Skill shortages, sick leave, remote-work scenarios and massive ransomware attacks behind us and the holiday season ahead: the end of the year could become a challenge for many IT and cybersecurity teams.
A recent international study by Cybereason concludes that the threat of cyber-attacks increases at weekends and on holidays. Criminals take advantage of the quiet periods to infiltrate as deeply as possible into networks without being disturbed. Outside business hours, companies respond later and perhaps less efficiently to security alerts: of 1,026 respondents, 86 % stated that they had already had to interrupt a weekend or holiday at least once because of a ransomware attack.
A study by Mandiant Intelligence comes to a similar conclusion. In 76 % of the cases investigated between 2017 and 2019, the ransomware attacks started outside the business hours of the affected companies. In some cases, attackers even tied their attacks to the login and logoff behaviour of users, e.g. via Active Directory group policies.
Rapid response crucial for mitigation
Andreas Senn, Country Manager at Mandiant, a Google Cloud Company, says that the number of cyber threats and ransomware attacks is still increasing. “Spread over weekdays, we increasingly see that these start on Friday afternoon or at the weekend, as in many companies the IT security team is not on duty 24×7. Attacks at the weekend are therefore usually only discovered on Monday,” says Andreas Senn: “We also observe this effect during the Christmas season, when attackers take advantage of the situation that many employees in the IT security team are on holiday. Think, for example, of the Log4j vulnerability that caused many companies sleepless nights before Christmas last year.”
Markus Riegler, Head of Managed Defense at IKARUS, also observes a tendency towards weekend attacks: “For example, I remember an incident that started on the Friday before the semester break. Half the IT team was on their way to a skiing holiday and we handled the IR case across the Austrian Alps.”
IT teams need to account for cases like these in their emergency plans. A delayed or slowed response gives attackers time to embed themselves deeper in the victim's systems, making countermeasures more costly and massively increasing the damage.
Emergency measures against cyber-attacks during holidays
Compared to the United States and the United Arab Emirates, European companies seem to be far less prepared for ransomware attacks outside their usual working hours. However, it is never too late to set up measures that reduce the attack surface on the one hand and keep the organisation responsive despite holidays and absences on the other.
- Raise awareness of the threat situation – top-down from management to the individual employees
- Define initial measures, contact chains and decision-makers for security incidents outside business hours
- Implement network segmentation and regularly practise isolating and blocking malicious hosts, accounts, domains, etc.
- Disable critical accounts and unneeded remote-control access for the duration of the absence
- Create an incident response plan or engage an incident response provider to respond to attacks quickly and professionally 24×7
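The fourth measure, temporarily disabling accounts and remote access for the absence window, is the one most easily scripted. The following PowerShell is an added example and not code from IKARUS or from the article; it assumes the ActiveDirectory RSAT module on a domain-joined admin host, an account with rights on the target objects, and a constructed list of account names. It records the freeze in each account's description so that the thaw step re-enables only accounts it disabled itself, not accounts disabled by HR or incident response in the same period.

```powershell
# Added example (not from the article): freeze a named set of privileged/remote-access
# accounts for an absence window and re-enable only those on return.
# Assumes the ActiveDirectory RSAT module and a domain account with rights on the target objects.
Import-Module ActiveDirectory

# Constructed sample list of SAM account names not expected to be used during the freeze.
# Break-glass accounts are deliberately excluded so the on-call responder can still get in.
$AccountsToFreeze = @('svc-vendor-remote', 'adm-lab-auto', 'contractor-j.doe')
$FreezeEnd        = Get-Date '2025-01-02'
$Marker           = 'HOLIDAY-FREEZE'

function Invoke-HolidayFreeze {
    foreach ($sam in $AccountsToFreeze) {
        $user = Get-ADUser -Identity $sam -Properties Description -ErrorAction Stop
        if (-not $user.Enabled) {
            Write-Host "skip  $sam (already disabled for another reason, left as-is)"
            continue
        }
        # The marker lets the thaw step distinguish freeze-disabled accounts from
        # accounts disabled by HR or incident response during the same period.
        $note = '{0} until {1}; previous description: {2}' -f $Marker, $FreezeEnd.ToString('yyyy-MM-dd'), $user.Description
        Set-ADUser -Identity $sam -Description $note
        Disable-ADAccount -Identity $sam
        Write-Host "froze $sam"
    }
    # Switch off inbound RDP on this host for the same period; "Remote Desktop" is the
    # built-in Windows Defender Firewall rule group.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
}

function Invoke-HolidayThaw {
    # Only accounts carrying the marker are re-enabled; everything else stays disabled.
    $frozen = Get-ADUser -Filter "Description -like '$Marker*'" -Properties Description
    foreach ($user in $frozen) {
        $previous = ($user.Description -split 'previous description: ', 2)[1]
        Enable-ADAccount -Identity $user
        if ([string]::IsNullOrEmpty($previous)) {
            Set-ADUser -Identity $user -Clear Description
        } else {
            Set-ADUser -Identity $user -Description $previous
        }
        Write-Host "thawed $($user.SamAccountName)"
    }
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True
}

function Get-FreezeAuditTrail {
    # Cross-check on a domain controller: 4725 = account disabled, 4722 = account enabled.
    # A 4722 for a frozen account before the planned thaw is worth a ticket to the on-call contact.
    # TargetUserName is the first field in the 4722/4725 event template.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722, 4725; StartTime = (Get-Date).AddDays(-14) } |
        Select-Object TimeCreated, Id, @{ n = 'Target'; e = { $_.Properties[0].Value } }
}

# Usage: run Invoke-HolidayFreeze before the absence, Invoke-HolidayThaw on return,
# and Get-FreezeAuditTrail from a DC to confirm nothing was re-enabled in between.
```

Run the freeze with `-WhatIf` semantics in mind first (both `Disable-ADAccount` and `Set-NetFirewallRule` support the common `-WhatIf` parameter) and keep the account list under change control, so that the thaw on the first working day is a review of the audit trail rather than a hunt for what was switched off.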