Boeing ransomware attack commentary
November 2023 by Jim Doggett, CISO, Semperis
Following the news that Boeing has confirmed it is investigating a cyber-related incident, Jim Doggett, CISO, Semperis, offers the following commentary.
Boeing has recently acknowledged that it is investigating a cyber-related incident, days after the Russian-backed ransomware group LockBit posted information about an attack against the aerospace manufacturer. While Boeing conducts its internal investigation, there has been no indication that any sensitive data has been stolen.
This latest ransomware attack is yet another reminder that even the largest organisations in the world are being victimised by the ransomware scourge. Boeing certainly employs some of the best security threat analysts and incident responders, with a deep understanding of threats and of the common infection points in networks. And yet motivated, persistent criminals are successfully finding gaps in even the most secure organisations.
The bottom line is that you can’t pay your way out of ransomware. The good news is that solutions and strategies, when applied properly in advance, help combat these heartless and calculated attacks. Organisations should focus on the resiliency of their systems: hardening critical systems before an attack, implementing measures to identify and stop attacks before they do significant damage, and making sure they can recover quickly after an attack.
Additionally, companies need to know what their critical systems are (including infrastructure such as Active Directory) before attacks occur. It is beneficial to run tabletop exercises that simulate the recovery of critical systems before an incident occurs. While cyberattacks that expose sensitive data are jarring, defenders can make their organisations so difficult to compromise that adversaries look for other companies to attack. Organisations should also regularly conduct security awareness training, adopt an around-the-clock threat hunting programme, monitor for unauthorised changes in their Active Directory environment, which threat actors abuse in most attacks, and maintain real-time visibility into changes to elevated network accounts and groups.
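The last recommendation above, watching for unauthorised changes to elevated Active Directory groups, is illustrated by the following added example (not part of the original commentary or any Semperis product). It filters Windows Security log "member added to group" events (IDs 4728, 4732 and 4756) down to privileged groups and flags any change not matched by an approved-change allowlist; the event records, group list and allowlist are constructed sample data.

```python
# Added example: detect unapproved membership changes to privileged AD groups.
# Windows Security event IDs 4728/4732/4756 are the real "member added to a
# security-enabled global/local/universal group" events; everything else
# below (records, groups, approved changes) is constructed sample data.
from dataclasses import dataclass

# Groups whose membership a defender treats as Tier 0 (constructed list).
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                "Administrators", "Account Operators"}
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}


@dataclass(frozen=True)
class Event:
    event_id: int
    target_group: str   # group whose membership changed
    member: str         # account that was added
    actor: str          # account that performed the change
    time: str


# Constructed sample records, shaped like an export from the Security log.
SAMPLE_EVENTS = [
    Event(4728, "Domain Admins", "CORP\\backup-svc", "CORP\\helpdesk01", "2023-11-01T02:14Z"),
    Event(4732, "Account Operators", "CORP\\jsmith", "CORP\\svc-iam", "2023-11-01T09:05Z"),
    Event(4728, "Sales", "CORP\\mlee", "CORP\\helpdesk01", "2023-11-01T09:30Z"),
    Event(4756, "Enterprise Admins", "CORP\\tmp-admin", "CORP\\tmp-admin", "2023-11-01T23:58Z"),
]

# Approved changes as (actor, member, group), e.g. tied to a change ticket.
APPROVED = {("CORP\\svc-iam", "CORP\\jsmith", "Account Operators")}


def find_unauthorized_privileged_changes(events, approved=APPROVED):
    """Return member-added events against Tier 0 groups with no approval."""
    hits = []
    for e in events:
        if e.event_id not in MEMBER_ADDED_EVENTS or e.target_group not in TIER0_GROUPS:
            continue  # not a membership add, or not a privileged group
        if (e.actor, e.member, e.target_group) in approved:
            continue  # matches a pre-approved change
        hits.append(e)
    return hits


if __name__ == "__main__":
    for h in find_unauthorized_privileged_changes(SAMPLE_EVENTS):
        print(f"ALERT {h.time}: {h.actor} added {h.member} to "
              f"{h.target_group} (event {h.event_id})")
```

In a real deployment the events would come from a SIEM or from Get-WinEvent on each domain controller, and the allowlist from the change-management system.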