I’ve been watching all the articles and news reports flying around on ransomware, and I am not very impressed. Most of the advice is well-intentioned, but little of it comes from working CISOs who know that ‘peddling the bike faster’ will not work. We all know that patch efficiency, antivirus software, and endpoint administration have improved many-fold in the last decade. They are necessary as a base, but insufficient to deal with ransomware. That’s just the reality.
I will be honest with you – large companies hire people like me at a gold-ounce per hour to advise on issues like this. Everyone else is forced to read articles. Since this destructive attack is emerging as such a frightening global issue (as I predicted here), I decided to make believe that you were paying a gold-ounce per hour for guidance, and below summarizes what I would advise.
To reduce the risk of ransomware and related destructive attacks, security teams need to focus on the following four non-trivial business initiatives, none of which can be outsourced, and all of which will require daily attention: Information architecture, resilience methodology, prevention programs, and response planning. The paragraphs below summarize these initiatives in sufficient detail so that you can craft your own program.
An information architecture is a collective understanding of the minimum information needed for an organization to function. Each employee contributes by being introspective about their own set, and the owners of each system contribute by defining their own minimum required information. This collective task must be managed professionally and must be maintained vigorously. It is a required Step One in reducing the destructive malware risk. You need to know what you need to work.
To illustrate, when employees self-evaluate their minimum needed files, they discover to their astonishment a much smaller set than expected. My heartfelt advice to these employees is to get rid of everything else. I know that a percentage of you must consult with lawyers and records management policies, but if you can avoid talking to your pack-rat hoarding legal staff, then do it. Dump everything you don’t need.
For systems, the process is more complex, and requires competent system administrators to carefully orchestrate a dependency graph. If your main HR application, for example, pulls from a list of files kept on a Windows server, then you need to know that. Those files become part of the collective information architecture for your organization. I told you this was not easy, but the process simply cannot be skipped. I’m sorry.
A resilience methodology involves the people, processes, and technology required to keep the organizational mission moving forward. That is why resilience is more than just backing up files. It includes everything necessary to continue to operate. For example, if required files are backed up to the cloud, but a destructive BIOS attack has zapped your computers, then there might be no reasonable place to host and use backed up data.
Most of your employees will quietly create their own resilience plans, often keeping self-purchased memory sticks in the top drawer to store copies of important presentations, proposals, and other documents. The challenge for security teams is to support this process with properly selected off-line storage and recovery procedures. If this is ignored, then you deserve what you get when a stick is lost with sensitive customer records.
The best resilience methodology is one that allows for rapid restoration, perhaps using virtual access to the cloud, with a minimum of disruption. The cutover should be tested thoroughly and shown to be resilient itself from destructive malware. Back-up tools are worthless if they are vulnerable to the same ransomware or other attack that they were intended to mitigate. Demand evidence of separation from your vendor, perhaps via strong authentication protocols.
Prevention programs include anti-malware software, patching processes, and security protection tools for email, web, and other services. Most security teams have these tools in place today, so this area is more about improvement and extension, than about introducing some amazing new solution. This illustrates why articles telling us to patch and run AV are so annoying: People who ignore these obvious steps also do not read security articles!
Meaningful differences do exist in endpoint malware prevention products, so you should do your homework. Three techniques exist to detect ransomware and other destructive Trojans: Signature-based patterns, behavioral analytics, and machine learning. You should ask your vendor how they support each – and what their process is for maintaining currency as the threat evolves. Your endpoint security vendor should have an R&D team.
Prevention can also include several common-sense initiatives that will reduce risk, but that might not be popular with your CIO. Diversity of computing infrastructure, for example, is an amazing means for reducing cascade risk – so be careful if you are 100% Windows across the board. Even your supply chain team can provide useful assistance by demanding things like non-mutable BIOS in the computers you purchase and use. This reduces destructive attack risk.
Finally, response planning is the fourth initiative required to reduce the risk of ransomware and destructive malware. It involves a comprehensive understanding and set of procedures to detect, respond, and recover from a destructive attack. For response planning to be effective, it must involve high-quality documentation, training, and testing – in contrast to boring response plans in PowerPoint decks that sit collecting dust on executive shelves.
The litmus test for response planning effectiveness involves checking whether employees would know what to do if they experience that threatening “morning-screen-of-death-message” found so often in ransomware attacks. If the entire place goes into a frenzy of confusion, then you’ve not planned properly. On the other hand, if employees calmly recognize a condition they’ve been trained to expect, then you’ve done your job.
Recovery is often performed by storing copies of the information architecture in a public cloud and allowing employee access from their personal devices. This is a cheap, simple way to keep the business moving forward while the attack is being investigated. Tools exist to properly protect the cloud-based archive, and to keep your compliance team from jumping off a bridge, so do your homework and you’ll find lots of options.
If you select this method, then pick one day each quarter and test the cutover. You’ll be glad you did.
The Ransom: To Pay or Not To Pay?
As for whether to pay a ransom, I suspect that you might disagree with my advice: First, I believe you should follow the steps outlined above to deal with subsequent ransomware attacks. No one should ever have to pay a ransom. But if you are a victim and have no other options – then pay the damn fee. Yes, you can call law enforcement and they might help, but I would advise getting your stuff back and then taking steps to never let it happen again. (I know many of you will disagree with this advice. Sorry.)
Now, here is what you must do immediately to reduce the risk of ransomware and other destructive attacks – and this is the same whether you have four people or four-hundred people on your security team: Forward copies of this article to your team and have them read it. Then, schedule a meeting and assign one person to each of the four initiatives described above. Have them sketch a plan outline for their assigned initiative. These outline sketches will be your starting point.
Expect the overall implementation process to take months or years, depending on the size of your company, but this is how it must be done. Buying some tool, or pledging to patch faster, or asking your sysadmins to check for this file extension or that, and on and on – will not work. This is a challenge that must be managed methodically and professionally. So, go and do as I recommend right now. Do not delay even fifteen minutes on this. Go and do it now.
The good news, by the way, is that you don’t owe me any ounces of gold for this advice. It’s yours for free. Perhaps you can use any consulting fees saved here to jump start your new program. Consider it my donation to the cause.
Now go get on it.
About the Author:
Dr. Ed Amoroso is Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.
Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as a Research Professor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.
Ed holds a BS degree in physics from Dickinson College, an MS/PhD degree in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cyber security and media technology and he has served as a Member of the Board of Directors for M&T Bank, as well as on the NSA Advisory Board (NSAAB).
Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.