How a devastating ransomware attack forced a radical security rethink
"Like brain surgery without putting the victim to sleep"
SPONSORED - When hackers breached the IT systems at one of the world’s largest aluminium suppliers, Norsk Hydro, in late 2018, they built a foothold on the Norwegian company’s systems, moved laterally to capture administrative credentials and then in early 2019 detonated their digital bomb: a ransomware payload that locked thousands of servers and PCs, crippling the ability of Norsk Hydro’s 35,000 employees across 40 countries to work – forcing plants offline and ultimately costing the company millions in damages and lost orders.
Executives rapidly decided two key things within days of the attack. Firstly, that they were not going to reward criminals by paying the ransom; secondly, that they were going to be as open about the recovery and breach as possible, hosting regular press conferences, updates, and sharing forensic findings. The company was later thanked for its transparency by authorities, who said its openness helped prevent a string of other incidents.
Follow The Stack on LinkedIn
To those leading the IT team at Norsk Hydro and the subsequent recovery, it was a gruelling time: “Bringing up all servers from scratch and introducing a tiering model to them feels like doing brain surgery, without putting the patient to sleep. You forget everything about ITIL and change processes you know. All that counts is to react quickly and efficiently,“ as Remarc Bognar, Head of Network Architecture at Norsk Hydro puts it.
As his team -- on the second day of the incident – began a three-month process to recover from the attack, executives were forced into handwriting signs warning about the incident, texting them to plant and office managers around the world, to print in local printing shops and then post on entries, stairwells and elevators to warn arriving staff against switching anything computers on. As Remarc Bognar recalls: “I wouldn’t wish it for anyone. I can only recommend focusing on prevention over handling an incident response like this.”
Norsk Hydro ransomware attack triggers shift to Zero Trust
The incident triggered a major rethink about how the company approaches security – not least as a result of it finding numerous programmable logic controllers (PLCs) it had thought were air-gapped were, in fact, connected to its IT networks. Freshly empowered and resourced to rethink how the company approaches cybersecurity, Bognar started working towards significantly deeper traffic inspection, improved endpoint protection and more strategically, working with Zscaler (the only company designated a leader by Gartner in its 2020 Secure Web Gateways Magic Quadrant) to take a Zero Trust approach to the company’s security that swaps moat-and-castle network access for conditional user access at the application level. (Zero Trust is ultimately a framework, not a technology, that approaches all traffic -- including traffic already inside the perimeter -- as hostile.)
His move mirrors a broader industry shift by experienced cybersecurity professionals away from offices connected by MPLS WAN links to central locations like the data center -- with traditional security at the network perimeter provided by firewall appliances and remote users granted access applications via VPN. (Poorly managed VPN user accounts have been abused in the hacks of companies like Avast and Colonial Pipeline, while critical security vulnerabilities in widely used enterprise VPNs have been widely exploited.)
Norsk Hydro started taking a tiered approach, defining access rights to applications based on tightly circumscribed user groups, making it much harder for any intruder to a) see applications and b) move laterally inside a network if any intrusion takes place. (As Zscaler’s CEO put it earlier this year: “When traffic is flowing over the network, a traditional device like a firewall is trying to scan what kind of application it is, guess it and trying to stop it or not. With our proxy architecture where we examine every connection request [including encrypted ones] and decide to connect to a particular user. A user coming from company A, or company B, or company C, each looks like an untrusted user. It [also] allows us to do Zero Trust, which is probably the biggest thing to help you minimize the damage of lateral movement if something gets infected…)
When Remarc Bognar looks back at his company’s security posture before the attack, meanwhile, he reflects that traffic inspection was inadequate – he now takes a more layered response to security across the company, ensuring that SSL inspection is running in every location -- something that has become increasingly critical, given that between January 2021 and September 2021, Zscaler blocked more than 20 billion threats over HTTPS for its clients; an increase of 314% on 2020. This matters because SSL encryption is increasingly used to hide both malware and indeed data leakage; e.g. sensitive financial documents from an organization.
As he puts it: “When you are being hit, you should evaluate your security tools [and ask] do you have the appropriate tools in place? Is that system really scanning everything that is running on your network?
Zscaler recommends using cloud-native, proxy-based architecture to inspect all traffic for every user and decrypt, detect, and prevent threats that may be hiding in encrypted traffic; and deploying a zero trust architecture with deception to reduce your attack surface – an approach that makes applications invisible to attackers while allowing authorised users to directly access needed resources, but not the entire network. Norsk Hydro started its security journey after an attack that caused it real pain. The company emerged from it with real credit from law enforcement and cybersecurity professionals for its commitment to openness. But as Bognar mentions, it’s a trial by fire that others should be doing their level best to avoid having to endure.