The CDK Incident and Recommended Actions from Avalon Cyber

Thousands of car dealerships’ operations ground to a halt last Wednesday as their core dealer management system, CDK, shut down. CDK Global announced that it was investigating a cyber incident and that “Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible,” according to spokesperson Lisa Finney. The company said later that day that most of its critical systems were back online, but the next day it announced that another incident had occurred.

A note was issued by CDK to clients that they were currently working on recovering from a “ransom event” and didn’t give a clear timeline on when systems would be back up and operational. In a story published on June 21 by Bloomberg, the news outlet said that the ransom demands were in the tens of millions and that CDK was planning on paying the ransom.

How does this affect dealerships’ security posture?

Aside from the concerns regarding the confidentiality of the data stored on CDK’s servers, questions have been raised regarding the potential impact that this attack could have on dealers’ internal networks. Many dealerships use an “always-on” VPN configuration with a tunnel to CDK’s servers so that locally installed applications can reach the dealer management system (DMS) provider’s resources. With CDK resuming services in the coming days, the fear is that re-establishing that connection opens the door for whatever threat may still exist on CDK’s servers to move into the dealership’s network.

CDK has released very little information regarding the details surrounding the attack, so without dealers knowing what exactly happened, opening that connection back up to CDK is a risky proposition.

To keep operations moving in the wake of the attack, many dealers have had to revert to a manual pen-and-paper process to get orders processed. Once CDK gives the “okay” that its systems are back online, dealers will be eager to resume business as usual; however, without knowing the impact of the attack, we strongly recommend taking precautions prior to reconnecting.

What actions should be taken?

A multilayered, defense-in-depth approach helps mitigate attacks by preventing one weak link from compromising your whole organization. I would like to highlight a few key actions that dealers should take prior to re-enabling access to CDK servers.

1) Evaluating and Testing Network Segmentation

The principle of least privilege holds that entities should have access only to the resources required to function, and no more. Strict firewall and routing rules, together with VLAN segmentation of sensitive resources, are critical for containing the spread of a bad actor. Once implemented, those controls should be tested to validate that they function as required (e.g. workstations can still reach CDK and print on the dealership network, but cannot reach anything else).
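One way to turn that last sentence into a repeatable check is a small script that encodes each expected allow/deny rule and probes it from the workstation VLAN; the block below is an added example, not code from Avalon Cyber or CDK, and every address, port and role in it is a constructed placeholder.

```python
"""Segmentation check: confirm each expected allow/deny rule actually holds."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Rule:
    host: str      # target IP or hostname
    port: int      # TCP port
    allowed: bool  # True = must be reachable, False = must be blocked
    note: str      # why the rule exists

# Constructed sample policy for one sales workstation (hypothetical addresses).
POLICY: List[Rule] = [
    Rule("10.200.0.1", 443, True, "DMS provider VPN tunnel endpoint"),
    Rule("192.168.20.15", 9100, True, "dealership print server"),
    Rule("192.168.30.5", 445, False, "finance file share: no SMB from sales"),
    Rule("192.168.40.2", 3389, False, "server VLAN: no RDP from workstations"),
]

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out all mean "blocked"
        return False

def evaluate(policy: List[Rule],
             probe: Callable[[str, int], bool] = tcp_reachable) -> List[Tuple[Rule, bool]]:
    """Compare observed reachability with the policy; return the rules that fail."""
    violations = []
    for rule in policy:
        observed = probe(rule.host, rule.port)
        if observed != rule.allowed:
            violations.append((rule, observed))
    return violations

def report(violations: List[Tuple[Rule, bool]]) -> str:
    """Render violations as one line each; empty list means policy matches."""
    if not violations:
        return "OK: segmentation matches policy"
    lines = []
    for rule, _ in violations:
        kind = "BLOCKED but required" if rule.allowed else "REACHABLE but must be blocked"
        lines.append(f"{kind}: {rule.host}:{rule.port} ({rule.note})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(evaluate(POLICY)))
```

Run it from a representative host on each VLAN (sales, service, finance) with that VLAN's own policy; a "REACHABLE but must be blocked" line is a firewall or routing rule to fix before the CDK tunnel comes back up.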

2) Deploying and maintaining a robust EDR solution

EDR (endpoint detection and response) solutions monitor endpoints in real time for malicious or anomalous activity and respond proactively to stop attacks in their tracks. Along with monitoring activity, some EDR products give deep visibility into which processes were created, what files were modified, and which network connections were made from the host. This telemetry is critical when identifying and responding to a security incident, and it is exactly the record you will want if a host that talks to the CDK tunnel begins behaving abnormally after reconnection.

3) Discuss the legal risk and insurance implications of this incident

Although few details are known about what happened to CDK’s systems and data, discussions should be had internally to understand the following:

  • What is the impact (financial, operational) on our organization due to a cessation of services? Has a claim been made with the insurance carrier or broker?
  • Who will be responsible for customer notification: the impacted vendor or our organization? Management teams should be working with their cyber insurance brokers to determine whether a claim should be made. It is important to consider that if it is determined that a data breach has occurred and notifications need to be made, and the vendor is not taking responsibility for costs, this cost may be passed on to the dealership. If the initial claim was not made at the time the dealership became aware of the incident, the insurance carrier may deny the claim and the losses would be the responsibility of the dealership.
  • What are our regulatory, statutory, and contractual reporting obligations?

4) Demand details from CDK regarding their due diligence of the investigation

To understand your level of risk from this incident at CDK, it is important to learn more about the incident itself. Forensic reports may not be provided; however, it would be helpful to obtain details about how it happened, what the adversary did while on the network (e.g. was it just ransomware, or did they also exfiltrate dealership information from CDK’s systems), whether due diligence was performed to confirm the threat was eliminated, and whether the vulnerability used to infiltrate the network has been identified and successfully remediated.

5) Review your incident response plan

Once you’ve resumed CDK operations, what updates need to be made? Were the right people listed in the plan that needed to be contacted during this incident? What are the lessons learned? If you don’t have an incident response plan, it may be something to strongly consider developing.

Avalon Cyber is currently offering dealerships a free one-hour consultation. Our experts will provide live support and discuss the recommendations listed above or response initiatives specific to your dealership’s environment.

You can reach our team by calling our hotline – 1.877.216.2511 – or contacting us online.
