A Cyber Christmas Carol

by Jennifer Walker

This post was originally informed by a TLP:GREEN FB-ISAO Monthly Threat Brief distributed on 19 December 2019.


What could we possibly learn about cybersecurity from the Charles Dickens classic: A Christmas Carol, you ask? Well, pardon our parallels and allow us some latitude as we explore this holiday classic with a cyber theme. In A Christmas Carol, Ebenezer Scrooge (the community of faith) is visited by the ghost of his longtime partner and friend, Jacob Marley (FB-ISAO) warning Scrooge that he’s doomed if he doesn’t change his ways. Jacob then foretells Scrooge that he will be visited by three spirits who will show Scrooge visions of his past, present, and a very unpleasant future should the trajectory of his life remain unchanged. Like the Christmas spirits, the cybersecurity community takes a similar approach at the end of each year by reviewing past events and incidents, looking at the present, and applying lessons learned to increase future cyber readiness. With that in mind, FB-ISAO presents some of these cyber events to help inform the community of faith toward a positive future trajectory of cyber resilience.

  • The Ghost of Cyber Past. This spirit takes us on a journey of the most notable cyber events of the past decade: an enlightening summary of some of the most influential events that shape the cyber present and yet-to-come. Not all of the biggest incidents are represented, but each event depicts a new trend or watershed moment in cybersecurity. Like Scrooge, if given the opportunity of hindsight in light of past cyber events, what changes will you make for a more promising future? But at the very least, the events beg the question, “Do you member when?”
    • Stuxnet (2010). An advanced computer worm designed to sabotage Iranian nuclear centrifuges. I know, this incident wasn’t relevant to most, and certainly less so for FBOs. But the vivid depiction of Stuxnet proved to the public consciousness that cyberattacks weren’t just the work of hoodie-clad teenagers holed up in their parents’ basement. Stuxnet was serious, and forever changed how businesses approached cybersecurity. Was news of Stuxnet the first time you perceived cyber threats might actually be real, even if you thought, “it won’t happen to me”?
    • Target Breach (2013). The massive point-of-sale (PoS) compromise that enabled the siphoning of credit card, debit card, and personal data of over 40 million guests. Target’s transparency began the long, storied future of major retail data breach disclosures and brought the issue closer to home for the general public. In the weeks to come, details of the breach would be a poignant example of how malicious actors attack less cyber-secure SMBs to gain access to the big target (pun intended). This incident remains a bit of a poster child as far as cybercrime data breaches go. When was the last time you shopped at Target?
    • Anthem, Inc. & Office of Personnel Management Breaches (2015). Two more widespread data breaches. Personal health records (Anthem) and security clearance, personal, and fingerprint data (OPM) were stolen by Chinese state-sponsored cyber espionage threat actors. Over 100 million combined records were pilfered in what is believed to be an attempt by the Chinese government to amass intelligence on U.S. citizens. These thefts validated the value of Personal Health Information (PHI) and removed all question that our sensitive personal data is in the hands of our adversaries. Is there any expectation of privacy or confidentiality anymore?
    • Mirai (2016). Malware designed to infect unsecured connected consumer devices (internet-of-things) and enslave them as part of a massive botnet to wage further cyberattacks. Mirai was the first botnet of its kind and was used to launch some of the largest DDoS attacks to date. Mirai (and its ilk) exploit the convenience and plug-n-play nature of IoT, including industrial control devices running our nation’s critical infrastructure. Do you remember that day the internet died?
    • (Ransomware) WannaCry and NotPetya (2017). Global ransomware epidemics that leveraged a previously leaked exploit (EternalBlue) stolen from the NSA. These weren’t the first ransomware strains we’d seen in the cyber community, but like what Stuxnet did for advanced cyber threats, and Target did for data breaches, WannaCry brought ransomware into the public consciousness. The sad part about these outbreaks – they could’ve been prevented. But as is the case all too often, previously released security patches weren’t applied in a timely fashion. WannaCry (May) was a rude awakening, but NotPetya (June) still caught many with their cyber pants down. Hmmm, I feel like I’ve been here before – DejaBlue (and BlueKeep)…
    • Equifax Breach (2017). Ouch! I don’t think much needs to be said here. First we had Target losing credit, debit, and personal data. Then personal health records and sensitive security clearance details were stolen from Anthem and OPM. Now, the entire credit histories of over 145.5 million American, British, and Canadian citizens are siphoned. This is beginning to look a lot like a complete identity picture floating around. How? Failure to apply patches for known vulnerabilities. Is it Patch Tuesday yet?
    • Magecart (2018). E-commerce website online payment skimming malware. As if ATM skimming and PoS malware weren’t enough, Magecart pretty much represents both. Simply staying away from shady online stores may not keep your credit card data safe – Magecart actors infect well-known, high-profile, reputable, SSL-protected websites, reminding us there are no safe websites, only less risky ones. Is your online holiday shopping done yet?
    • More Ransomware (2019). “Big game hunting” ransomware campaigns that have been particularly targeting municipalities, schools, and managed service providers (MSPs). Most notably, twenty-two government entities in Texas were infected with ransomware in August after the compromise of a single MSP they all had in common. This onslaught of attacks primarily highlights two things: the importance of encrypted, validated, off-site backups, and the necessity of third-party risk management programs. Have you tested your backups recently?
  • The Ghost of Cyber Present. This spirit gives Scrooge a unique glimpse into his life as others see him and how past choices led him here. Like Scrooge, we can learn a lot from assessing past events and how they inform present circumstances. FB-ISAO reviewed some of the most concerning threats faced in 2019 and how they’ve unfolded in the current threat environment in light of past decisions – many incidents were even a combination of the two, and more often than not were precipitated by the ever-popular phishing-based email account spoofing tactic.
    • Ransomware. The threat responsible for one of the biggest cyber events of the decade (More Ransomware) was undoubtedly one of 2019’s most widespread threats. Like Scrooge, it seems the majority of businesses and enterprises alike have failed to heed the spirits’ warnings on the importance of backups as the best mitigation against a crippling ransomware attack. Furthermore, to add insult to injury, ransomware gangs are now outing victim businesses who do not pay up by threatening to publicly release data that has been stolen (not just encrypted).
    • Supply Chain. As if past events were not enough to convince you of the importance of supply chain security and third-party risk management, there were countless incidents in 2019 that highlighted this unabating problem. Yet many organizations still fail to properly vet these relationships and end up paying the price when they are compromised through a vendor. Supply chain risks are a concern for all types and sizes of organizations. With the latest ransomware attacks targeting MSPs, it’s particularly important for organizations to remember that while you may outsource your IT (and/or cybersecurity) services, you can’t outsource your risk.
  • The Ghost of Cyber Yet-to-Come. Short of the ability to time travel, Scrooge gets an opportunity that none of us will ever have – a glimpse of things yet-to-come if he continues down the same path. For the rest of us, if we learn from others’ successes and failures, the past may not come back to haunt us. That said, with prognostications in hand, and a view of the past and present, FB-ISAO offers its top cyber concern for 2020 to help you take a step forward to invest wisely into your cybersecurity posture for the coming year(s). That doesn’t mean treat other threats with less importance, but if you haven’t addressed this threat by now, please do so before it’s too late.
    • Even More Ransomware. In 2018 it looked like ransomware was going to take a backseat in 2019 to other threats, like cryptojacking and cloud-based threats. But it didn’t take long to resurge and catch many organizations unprepared. “Will Tiny Tim die?” laments Scrooge. If the shadows of ransomware remain unaltered by the future, many more organizations will fall victim and further legitimize the ransomware economy. The cybersecurity community expects more targeted ransomware attacks, and actors will increasingly leverage common techniques of phishing and computer vulnerabilities, such as exploiting the Remote Desktop Protocol (RDP).

Jennifer Lyn Walker is a cybersecurity professional with over nineteen years’ experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for FB-ISAO and Gate 15, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.


Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!