Another week, another shortage, it seems. COVID-19 taught us to expect this. However, the latest shortages of gasoline, beef, chicken and pork are due to cyber-attacks involving ransomware. The UK's National Crime Agency (NCA) reports that the overall threat from cybercrime has increased significantly in the past year.
Several factors are likely driving the increase in ransomware attacks, including growth in Ransomware-as-a-Service (RaaS), employees working from home (which often meant poorly protected remote access to company networks), and rising ransom payouts. Ransomware's rise may also be due to secondary factors such as the global economic impact of the pandemic. Ransomware's impact on organizations, which has included significant downtime, is a sign of the lack of cyber readiness in nearly all sectors. Many organizations still do not implement basic cybersecurity controls or Business Continuity and Disaster Recovery (BC-DR) preparations.
Ransomware threats are genuinely on the rise, but we are also more aware of them because they have become more impactful to our everyday lives. The Colonial Pipeline attack caused a brief gasoline shortage as well as a price spike. The JBS attack caused a price spike and a shortage of beef and pork. Earlier in the year, in what was perhaps the scariest attack, a Florida municipal water plant was attacked, and the attackers were presumed to have been trying to poison the water supply! These incidents matter to everyday people and increase the likelihood that a cyberattack will make the nightly news.
What can you do to prepare for or prevent a ransomware infection? The short answer is that organizations can do a lot to prepare and potentially prevent an attack. As with all things in cybersecurity, it begins with better understanding your risks and threats. Understanding your organization's cyber risk exposure, the business impact of an event, and the likely threats should guide your decisions on data protection, risk mitigation, and breach preparedness. You gain this understanding of your risks and threats through a risk assessment.
Once you have a better understanding of your cyber risk, it's time for planning. Remember the old saying, "Failing to plan is planning for failure." To survive a ransomware attack, you need plans for Incident Response, Disaster Recovery, and Business Continuity. Creating these plans is not a waste of time: many cyber insurance providers offer discounts for having them in place.
Once you know what is important to "keep the lights on" and you have your risk assessment or gap assessment, it's time to fill those gaps. I like to focus on Prevention, Detection, and Recovery when it comes to security controls for ransomware, and keeping it simple is critical. Two of the most impactful preventive security controls are Security Awareness Training and Vulnerability Management.
Security Awareness Training
Nearly all ransomware events begin with one successful phish, which is why awareness training that teaches users to recognize and report phishing is so impactful.
Vulnerability Management
Vulnerability Management is also critical for prevention. Most malware, including ransomware, relies at some stage on an exploitable vulnerability in application software or the operating system. If that vulnerability is patched or removed, the attack surface, and with it the likelihood of a successful attack, is reduced. Vulnerability management is a two-part process: vulnerability detection (vulnerability scanning) and vulnerability mitigation (patching, or otherwise removing the vulnerable component). It also has many secondary benefits, including configuration management, asset management, and strategic risk reduction.
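To make the two-part process concrete, here is an added example (not code from the original article) of the step between scanning and patching that most teams get wrong: deciding what to patch first. It assumes findings have already been exported from a scanner with the fields shown; the bucket rules, SLA days, host names and finding IDs are illustrative placeholders, not a standard or real data.

```python
"""Risk-based triage of vulnerability-scanner findings.

Added example, not code from the original article. Assumptions: the
finding fields, the bucket rules and the SLA_DAYS values are illustrative
policy choices, not a published standard; sample findings are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadline in days from first detection, per bucket.
# Illustrative values; tune to your own risk appetite.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
BUCKET_ORDER = {name: rank for rank, name in enumerate(SLA_DAYS)}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str      # scanner's own ID; constructed placeholders below
    cvss: float          # CVSS v3 base score, 0.0 to 10.0
    exploited: bool      # known exploited in the wild
    internet_facing: bool
    first_seen: date


def priority(f: Finding) -> str:
    """Map a finding to a remediation bucket.

    Base score alone orders the queue badly: a 9.8 on an isolated lab box
    is less urgent than a 7.5 that is exploited in the wild on the VPN
    gateway. Exposure and known exploitation therefore promote a finding
    regardless of its raw score.
    """
    if f.exploited and (f.internet_facing or f.cvss >= 7.0):
        return "critical"
    if f.exploited or f.cvss >= 9.0 or (f.internet_facing and f.cvss >= 7.0):
        return "high"
    if f.cvss >= 7.0 or (f.internet_facing and f.cvss >= 4.0):
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[priority(f)])


def patch_queue(findings):
    """Order for the patching team: bucket, then score, then exposure."""
    return sorted(
        findings,
        key=lambda f: (BUCKET_ORDER[priority(f)], -f.cvss, not f.internet_facing),
    )


def overdue(findings, today: date):
    """Findings past their SLA as of `today`, most urgent first."""
    return [f for f in patch_queue(findings) if due_date(f) < today]


# Constructed sample findings (hosts and IDs are placeholders).
SAMPLE = [
    Finding("vpn-gw-01", "F-1001", 9.8, True, True, date(2024, 5, 1)),
    Finding("file-srv-02", "F-1002", 8.8, False, False, date(2024, 5, 10)),
    Finding("hr-ws-17", "F-1003", 5.3, False, False, date(2024, 5, 12)),
    Finding("web-01", "F-1004", 7.5, False, True, date(2024, 4, 1)),
]

if __name__ == "__main__":
    for f in patch_queue(SAMPLE):
        print(f"{priority(f):8} {f.host:12} cvss={f.cvss} due={due_date(f)}")
    print("overdue:", [f.host for f in overdue(SAMPLE, date(2024, 5, 20))])
```

Note that the 8.8 on the internal file server lands behind the 7.5 on the internet-facing web host: the queue is driven by exposure and exploitation, which is what actually separates "patch this week" from "patch this quarter".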
Response to Threats
Threat detection is a bit more discretionary since there are many options.
It is important to detect threats at both the network and domain levels. There are many solutions available, including Extended Detection & Response (XDR), IDS/IPS, and logs from segmentation borders (such as layer 3 boundaries) that will aid in detection. However, we recommend using a SIEM/SOAR platform (for example, Cisco SecureX) to let incident responders and threat hunters work more efficiently and competently. It is also important that threat hunters and incident responders are properly trained and can participate in Red Team/Blue Team exercises to sharpen their skills.
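The following is an added example, not code from the original article or from Cisco SecureX or any other product, of the kind of logic a SIEM would run over logs from a segmentation border and over Windows process-creation events. Both log formats and all sample lines are constructed for illustration; the thresholds, rule names and field layout are our own, though the commands matched by the second rule are the well-known recovery-tampering ones catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery).

```python
"""Two ransomware detections run over constructed log lines.

Added example, not code from the original article or from any vendor.
Assumptions: the firewall and process-creation line formats below are
invented for illustration; thresholds and rule names are ours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: allow records from a layer-3 segmentation border.
FIREWALL_LOG = """\
2024-05-20T03:14:07Z fw1 allow src=10.10.5.23 dst=10.20.1.4 dport=445 proto=tcp
2024-05-20T03:14:08Z fw1 allow src=10.10.5.23 dst=10.20.1.5 dport=445 proto=tcp
2024-05-20T03:14:08Z fw1 allow src=10.10.5.23 dst=10.20.1.6 dport=445 proto=tcp
2024-05-20T03:14:09Z fw1 allow src=10.10.5.23 dst=10.20.1.7 dport=445 proto=tcp
2024-05-20T03:14:09Z fw1 allow src=10.10.5.23 dst=10.20.1.8 dport=445 proto=tcp
2024-05-20T03:14:10Z fw1 allow src=10.10.5.23 dst=10.20.1.9 dport=445 proto=tcp
2024-05-20T03:15:00Z fw1 allow src=10.10.5.40 dst=10.20.1.4 dport=443 proto=tcp
2024-05-20T09:00:00Z fw1 allow src=10.10.5.23 dst=10.20.1.10 dport=445 proto=tcp
"""

# Constructed sample: Windows Security 4688 (process creation) events as
# one-line key=value records such as a collector might emit.
PROCESS_LOG = r"""
2024-05-20T03:20:11Z host=FILE-SRV-02 event=4688 user=CORP\svc_backup cmd="C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"
2024-05-20T03:20:12Z host=FILE-SRV-02 event=4688 user=CORP\svc_backup cmd="bcdedit /set {default} recoveryenabled no"
2024-05-20T03:21:00Z host=HR-WS-17 event=4688 user=CORP\jdoe cmd="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)
PROC_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_smb_fan_out(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Flag a source reaching >= threshold distinct hosts on TCP/445 within window.

    A workstation normally talks SMB to a few file servers; touching many
    hosts within seconds looks like the lateral-movement phase that precedes
    mass encryption. The sliding window keeps the 09:00 connection in the
    sample from being lumped in with the 03:14 burst.
    """
    by_src = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m or m["dport"] != "445":
            continue
        by_src[m["src"]].append((parse_ts(m["ts"]), m["dst"]))

    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts.append({"rule": "smb_fan_out", "src": src,
                               "targets": len(targets), "start": t0.isoformat()})
                break  # one alert per source is enough for a responder
    return alerts


# Command patterns that destroy or disable recovery (MITRE ATT&CK T1490).
# Deliberately loose about path and casing, since attackers vary both.
RECOVERY_TAMPER = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic.*shadowcopy.*delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin.*delete\s+catalog", re.I)),
]


def detect_recovery_tampering(log: str):
    """Match 4688 command lines against RECOVERY_TAMPER; one alert per hit."""
    alerts = []
    for line in log.splitlines():
        m = PROC_RE.match(line)
        if not m or m["event"] != "4688":
            continue
        for name, rx in RECOVERY_TAMPER:
            if rx.search(m["cmd"]):
                alerts.append({"rule": name, "host": m["host"],
                               "user": m["user"], "cmd": m["cmd"]})
    return alerts


def run_all():
    return detect_smb_fan_out(FIREWALL_LOG) + detect_recovery_tampering(PROCESS_LOG)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The two rules sit at the two levels the paragraph names: the fan-out rule only needs flow logs from a layer-3 border, while the recovery-tampering rule needs command-line auditing (event 4688 with command-line logging enabled) shipped from domain hosts. Seeing both fire on the same network minutes apart is exactly the correlation a SIEM exists to surface.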
Business Continuity & Disaster Recovery
The recovery process should be aligned directly with the Business Continuity and Disaster Recovery plan.