Going on the Offensive
The last few weeks have been truly fascinating from a ransomware perspective, in both the US government and the private sector. We have reached a tipping point where both sectors see ransomware as a high-risk threat. The US government, for its part, has taken a more proactive and offensive approach, going after ransomware criminals, their infrastructure, and even their stolen funds. In this blog we will discuss that shift, along with some guidance on how the private sector can get more offensive in handling ransomware.
US Government Initiatives and Action
In May of this year, the White House issued the Executive Order to Improve the Nation’s Cybersecurity and Protect Federal Government Networks in the wake of recent supply chain and ransomware attacks. While this executive order was a great start, the true tipping point came late last week. With the infamous Colonial Pipeline attack disrupting energy distribution to over a third of the United States population, both the White House and the US Department of Justice have now taken important additional steps.
For starters, the US Department of Justice has given ransomware investigations a law enforcement priority similar to that of terrorism cases. This brings a major increase in US government offensive capability in the fight against ransomware. The Department has put special processes in place to increase law enforcement awareness and, more importantly, law enforcement’s offensive capabilities: centralized tracking of cases across the country, coordination with a centralized task force in Washington, and coordinated investigations. It also means we can expect more disruptive action, not only against the ransomware operators themselves but against the ecosystem that supports them: counter-antivirus services, online forums, criminal marketplaces, cryptocurrency exchanges, bulletproof hosting services, botnets, and online money laundering services. Bottom line: the US government is taking measures directly against ransomware attackers and their infrastructure and, most importantly, is going after their money.
If this change in tactics was interesting, seeing it put into practice less than 48 hours later was even more impressive. On June 7th the Department of Justice’s “Ransomware and Digital Extortion (RADE) Task Force”, as the Department calls it, announced that it had recovered 63.7 bitcoin, about $2.3 million of the ransom Colonial Pipeline paid to the DarkSide ransomware group, by seizing one of the group’s bitcoin wallets. While all of this additional support is valuable and genuinely appreciated, most enterprises are asking how they can also take effective steps to prevent ransomware within their own environments. To that end, the White House also released a memorandum directed at the private sector titled: What We Urge You to Do to Protect Against the Threat of Ransomware. It recommends five fundamental things enterprises must do to reduce the threat of ransomware. It is not a complete list, but it is a helpful one with some interesting new insights.
Guidance to the Private Sector – Executive Understanding of Ransomware’s Risk Profile and Starting with a Good Defense
For an enterprise to adopt a successful strategy to better defend against ransomware, minimize damage, and recover gracefully, we must start at the executive level. Cybersecurity leaders, business executives, and even board members must have a fundamental understanding of ransomware’s true risk profile. With the continued rise in ransomware crime, damage, and disruption, they must accept that ransomware is no longer a rare occurrence but a high-frequency, high-impact risk to their enterprise. As part of conveying that true risk, security practitioners must also tell them how each step taken, whether implementing security controls, exercising incident response plans, or raising awareness, changes the risk profile.
Following the White House recommendations and starting with the fundamentals, we must really work to improve the backup procedures for our data, systems, configurations, and images. We must also have better patch management, IT hygiene, and network segmentation. There are a few things the White House missed. In the Colonial Pipeline case, the attackers took advantage of a compromised password on an account that was not protected by MFA: they used a password that had been leaked on a darknet site to connect to Colonial Pipeline’s network over VPN. Therefore, we need to add strong, unique passwords used in combination with multi-factor authentication, plus least-privilege account control.
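The leaked-password point above is one a practitioner can check for directly. The following is an added example, not code from the original post or from any vendor product: it screens passwords against a corpus of known-leaked passwords without ever sending the password itself, then decides which VPN accounts should be blocked until the password is rotated and MFA is enrolled. It uses the range-query (k-anonymity) pattern that public breached-password services expose: the client hashes the password with SHA-1, sends only the first 5 hex characters of the digest, receives every suffix the corpus holds for that prefix, and finishes the match locally. The "server" here is an in-memory stand-in fed by a small constructed list, and the sample accounts are constructed too, so the whole thing runs offline.

```python
"""Added example: k-anonymity breached-password screening plus an MFA gate.

Neither the password nor its full hash leaves the client; only a 5-character
SHA-1 prefix is sent to the corpus, which answers with matching suffixes.
The corpus and the accounts below are constructed stand-ins, not real data.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed stand-in for a darknet credential dump; not a real leak.
LEAKED_PASSWORDS = ["Password123", "Summer2021!", "Welcome1", "qwerty", "letmein"]
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest format breached-password corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Server side of the range query: digest suffixes indexed by 5-char prefix."""

    def __init__(self, passwords: Iterable[str]):
        self._by_prefix: Dict[str, List[str]] = defaultdict(list)
        for pw in passwords:
            digest = sha1_hex(pw)
            self._by_prefix[digest[:PREFIX_LEN]].append(digest[PREFIX_LEN:])

    def range_query(self, prefix: str) -> List[str]:
        """Return all suffixes for a prefix; the server never sees a full hash."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly 5 uppercase hex characters")
        return sorted(self._by_prefix.get(prefix, []))


def is_leaked(password: str, corpus: BreachCorpus) -> bool:
    """Client side: only the 5-character prefix leaves this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in corpus.range_query(prefix)


def vpn_access_review(accounts: List[dict], corpus: BreachCorpus) -> Dict[str, str]:
    """Map each VPN account to ALLOW or BLOCK with reasons.

    An account is blocked if its password is in the leaked corpus or if it has
    no MFA enrolled. Both gaps were present on the account used in the Colonial
    Pipeline intrusion; either one alone should deny VPN access.
    """
    decisions = {}
    for acct in accounts:
        reasons = []
        if is_leaked(acct["password"], corpus):
            reasons.append("leaked password")
        if not acct.get("mfa_enrolled", False):
            reasons.append("no MFA")
        decisions[acct["user"]] = ("BLOCK: " + ", ".join(reasons)) if reasons else "ALLOW"
    return decisions


# Constructed sample accounts, including a legacy VPN profile without MFA.
SAMPLE_ACCOUNTS = [
    {"user": "legacy-vpn", "password": "Summer2021!", "mfa_enrolled": False},
    {"user": "alice", "password": "Summer2021!", "mfa_enrolled": True},
    {"user": "bob", "password": "tr0ub4dor&3-unique-phrase", "mfa_enrolled": False},
    {"user": "carol", "password": "correct horse battery staple", "mfa_enrolled": True},
]

if __name__ == "__main__":
    corpus = BreachCorpus(LEAKED_PASSWORDS)
    for user, decision in vpn_access_review(SAMPLE_ACCOUNTS, corpus).items():
        print(f"{user:12s} {decision}")
```

The point of the prefix split is that the screening service learns nothing usable about the password: with a 5-character prefix there are about a million buckets, so even a full dump of the corpus side reveals only that someone queried one of many hundreds of digests. In production the corpus lookup would be an HTTPS range request rather than an in-memory class, and the review would run against the identity provider's user list rather than a constructed one.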
Guidance to the Private Sector – Go on the Offensive
By far the most interesting and important advice in the White House memo, and the one I view as crucial, is to begin using offensive techniques within your own enterprise. While this sounds startling, we are not talking about standing up your own RADE Task Force to go after ransomware attackers. Rather, it means testing, practicing, and drilling our incident response plans and testing our security controls to better prepare our people, processes, and plans for an attack. With constant changes to configurations, image rollouts, new third-party vendors, and new exploits in the wild, you want a rolling trend of how you are doing. Traditional methods, vulnerability management tools and periodic pen testing, fell short because they gave only a snapshot in time, often outdated by the time the customer received the report. Keeping up requires a different approach: Continuous Security Validation, which makes use of Breach & Attack Simulation, Attack Surface Management, and Automated Purple Teaming. By combining these three methodologies in one integrated platform, organizations can streamline the identification of security gaps, vulnerabilities, and exposures using attacks that are safe, automated, and easy to run, yet comprehensive and up to date.
This approach is also achievable for enterprises at the less mature end of the cybersecurity maturity model, because the solution educates practitioners as they use it, with clear-cut explanations and prescriptive mitigation guidance. At the more mature end, practitioners appreciate the automation of assurance procedures, testing, and updates, which lets them run validation continuously with less overhead. Adopting it not only reduces risk on a rolling basis; at the executive level it lets you convey your current risk level more effectively and accurately, demonstrates value for cybersecurity spend, and reduces risk through the optimization of security controls, people, and processes.
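To make the "safe, automated, repeatable attack that grades a control" idea concrete, here is an added toy example. It is not Cymulate's platform or any vendor's code; it shows one iteration of the loop a continuous validation tool runs: execute a safe simulation, collect the telemetry it produced, evaluate the detection rule that should catch it, and report PASS or FAIL. The simulation only touches files it creates under a temporary directory: it writes a few plain documents, overwrites them with random bytes, renames them with a new extension and drops a ransom-note-like file. The detection rule mirrors what an EDR or SIEM rule for ransomware commonly looks for: a burst of extension changes on high-entropy writes from one process, or a known ransom-note filename. The process id, extension, note filename and thresholds are assumptions chosen for the example.

```python
"""Added example: one continuous-validation iteration for a ransomware
detection control. Simulate safely, collect events, run the rule, grade it.
All names and thresholds are assumptions; the files live in a temp dir."""
import math
import os
import secrets
import tempfile
from collections import Counter
from typing import Dict, List

SIM_PID = 4242                     # assumed process id tagged on simulation events
RANSOM_EXT = ".locked"             # assumed extension appended by the simulation
NOTE_NAME = "HOW_TO_RESTORE.txt"   # assumed ransom-note filename dropped
NOTE_PREFIXES = ("HOW_TO_RESTORE", "README_DECRYPT", "RECOVER_FILES")
CANARY_COUNT = 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def simulate_ransomware(workdir: str) -> List[Dict]:
    """Run the safe simulation and return the file events it generated."""
    events = []
    plaintext = b"Quarterly report, nothing sensitive here. " * 64
    for i in range(CANARY_COUNT):
        path = os.path.join(workdir, f"report_{i}.docx")
        with open(path, "wb") as fh:
            fh.write(plaintext)
        events.append({"op": "create", "pid": SIM_PID, "path": path,
                       "entropy": shannon_entropy(plaintext)})
    for i in range(CANARY_COUNT):
        src = os.path.join(workdir, f"report_{i}.docx")
        dst = src + RANSOM_EXT
        ciphertext = secrets.token_bytes(4096)  # stands in for encrypted content
        with open(src, "wb") as fh:
            fh.write(ciphertext)
        events.append({"op": "write", "pid": SIM_PID, "path": src,
                       "entropy": shannon_entropy(ciphertext)})
        os.replace(src, dst)
        events.append({"op": "rename", "pid": SIM_PID, "path": src,
                       "new_path": dst, "entropy": shannon_entropy(ciphertext)})
    note = os.path.join(workdir, NOTE_NAME)
    with open(note, "w") as fh:
        fh.write("Simulation artifact. Your files are fine.\n")
    events.append({"op": "create", "pid": SIM_PID, "path": note, "entropy": 0.0})
    return events


def detect(events: List[Dict], rename_threshold: int = 5,
           entropy_threshold: float = 7.5) -> Dict:
    """Detection rule under test: flag a pid that changes the extension of at
    least rename_threshold high-entropy files, or drops a ransom-note filename."""
    renames = Counter()
    note_droppers = set()
    for e in events:
        if e["op"] == "rename":
            old_ext = os.path.splitext(e["path"])[1]
            new_ext = os.path.splitext(e["new_path"])[1]
            if old_ext != new_ext and e["entropy"] >= entropy_threshold:
                renames[e["pid"]] += 1
        elif e["op"] == "create":
            if os.path.basename(e["path"]).upper().startswith(NOTE_PREFIXES):
                note_droppers.add(e["pid"])
    flagged = {pid for pid, n in renames.items() if n >= rename_threshold} | note_droppers
    return {"detected": bool(flagged), "pids": sorted(flagged), "renames": dict(renames)}


def validate_control() -> Dict:
    """One validation run: simulate, detect, grade, and suggest a fix on FAIL."""
    with tempfile.TemporaryDirectory() as workdir:
        events = simulate_ransomware(workdir)
        verdict = detect(events)
    verdict["status"] = "PASS" if verdict["detected"] else "FAIL"
    verdict["mitigation"] = None if verdict["detected"] else (
        "Detection gap: add a rule for mass extension change on high-entropy writes")
    return verdict


if __name__ == "__main__":
    print(validate_control())
```

Run on a schedule, after every image rollout or detection-rule change, the sequence of PASS/FAIL results is the rolling trend the text asks for. In a real deployment the events would come from the endpoint agent or SIEM rather than from the simulation itself, which is exactly the point: the simulation is the known-good input, and what is being graded is whether the telemetry pipeline and the rule still see it.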
Start simulating cyber attacks today with a 14-day free trial of Cymulate's Continuous Security Validation Platform.