Lessons from the Royal Mail Ransomware Attack

Just weeks ago, we spoke to Deryck Mitchelson, Field CISO at Check Point Software, about the weaknesses of critical infrastructure systems to cyberattack, especially ransomware. In the wake of the UK’s Royal Mail attack, which continues to paralyze Great Britain’s ability to send letters and packages anywhere abroad, we got back in the room with Deryck to discuss the lessons that can be learned from major critical infrastructure ransomware attacks.

Once more, with feeling.

THQ:

Well… here we are again.

DM:

Yes. The thing is, something like this was not unexpected. We’ve all had various conversations around critical national infrastructure, particularly around popular public sector organizations. I know Royal Mail’s not public sector as such, but it’s thought of as critical infrastructure, and it has all the hallmarks of being public sector left over from the time when it was. In other words, it’s not fully matured and digitally prepared for the 21^st century, so we shouldn’t really be surprised when it gets attacked.

It had an issue in November too, which was more about information access, letting customers using its click and drop service see some other customer information. But when you see that, and then you start to see things like this attack, for me, you start to see a trend, which is an organization that probably isn’t as mature as you’d expect, and doesn’t have the controls in place that you hope it does.

THQ:

We were going to say – the November incident felt like an initial probing, and now the overseas mail capacity is paralyzed. It has that sense of people pushing to see how far they can get, no?

DM:

Yes, and that’s often how these things work – the creeping infiltration. I’m a huge evangelist for the idea that whenever there’s an issue, you need to speak about it, you need to make it visible, so that others can learn.

That’s a huge thing around citizens that are impacted as well – they want to know as soon as possible when there’s been an issue, you know, rather than getting told three months later, with a small apology saying “it’s had very little impact.”

THQ:

Paging Guardian Media Group…

That’s me in the spotlight.

DM:

But there’s the other side to it, too – a company comes under the spotlight when it’s had a breach of some sort. Does that mean that threat actor groups then have a better look to see whether the company’s systems can be compromised? They’ve done that before, absolutely.

The reconnaissance for attacks like this starts months before they actually get deployed. So there’s no doubt that if they see some weakness, cybercriminals will then start to have a much deeper look to see whether they could potentially compromise that organization.

THQ:

And it works like a hole in the dam – the more interest that people show, the bigger the hole gets for next time…

DM:

Indeed – but it does put the right level of spotlight on the executive team. I’ve been saying this for years – cyberattacks can bring down organizations. They can stop organizations from functioning. And that vulnerability or brittleness starts from the chief executive down.

So I think being transparent and visible around issues means that there’s a focus both ways. There’s got to be a focus internally, down through the organization to say this is a top priority, we need to invest, we need to get this done and fix these things.

There’s also then more scrutiny from external stakeholders, too, from the customers that are using the services, and from investors. People say “What are you doing about this? We’re relying on this investment, and in order for us to be successful, please tell us this investment is secure.” That’s why it needs to be done. It’s just a shame that it’s happened again within three months at Royal Mail.

Transparency is key.

THQ:

Again, the Guardian case comes to mind. The group had a “potential” attack in December, and only in mid-January did it finally come out with a statement saying “Yes, that was a cyberattack. Yes, it was ransomware. And yes, our UK staff’s data were compromised – but not our subscribers’ or readers’ data.” Presumably that’s been an anxious month for Guardian stakeholders, internal and external.

DM:

I published an article in in December calling for organizations to actually be forced to put something up on their on their websites to be transparent around the number of breaches they’ve had, what they were and what the impact was. You know, in many ways, you look at things that you get from Trustpilot and you look at other third party websites. Google does that as well.

I do think we need a lot more visibility and transparency on organizations. I think as consumers, we need to have more choice to say whether we want to transact with an organization. Is this an organization we think is secure enough for us? Do we want to give them our personal information? Our financial information? Do we want to give them our confidential information? And I think we’re near that tipping point of consumers starting to say, “We understand you can’t be 100% protected from ransomware. But are you doing enough?”

Building blocks.

That’s the question I asked – Could you do more? And for me as a consumer, if you could do more, then I’m really keen to see what’s stopping you from doing more.

It’s not because the technology is not there to block most ransomware.

THQ:

Speaking as a representative of a firm that makes that technology…

DM:

Absolutely, we make a platform that blocks most ransomware. Other companies are available… But it’s a question worth asking – are these major critical infrastructures just investing in things that are not quite as good? Or do they not have the money to invest in the technology at all? Do they have people issues? I’m just keen to see what their remediation and improvement strategy is. What has the chief executive signed off?

Is the chief executive aware of these issues, but not releasing the investment funding to fix the issues? Is there an unfortunate culture in the organization? If I’m doing business with you, I want to know these things about your business – or your organization – so that it feels as safe as it can be.

THQ:

Royal Mail is an odd case, because it used to be fully public sector, but now is private sector delivering what is still thought of as public infrastructure. So it’s a complex business infrastructure in its own right. Do we think that having been hit by this Lockbit ransomware attack, it will learn its lessons, or will it go back to business as usual, focusing more on profitability than cybersecurity?

Learning lessons?

DM:

I’m in two minds as to whether organizations really do fully learn from being hit by ransomware. I think some organizations do. But you do regularly see organizations that get breached again and again.

For me, it’s about how organizations show they’re really taking on board what’s happened to them. The Royal Mail will have a myriad of systems, some legacy, some new. They’ve obviously got some DevOps and a lot of segmentation in place as well, because this breach has not impacted all their transactions, only the section dealing with mail that’s going abroad. But there’ll be a lot of legacy systems in there as well, there’ll be a lot of different systems that all try and interact and speak to each other, it will be very complex, but it will not all be new and shiny, so it’s probably at a different level of risk. It’s certainly much more difficult to manage in that state. It takes a lot of effort and a lot of conversations internally around the levels of risk, the levels of vulnerability that you need to focus on.

THQ:

So, initial lessons from the Royal Mail ransomware attack would be what?

• Report even minor intrusions, as they could be the start of reconnaissance for something much bigger.
• Come clean with the public and visibly post your breaches, so you’re not seen to be hiding important information.
• Invest in the best possible anti-ransomware tech you can afford.
• In multi-system infrastructures, work on upgrading vulnerable systems.
• And presumably train staff thoroughly in avoiding things like phishing and business email compromise.

DM:

Good start. But there’s more.

 

In Part 2 of this article, we’ll find out what else the Royal Mail ransomware attack can teach us about infrastructure security – and why organizations should learn their lessons the first time around.