In a recent article looking at cyber security trends, we highlighted the potential for incidents to occur from supply chain attacks, as well as the prevalence of ransomware across the Internet. No organisation is safe from attack, as illustrated by the NHS 111 attack at the beginning of the month.
Advanced have been supplying the NHS 111 service with its Adastra management system since April 2020, providing support amid the COVID-19 pandemic. Other Advanced offerings to the NHS were also impacted as part of the attack, however the Adastra system was the most widely used as part of the non-emergency telephone service.
The NHS 111 attack was reported to have affected nine different trusts across the country, spanning patient referrals, access to medical records and ambulance dispatches to name a few. As part of the impact of the attack, services are only now just coming back to full operational status, with the remediation efforts taking several weeks in certain cases.
Advanced released a statement on 23 August with an update on the status of the various systems, and that they were progressing as planned with their investigations. It’s worth noting that, as of 19 August, Advanced had still not managed to restore their services to full capacity. As yet, no details have been released on the group or individuals responsible for the NHS 111 attack, nor the method of initial compromise. In addition, so far there have been no reports of customer or patient data having been stolen, however this is a small victory and does not mean that data was not at risk.
Ransomware is an always-evolving attack vector as criminal organisations experiment with the best way of exploiting victims for ransom, for example threatening to leak data instead of simply encrypting it. As a result, attacks can be more damaging than simply losing access to data, instead losing control of the confidentiality of the data itself.
Since the NHS 111 attack occurred on 04 August, it has taken almost two weeks thus far to investigate and rectify the incident, without a conclusion. It provides a stark warning to other organisations that the threat of ransomware should be taken seriously, and highlights the subsequent impact to regular business operations.
There are many costs as a result of such incidents, outside of potential fines and settlements, including third-party forensic investigators and the price of upgrading and testing systems. In addition, there is also the cost of potential downtime and loss of business following reputational damage, although these costs could be difficult to quantify.
Due to the increasing frequency of supply chain attacks, having increased by 300 percent in 2021, it is important to implement a plan in case of compromise. In today’s world, it is best to start from a position of assumed compromise and ensure that you have an Incident Response Plan (IRP) ready to go – we’ve provided some high level details of our own to get you started and will shortly be introducing our own service to assist organisations in the unfortunate event that they suffer a cyber security incident.
While having a plan helps respond to an incident, we’d much rather avoid an incident in the first place. Supply chain attacks can be difficult to prevent, however the risk can be limited by performing thorough due diligence when choosing to work with a supplier, to verify their processes and general cyber security posture. Ensure that your perimeter infrastructure is patched up to date and unnecessary services are disabled or protected by a firewall, and train staff to recognise remote attacks like phishing or password guessing against login interfaces.
For your own network, ensure access to resources is restricted by following the principle of least privilege, where staff are given the minimum level of privileges required to perform their role. This can be supported with a Zero Trust Model, which assumes all network activity is a security threat and implements steps to defend itself, for example requiring authentication to access privileged resources.
Ransomware can be a worrisome prospect and should certainly be taken seriously, no matter how large or important the organisation. Fortunately, due to its pervasiveness, there is a wealth of information, frameworks and techniques which have been developed to combat the threat.
As always when it comes to cyber security, being prepared is critical. Following on from the NHS 111 attack, ensuring you have up to date systems and your staff are well-trained in how to recognise and respond to an incident is crucial. This will mean you are well-placed to protect yourself from an attack and that the cost to your organisation following an attack is minimised.
Pentest People are well-placed to help, with both Penetration Testing Services and our Ransomware Defence Assessment, where our experienced team assesses how quickly you could recover from a ransomware incident.