• United States




Ransomware attack drives city to seek greater network visibility

Mar 18, 20198 mins
Network SecurityRansomwareSecurity

After being hit with the Cryptolocker ransomware, the City of Westland realized it needed more insight into network traffic, not just at the perimeter.

network security digital internet firewall binary code
Credit: Thinkstock

Local governments have been under siege from ransomware attacks in recent years. Colorado announced a state of emergency and called in the National Guard’s cyber team to help after its Department of Transportation was hit with SamSam ransomware in February 2018. March 2018 saw the City of Atlanta crippled by SamSam in an attack that cost an estimated $2.6 million to fix (against an original ransom of $52,000). In January 2019, the website for Dublin’s Luas tram system also fell victim to an extortion attack.

“Just like everybody else in the world, local government is attacked very, very heavily,” says Craig Brown, chief innovation officer for City of Westland, Michigan. “Right now, it seems like there’s a trend that hackers consider local governments to be low-hanging fruit because of the lack of budgets you find in a lot of technology departments, and it’s unfortunate.”

In February 2018, Westland suffered a ransomware attack that, despite not causing as much damage as it might have, made the city realize it needed to change how it thought about security.

Small but savvy IT team

Located 16 miles west of Detroit, Westland is home to over 84,000 residents. Brown was appointed chief innovation officer in October of 2018, having previously worked various IT roles at the city for the last five years, and in the technology department of the University of Michigan Hospital before that.

“I embody the traditional role of a chief information officer with the added twist that we’re responsible for providing innovation through technology to all departments of the city,” Brown says. “We manage work processes, trying to help develop them to be better, smarter, faster, more cost effective. If it touches electricity we manage and develop it.”

Brown and his team of five are responsible for enabling, provisioning and securing citizen data and ensuring the reliability of the city’s operations. The team’s remit includes the city’s information websites and social media, network infrastructure, databases, servers and various city services including water, sewers, trash, help to senior citizens, the building department, public access TV station and even the HVAC systems on the government buildings.

Because of the small size of the city’s IT team, everyone is a generalist. All five are part of the security cyber team along with the database team, the networking team and so on, but Brown says there is a constant drive for self-improvement around skills and knowledge, and the city isn’t hampered by a lack of resources. 

“We like to consider ourselves on the cutting edge for technology and innovation,” he explains, “Whether it’s a faster or more cost-effective process or just a better way to reach out to our residents or allow them to reach out to us, we’re constantly redeveloping all of our workflows and processes.”

A close call with ransomware

The ransomware attack on Westland began when an employee fell for a phishing attack and clicked a link carrying the Cryptolocker ransomware as its malicious payload. The ransomware encrypted files on devices and demanded $25,000 per device to unlock.

“It immediately impacted a second endpoint and then a connected server. However, we were able to stop it; we recognized where it was, which was immediate, we were able to stop it in its tracks before it could spread any farther,” says Brown. “It was very surprising that we were able to stop it as quickly as we did.”

As only three endpoints were affected – and full backups were available – the city did not pay the ransom and was able to recover from the attack with minimal disruption. However, it made the city’s IT team realize that a change of focus was needed in its security approach. Its security solutions, such as Sendio email security and Trend Micro OfficeScan endpoint protection, were all focused on detecting and stopping threats at the point of entry.

“It [our security focus] was primarily perimeter level, and we really needed something to look inside and help us notice things that bypassed our perimeter security to get a way in. We need to make sure that we understood exactly what was going on inside our network and be able to immediately see if something was abnormal, so we could remediate right away.”

The decision was made by Brown and then-CIO Dan Bourdeau that the city needed greater visibility and real-time telemetry into what was going on inside the network. “We already had very strong security infrastructure in place, but our brush with the Cryptolocker attack really made us look around and decide that we needed ways to strengthen our security and add additional layers that we didn’t already have in place,” says Brown.

“We had tools to see what was going on in our environment, but they weren’t very detailed. It didn’t give us a level of information that was really necessary for us to truly see everybody that could have potentially impacted so it took us more time to make sure that everybody that was connected on that that section of our network was fine.”

Real-time visibility

To gain greater visibility into its network, Westland decided to deploy Darktrace Enterprise Immune System. “We started to look at various platforms that were on the market and reached out to our peers in other municipalities to gather information about the various platforms out there. After reviewing different demos, Darktrace resonated with [then-CIO Bourdeau] as being the right platform for us,” says Brown. “We needed something that was easy for us to quickly see what was going on in our network and the graphical interface Darktrace provides is great for that. Add in the timeline feature and reporting, and it was a win.”

The company now has visibility of network traffic across its entire estate – including the city’s servers, endpoints such as smartphones, laptops, and tablets, and any automated processes going on between devices — and the system has learned the normal day-to-day behaviors that environment and will flag any potentially suspicious or abnormal activity.  “It’s allowed us really to get an idea of what our staff in the city is doing on a regular basis involving their technology and logging how much how much data is flowing back and forth,” says Brown

Brown says the city’s previous solution would only provide visibility into the network at that time, and the IT team wouldn’t have any insight into what was going on between that and the next time they logged into the software. “We realize just how lacking it was in information. If we had Darktrace at that time [of the ransomware attack] we would have seen that suspicious behavior immediately and known immediately which endpoints were impacted, not just having to go through manually and check everything afterwards.”

As an example of the visibility Brown and his team were able to get, he says upon first installing the appliance, they discovered an employee that was using BitTorrent on a jailbroken personal phone on of the city’s guest wireless networks. “We were able to see exactly what device, who was doing it, what part of our network it was on, and the times that they were doing it, and we were able to trace back exactly who it was that was using it.”

Calculating security ROI

It can be hard to justify budgeting for technologies that don’t provide an obvious return on investment. With something like network visibility, which doesn’t even have obvious metrics such malware attacks blocked, this can be even more of a challenge. “It’s all about prevention cost,” explains Brown. “What is the value of that prevention compared to the cost of the appliance? You have to think of the worst-case scenario that could be possibly remediated by a device and figure out what the cost would be for that scenario.”

In his example, if an organization that has minimal defenses gets hit with a Cryptolocker attack that wipes out half of its equipment once per year faces remediation costs of X, that X is part of the ROI every year that you have the security appliance that prevents that attack.

“We have over 350 endpoints, so if that Cryptolocker attack will have gone through our entire system the ransom would have been rather large. We were able to stop it after three devices.”

Creating a culture of security

As well as gaining network visibility, Brown says one of the next security initiatives is a training program to help employees understand what email phishing is and what to do if they think an email they’re receiving is a phishing attack versus a legitimate email. The city already pushes a culture of not blaming employees in the event of falling for phishing attacks.

“We make sure that they understand that they need to talk to us and we’re here to help them when those things happen and it’s not something for them to hide,” he says. “I’ve seen that in other cities and other environments, where people don’t want to tell their technology departments they did something wrong.”

Brown says this culture of employees sharing with IT if they see anything out of the ordinary or do something that they recognize is bad is one of the reasons why the city was able to quickly react to its own ransomware incident. “As soon as the people that were impacted clicked on those buttons, they immediately told us what they did as soon as they saw this message, so that helped us be able to stop it before it got worse.”