers.
This data breach attack wasn’t especially noteworthy — until less than six months later, it happened again. As before, an intruder accessed internal tools to compromise data on 133 MailChimp accounts. The breach was made possible by a social engineering attack on employees and contractors to gain access to employee passwords.
The attack engendered follow-on attacks. One of MailChimp’s customers was the cloud service provider, DigitalOcean. As a result of the attack, that company was unable to communicate with customers for a few days and had to request that customers reset their passwords.
After the first breach, MailChimp told TechCrunch it had added an unspecified “additional set of enhanced security measures” and replaced its CISO.
The experience of getting attacked in a similar manner as a previous attack isn’t rare. In fact, it’s very common.
MailChimp is just one example of many
Repeated attacks are actually the norm, not the exception. Some two-thirds (67%) of companies attacked get attacked again within one year, according to a global study by the security posture management company, Cymulate. And 10% of companies experienced 10 or more incidents within a single year.
For ransomware attacks specifically, the number of companies suffering repeated ransomware attacks rose to 80%, according to an international Cybereason survey.
Which raises the question: Why are repeat attacks so incredibly common?
What goes wrong in attack recovery that invites new attacks?
Here’s an under-appreciated fact about what happens after a cyberattack: Malicious actors learn what’s possible.
In the MailChimp example, cyberattackers learned that 1) internal tools were vulnerable, and 2) they could be used to steal customer data.
Once that knowledge was out there, it gave cyber crooks an incentive and a target. In other words, we can assume that the most likely next attack will target the same vulnerabilities as the last attack. The second a cyber incident is publicized, the clock starts ticking on a copycat attack.
The worst thing a company can do is nothing.
The best thing is to focus like a laser beam on the specific vulnerabilities that lead to the attack in the first place so that copycat attackers can’t exploit the same issues.
What should companies do to prevent repeat attacks?
While, of course, all companies should do all they can to prevent cyberattacks, it’s especially important to prioritize protection against the kind of attack that has already occurred.
The right response to a major cyberattack is to launch a thorough reset of the organization’s cybersecurity approach and posture. The SolarWinds hack is one great example.
In December 2020, we learned of a sophisticated supply chain cyberattack launched by a nation-state using the SolarWinds Orion network management system. Through this software, the Russian-backed cyberattackers (APT29, aka Cozy Bear) breached systems inside multiple U.S. and European government agencies and private companies, including multinational drug and biotech company AstraZeneca. The attack was discovered by the security firm FireEye when it was itself compromised by the attack.
Changes to industrial and national policy after the SolarWinds catastrophe are well known. But less appreciated are the steps SolarWinds itself took after the attack. They handled the aftermath well.
SolarWinds added a cybersecurity committee to its board of directors, added former CISA Chief Chris Krebs and former Facebook and Yahoo Security Chief Alex Stamos as consultants to the board, and they instituted major changes to how they build software to support strong cybersecurity.
Of course, it’s unlikely most companies are going to bring on board two of the most prominent names in cybersecurity. But the SolarWinds example captures the necessary spirit of change — boosting security best practices into everything from how leadership leads to company code.
Effectively regrouping after an attack
After a major attack, every organization should do some soul-searching. It’s important to evaluate how leadership failed to lead, how the company failed to invest, how the policies were inadequate and how the company culture around cybersecurity was insufficient to prevent malicious attacks through social engineering or other methods. The result of this postmortem should be:
- Changes in the org chart: Additions to the staff of senior-level security specialists like a CISO, a change in who reports to whom or the injection of strong cybersecurity experience to the board of directors.
- A total overhaul of cybersecurity training for employees
- Strong improvements to how and when patching and updates happen
- The overhaul of the security posture to embrace Zero Trust.
In short, the particular vulnerabilities that opened the door to a cyberattack need to be aggressively prioritized for remediation. Because the bad guys see the published details of a cyberattack as an instruction manual to launch another one.
If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.