Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, July 7, 2023.
(The following transcript has been edited for clarity)
Howard: Usually this podcast starts with a roundup of the week’s headlines, but because today we’re exclusively talking about ransomware we’re going to go right into the discussion.
My guest is Aaron McIntosh, head of Parachute GTM, which advises small and medium-sized businesses on their go-to-market and product marketing efforts. I’ve invited him to be on this show because he’s also the primary author of the Ransomware Task Force Blueprint for Ransomware Defense, which was released last August. How did you get involved in that project?
Aaron McIntosh: It all started in the fall of 2021. At the time I was working for a managed detection and response provider, ActZero. Fortunately, our leadership used to be in the White House. Sameer Bhalotra and Chris Finan both worked under the Biden administration and they were very tied into what was going on in Washington, D.C. When the Ransomware Task Force came out, one of the recommendations was to create a guide for small and medium-sized enterprises on ransomware defense. So ActZero was asked if it would be willing to help develop a guide. Chris and a couple of other people, including Rob Kanaki, who is now with the Office of Cyber Defense at the White House, started working on a list of safeguards. I was brought in a month or so later.
The Blueprint is not an implementation guide or another compliance framework. What we were looking to do is create a bit of a guide or a blueprint that would walk people through the things that you can do on ransomware. A lot of big existing frameworks like CMMC [Cybersecurity Maturity Model Certification] or the PCI DSS [Payment Card Industry Data Security Standard] are lengthy lists of controls. They have technology terms that go over the head of most small and medium-sized enterprises. We wrote the Blueprint in plain terms. It’s a set of well-regarded and widely used best practices, and comes directly out of NIST [the U.S. National Institute of Standards and Technology] and the Center for Internet Security.
Under CIS 8.0 there are approximately 70 controls, and we narrowed them down to 40. They were tested against the community defense model. We determined that if organizations implement these 40 safeguards they’ll protect against 70 per cent of known ransomware attacks and techniques. We wrote it using plain language. It’s not techspeak, so a small business can look at it and understand it, or take it to their IT provider or their MSSP or whomever they’re working with on cybersecurity and say, ‘I want to move ahead with this.’ It comes with a whole host of tools: some free, some paid, some value-add.
Howard: Do you feel since the release in 2021 of the Ransomware Task Force report and the Blueprint that progress is being made by organizations to make them more secure against cyber attacks in general and ransomware in particular?
Aaron: Absolutely. We’ve seen the number of attacks go down. Part of that could be what’s going on with the Ukraine-Russia conflict. I think the industry was expecting a lot more attacks … We’ve seen a lot more prioritization of [defending against] ransomware by businesses. The message is getting out there. In the U.S. the Center for Internet Security has done a fantastic job of bringing ransomware to the forefront. The media has been talking about it a lot more. People are coming to the Ransomware Task Force and others for feedback. We’re seeing a lot more international co-operation to disrupt [threat actor] activity. There’s an increased focus on reporting and information sharing, and there’s a lot of effort to reduce some of the risks posed at the cryptocurrency level.
But there are some areas of development that we really need to focus on, and that’s building a sustainable focus on collecting and sharing baseline information across the cybersecurity ecosystem, from the users to the hardware, the software and application developers, as well as examining the existing incentive structures out there for implementing ransomware defences.
Howard: Still, in the first six months of this year there have been a lot of big ransomware attacks reported around the world. While there was a drop early last year, there was a rapid increase in the last quarter of 2022 and that appears to be continuing. What is it about ransomware that IT and security leaders can’t seem to make progress on?
Aaron: It’s twofold. One, ransomware actors are re-grouping, but they’re able to pivot a lot faster than those who protect networks. They’re changing their tactics and methods at a very quick pace, being enabled by artificial intelligence and machine learning. You’re absolutely going to struggle to keep up. That’s especially true with dated solutions, older kinds of approaches to cybersecurity and older tools. SIEM [security information and event management] and other solutions are very good at telling you certain things, but they’re not necessarily good at protecting you against them. Some changes need to be made in the approach to cybersecurity [by organizations]. I go a step further to say too many businesses aren’t investing in ransomware resilience. It’s not a board priority; it’s an afterthought across a lot of companies. Your listeners are probably doing all the right things, so I don’t want anyone to believe that I’m down on the industry as a whole. You’re all doing what you can within the budgets you have available. It’s the role of people like me in the Ransomware Task Force to find ways to simplify that, to provide some tools or make resources available to you that you didn’t have before.
Howard: We’re seeing a trend this year where some ransomware groups — notably the Clop group — sometimes abandon ransomware in favour of just stealing data. Are you seeing that?
Aaron: Absolutely. In fact, I’ve written on this a couple of times over the last year. It started with double ransomware, and then triple ransomware, and then what I like to call infinite ransomware jeopardy. But what we’re seeing in some cases is that the ransomware element wasn’t present. They [attackers] were simply going in and stealing the data and making it available [on the dark web]. We don’t know exactly. I think sometimes it’s just easier [for gangs] to monetize it [stolen data] on the backend than dealing with the client on the front end and encouraging law enforcement [to start investigating]. We’re also seeing in some cases people were relying too heavily on data backups, and the ransomware providers see that as an opportunity. Even though it’s in the controls of the Blueprint that data backup is one of the 40 things that you should do, it’s one of the things that you put in place for the recovery stage of an attack. [But some feel] ‘We don’t need to do that because we can just back up our data.’ But if your data is already gone, you’re in as much jeopardy because that’s the value of your company. It’s like, ‘So what, you have a backup version. That data is now out there being monetized and used against you or matched up with other data of your clients to build a profile in the market.’ You need to be really, really protective of that [and implement other data controls]. I was very frustrated recently. I had watched a report on [CBC-TV] Marketplace talking about the Gatineau hacker [a member of the Netwalker ransomware gang] … One of the final lines was from a gentleman out of Windsor, Ont., who said, ‘One of the best things you can do is data backups,’ and I literally shook my head at that point and I started typing and I wrote a blog on why backups simply aren’t enough. That goes to this whole point of [ransomware gangs] skipping the ransomware stage. They don’t want to deal with you. They don’t want to deal with the police. They just want the data.
You need to find ways to protect data. This is all part of ransomware resilience. Ninety per cent of your focus needs to be on making sure they don’t get in the front door to begin with, because once they’re in they can do whatever they want, and chances are they’re going to operate at a speed that you can’t catch.
Howard: It makes me think that the things IT and security leaders should be doing to stop ransomware are the things that they should be doing to lower the odds of being hit by any cyber attack. There’s not much difference between protecting against ransomware and protecting against any cyber attack.
Aaron: You’re not wrong. I think in general many of the controls for basic cybersecurity hygiene are the same [ransomware] safeguards. However, I do think that there are some [tactics] that are explicitly being used to deliver ransomware more so than general malware, in particular phishing. Phishing can be used for many things like malware delivery, but we’re seeing it used more often for ransomware. At the end of the day organizations can’t do everything. So if your key risk is ransomware … you have to weigh that out. And I think ransomware is not covered on a control-by-control basis with every compliance framework. So I think you need to focus on where the biggest risk is in your organization. Is it the bleed of the data you have, or the ability to procure a certain contract or go into a certain line of business where you hadn’t before …
Howard: What are the top five — or three or eight — things that IT and security leaders should be doing to lower the odds that their organizations will be victimized by ransomware?
Aaron: I think one starts at the top: Make cybersecurity a board priority. If you’re building products and solutions, use security by design in the product or application development. If the entire organization is not bought in on cybersecurity, you [as an IT or infosec leader] are never going to get the dollars you need. [The company will ask] ‘Are we going to spend $500,000 on enabling more salespeople, or are we going to spend $500,000 on locking down certain components of it?’ A lot of growing organizations are going to go for the sales. So you need to get that priority out of the way at the beginning of the year.
Have network visibility as well as understand your security posture, understand your starting point, and have a desired goal with measurable outcomes on where you want to go [in your security program]. And then I’d say practise good IT hygiene. It’s not a set-and-forget-it exercise. It’s constantly monitoring, fixing and improving. You may need some form of detection and response to be able to do that, or at least some type of tool that is constantly monitoring for that.
Train, retrain and train your users again and again and again. All too often we see it, and I’ve experienced it myself: You go through the annual security awareness training at your company … You fill out a survey, spend five to 10 minutes going through a security policy, click that you accept, and see you again in 12 months. Unfortunately, threats are constantly evolving, so we’ve talked to a lot of organizations in the past about having regular conversations with their users. Not just your employees, but also your partners.
(For more of Aaron’s thoughts on fighting ransomware play the podcast)