Building Cyber Resilience Against Ransomware

Timothy Smit
Sr. Global Privacy and Cyber Security Risk Leader, Lockton Companies

Timothy develops long-range strategies directing clients how to optimize their data effectively and responsibly. He focuses on privacy compliance, data protection, and the use of or introduction to digital technology. He assists in identifying data privacy risks, operational risk, and process improvement, and in conducting data flow mapping exercises. Timothy conducts risk assessments and develops strategic solutions for managing those risks, along with building incident response programs and plans to improve operational resiliency to a cyber or privacy event.

Over the past six months, ransomware attacks have increased exponentially. Some reports put the figure at a 700% increase since March 2020. (1)

Adding to the complexity of the ransomware difficulties, on October 1, 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding potential sanctions for facilitating ransom payments.  That same day, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on ransomware and the use of financial systems to facilitate payment.  Our summary of the Advisories and attendant issues can be found here.

Given that paying a ransom may no longer be a viable option, or at a minimum may be more difficult, organizations need to focus on preventing, identifying, responding to, and recovering from attacks. Those four activities form the foundation of becoming resilient to ransomware.

What can organizations do to minimize their risks of ransomware attacks? 

On September 23, 2020, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-53, Revision 5, entitled Security and Privacy Controls for Information Systems and Organizations. The SP contains 20 security and privacy control families. While we do not address all 20 control families, we have highlighted several prioritized, focused controls that organizations should consider and potentially implement from a ransomware loss control perspective.

The controls below also map to questions insurance carriers are starting to ask in their cyber applications, to better understand what proactive controls your organization has implemented; having them in place may make you a better risk in the carrier's eyes.

With more people working remotely, the number of endpoint devices organizations must manage and protect continues to grow. Following the cyber kill chain model (2), here are a few ways to help your organization protect itself.

Identifying and containing an incident is critical. According to the 2020 Ponemon Institute Cost of a Data Breach Report (3), the average time to identify and contain an incident was 280 days. That number has risen because workforce members working remotely do not necessarily identify or report an incident to their organization.

Implementing tools that protect your workforce and their endpoint devices, that is, endpoint and device protection and response, is where we will begin.

Training & Education

Implement recurring security training for your workforce, delivered on their primary means of communication, i.e., desktops, laptops, mobile devices, or smartphones. Focused training delivered on those devices helps your workforce recognize phishing attempts on the communication tools they actually use.

One of the most common ways ransomware is launched within organizations is through a phishing attack.

Train and encourage your workforce to report anything suspicious in real time. Your incident response team needs that information as soon as feasible to confirm the integrity of your systems and to start investigating how and where an infiltration attempt originated, so they can respond immediately and potentially shut down further attempts.

Technical Controls

Several technical controls for endpoint protection that reduce the likelihood of your organization succumbing to a targeted attack include:

  • pre-screening links in emails,
  • scanning files for exploits, and
  • stripping and detonating attachments.

If malware circumvents the controls you already have in place, these controls protect your organization by identifying the infected files and attachments, speeding up your response, allowing you to contain incidents sooner, and decreasing the probability of infected files cascading and propagating throughout your network, both internally and externally.

Segmentation of networks. This control confines malware to the segment where it landed instead of letting it cascade across your entire organization, which also reduces the overall business interruption impact on your organization.

Implementing configuration management, a patch management program, and intrusion detection and prevention systems that alert your security operations center (SOC) gives you a quick reaction force to engage and contain abnormal activity before it becomes a larger issue.

Vulnerabilities exploited by a threat actor leave a digital footprint within your networks that should be captured, investigated, and responded to where needed. Those efforts are improved by implementing security event logging solutions, applying threat intelligence to the captured events, analyzing the behaviors they reveal, and responding to the resulting incidents; together these prevent catastrophic losses to your organization.

Data inventories and data maps of information flow paths help your organization classify critical data and overlay the proper controls to protect that data based on its classification. The data inventory also sheds light on end-of-life (EOL) systems, operating systems, etc. that no longer receive security updates or patches. Such systems expose your organization to new threat agents at a much higher rate and make you non-compliant with most regulatory requirements, which explicitly state that you must protect your network and data.

One example is the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(5)(ii)(B), which requires the entity to have protection from malicious software, implying that you must apply patches on all systems.

Another example is the global PCI DSS standards that require each entity to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.” (4)

Best practices also address the following response and recovery controls, which build an organization that is resilient to a ransom attack.

Data inventorying provides your organization with a catalog of systems, categorized by importance to business operations and organizational goals and objectives. It gives your organization a prioritized list of the critical systems and assets to protect most, with their data proactively backed up, protected at rest, and accessible only by authorized users.

Data must be backed up and protected from unauthorized access, alteration, or deletion, with a planned and tested restoration plan; this empowers your organization to be resilient to cyber-attacks, including ransomware attacks. Backups may be conducted and stored locally, or they may be virtual within a cloud environment.

Authentication Controls

Implementing multi-factor authentication (MFA) is critical to confirming the identity of those accessing your systems and devices. For example, if your organization uses Microsoft Office 365 (O365), MFA is free and available to implement today. If your organization does use O365, ensure that the Advanced Threat Protection add-on is also being utilized.

MFA should be applied to protect every account, including privileged accounts. Also, if you allow work emails to be forwarded to personal email accounts, ensure that your workforce has enabled MFA on those personal accounts, especially in today's work-from-home setting.

Even though MFA will not prevent phishing emails from being clicked on or executed, it can reduce the chance that a successful phishing attempt leads to exploited credentials by over 90%. (5)

Incident Response

Incident response is an organized approach to addressing and managing privacy and data incidents. The goal is to identify, respond to, contain, and recover from the incident while limiting damage and reducing business interruption.

Incorporating training on how to identify an incident and how and when to report it is one component of the incident response plan. Investigating the digital footprints of a bad actor is another.

Your incident response plan is the cornerstone of building resilience within your organization, and building cyber resilience is a necessity today.

Cyber Insurance Carriers

Organizations that currently purchase a cyber liability insurance program have access to all of the above-mentioned recommendations and many other services, provided either complimentary or at a reduced cost. The insurers are helping their clients proactively improve their overall risk posture while reducing the probability of a cyber event causing a loss that triggers a claim.


Glossary:

Configuration Management – Configuration management is a systems engineering process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.

End-of-Life (EoL) – "End-of-life" ("EOL") is a term used with respect to a product supplied to customers, indicating that the product is at the end of its useful life (from the vendor's point of view), and the vendor stops marketing, selling, or sustaining it. (The vendor may simply intend to limit or end support for the product.)

Patch Management – Patch management is the process of acquiring, testing, and installing multiple patches (code changes) on existing applications and software tools on a computer, keeping systems up to date with available patches and determining which patches are the appropriate ones.

Segmentation of Networks – Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to control the flow of traffic between subnets based on granular policies.

References:

  1. https://www.zdnet.com/article/ransomware-huge-rise-in-attacks-this-year-as-cyber-criminals-hunt-bigger-pay-days/#:~:text=It’s%20something%20that%20cyber%20criminals,%E2%80%93%20and%20blocked%20%E2%80%93%20ransomware%20attacks.
  2. https://www.varonis.com/blog/cyber-kill-chain/
  3. https://securityintelligence.com/posts/whats-new-2020-cost-of-a-data-breach-report/
  4. https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
  5. https://www.knowbe4.com/how-to-hack-multi-factor-authentication