It is important to understand that ransomware does not start with encryption. Most ransomware threats today are multi-stage attacks. To protect against them, most organizations already have the right controls in place, such as endpoint security, EDR, secure web proxies and email security. However, they often lack the threat detection and response processes in the SOC to detect an attack in progress. Investing in XDR capability to improve detection, as well as rehearsing incident response processes, is critical to ransomware resilience.
Another key attack vector for Transportation companies is cloud-native APIs and applications.
Today, more than 80% of all internet traffic belongs to API-based services. Cloud applications (SaaS, PaaS or IaaS) have transformed the way APIs are designed, used and exploited by software developers. APIs have evolved to be the backbone of most modern applications we consume today. The reach and popularity of some of these cloud applications, as well as the trove of critical data they contain, make APIs a lucrative target for threat actors. The connected nature of APIs potentially introduces additional risks to businesses, as they become an entry vector for broader supply chain attacks. In most cases, attacks on APIs go unnoticed because APIs are generally considered trusted channels and do not benefit from the same level of governance and security controls.
How to react? In this context, gaining visibility into application usage, with the ability to examine the APIs being consumed, should be a priority for organizations. The aim is to eventually have a risk-based inventory of APIs in use and a governance policy to control access to these services. The same visibility is needed for non-user entities within the infrastructure, such as service accounts and application principals that integrate APIs into the wider enterprise ecosystem.
For developers, developing an effective threat model for their APIs and implementing a zero-trust access control mechanism should be a priority, as should effective security logging and telemetry for better incident response and detection of malicious use.
A transportation company needs to protect customer data and maintain availability in order to meet customer needs. To do so, better ransomware and cloud security controls are key tools to enhance the level of protection.
Main security attention points to consider when coding:
- Misconfiguration of APIs resulting in unwanted exposure of information
- Exploitation of modern authentication mechanisms such as OAuth/Golden SAML to obtain access to APIs and persist within targeted environments.
- Evolution of traditional malware attacks to make more use of cloud APIs, such as the Microsoft Graph API, to land and expand; evidence of this was already seen in the SolarWinds attack as well as with other threat actors such as APT40/GADOLINIUM.
- Potential misuse of APIs to launch attacks on enterprise data, such as ransomware on cloud storage services like OneDrive.
- The use of APIs for software-defined infrastructure also means potential misuse leading to complete infrastructure takeover or shadow infrastructure being created for malicious purposes.
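As an added illustration of the first attention point and of the zero-trust access control and security telemetry recommended for developers above (example code, not from the original article), the following contrasts a misconfigured handler that trusts the channel and returns a whole customer record with one that checks the caller's scope and ownership on every call and emits a structured security event for the SOC. The record, field names, scopes and caller model are hypothetical.

```python
import json
import logging
from dataclasses import dataclass, field

log = logging.getLogger("api-security")

# Constructed sample record; only PUBLIC_FIELDS should ever leave the API.
RECORD = {"id": 42, "name": "A. Traveller", "passport": "X1234567", "card_last4": "4242"}
PUBLIC_FIELDS = ("id", "name")

# In-memory copy of emitted telemetry so detection logic (or a test) can inspect it.
EVENTS = []


@dataclass
class Caller:
    subject: str                          # user or service principal (hypothetical)
    scopes: set = field(default_factory=set)
    owned_ids: set = field(default_factory=set)


def handler_misconfigured(caller, record_id):
    # "Before": the API is treated as a trusted channel. No scope or ownership
    # check, no telemetry, and the full object (including sensitive fields) is returned.
    return dict(RECORD), 200


def _emit(subject, record_id, decision, reason):
    # Every decision, allow or deny, becomes a JSON event the SOC can alert on.
    event = {"subject": subject, "resource": record_id, "decision": decision, "reason": reason}
    EVENTS.append(event)
    log.info(json.dumps(event))


def handler_zero_trust(caller, record_id):
    # "After": authorise each call independently and return the minimum data needed.
    if "customer:read" not in caller.scopes:
        _emit(caller.subject, record_id, "deny", "missing-scope")
        return {"error": "forbidden"}, 403
    if record_id not in caller.owned_ids:
        # Object-level check: a valid scope does not grant access to other customers' records.
        _emit(caller.subject, record_id, "deny", "not-owner")
        return {"error": "forbidden"}, 403
    _emit(caller.subject, record_id, "allow", "ok")
    return {k: RECORD[k] for k in PUBLIC_FIELDS}, 200


def denials_by_subject():
    # Simple detection view: repeated denials from one principal are worth investigating.
    counts = {}
    for e in EVENTS:
        if e["decision"] == "deny":
            counts[e["subject"]] = counts.get(e["subject"], 0) + 1
    return counts
```

Running `handler_zero_trust(Caller("svc-ingest"), 42)` denies with a `missing-scope` event, while an owner holding `customer:read` receives only `id` and `name`.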