Below is a compilation of thoughts on ransomware from a leadership perspective from various SANS Cybersecurity Leadership instructors and authors. Learn more about ransomware here.
Live Stream on Ransomware + Healthcare with Doc Blackburn
Download Doc's notes from this Live Stream here for later reference.
As a leader, it is important to understand and manage the risk of ransomware. However, it's easier said than done. Stepping into the shoes of an executive of an organization like Colonial Pipeline (before the incident), a person would probably ask questions such as:
- What are the cyber security risks and concerns the organization faces?
- What is the cost to the organization if it falls victim to a cyber-attack?
- What is the likelihood of being compromised and what is the impact of that compromise?
- Are we doing the right thing to comply with regulations?
- What is "enough" to not stop operations and overdo security?
Would the answer to these questions help that executive really know and feel informed when the organization is hit with ransomware, like Colonial Pipeline was? Surprisingly, the answer is… probably not. This is because the risk and answers provided most likely would not take into consideration a large impact like what was experienced this past weekend with the Colonial Pipeline ransomware incident. Cyber operations and effects are inherently difficult to fully identify, manage, and control. Malware can go to unintended places and do unexpected harm. In addition, cyber security and IT generally work in distinct silos from operational technology. This reduces the chances of anyone at the decision table being able to see the full picture and impact of what could happen in a cyber incident like the one Colonial just experienced, causing a downstream effect we all are experiencing.
The best thing we can do as leaders is to:
1) Give some level of oversight to ensure that risk is fully identified;
2) Trust those in the organization to either mitigate, reduce, or transfer the risk of a cyber incident through expectations already defined;
3) Decide and set the expectation of what the incident handling and response would be in cases of a cyber-attack. With this, consider:
A. Do you buy cyber insurance?
If so, keep in mind that it is in the best interest of the insurance companies to pay the least amount of a claim. This means the cost of the ransom may be less than the cost of recovery and appropriate incident handling. Hence, it really means that the insurance firm most likely will not cover the full cost of the incident.
B. Do you ensure that all security protocols and practices are in place despite the cost to operations and the organization?
This would require additional investment into cyber security and IT as well as Operational Technology (OT): new systems, better and more backups, additional technologies, additional talents and resources… It would require integration of IT and OT as well as some change which may take down the business operations. How much of a budget is enough?
C. Do you respond to the incident by paying the ransom?
U.S. CISA and the FBI do not encourage paying a ransom to criminal actors. The agencies said: "Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered."
However, what happens if you don't have good back-ups? What happens if you don't have the ability to recover the files other than the chance of getting those files from the very criminals that took the availability of those files away from you (your organization)? Although the agencies say that there's no guarantee that a victim's files will be recovered, our experience is that these criminals have an incentive to ensure that the files are recoverable so that other victims will pay. They too have a reputation to uphold. These criminals, like DarkSide, have a standard business model and are more interested in money than data. Their model often includes a help desk that has excellent customer service to ensure payment is received and files are recovered.
D. Do you buy bitcoin in advance and hold it in case of this type of situation?
This is a contingency aspect to be considered as part of the plan. The purchase of the Bitcoin should not be considered as an investment; however, if the organization purchased Bitcoin a few years back, the value of the bitcoin since 2014 has increased over 5000%. Although the currency is volatile, what has been of a guarantee is that criminals want that form of payment. The increased value thus becomes a cost reduction during a ransom, because if you buy Bitcoin at a lower value, the new increased value becomes the gap of cost "earned" against the cost of the ransom. Keep in mind that a tax and financial expert (e.g. finance dept and CPA) would need to be consulted on that asset holding.
There are many aspects to consider and manage as a leader/executive/decision-maker of an organization faced with the likely chance of being a victim like Colonial Pipeline. The best thing to do is to understand the current state of the organization's risk to cyber attacks and improve it as well as the management of that risk.
My-Ngoc Nguyen is a SANS Certified Instructor
(From his LinkedIn post.)
Lots of messages about ransomware are being broadcast out.
I wonder if we are talking to the right audience sometimes. Seems like we frame our messages for those within the security field when we need to be talking to the business owners and the business leaders.
When I look at the list of the organizations hit by the DarkSide group I see a lot of what appears to be smaller organizations ranging from energy companies, non-profit, retail, and even auto sales.
There's not just one sector that needs to pay attention to this. If you own a business, lead a business, or are the technology or security decision maker, please take a step back and think about what you can do to protect your organization from attacks like this.
I get that organizations view security as a cost center but investing even in the simple things can make a difference.
Some low-cost wins for example:
- Policies and procedures
- Security awareness training
- Host based firewalls (already included in the Windows and Mac operating systems)
There are many more open-source and free tools out there to better secure networks. I realize that a lot of companies lack the expertise or access to the talent to install and configure a lot of these. Please consider finding a way of investing in at least getting these up and going.
From there, at least dedicate someone part time to taking a look at these tools to see what you might be missing. Again, something is better than nothing and part time is better than no time. Take the time to take a step in the right direction.
Take the time to get a security audit to see how your current architecture could be better secured without a lot of investment. In my experience organizations are usually not getting the full benefit out of what they already have.
For this next part I'm going to talk about what I've done and I'm going to name vendors. This is not an endorsement, but statements based on my own experiences.
Yes, these cost money, and yes, they are expensive, but weigh this against your entire organization being offline and a 7-figure ransom being demanded.
Vulnerability Management: Pay attention to your public-facing assets. Patch and update these on a regular basis. My experience with Nessus and InsightVM was perfect for this. This will help you keep those public-facing assets secure and hardened against attackers.
Endpoint Protection: I've utilized Check Point Endpoint for a 500+ deployment and it does an amazing job of protecting against ransomware. You need a dedicated admin for this in my opinion.
CrowdStrike Overwatch: I tested this for the SANS Analyst program, and it does an amazing job of preventing attackers from gaining access to an endpoint. They also have a team of threat hunters monitoring your logs and alerts. It's like having an extended staff focused on security.
I stopped 100% of malware with the combination of Proofpoint and a Check Point firewall.
Proofpoint filtered the email, which was then handed off to the Check Point Firewall MTA where it was further examined. When you enable Threat Emulation and Threat Extraction, this is a lethal combination for inbound malware over email. This is a more expensive and complex solution, but it works.
Again, none of this is an endorsement and I wasn't asked to mention any of these. This is all based on my own experience.
I hope some organization finds value in all this. The past year has been difficult, and we've had enough challenges keeping business running. We don't need ransomware attackers making it worse.
Joe Sullivan is a SANS Associate Instructor
Lance just posted a new blog looking at the human perspective of risk:
Cut Through the Noise: Are Password Managers Still Safe and Secure?
Lance Spitzner is a SANS Senior Instructor
Leading incidents that have caused serious business impact, such as a ransomware attack, requires a leader to confidently see an incident to completion. Top technical teams need to have clear direction from the top to put their skilled puzzle pieces together to complete a complex puzzle. Crisp communication to key stakeholders is a must. As a leader, you deftly balance all of these requirements to bring your organization back to an operational state. You drive not only a technical investigation but also an all-hands-on-deck crisis recovery mission. A ransomware incident will immediately test all of these variables during one of the most stressful moments in a company's history. Your leadership could be the difference between a company recovering from a ransomware incident or incurring long-term reputational damage from a mismanaged incident.
Kevin Garvey is a SANS Associate Instructor
G. Mark Hardy
Ransomware: To Pay or Not to Pay?
What if we choose to pay a ransom? If you are a security professional, this is not your decision -- it is reserved for the highest levels of management. Engaging with ransomware operators involves risk beyond loss of payment: reputation, reporting (accounting), and violating laws or sanctions.
There are many valid reasons NOT to pay. For some, it's moral: don't support criminals. For others, it's patriotic: ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. But what it often comes down to is practicality, particularly if the cost of downtime is orders of magnitude greater than the ransom amount.
Ransomware has morphed in recent years. Initially, it was an availability attack. Today, it is often also a confidentiality attack. In the future might we see an integrity attack? That's a question for another time. Meanwhile, if you pay, do you get your files back?
- 98% of ransom demands are payable in Bitcoin
- 99% that pay receive decryption tool
- 96% report tool decrypted and recovered files
That sounds like pretty good odds. There is peer pressure among ransomware operators to deliver encryption keys when paid. Why? Because word gets out that if you pay, you get your files back. Victims will therefore continue to pay. NotPetya was an exception -- at first it looked like ransomware, but it was soon reclassified as a nation-state attack. The ransomware portion of the code was never meant to offer a redemption option (when this was first announced, I thought a bullet was going to be administered in Moscow.) But that is the exception rather than the rule.
When advising management on making the decision to pay, first check the laws. The US Treasury Department Office of Foreign Assets Control (OFAC) designates, inter alia, malicious cyber actors, often naming the ransomware developer personally. For example:
- Cryptolocker: Evgeniy Mikhailovich Bogachev
- WannaCry 2.0: Lazarus Group, Bluenoroff, Andariel
- Dridex: Evil Corp, Maksim Yakubets
These "Bad boys" listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) represent illegal destinations for payment of any kind. Before recommending paying a ransom, "pull the string" to see where it may be going. Note that OFAC also includes sanctions from Belarus to Zimbabwe, with Cuba, Iran, Libya, North Korea, Somalia, Sudan, and Syria holding semi-permanent status.
Penalties for violating the OFAC SDN list may be worse than the ransomware event. Criminal penalties exist up to $1 million and/or 20 years prison, and civil penalties go up to $250,000. In addition, the law allows government seizure or forfeiture of goods involved.
Note that these rules also apply to those facilitating ransomware payments on behalf of a victim -- a genuine concern for consultants and third-party advisors.
OFAC does list mitigating factors in assigning penalties, including "the existence, nature, and adequacy of a sanctions compliance program." Thus, ask if such a program exists in writing. If not, get busy. Also, "under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome."
Paying the ransom isn't as simple as opening up a bitcoin wallet and transferring funds. There are many legal considerations today that can sway a board or executive's decision. Ensure you are aware of the constraints and rules so that you do not inadvertently make recommendations counter to law or prudent business practice. It's worth the time to do your homework.
For more information on this topic, tune in to the CISO Podcast episode entitled "Slay the Dragon or Rescue the Princess" at https://cisotradecraft.podbean.com/e/ciso-tradecraft-slay-the-dragon-or-save-the-princess
Additional Podcasts from G Mark Hardy
G Mark Hardy is a SANS Principal Instructor