#60 Managing Risk in the Face of Ransomware
on Wed Aug 04 2021 17:00:00 GMT-0700 (Pacific Daylight Time)
On this episode, part one of two, Darren discusses security trends with frequent guest Steve Orrin, CTO of Intel, Federal. Over the past year, there has been a rise in the number and sophistication of cyber-attacks. The three key areas of recurring attacks are ransomware, supply chain attacks, and data breaches.
The attacks have become more sophisticated for several reasons. First, as security becomes better, the adversary must continue to become better. Organized crime, nation state actors, and other threat agents recognize it takes more sophistication to compromise and thwart security controls. Just like organizations have software development lifecycle processes, so does the malware community. They have tools and frameworks they build from and good processes for building quality into their systems. Different players purchase, sell, and borrow code. They learn from each other and share information on the dark web. They are not just ragtag teams of hackers; they run more like companies.
These threat agents are in a billion dollar-plus industry. Big money drives the need for maturity. We can’t just bolt on security anymore; it must be built in, and built in everywhere, not just in the products, but in the infrastructure and processes. That was one of the lessons of SolarWinds: Even if you build a good product, the infrastructure that supports it can be vulnerable.
Recent attacks show that no one is immune. Organizations often assume they are safe because they are not in financial services, government, or another high-value industry, but recent attacks on companies such as JBS Foods, McDonald’s, and Audi have shown otherwise. Companies, whatever their product, rely on their digital infrastructure to function; the attack on JBS Foods took down the world’s largest meatpacking company.
No one thing serves as a silver bullet for preventing these attacks. There is hope, but it requires a lot of work. An organization must have the diligence to apply the right risk metrics to implement security correctly. If you don’t understand your risk, no amount of security controls will do the job because you don’t know if you are applying them to the right place.
The key is to start with the right set of policies and risk posture for your organization. One basic step: even if your organization hasn’t yet fully figured out how to deploy a zero-trust architecture, denying all access requests until proven worthy is a step in the right direction. What this means is that there is a gate at every door, rather than a master key to everything inside. Default deny is a tenet of zero trust.
If a company’s strength is not in cybersecurity, or the funding is not available for a sufficient internal team, there are many resources to help. Managed security providers (MSPs) are a good option, but there should always be at least one expert on the inside: a Chief Security Officer. This person has the local context and domain experience to work with the MSP, bring that knowledge in, and proliferate it throughout the organization. The MSP manages your security tools and configurations, but you need someone to impart security wisdom to the business and IT units. In light of recent attacks, a security team is not optional.
Every company should have a plan in place for a ransomware attack. Once it has already happened is not the time to figure it out. One basic is to back up your data regularly. Keep pristine copies of the data, systems, applications, and configurations in an offline, out-of-band storage environment. Six months of clean backup data is important because ransomware can sometimes sit in the backups before it is detected. Also, have the platforms or servers you need to run your database available offline so you can spin them up in a failover or redundancy model.
This is basically business continuity planning. Just as an organization would have a plan for continuation in the event of a physical disaster such as a flood or power outage, there should also be a plan to continue with critical enterprise applications to get at least partially back up and running while the problem is being solved.
One step to accomplish this redundancy is to be able to burst to the cloud when necessary, keeping cloud resources in a pristine state and maybe even in a different cloud service provider. Another step is to have a canary in the mine. This means having systems deployed across the enterprise that have sensors turned to 11. To avoid performance, storage, and speed issues, you can deploy them in strategic places rather than system wide to serve as early warnings.
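The "canary" idea above, as an added example (not code from the podcast or its guests): a small Python check that baselines a decoy file and raises an alert when it is rewritten, looks encrypted, or disappears, which is the early-warning signal the sensors are meant to give. The decoy file name and contents are constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CanaryState:
    """Baseline of one decoy file: where it lives and what it should look like."""
    path: str
    sha256: str
    size: int


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plaintext documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def baseline(path: str) -> CanaryState:
    with open(path, "rb") as f:
        data = f.read()
    return CanaryState(path, hashlib.sha256(data).hexdigest(), len(data))


def check_canary(state: CanaryState, entropy_threshold: float = 7.0) -> List[str]:
    """Return alert tags for one canary; an empty list means it is untouched."""
    if not os.path.exists(state.path):
        return ["missing"]          # renamed (new extension) or deleted
    with open(state.path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() == state.sha256:
        return []
    alerts = ["modified"]           # nobody legitimately edits a decoy
    if shannon_entropy(data) >= entropy_threshold:
        alerts.append("high-entropy")   # content now looks like ciphertext
    return alerts


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: plant a canary, then simulate a rewrite and removal."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Q3_payroll_DO_NOT_OPEN.xlsx")   # decoy name, constructed
        with open(path, "wb") as f:
            f.write(b"plain decoy text, never legitimately edited\n" * 64)
        state = baseline(path)
        results["untouched"] = check_canary(state)
        with open(path, "wb") as f:
            f.write(os.urandom(4096))   # stand-in for an encrypted rewrite
        results["encrypted"] = check_canary(state)
        os.remove(path)
        results["removed"] = check_canary(state)
    return results


if __name__ == "__main__":
    for scenario, alerts in demo().items():
        print(scenario, alerts or "ok")
```

In practice the baseline would be stored off-host and the check scheduled frequently on the strategically placed canary systems, with any non-empty result feeding the incident plan.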
Creating a plan ahead of time will also help with the decisions that must be made in the moment of crisis, such as whether you pay the ransom or call the FBI. The plan should be on paper and involve not just your tech people, but your lawyers, CEO, CFO, etc., and everyone should have access to it. You should know how to buy bitcoin, and you should have the number of the local FBI office and other contact information. Run the plan as an exercise to see if it works, just as you would a disaster recovery or business continuity plan.
Some industries may think they are safe if they keep their operational technology (OT) and their information technology (IT) separate, but the two are not truly separated. For example, a manufacturing line may be running on computing machines, but much of what drives the supply chain, logistics, and overall organization is IT systems. If those systems go down, nothing is coming in or out. IT systems are mission critical, and the lesson of recent attacks is that we are reliant on digital technology for all of our businesses.