CrankySec

The Drive By

In the masterpiece movie "Analyze That", there's a scene between mafioso Paul Vitti and actor Tony Bella, who's playing a character based on the former. It goes like this:

Bella: I'm looking for something to do when my character finds out he's being indicted. I was thinking of punching the wall, but I did that when they killed Uncle Lenny, and I did it again when Franny left me. Oh, and I punched a car, a van actually, when Peezee screwed up the big drug deal. So I'd like to find something different, that doesn't involve, you know, punching anything.

Vitti: Try kickin' something. Let me know how it works out.

Bella: Wait, Paul. That's interesting. Like what?

Vitti: I don't know. You could kick a guy in the face.

Bella: Who?

Vitti: Just some guy! You knock him down, give him a couple quick kicks in the head while he's on the ground.

Bella: Why?

Vitti: Why not? Because he's there and you're pissed off.

A beautiful exchange, and it is undeniable that this is De Niro's best performance since The Godfather Part II. A true thespian.

But, wait! Why are we talking about this? Well, because it describes this incident almost perfectly: Stryker is there, and Iranian-backed hackers are pissed. It is very hard to believe that this was some sort of targeted operation, mainly because Stryker doesn't seem to have anything to do with anything. They were there.

Perform some hack of opportunity, claim that it was your intention all along, overstate your capabilities, and now everyone's talking about you. Can't get much more RoI than this, really. Classic playbook.

It does have some interesting implications, though: if there's no rhyme or reason, just "he's there and you're pissed off", then anyone, anywhere can catch some strays. The whole "why would anyone target us?" approach to risk management, an approach that was stupid to begin with, becomes even more problematic. As long as "you're there" and "they're pissed off", you're a target. It doesn't matter if you're not critical infrastructure, if your data is uninteresting, if you're just a little old shop: you're a target.

And this is just the current tHrEaT lAnDsCaPe. We all know that shit is eVeRcHaNgInG. Today it is threat actor A, tomorrow it's threat actor B, a week from now it's both + threat actor C. The only way to minimize the chances of catching said strays is to, well... not be there. And I don't mean that in the "move to the mountains and go live off the grid" sense. It's more along the lines of "don't do the stupid shit everyone seems to be doing". When a pack of wolves is hunting everybody, you don't have to outrun everyone: just the slowest runners.

I am 1000% sure (I'm not. It's a figure of speech called hyperbole) that this Stryker situation could have been prevented by a couple of Yubikeys, but it seems like it's better to go through this kind of disruption than spend $150 on prevention. If things continue on this trajectory, and I am positive they will, the number of attacks like this one will only increase.

Granted, this will be a problem for some people. Maybe even most people, but, as usual, the people not affected by this kind of thing ain't you. Because you ain't rich enough.

What to do, then? Fuck if I know. Maybe just don't leave your ass hanging out? Do some threat modeling? Risk analysis? Controls testing? You know, basic stuff that's been around for literal decades? Not to blame the victims here, but no one is going to look out for you.

Time for a shameless plug? Hell, yea! Need help with this kind of stuff? We can do that for ya. We do have an actual consulting arm, don't you know? Like, legit. First four hours of consulting are free because that's how we get ya. Hit me up at sc at crankysec dot com, and I'll get you sorted out.