Ransomware: Bridging The Divide

Problem

Almost everyday we are reading of Ransomware incidents, where organisation's business operations are coming to a grinding halt due to a cyber attack that involves the deliver of malicious software - holding this business systems to Ransom.

• The Risks of Ransomware are Rising – SMEs Should Take Note

• Managed Service Providers: Still Not Appreciating the Risk of Ransomware

• COVID-19 Pandemic Sparks 72% Ransomware Growth, Mobile Vulnerabilities Grow 50%

Traditionally, these style of cyber attacks would incapacitate business operations, however, these have now evolved to allow the ex-filtration of sensitive data.

The criminals have identified that many companies have divide between what is deemed to be a valued asset and what is actually effectively being risk managed.

For example, already this year, there have been a number well-known companies that have succumbed to these threats:

• Blackbaud.

• Orange S.A.

• Collabera.

• Telecom Argentina.

• University of San Fransciso (UCSF).

• Honda

How can such notable businesses be so vulnerable to these well-known style of attacks (evident since the AIDS Trojan, in 1989)?

Cause

I believe the main cause for this has been created by a focus on the compliance against security controls, rather than towards risk management (aka Risk Management versus Compliance: The Differentiator).

It's either (using the words of one of my old bosses):

"It's like you're trying to 'Boil The Ocean!'"

Or;

• Being complacent to the protection of a business' valuable assets.

Many of the efforts that are being made in the 'Engine Rooms' (IT Operations & InfoSec) are either misguided or unappreciated by the 'Captains' (Senior Management).

However, in larger organisations, keeping the engine turning can become extremely daunting task - especially with restricted resources or multiple security tools creating lots of noise.

Actions needed

Ransomware is an ever present threat for any business, with an internet-facing presence. Consequently, it is essential that an organisation 'Slices n Dices' their Cyber Security efforts to address this specific threat.

This increasing threat profile, lead me to develop the BRIDGE acronym, in order to help businesses to address the Ransomware threat.

Business Context

Before doing anything else, it is essential that an organisation look at their operations to identify the assets that, if infected with Ransomware, would present the most significant damage to their business operations.

What is an asset?
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
CNSSI 4009-2015

Risk & Resilience Profile

This involves looking at your business from an external perspective (carrying out Reconnaissance and identifying infiltration opportunities).

• This requires you to carrying out the very same actions that an attacker might apply against your organisation (Step 1 of Carbon Black's Cognitive Attack Loop):

What opportunities are you providing the Cyber Criminals?

You will be looking to identify the public-facing risk and resilience opportunities you are presenting for the criminals:

Risk = Probable Frequency and Probable Magnitude of Future Loss

• An asset: A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.

• A threat: Cyber Criminals

• An effect: Loss of Confidentiality or Systems/Data availability

Resilience = The measure of how well an enterprise can manage a cyber-attack or data breach while continuing to operate its business effectively.

If we were to look at the Risk & Resilience profiles from the aforementioned Ransomware victims, you can gain valuable insight into why they might have been targeted.

You can clearly see a commonality between each of these victims of the Ransomware cyber attacks:

• Their profiles had a marked drop in the run up to the attacks.

Identify

The next step is to identify the business critical operations and their associated vulnerabilities, before identifying the most suitable mitigation controls to be applied against these business processes.

There are now a number of industry guidelines that you can use as a reference.

For example,

• Center for Internet Security Controls 20 Critical Security Controls (CIS 20 CSCs)

• CISA

• NIST Cyber Security Framework v1.1

Detect anomalies

Start by understanding what normal should look like and what should be in place to support a specific business process.

This is your baseline!

Then by using your suite of security tools, monitor for the presence of abnormalities or suspicious activities. This should involve an integrated use of your security tools.

For example (not an exhaustive list).

• Firewall Monitoring - Titania Nipper.

• Network Monitoring - ExtraHop RevealX.

• System Configuration monitoring - Titania PAWS.

• Data Store Monitoring - Spirion.

• Malware Monitoring - McAfee.

• Vulnerability Monitoring - Qualys.

• Perimeter Monitoring - Security Scorecard.

• User & System Monitoring - CyberEasy.

• File Integrity Monitoring - OSSEC.

• Risk Monitoring - Acuity STREAM.

• Employee Awareness Monitoring - KnowBe4.

• Supply Chain Monitoring - ATLAS.

Govern

Set the tone at the top, with defined policies, procedures and user awareness training that must be adhered to for the mitigation of the Ransomware threat.

Include Ransomware measurements (aligned to the Business context) into the periodic security metrics reporting.

Evaluate general security controls

Establish a formal internal audit and penetration testing program, to ensure the security controls remain effective.

Any controls that are deemed to be below expected levels must be subject to a formal risk assessment.

Net benefits

The Ransomware threat can appear to be an extremely daunting task to mitigate against. However, by 'Slicing n Dicing' your business and prioritising the processes that are most important you can really help to make a difference, whilst providing adequate re-assurances to business key stakeholders.

Without a formal approach to BRIDGE the gap between what organisations believe to be effective defences and what the criminals are seeing as their opportunities, the numbers of businesses (and their customers) will continue to grow, business leaders will continue to appear ignorant to the risks and Cyber Security teams will increasingly suffer from Cyber Security fatigue.