I've been watching the articles and news reports fly around this week on ransomware - and I am not much impressed. Most advice is well-intentioned, but little of it comes from working CISOs, who know that peddling the bike faster will not work. We all know that patch efficiency, anti-virus software, and endpoint administration have improved many-fold in the past decade. They are necessary as a base, but insufficient to deal with ransomware. That's just the reality.
I will be honest with you - large companies hire people like me at a gold-ounce per hour to advise on issues like this. Everyone else is forced to read articles. Since this destructive attack is emerging as such a frightening global issue (as I predicted), I decided to make believe that you were paying a gold-ounce per hour for guidance, and below summarizes what I would advise.
To reduce the risk of ransomware and related destructive attacks, security teams need to focus on the following four non-trivial business initiatives, none of which can be outsourced, and all of which will require daily attention: Information architecture, resilience methodology, prevention programs, and response planning. The paragraphs below summarize these initiatives in sufficient detail so that you can craft your own program:
An information architecture is a collective understanding of the minimum information needed for an organization to function. Each employee contributes by being introspective about their own set, and the owners of each system contribute by defining their own minimum required information. This collective task must be managed professionally, and must be maintained vigorously. It is a required Step One in reducing the destructive malware risk. You need to know what you need to work.
To illustrate, when employees self-evaluate their minimum needed files, they discover to their astonishment a much smaller set than expected. My heartfelt advice to these employees is to get rid of everything else. I know that a percentage of you must consult with lawyers and records management policies, but if you can avoid talking to your pack-rat hoarding legal staff, then do it. Dump everything you don't need.
For systems, the process is more complex, and requires competent system administrators to carefully orchestrate a dependency graph. If your main HR application, for example, pulls from a list of files kept on a Windows server, then you need to know that. Those files become part of the collective information architecture for your organization. I told you this was not easy, but the process simply cannot be skipped. I'm sorry.
A resilience methodology involves the people, processes, and technology required to keep the organizational mission moving forward. That is why resilience is more than just backing up files. It includes everything necessary to continue to operate. For example, if required files are backed up to the cloud, but a destructive BIOS attack has zapped your computers, then there might be no reasonable place to host and use backed up data.
Most of your employees will quietly create their own resilience plans, often keeping self-purchased memory sticks in the top drawer to store copies of important presentations, proposals, and other documents. The challenge for security teams is to support this process with properly selected off-line storage and recovery procedures. If this is ignored, then you deserve what you get when a stick is lost with sensitive customer records.
The best resilience methodology is one that allows for rapid restoration, perhaps using virtual access to the cloud, with a minimum of disruption. The cutover should be tested thoroughly and shown to be resilient itself from destructive malware. Back-up tools are worthless if they are vulnerable to the same ransomware or other attack that they were intended to mitigate. Demand evidence of separation from your vendor, perhaps via strong authentication protocols.
Prevention programs include anti-malware software, patching processes, and security protection tools for email, web, and other services. Most security teams have these tools in place today, so this area is more about improvement and extension, than about introducing some amazing new solution. This illustrates why articles telling us to patch and run AV are so annoying: People who ignore these obvious steps also do not read security articles!
Meaningful differences do exist in endpoint malware prevention products, so you should do your homework. Three techniques exist to detect ransomware and other destructive Trojans:Signature-based patterns, behavioral analytics, and machine learning. You should ask your vendor how they support each - and what their process is for maintaining currency as the threat evolves. Your endpoint security vendor should have an R&D team.
Prevention can also include several common-sense initiatives that will reduce risk, but that might not be popular with your CIO. Diversity of computing infrastructure, for example, is an amazing means for reducing cascade risk - so be careful if you are 100% Windows across the board. Even your supply chain team can provide useful assistance by demanding things like non-mutable BIOS in the computers you purchase and use. This reduces destructive attack risk.
Finally, response planning is the fourth initiative required to reduce the risk of ransomware and destructive malware. It involves a comprehensive understanding and set of procedures to detect, respond, and recover from a destructive attack. For response planning to be effective, it must involve high-quality documentation, training, and testing - in contrast to boring response plans in PowerPoint decks that sit collecting dust on executive shelves.
The litmus test for response planning effectiveness involves checking whether employees would know what to do if they experience that threatening "morning-screen-of-death-message" found so often in ransomware attacks. If the entire place goes into a frenzy of confusion, then you've not planned properly. On the other hand, if employees calmly recognize a condition they've been trained to expect, then you've done your job.
Recovery is often performed by storing copies of the information architecture in a public cloud, and allowing employee access from their personal devices. This is a cheap, simple way to keep the business moving forward while the attack is being investigated. Tools exist to properly protect the cloud-based archive, and to keep your compliance team from jumping off a bridge, so do your homework and you'll find lots of options. If you select this method, then pick one day each quarter and test the cutover. You'll be glad you did.
As for whether to pay a ransom, I suspect that you might disagree with my advice. First, I believe you should follow the steps outlined above to deal with subsequent ransomware attacks. No one should ever have to pay a ransom - and there is no evidence that anyone was successful in dealing with the recent WannaCry incident by paying a ransom. So, you must use your common sense. But if you are a serious victim and have absolutely no other options - then you might consider paying the damn fee. Yes, you should call law enforcement first and they might help, but I would advise getting your stuff back if you think you can, and then taking steps to never let it happen again. (I know many of you will disagree with this advice. Sorry. It's just been my observation.)
Now, here is what you must do immediately to reduce the risk of ransomware and other destructive attacks - and this is the same whether you have four people or four-hundred people on your security team: Forward copies of this article to your team and have them read it. Then, schedule a meeting and assign one person to each of the four initiatives described above. Have them sketch a plan outline for their assigned initiative. These outline sketches will be your starting point.
Expect the overall implementation process to take months or years, depending on the size of your company, but this is how it must be done. Buying some tool, or pledging to patch faster, or asking your sysadmins to check for this file extension or that, and on and on - will not work. This is a challenge that must be managed methodically and professionally. So, go and do as I recommend right now. Do not delay even fifteen minutes on this. Go and do it now.
The good news, by the way, is that you don't owe me any ounces of gold for this advice. It's yours for free. Perhaps you can use any consulting fees saved here to jump start your new program. Consider it my donation to the cause.
Now go get on it.
- by Edward Amoroso, Founder & CEO, TAG Cyber LLC