-by Jennifer Lyn Walker
After an unfortunate incident last year, in what began the seemingly endless string of MFA bypass attacks, Cisco was extremely forthcoming with a public disclosure of what occurred and how it responded. Yesterday, in similar fashion, Dragos was the first to not only publicly disclose it had recently experienced a cyber incident (on Monday), but to deconstruct it in great detail. In Dragos’ words, “We want to share this experience with the community, describe how we prevented it from being much worse, and, hopefully, help de-stigmatize security events.” We should all be so transparent for the greater global good. Does it mean everyone needs to be public about who they are – absolutely not! I think I even heard Dragos’ CEO, Robert M Lee say something like, we don’t need to know the who (threat group) to defend against the what/how – a sentiment I have always ascribed. Whether it’s attributing an actor to a behavior, or a victim to an incident, the most important bits are what occurred and what lessons were learned.
Practice what you preach. “Dragos has a culture of transparency and a commitment to providing educational material to the community. This is why it’s important to us to share what happened during a recent failed extortion scheme against Dragos in which a cybercriminal group attempted to compromise our information resources.” And that, they did.
So, what happened? Yesterday, Dragos disclosed that on May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against them. No Dragos systems were breached, including anything related to the Dragos Platform. The criminal group attempted to compromise Dragos’ employee onboarding process. As described, a process that is already robust, but as Dragos highlights, it will be making improvements, including adding “an additional verification step to further harden our onboarding process and ensure that this technique cannot be repeated.” The post details part of the onboarding process. Takeaway: How does your onboarding process compare? Would it withstand a similar attack?
A model to aspire. Dragos’ account includes a detailed timeline of events – including screenshots of various texts sent to Dragos executives to include references to family members and other contacts. Lessons learned and recommendations are also shared. Not everyone needs to be this detailed publicly, but in doing so, Dragos fulfills its commitment of transparency and helping the community defend against similar attacks.
Reporting is relative to resilience. As a reminder, receiving non-attributable reporting is why the ISACs/ISAOs exist. ISACs/ISAOs thrive on being able to help their sectors/communities understand the threats facing them. We do that best when we receive member reports that we anonymize and report out for the benefit of all members. Not everyone needs to be as forthcoming as Dragos or Cisco, but even sharing a little can go a long way.
Read all about the incident at Dragos.