Incident response starts with preparing for an attack


Many trucking companies are still running their systems on traditional, on-prem software, but it’s not secure anymore – at least not as secure as the newer solutions on the market: cloud-based platforms.

Bob Sommer, an owner at TwoSommers, a software company that runs a cloud-based TMS for bulk carriers, said that to prevent a ransomware attack within traditional software, providers would have to recode. That’s because security is implemented with APIs, but those APIs do not distinguish which user is calling them. Many of those systems, he said, were written to allow anyone who is authenticated to request the API.

“A lot of these legacy technologies, they stop at the authentication level. Once it hits past there and they start running the APIs, they have no ability to monitor or protect two more layers deep into the process,” Sommer said. “That doesn't work today because if someone were able to get access to that account in your database, they get access to all your data, and they can lock it down.”

TwoSommers is built in such a way that every person has an identity all the way down to the database, so if there ever is an attack, the hacker can only obtain whatever information a specific user had.

Having multiple layers is key, he said.

It starts with multifactor authentication, followed by secure APIs accessible to specific users only, then monitoring each account for suspicious activity.
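The contrast Sommer draws, between an API that stops at authentication and one that carries the user's identity down to the database and monitors each account, shown as an added example (not TwoSommers' code; the `loads` table, account names and the read ceiling are constructed assumptions):

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data for a hypothetical TMS "loads" table (not a real schema).
SAMPLE_LOADS = [(1, "acme", "Load A"), (2, "acme", "Load B"), (3, "bulkco", "Load C")]


def make_db():
    """Build an in-memory database seeded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE loads(id INTEGER, owner TEXT, ref TEXT)")
    con.executemany("INSERT INTO loads VALUES (?, ?, ?)", SAMPLE_LOADS)
    return con


@dataclass
class Session:
    user: str            # identity established by the (MFA-protected) login
    authenticated: bool


def list_loads_legacy(con, session):
    """Legacy pattern: authentication is checked, but the query is not tied to the caller,
    so any authenticated account (or a stolen session) can read every carrier's data."""
    if not session.authenticated:
        raise PermissionError("login required")
    return [ref for _, _, ref in con.execute("SELECT id, owner, ref FROM loads")]


def list_loads_scoped(con, session, audit):
    """Identity carried down to the database: the query itself is filtered by the caller,
    and every read is recorded so the account can be monitored."""
    if not session.authenticated:
        raise PermissionError("login required")
    rows = con.execute(
        "SELECT id, owner, ref FROM loads WHERE owner = ?", (session.user,)
    ).fetchall()
    audit.append((session.user, len(rows)))
    return [ref for _, _, ref in rows]


def flag_accounts(audit, max_rows):
    """Monitoring layer: return accounts whose cumulative reads exceed a per-account ceiling
    (a constructed threshold standing in for a real per-user baseline)."""
    totals = {}
    for user, n in audit:
        totals[user] = totals.get(user, 0) + n
    return sorted(u for u, total in totals.items() if total > max_rows)
```

With the scoped version, a compromised `acme` session can only ever return `acme` rows, and repeated reads from that account show up in the audit trail rather than disappearing into an unscoped query.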

Implementing these steps to prepare ahead of an attack is the first step in incident response.

Preparation is not only the time to buy tools but to get them tuned as well as establish incident response and business continuity plans, Art Ocain, Airiam vice president of cybersecurity and incident response, said during a recent session at the National Motor Freight Traffic Association Cybersecurity Conference.

“Everybody should be in a preparation phase whenever you're not actively fighting an incident,” he said. “A lot of people don't really think about it. They're just, ‘okay, we're not in an incident. We're not on fire. We don't have to do something now.’ The threat actor is still trying to attack everyone all the time; they're not taking a break.”


NMFTA Cybersecurity Engineer Ben Wilkens said incident response is a series of steps. Following preparation and detection and analysis come containment, eradication and recovery efforts.

“It's about building those layers of protection,” Wilkens said, but even then, hackers can worm their way in.

Gaps in incident response

Ocain said the biggest pitfall he sees is when companies don’t take preparation seriously, but another gap he noted is detection.

He said most IT professionals at trucking companies aren’t prepared to dive into threat hunting. Even if they buy the right tools, he said they’re useless without hiring or outsourcing cybersecurity analysts. He suggests carriers outsource managed detection and response or a security operations center to help them with detection and threat analytics.

Another gap he sees in incident response is containment and eradication.

“A lot of the time, people jump right to recovery and they say, ‘Okay, we had an incident. We understand kind of what happened, and let's start recovering our environment,’ without making sure the threat actor is really eradicated from the environment, without really creating a contained environment,” Ocain said.

For example, they may reinstall the server so the malware is gone, but that does not address user access or how the bad actor entered the environment in the first place.

Ocain advised teams to create a quarantined environment to recover into while ensuring containment is effective and the threat actor is completely eradicated.

Another commonly overlooked stage is the post-incident process, Wilkens said. The biggest post-incident downfall Ocain said he sees is corporate amnesia.

“Right after an incident, the CEO is like, ‘Okay, we need to spend all kinds of money – whatever it takes – to make sure this doesn't happen again,’” Ocain said. “By the time you start implementing any of those, the pain is gone, and the company almost has amnesia and forgot about it.”

Response timing

Sommer said he gets daily notifications of thousands of attempts to infiltrate his company’s network. That’s nothing new, but the speed at which these attacks occur is increasing.

Artificial intelligence is the reason why, Ocain said.

Basic attacks like phishing are still there, with AI enabling an increase in other attacks such as token theft, attacks on multifactor authentication to gain access to an environment, compromised firewalls and CAPTCHA attacks.

But the timing is the biggest change.

“As AI has been improving, phishing ability, testing ability, automation that the attackers are using in place to test everybody's environments that they're trying to attack, the time span between initial access and action on objectives is really short,” Ocain said. “It used to be months. They would gather a bunch of initial access, and then they would sell a database of 1,000 victims to a ransomware group … Now, they might still be selling it in that same method, but they might buy it on Tuesday and they're in your network on Thursday. So by the time your threat intelligence realizes that your stuff was on the Dark Web for sale, they may already be acting on objectives, or it may be too late.”

Wilkens said breakout time from initial access to lateral movement was down to 48 minutes, according to CrowdStrike’s 2024 annual report. From June to August this year, he said, ReliaQuest found that the average breakout time is down to 18 minutes, with some clocking in at about six minutes.

“The basics still hold: the same controls are still important,” Wilkens said. “But the mindset about the timelines involved has to change when we think about incident response.”

Angel Coker Jones is a senior editor of Commercial Carrier Journal, covering the technology, safety and business segments. In her free time, she enjoys hiking and kayaking, horseback riding, foraging for medicinal plants and napping. She also enjoys traveling to new places to try local food, beer and wine. Reach her at [email protected].