The Cyber Optimist Weekly

As the discussion on incentives for cybersecurity grows, the Canadian Parliament heard this week from the Centre for International Governance Innovation (CIGI), a think tank and non-profit. In the hearing, CIGI explained that compliance with the CyberSecure Canada framework, and with others such as ISED's and the CSE's, is effective for protection against cyberattacks. The problem? Small and medium businesses most often fall behind in their implementation. To address this and incentivize further compliance, CIGI suggested to MPs that a tax break for cybersecurity be implemented. The tax break would be tied to implementation of CyberSecure Canada and compliance with it. Although this hasn't been adopted, it's an interesting and valid conversation about cybersecurity at small and medium-sized organizations.

Closing the Book On Indigo

CIGI's proposal is interesting, because we were reminded this week that large organizations still grapple with cybersecurity. Indigo suffered a cyber incident, which forced all of its online services and its website offline. To paraphrase the company's website, shopping can only take place in stores; the website is currently only for window-shopping.

What do we know so far? It's common for organizations to keep mum about cyberattacks immediately after they happen in order to facilitate their response. We know that the relevant authorities in Canada were called in, and that customer credentials were sold on the black market and likely used to drop ransomware. We cannot say for sure what took place, but we can make some educated guesses.

  • The social engineering hypothesis. The attack was deployed when an employee fell prey to a phishing email. This could have been a phish with a malicious attachment or link, such as a PDF, a OneNote document, or an Excel file, that would have launched the malware upon opening.
  • The technology hypothesis. The attack took place through an infected computer connected to Indigo's environment.
  • The lateral movement hypothesis. Threat actors penetrated Indigo's systems and used lateral movement across trusted networks to break into corporate systems and carry out a double extortion operation. They could have exfiltrated data after taking the systems offline and maybe even encrypted it.

The MO of the attacker makes us think of operators like Play Ransomware as culprits. A new group, Play is a cybercriminal group affiliated with Russia. It's likely tied to other Russian-backed threat actors such as Conti, Quantum, or Hive. We say this because Play uses exploits targeting Microsoft Exchange, Fortinet, and VMware infrastructure, all equipment that could reasonably have been in use at Indigo.

Indigo's response to this attack has been sophisticated. They've been proactive in communicating with the relevant agencies and with customers about the response. This makes us think that their crisis communication and incident response contingencies are in an excellent state and that they've implemented good safeguards.

The Value of Preparation

The example of Indigo shows us that no organization is truly safe from cyberattacks and that preparing for incidents is a must for organizations of all sizes. Consider the following practices:

  1. Going beyond training. Having up-to-date and interactive training programs is necessary, but it is by no means the entirety of awareness. Beyond module completion, think about building a culture of cybersecurity in your organization. Have discussions about cybersecurity with staff, use videos and posters to raise awareness, and hold town halls about it. Doing so, you'll ensure that your organization sees cybersecurity as part of its mission, not just modules to complete.
  2. Planning, planning, planning. Don't stop at creating your incident response plans and playbooks; test them continuously. When you see a new development in the cyber landscape, update your incident response documents to make sure that they stay current and potent in the face of cyberattacks.
  3. Simulate. Make phishing simulations part of training and run them regularly to see how proficient in cybersecurity your staff is. Don't stop there; consider tabletop exercises to see how well you respond to a cyberattack threatening to cripple your organization. Tabletop exercises let you see the pitfalls of the incident response process in your organization and let you fix them to stay a step ahead of threat actors.

Ultimately, these pieces of advice and Indigo's incident response tell us that we can pre-empt cyberattacks and fine-tune our response to them. Take these steps into account to make sure that, no matter how threatening an attack may seem, you are always in charge and not the hackers.

Events of the Week
