Years ago, someone came up with a name for a new cyber attack that saw a threat actor demand money from a victim to get their encrypted data back. They called it ‘ransomware.’
But an industry analyst argues reducing the attack to one word has caused infosec pros to search for a single solution.
Instead, says Fernando Montenegro, a senior principal analyst at international consulting firm Omdia, we should call it what it is — a ‘multi-stage extortion campaign.’
He made that argument this month at the annual SecTor conference in Toronto.
Ransomware “is a bad word,” he told infosec pros. “We shouldn’t be using it anymore… If we call it a ‘multi-stage extortion campaign’ it changes the scale of how we handle it.”
Reducing the attack to one word makes infosec pros think of installing a technical tool to fight it. “That is absolutely no longer the case,” Montenegro said.
A ransomware attack today has a number of steps, he pointed out: an initial foothold, reconnaissance of the victim’s network, lateral movement, delivery of one or more tools for copying and exfiltrating data, delivery of the encryption malware, and detonation of that malware. Each step has to be dealt with, he argued.
Similarly, awareness training alone isn’t the solution, he said. “If your organization suffers a significant breach because a user was phished … and you didn’t see what was happening, it’s not your user’s fault. That’s a security architecture that needs re-visiting.”
“Ransomware resolves what we call ‘the externality of poor security practices,’” he said at another point. “For the past 30, 40 years in cybersecurity, we’ve been able to get by with OK security.” Ransomware groups are “now bringing that cost to us.”
There is a wide range of actions to confront ransomware, Montenegro said — none of which should come as a surprise. In no particular order they include:
–leverage security capabilities in the CPUs of desktop computers and servers;
–harden Windows;
–rein in user behaviour through the use of multifactor authentication, strong web browsing controls, and controls over the opening of email attachments;
–make the most of anti-ransomware components in the applications you use;
–do a full hardware/software inventory and a vulnerability risk assessment;
–update your incident response internal and external communications plans;
–run ransomware response tabletop exercises with the IT and infosec teams, as well as with the board and senior management.
In an interview, Montenegro was asked if this comes down to just doing the basics. He winced.
“I don’t like to frame it like that, using the word ‘just.’ That implies it’s easy. The controls may be simple, but deploying them at scale without hurting the organization can be anything but basic.”
Going further, he said CISOs should look at ransomware as a threat vector just like any other. The goal should be to make the organization secure enough to protect against all attacks. “If you have a healthy, secure organization,” he explained, you have a higher chance of protecting against things such as ransomware.
“We have a fundamental problem in this industry with technical debt,” he added in the interview. “The idea is, ‘We will do something now because it’s a quick fix. We’ll fix it [better] later.’” But, he said, time goes by and the better fix isn’t done.
He admitted he’s pessimistic about the current state of cybersecurity. “Technology is expanding across all fronts, and security teams struggle to find the right mix of how to insert security controls into that explosion in a way that preserves the benefits you get — the agility to respond to business needs — without putting expansive blocks on the organization.
“As it relates to ransomware, we find what criminals are doing is finding where that gap is, where we left something misconfigured, finding where we left something unpatched.”