Another week, another shortage it seems. COVID-19 conditioned us to expect this, but the most recent shortages (such as gasoline, beef, chicken, and pork) are due to cyber-attacks involving ransomware. The UK’s National Crime Agency (NCA) details that the overall threat from cybercrime has significantly increased in the past year [1].
Several factors are likely driving the increase in ransomware attacks, including growth in Ransomware-as-a-Service (RaaS), employees working from home (which led to unprotected access to company networks), and an increase in ransom payouts. Other secondary factors, such as the global economic impact of the pandemic, may also have led to the ransomware increase. The impact that ransomware has had on organizations, including significant downtime, is indicative of the continuing lack of cyber preparedness across nearly all sectors. Many organizations continue to avoid even basic cybersecurity controls and Business Continuity – Disaster Recovery (BC – DR) preparations.
Even though the number of ransomware threats has been on the rise, it's likely that we are more aware of the attacks because they’ve become more impactful to everyday life. The Colonial Pipeline attack caused a brief gasoline shortage as well as a price spike. The JBS attack has caused a price spike and a shortage of beef and pork. Earlier in the year, in what was perhaps the scariest attack, a Florida municipal water plant was attacked, and the attackers were presumed to have been trying to poison the water supply! All of these are very impactful for everyday folks and would increase the chance that a cyber-attack makes the nightly news.
So, what can be done to prevent or prepare for a ransomware attack? The short answer is that organizations can do a lot to prepare and potentially prevent an attack. As with all things in cybersecurity, it begins with better understanding your risk and threats. Understanding your organization's cyber risk exposure, the business impact of an event, and the likely threats should guide your decisions toward data protection, risk mitigation, and breach preparedness. You gain this understanding of your risks and threats through a risk assessment.
Once you have a better understanding of your cyber risks, it’s time to plan. Remember the adage, “Failing to plan is planning to fail”. Having a workable plan for Incident Response, Disaster Recovery, and Business Continuity is critical to surviving a ransomware attack. Building those plans is far from wasted effort. Most Cyber Insurance providers will credit you with discounts for investing in these plans. Your plans should be built around business resiliency, with a focus on the top five or ten technology-dependent business processes that are required for the organization to stay open. The first technology-dependent business process you need to focus on should be the most obvious: the ability to pay staff. They don’t work for free.
Once you know what is important to “keep the lights on” and you have your risk or gap assessment, it’s time to fill those gaps. I like to focus on Prevention, Detection, and Recovery when it comes to security controls for ransomware, and keeping it simple is critical. Two of the most impactful preventive security controls are Security Awareness Training and Vulnerability Management.
Nearly all ransomware events start with a single successful phish. An entire organization can be compromised and rendered nonfunctional because a single email user clicked on a malicious link or email attachment. Training users not to click on links and open attachments is critical. Security awareness training has one of the highest “returns on investment” (ROI) of any security control, but it must be tested and reinforced [2]. Testing is easy: you need to phish your employees. This gives you an idea of how well they can detect a phish and resist attempts to get them to click. There are many solutions and companies (including IE) that can phish your employees for you.
Vulnerability Management is also critical for prevention. Nearly all malware, including ransomware, relies on an exploitable vulnerability in software or the operating system. If that vulnerability is patched or removed, the attack surface shrinks, and with it the likelihood of a successful attack. Vulnerability management is a two-part process involving vulnerability detection (vulnerability scanning) and vulnerability mitigation (patching). Vulnerability management also has many secondary benefits, which can include configuration management, asset management, and strategic risk reduction.
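The detection half of that process produces a long list of findings; the mitigation half has to decide what gets patched first. The script below is an added example (not the author's or IE's tooling) of turning scan findings into a risk-ordered patch queue, weighting scanner severity by asset criticality, internet exposure and known exploitation, and assigning a remediation deadline per tier. It also shows the asset-management by-product mentioned above: inventory entries the scanner never touched. Every host name, finding id (the `VULN-000x` values are placeholders, not real CVE numbers), score, weight and SLA tier is a constructed assumption for illustration.

```python
"""Risk-based patch prioritisation from vulnerability-scan findings.

Added example for this post, not the author's or any vendor's tooling.
Hosts, finding identifiers, scores and the weighting/SLA tiers are all
constructed assumptions; VULN-000x are placeholders, not real CVE ids.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder id as reported by the scanner
    cvss: float             # 0.0-10.0 base score from the scan report
    internet_exposed: bool  # host reachable from the internet
    exploit_public: bool    # threat feed reports exploitation in the wild
    asset_criticality: int  # 1 (lab box) .. 5 (payroll, domain controller)


def risk_score(f: Finding) -> float:
    """Severity weighted by business impact and exposure (assumed weights)."""
    score = f.cvss * (f.asset_criticality / 5)
    if f.internet_exposed:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    return round(score, 2)


def sla_days(score: float) -> int:
    """Remediation deadline by tier (assumed tiers; tune to your risk appetite)."""
    if score >= 12:
        return 3
    if score >= 7:
        return 14
    if score >= 3.5:
        return 30
    return 90


def patch_queue(findings: List[Finding]) -> List[Tuple[str, str, float, int]]:
    """Return (host, vuln_id, score, sla_days) ordered highest risk first."""
    scored = []
    for f in findings:
        score = risk_score(f)
        scored.append((f.host, f.vuln_id, score, sla_days(score)))
    return sorted(scored, key=lambda r: (-r[2], r[0]))


def unscanned_hosts(inventory: Iterable[str], scanned: Iterable[str]) -> List[str]:
    """Asset-management by-product: inventory entries the scanner never saw."""
    return sorted(set(inventory) - set(scanned))


# Constructed sample scan output and inventory (not real data).
SAMPLE_FINDINGS = [
    Finding("payroll-db", "VULN-0001", 9.8, False, True, 5),
    Finding("lab-ws-07", "VULN-0001", 9.8, False, True, 1),
    Finding("web-proxy", "VULN-0002", 7.5, True, True, 4),
    Finding("hr-fileserver", "VULN-0003", 5.3, False, False, 4),
    Finding("vpn-gw", "VULN-0004", 6.5, True, False, 5),
]
INVENTORY = ["payroll-db", "lab-ws-07", "web-proxy", "hr-fileserver", "vpn-gw", "print-srv"]
SCANNED = ["payroll-db", "lab-ws-07", "web-proxy", "hr-fileserver", "vpn-gw"]

if __name__ == "__main__":
    for host, vid, score, days in patch_queue(SAMPLE_FINDINGS):
        print(f"{host:14} {vid}  risk={score:5.2f}  patch within {days} days")
    print("in inventory but not covered by the scan:", unscanned_hosts(INVENTORY, SCANNED))
```

Note that the same finding (`VULN-0001`) lands at the top of the queue on the payroll database and at the bottom on the lab workstation: the scanner's severity is the same, but the business impact is not, which is the point of tying the patch cadence to the risk assessment rather than to the raw CVSS number.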
Threat detection is a little more discretionary, as there are many options to choose from. It’s generally a good idea to build threat detection around the cyber risk and the operational capabilities of the team. Host-based tools, such as Endpoint Detection and Response (EDR) and DNS protection tools, are critical, because assets are not likely to stay behind the perimeter firewall, especially given the work-from-home initiatives that started during the pandemic and are not likely to go away completely.
Threat detection at the network and domain level is also very important. Various solutions, such as Extended Detection and Response (XDR), IDS/IPS, and logs from segmentation boundaries (such as layer 3 devices), will aid in detection; however, we do recommend using a SOAR or SIEM to make incident responders and threat hunters more efficient and capable. It is also important that incident responders and threat hunters are properly trained and can participate in Red Team / Blue Team exercises to hone their skill sets. It is also critical to incorporate the Incident Response Plan and the actions it requires upon detection.
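A SIEM earns its keep when the logs it collects are paired with rules that surface the behaviour responders care about. As an added illustration (not code from the author or IE, and not a rule shipped with any product), the following detection runs over constructed file-server audit lines and flags one account renaming many files to a new extension inside a short window, which is the pattern a file-encrypting run leaves behind and is the kind of correlation a SIEM or SOAR can feed straight into the Incident Response Plan. The log format, account names, paths, window and threshold are all assumptions; a real deployment would tune the threshold against baseline file-server activity.

```python
"""Detection rule: mass file rename with extension change by a single account.

Added example for this post; the log format, accounts, hosts and paths are
constructed, not taken from any product. WINDOW and THRESHOLD are assumed
tuning values, not recommended settings.
"""
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+) "
    r"path=(?P<src>.+?)(?: -> (?P<dst>.+))?$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(seconds=60)  # assumed: look-back per account
THRESHOLD = 5                   # assumed: extension-changing renames to alert on

# Constructed audit log: one backup job, one normal user, and one account
# (jdoe) renaming finance files to a new extension within a few seconds.
SAMPLE_LOG = r"""
2021-06-07T09:15:01Z user=jdoe host=fs01 action=READ path=\\fs01\finance\budget.xlsx
2021-06-07T09:15:02Z user=svc_backup host=fs01 action=RENAME path=\\fs01\backup\daily.bak -> \\fs01\backup\daily.old
2021-06-07T09:15:10Z user=asmith host=fs01 action=RENAME path=\\fs01\hr\draft.docx -> \\fs01\hr\final.docx
2021-06-07T09:16:00Z user=jdoe host=fs01 action=RENAME path=\\fs01\finance\budget.xlsx -> \\fs01\finance\budget.xlsx.locked
2021-06-07T09:16:00Z user=jdoe host=fs01 action=RENAME path=\\fs01\finance\q1.xlsx -> \\fs01\finance\q1.xlsx.locked
2021-06-07T09:16:01Z user=jdoe host=fs01 action=RENAME path=\\fs01\finance\q2.xlsx -> \\fs01\finance\q2.xlsx.locked
2021-06-07T09:16:01Z user=jdoe host=fs01 action=WRITE path=\\fs01\finance\notes_new.txt
2021-06-07T09:16:02Z user=jdoe host=fs01 action=RENAME path=\\fs01\finance\payroll.csv -> \\fs01\finance\payroll.csv.locked
2021-06-07T09:16:03Z user=jdoe host=fs01 action=RENAME path=\\fs01\finance\vendors.docx -> \\fs01\finance\vendors.docx.locked
2021-06-07T09:16:04Z user=jdoe host=fs01 action=RENAME path=\\fs01\finance\notes.txt -> \\fs01\finance\notes.txt.locked
2021-06-07T09:20:00Z user=asmith host=fs01 action=RENAME path=\\fs01\hr\final.docx -> \\fs01\hr\final_v2.docx
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def extension_changed(src: str, dst: str) -> bool:
    """True when a rename swaps the file extension (draft.docx -> final.docx does not count)."""
    return ntpath.splitext(src)[1].lower() != ntpath.splitext(dst)[1].lower()


def detect(lines: List[str]) -> List[Dict]:
    """Sliding-window count of extension-changing renames per account; one alert per account."""
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "RENAME" or rec["dst"] is None:
            continue
        if not extension_changed(rec["src"], rec["dst"]):
            continue
        q = windows[rec["user"]]
        q.append((rec["ts"], ntpath.splitext(rec["dst"])[1].lower()))
        while q and rec["ts"] - q[0][0] > WINDOW:   # drop events outside the window
            q.popleft()
        if len(q) >= THRESHOLD and rec["user"] not in alerted:
            alerted.add(rec["user"])                   # suppress repeats for this burst
            alerts.append({
                "user": rec["user"],
                "host": rec["host"],
                "count": len(q),
                "first_seen": q[0][0].strftime(TS_FMT),
                "fired_at": rec["ts"].strftime(TS_FMT),
                "new_extensions": sorted({ext for _, ext in q}),
            })
    return alerts


def run_sample() -> List[Dict]:
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['user']}@{a['host']}: {a['count']} renames to {a['new_extensions']} "
              f"between {a['first_seen']} and {a['fired_at']}")
```

The backup job's single `.bak` to `.old` rename and the user's `draft.docx` to `final.docx` rename never reach the threshold, so only the `jdoe` burst fires. In a SIEM this alert would carry the account and host, which is exactly what the Incident Response Plan needs in order to isolate the endpoint and disable the account.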
The recovery process should be aligned directly with the Business Continuity and Disaster Recovery plans and processes. These processes should be trained and tested regularly. Tabletop exercises and aligned white-box penetration testing are very helpful for training, testing, and finding any gaps.
When it comes to cybersecurity, many organizations have a lot of room for improvement. The evidence is in the newspaper and online daily. It is no longer tenable for organizations to take a lax attitude to cybersecurity. Most business processes within an organization are technology-dependent, and there are no longer any excuses for weak resiliency. Unfortunately, a cyber breach is no longer a single business event; it can be nearly devastating for entire regions, as was the case for the Colonial Pipeline breach. The interdependencies between suppliers and critical infrastructure are now obvious and vulnerable. The Federal Government recognizes this, as evidenced by the release of Cybersecurity Executive Order 14028 [3].
The time to act is now.
If you aren’t sure where to begin, or if you lack the manpower to effectively build a zero-trust environment for your organization, consider leveraging the support of experienced cybersecurity technologists. IE offers consulting services that cover the entire span of your environment, from security risk assessments to security awareness training, incident response, and disaster recovery; we can help you fortify your security posture and recover faster from disruption. Schedule a consult today with me or any member of the IE Security Team.
Sources:
[2] https://resources.infosecinstitute.com/topic/the-roi-of-security-awareness-training-2/
https://www.bbc.com/news/technology-56933733