Recent headlines would make it appear as if there has been a steep rise in the number of ransomware attacks of late – but whilst there has been an increase in the number of successful campaigns, it only points to the fact that security teams have been lax in taking adequate steps to secure their network assets.
That’s the belief of Optiv Security, which goes as far as to suggest that the vast majority of companies who give in to their cyber-tormentor are victims of their own making. The company is of the opinion that most businesses find themselves in a “pay up or perish” position because of rampant cybersecurity malpractices that makes them prone to ransomware attacks.
James Turgal, former executive assistant director for the FBI Information and Technology Branch (CIO) and current VP of Cyber Risk, Strategy and Transformation at Optiv, has personally helped many companies respond to and recover from ransomware attacks. We spoke with him to understand the evolving nature of ransomware campaigns and the steps businesses need to take to protect themselves.
What are some of the most common missteps you’ve encountered that could’ve protected businesses from ransomware attacks?
Every business is different. Some older and more established organizations have networks and infrastructure that have evolved through the years without security being a priority, and IT shops have traditionally just bolted on new technology without properly configuring it and/or decommissioning the old tech.
Even startups who begin their lives in the cloud still have some local technology servers or infrastructure that need constant care and feeding.
Some of the themes I see, and the most common mistakes made by companies, are:
1. No patch strategy or a strategy that is driven more by concerns over network unavailability and less on actual information assurance and security posture.
2. Not understanding [of] what normal traffic looks like on their networks and/or relying on software tools. Usually too many of them overlap and are misconfigured. The network architecture is the company’s pathway to security or vulnerability with misconfigured tools.
3. Relying too much on backups, and believing that a backup is enough to protect you. Backups that were not segmented from the network, were only designed to provide a method of restoring a point in time, and were never designed to be protected from an attacker. Backups need to be tested regularly to ensure the data is complete and not corrupted.
We often hear that companies have even had their backups encrypted by ransomware, because it was housed within the same network as the primary data. What other such cardinal sins have you encountered in your assessments?
I worked a number of cyber investigations in my FBI career where the company was so focused on driving the next digital transformation idea forward and missing the security of their current infrastructure during the process.
For example, I have seen many companies during their move to a cloud environment focus so intently on the cloud migration that they neglect the servers and infrastructure that are sitting in some closet they forgot about, collecting dust, not being patched, and still connected to the network.
All it takes is one open port or one unpatched vulnerability for the threat actors to exploit.
Shadow IT and shadow data repositories are a huge vulnerability, and they are exactly what the threat actors are looking for when they are probing your network endpoints.
Optiv works with hundreds of large enterprises in developing their ransomware response strategies. What are some common response strategies that you suggest all businesses should enforce?
Certainly, preparation is the key and not becoming a victim is always preferable to being victimized by ransomware.
However, the best response strategies are found in these areas:
1. Know your networks and infrastructure well enough, or if you use a third-party managed service for this expertise, to be able to assess the damage as quickly as possible. It’s critical to understand the extent of the compromise, have the capability to conduct a root cause analysis, regain control of your environment, and determine if and what data may have been stolen.
2. Know where your data is, especially for the “Crown Jewels” of the organization. If those are properly segmented and you have adequate (clean) data back-up repositories, then responding to an attack is much less of a fire drill.
3. Make certain you have a robust Incident Response (IR) manual that specifically deals with ransomware, and practice, practice, practice, all the way up to the Board level.
4. Make certain you have, on retainer, any third-party expertise (outside counsel, forensics, PR and communications experts).
Besides technical reinforcement, should companies also invest in upgrading their human capital as well, considering that most ransomware/malware exploit human behavior?
I have always said cybersecurity is more about people behind keyboards than the actual technology.
As technology evolves, with the evolution of artificial intelligence (AI), machine learning (ML) and cloud migration, new skills must be brought to the playing field. No matter the size of the organizations, businesses that seek to innovate faster than their competitors are fighting for the same qualified talent.
I want to emphasize the “Qualified” as there is not only a lack of people to do the work, but also a growing skills gap in those qualified to understand the complexities of modern networks.
Gaps in technology skills can hold a business back from achieving further success and far more negative business impacts can occur if you have a CIO [Chief Information Office] or a CISO [Chief Information Security Officer] who is ill-equipped to secure the organization but claims to senior leadership that the company is safe.
You’ve been involved with negotiations with threat actors behind a ransomware campaign for a long time. How have the interactions evolved over the years? Are you aware of any threat actor going through with their double extortion strategy and revealing confidential data to a rival?
One of the things I think companies miss is they tend to think these criminal threat actor groups are all independent and competing against each other.
These organizations sometimes share data and intelligence about victims. Once data is exfiltrated from a company and posted or sold on a dark-web forum, other criminal threat actors are using that data from another actor’s previous attack to stair-step to additional victims and further exploits.
With the advent of Ransomware-as-a-Service and Dark-Web malware shopping sites, like Silk Road and AlphaBay, the double extortion threat is real, and the threats are not just coming from single organizations, but sometimes criminal groups working together offering a malware service and Botnets to deploy the malware.
Talking about double-extortion, how does one tackle it? I mean even if the company has the means to restore from backups, and can retake control over its network, how does it ensure that the threat actors don’t reveal the data they have exfiltrated?
The threat of double-extortion is real, but with ransomware attacks there has always been the threat [that] cybercriminal attackers will leak the data exfiltrated from the victim, so I don’t see that threat as really new.
Gone are the days when you could be a victim of a cyber-attack, either pay the ransom or restore your systems and not disclose the attack. Reporting requirements and future legislation will dictate transparency and disclosure.
How do you view AXA’s recent announcement that it’s withdrawing the ransomware cover for its French clients? Is this an effective strategy to dissuade ransomware attacks, in your opinion?
I believe the move by AXA was based upon their view of the challenges in the current cyber insurance market, related to competing pressure in the regulatory environment and from law enforcement.
There are cases I have worked where threat actors intentionally search through a victim’s infrastructure and data looking for whether the victim has cyber insurance. Some threat actors actually use the data from the victim’s own system in the ransomware notice indicating that there is no reason not to pay, because they are insured.
An argument could be made that cyber insurance emboldens the attackers, so limiting payments and coverage could discourage future attacks.
I believe the trend and the more likely response will be more to limiting cyber-ransomware payout amounts and certainly requiring policy holders to have and maintain a higher level of cyber maturity, conduct better and more regular risk assessments, and more closely align coverage to threats, which is in my opinion the better way to respond to cyber extortion than just simply halting payments.