Ransomware: Survive By Outrunning The Guy Next To You
There are two people in a wood, and they run into a bear. The first person gets down on his knees to pray; the second person starts lacing up his boots. The first person asks the second person, “My dear friend, what are you doing? You can’t outrun a bear.” To which the second person responds, “I don’t have to. I only have to outrun you.” — “The Imitation Game”
ICYMI, a ransomware attack hit a major US pipeline this weekend, leading to a shutdown in operations for the past three days. Colonial Pipeline will remain shut down for an unknown amount of time, as the organization is “developing a ‘system restart’ plan” in real time. Critical infrastructure and pieces of the supply chain (which were already fragile due to the pandemic) continue to be taken down by ransomware attacks, whether they are targeted deliberately or hit as collateral damage. This has a number of downstream effects on the supply chain, causing recovery times to grow even longer as the many companies that rely on these suppliers also attempt to recover.
Ransomware Is Ultimately About Business Disruption
This attack comes on the heels of a crippling year of ransomware attacks across the globe, especially those targeting healthcare organizations. The name of the game: business disruption. Critical infrastructure providers are being targeted by ransomware actors because, when hit with ransomware, they need to choose between indefinite suspension of critical business processes or paying the ransom. Shutting down a crucial resource for an indeterminate amount of time is simply not a sustainable option for a business, and it backs affected providers into a corner, where their only option is to pay up.
Federal Policy Is Finally On The Table
The pipeline operated by Colonial Pipeline delivers around 45% of the fuel consumed on the East Coast, making it a massive supplier for the United States. This has elevated the attack to a potential national security threat, with the US government declaring a state of emergency for the length of the shutdown. It also demonstrates how blurred the line between the public and private sectors has become when it comes to the impact of a cyberattack on a nation state.
The Biden administration has made securing federal cybersecurity defenses a top priority and had planned to pass legislation even before this attack occurred. As these attacks become more frequent, there is some expectation that this legislation could eventually bleed into the private sector, especially critical sectors such as finance, pharmaceuticals, and energy, which could be required to demonstrate a certain level of information security maturity (along the lines of the United States Department of Defense’s Cybersecurity Maturity Model Certification, CMMC, which the DoD requires of the contractors it currently utilizes).
What Can You Do About It Right Now?
As the quote above and the title of this blog suggest, cybercriminals take the path of least resistance: they are looking for the easiest way to make money. Even the attackers in this specific incident stated publicly, “Our goal is to make money.”
So what do security pros need to do right now to lower their risk in the face of future ransomware attacks? Outrun the guy next to you.
Building on Chris Krebs’ valuable advice from this morning, security pros at every organization should implement these quick wins right now to limit the impact of a ransomware attack:
- Enforce strong passwords. No password12345 has any business in your organization. Build a password policy that enforces strong passwords by default.
- Check your backups. Make sure you have working backups of data that your organization could not live without. Test whether your backups include what you care about, and test whether they restore successfully. Backups are your last line of defense and are critical.
- Implement multifactor authentication (MFA) that’s easy to use and is ubiquitous. This should front the entry points into your infrastructure, whether that’s a combination of your identity provider (Azure AD, ADFS, Okta, Ping, etc.) and your VPN (Pulse Secure, Cisco AnyConnect, etc.) or otherwise. This prevents stolen log-ins/credentials from being easily used to siphon data and infect your organization.
- Secure privileged accounts immediately. In most of these attacks, we continue to see that domain administrator accounts or other types of privileged accounts are on almost every endpoint or have permission to access critical applications, giving the attackers an easy way to move laterally. Take inventory of those types of accounts, and remove them where possible. Only give employees local administrative rights when necessary — it should never be by default.
- Update and test your incident response plan. Your response plan needs to cover what happens when you inevitably get infected with ransomware and what the subsequent steps are; that planning should involve both your technology and business departments. It also needs to specify who you will contact for help when you are hit, which could be your MSSP or another incident response organization that you have on retainer.
- Ensure that your endpoint protection and security policies on your endpoints are up to date and enforced and that the protection is turned on and working. We can’t tell you how many times we’ve seen organizations with real-time protection disabled, antivirus definitions last updated weeks ago, or cloud protection turned on but not working because the endpoint can’t get out to the internet. Talk to your endpoint protection vendor and ask them about the appropriate health checks to make sure these products are installed, turned on, and working as expected.
- Make sure that your devices are being patched regularly. Prioritize critical assets like externally facing devices such as VPN concentrators or servers sitting on a DMZ. Ultimately, your organization should be reducing the time that it takes to patch software and operating systems, as monthly patch cycles don’t keep up with how quickly attackers move or with the remote nature of work.
- Block uncommon attachment types at your email gateways. Your employees shouldn’t be receiving attachments ending in .exe, .scr, .ps1, .vbs, etc. Microsoft actually blocks a number of these by default in Outlook, but you should take a look at your email security solution and ensure that they’re only allowed by exception.
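The backup item above says to test both that the backup contains what you care about and that it restores. The script below is an added example of what such a restore test can look like; it is not from the original post or from Colonial Pipeline. It uses only the Python standard library: it backs up a directory into a tar.gz with a SHA-256 manifest, restores the archive into a scratch directory, and compares every file hash. The "finance" sample directory, its file names and contents are constructed for the demo. The second verification run compares the archive against the source as it looks after new data has been written, which is how you find out what a day-old backup would not bring back.

```python
"""Backup restore test: back up a directory, restore it into a scratch location,
and verify every restored file against a SHA-256 manifest.

Added example (not from the original post). All paths and data are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's POSIX-style path relative to `root` to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write `source` into a tar.gz and store the manifest next to it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:  # add files only; tar recreates directories on extract
            tar.add(source / rel, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, expected: dict) -> list:
    """Restore `archive` into a scratch directory and diff it against `expected`.

    Returns a list of human-readable problems; an empty list means the test passed.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # Use the safe extraction filter where this Python version offers it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **kwargs)
        restored = build_manifest(dest)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo() -> dict:
    """Back up a constructed directory, verify it, then show what a stale backup misses."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "finance"  # constructed sample data, not real records
        (source / "ledgers").mkdir(parents=True)
        (source / "ledgers" / "2021-q1.csv").write_text("acct,amount\n1001,250.00\n")
        (source / "vendors.txt").write_text("Acme Fuel\nNorthern Parts\n")
        archive = work / "finance.tar.gz"

        manifest = create_backup(source, archive)
        fresh = verify_restore(archive, manifest)  # expected: no problems

        # Data keeps changing after the backup job ran. Verifying the archive against
        # the *current* source shows exactly which files the backup would not restore.
        (source / "ledgers" / "2021-q2.csv").write_text("acct,amount\n1002,75.00\n")
        stale = verify_restore(archive, build_manifest(source))
    return {"fresh": fresh, "stale": stale}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "OK" if not problems else problems)
```

In production the manifest would be written at backup time and kept with the archive, and the restore step would run on a schedule against a host that is not the one being protected, so that a restore failure is discovered before an incident rather than during one.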
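The attachment-blocking item lists extensions such as .exe, .scr, .ps1 and .vbs. The following is an added example, not code from the original post or from any mail gateway product, of the check an email security policy needs to make: it parses a message with Python's standard `email` library, walks its attachments, and flags any whose real extension is on a blocklist. The blocklist extends the post's list with a few other common executable and script types and is a constructed sample policy, not a vendor default. The sample message, its addresses and attachment names are constructed. It normalizes case and trailing dots, takes the last extension of double-extension names like `invoice.pdf.scr`, and refuses names containing Unicode bidirectional override characters, which are used to make an extension display differently from how it is interpreted.

```python
"""Attachment policy check for a mail gateway.

Added example (not from the original post). The blocklist and the sample message
are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Extensions from the post (.exe, .scr, .ps1, .vbs) plus other executable/script
# types. Constructed sample policy; tune it to your environment.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
    ".bat", ".cmd", ".com", ".pif", ".hta", ".msi", ".dll", ".lnk", ".iso",
}

# Right-to-left and left-to-right override characters make the displayed name
# differ from the parsed one; a legitimate attachment name never needs them.
BIDI_OVERRIDES = {"\u202d", "\u202e"}


def blocked_reason(filename: str) -> Optional[str]:
    """Return why an attachment name violates policy, or None if it is allowed."""
    if any(ch in filename for ch in BIDI_OVERRIDES):
        return "bidirectional override character in file name"
    # Windows ignores trailing dots and spaces, so "setup.exe." opens as setup.exe.
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return None
    ext = name[name.rfind("."):]  # last extension decides how the OS opens the file
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    return None


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and report attachments that violate policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        reason = blocked_reason(filename)
        if reason:
            findings.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "reason": reason,
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one benign PDF and two attachments that should be blocked."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "accounts-payable@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="invoice-1042.pdf")
    # Double extension: the displayed ".pdf" is not what the OS uses to open it.
    msg.add_attachment(b"MZ sample", maintype="application", subtype="octet-stream",
                       filename="invoice-1042.pdf.scr")
    # Script shipped as text/plain; the MIME type is irrelevant, the name decides.
    msg.add_attachment("Write-Host sample", subtype="plain", filename="Setup.PS1")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(f"{finding['filename']} ({finding['content_type']}): {finding['reason']}")
```

The check deliberately keys on the file name rather than the declared MIME type, because the receiving client opens the file by its extension regardless of what the sender declared. A gateway would additionally look inside archives, which is the usual way a blocked extension gets past a name-only filter.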
Longer term, we know that the way we’ve been doing things isn’t working. Focus on moving from a perimeter-based security architecture to one based on Zero Trust to effectively limit lateral movement and contain the blast radius of many types of attacks (phishing, malware, supply chain, etc.). See our report, “Mitigating Ransomware With Zero Trust,” for an in-depth view of how a Zero Trust architecture guards against ransomware attacks.
Do you have more questions about ransomware? Do you have opinions on ransomware? We are working on research on this very topic to bring prescriptive advice to security pros. Get in touch with us and share your point of view.