On June 2, 2021, SafeGuard Cyber hosted an expert virtual panel that addressed ransomware threats and digital risks that are now facing many organizations. Included on the panel were:
- Julie Cullivan, Former Chief Technology and People Officer at Forescout, and EVP, Business Operations and Chief Information Officer at FireEye
- Otavio Freire, CTO, President & Co-Founder, SafeGuard Cyber
- Brian Honan, Founder, BH Consulting
- Joel Yonts, Chief Research Officer, Malicious Streams
The panelists discussed the ever-present threat of ransomware, which has been a part of several recent high-profile attacks, including the assault on the Colonial Pipeline that crippled fuel sales in parts of the US for several days. They also covered the cyber defense and security postures that organizations need to be thinking about in dealing with ransomware.
In looking at the entirety of the ransomware problem, Joel Yonts assessed, “Ransomware is now everybody’s problem. It used to be that certain types of attacks were more for intellectual property companies, others more for financial companies, and others for retailers. But now, ransomware attacks have something for everybody."
Because ransomware can lock a business out of its system and is a way for attackers to make quick cash, Joel said that for any company or sector he goes into, ransomware is one of the top discussions he is having. He added that ultimately, this is not a malware issue, but is more centered on the operations around the malware.
"We’ve seen them go to now offering to post data if the ransoms are not paid, or attacking backup systems to make sure the ransomware has the most punch," he said. "So, these operations around it are the evolution we are seeing now, and that is really magnifying the impact (of the ransomware).
"It’s an arms race, and at any given time, the attacker may evolve faster than you on how to get something installed on your system. But it’s the larger, how are you dealing with these operations, detecting these operations, that help you be successful in the long run, because that’s where you want to be. You want to be ahead of the curve with your strategy and have those conversations with the board.”
Otavio Freire surmised that: “Ransomware is ever-evolving and mutating, creating gaps in understanding the landscape. Enterprise security leaders try to make progress towards it with little pieces of the puzzle, but it’s really hard to have a full picture of the landscape because it’s so dynamic. So where we are today, feels like a ransomware pandemic, and it’s the result of years of evolution, and mutation, and experiments by these cyber criminals. The confluence of key elements such as bitcoin, stronger encryption, massive availability of computing power, and the shift of focus of these cybercriminals to the enterprise.
"In terms of trends, you do see some patterns. What we particularly worry about, and we get this from our customers, who are chief information security officers, is visibility. You can’t ultimately defend if you don’t really have the chance to see where these attacks are coming from."
Citing the writeup from FireEye following the Colonial Pipeline attack, Otavio said the two major trends he sees are that attacks have become more targeted and social engineering-focused as a means to take over servers, work stations, and networks, and that the attack surface is fragmenting as businesses adopt new cloud communication channels.
"We are on the other side of the actual pandemic, hopefully, but during the pandemic, there was this huge push for digital infrastructure. We all have had to use apps like Zoom, MS Teams, Slack, and social media, and DMs, and WhatsApp to communicate. So what did that do for the cybercriminals and folks who are exploiting through ransomware? It fragmented the attack surface. It allows work stations to be connected to more channels, more apps, and there have become new ways to deliver ransomware into the infrastructure. Those are two trends we are seeing, but it’s not hopeless. You can focus on things such as backups and the strength of your processes to overcome this."
Brian Honan spoke to the need to make cyber defense more of an organizational priority: "Anybody who has worked in cybersecurity for a long time has had the frustration of not being heard by senior management or the board, and that cybersecurity has always been treated as an IT problem, therefore they’re dealing with this with IT budgets. As we look at ransomware, fundamentally, while some of it is sophisticated, it is still taking advantage of some of the fundamentals of security practice that we’re not following. We’re not doing a good job of cyber hygiene."
Brian said that ransomware is making cybersecurity more of a board-level concern and is no longer just an IT problem. He added that this is a business risk problem, and therefore needs to be managed in a better way. "I’m seeing that with our clients, who are asking how do we fix this problem, how do we prevent these problems? It’s up to business people to really take this seriously, and hopefully, we get the results to tackle it."
Julie Cullivan agreed, adding, “I think one of the things that’s really important is security leaders having these conversations with the board, turning it into a risk conversation and a conversation they can understand, as opposed to, ‘hey I just need more money’ and these are all the stats and metrics. It’s really being able to have a risk conversation and understanding the threat that is out there."
Facing the Risks
In assessing how to mitigate the threat of ransomware, Julie Cullivan started the conversation by saying, “There’s so much data out there, organizations have data everywhere now because of the transition to the cloud. These bad actors want to get that data and use that as leverage, and when organizations even make the decision to pay, they really don’t have a guarantee that they’re going to get all their data back or there still isn’t risk within their environment.”
Joel Yonts brought awareness to the regulatory and compliance ramifications of a ransomware attack: “One of the complications around data that I am seeing more and more, when there’s an incident, there’s the cyber risk associated with it and then there’s the legal compliance risk."
Historically, he said, lost data was the barometer for disclosure in many cases. But with GDPR, he said, even if data doesn't leave the company, unauthorized access is forcing a disclosure. He added that this is a different aspect of risk, further highlighting the need for extra layers of protection, because there are some places ransomware can’t go, or you’re going to experience a great deal of pain.
"Everyone pays at some point, but you don’t want to be in a situation where you have no choice, and that’s where the prevention comes in. For publicly traded companies, you owe it to your shareholders to make good decisions for your company. It can get really complicated."
Brian Honan cautioned that paying the ransom is not guaranteed to resolve the impacts of an attack: “Even if you get a decryption key, you’re not guaranteed it’s going to work, you’re not guaranteed it’s going to bring your data back. So, you could be paying money for something you have no control or you’re going to get anything from. But you still have to go through your recovery processes, and go through every single system in your environment to check and verify that it’s secure. Getting the decryption key is not a magic wand, and great, the problem is gone. You’re still going to have days, weeks, if not months, depending on the size of your estate, of recovery to follow up with that."
Brian said he has been a staunch opponent of paying the ransom, but in some cases an organization may have no choice. Prevention is better than the cure, he added, and investing now may prevent pain later.
Otavio Freire spoke to the need for public-private collaboration in defending against the gangs of cyber criminals that are now posing a major ransomware threat: “When a corporation invests in understanding the ransomware gangs and collaborating with law enforcement, we all do have a part to play in the offensive element of this. Ransomware is a scary underground, a very large marketplace with software vendors and Ransomware as a Service, where groups that conduct the network intrusion then sell it off to someone to execute the ransomware, so there is a lot of money."
He said combatting ransomware requires a public-private effort. Critical infrastructure has to work closely with regulators, sharing intelligence, investing their own dollars to gather intelligence.
"If we don’t collaborate in this public-private way, the outside has so many resources, it’s just going to be incredibly challenging."