Following recent cyberattacks against key operations in the U.S., the White House is pushing companies to take ransomware seriously and beef up their defenses against it. A Wednesday memo, first reported by CNN, sent to corporate executives and business leaders by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger highlights the government's efforts to deal with ransomware. It also emphasizes the role that businesses and organizations must play in protecting themselves.
Pointing out that ransomware campaigns have increased in number and size against the private and public sectors, Neuberger said that the Biden administration is taking certain measures to thwart these types of attacks. These include disrupting ransomware attacks, working with international partners to hold countries that harbor ransomware attackers accountable, developing policies around ransom payments and trying to trace and block the transmission of virtual currency payments.
The memo comes at a time when the U.S. is grappling with some high-profile ransomware cases. The attack by ransomware-as-a-service entity DarkSide against Colonial Pipeline showed how critical infrastructure is vulnerable and how a single incident was able to impact pipeline operations across the East Coast. In a more recent ransomware attack, JBS Foods temporarily shut down some of its meat production facilities, a move that affected part of its supply chain. Both attacks illustrate how a single case of ransomware can affect a vast number of people.
Underlining the responsibilities of the private sector, Neuberger said that companies need to take the crime of ransomware seriously and make sure that their defenses match the threat. To understand their risks, the leadership teams at organizations should immediately meet to discuss the threat, review their security defenses and analyze their continuity plans to make sure they could recover from an attack, she advised.
More specifically, the memo outlined six steps that organizations should take to cut down on the risks.
- Implement the key best practices from President Biden's executive order. These include: 1) multi-factor authentication, because passwords alone can be compromised; 2) endpoint detection and response to look for and block malicious activity on a network; 3) encryption to make stolen data unusable; and 4) a skilled security team in place to rapidly patch vulnerabilities and share threat information.
- Back up your data. Ensure that you've backed up your data, system images and configurations. Keep those backups offline, because many types of ransomware look for reachable backups and encrypt or delete them before dropping the ransom note. Regularly test that you can actually restore from them.
- Regularly update your systems. Promptly apply critical patches to maintain the security of your operating systems, applications and firmware. Consider a centralized patch management system supplemented by a risk-based assessment strategy.
- Implement and test an incident response plan. Such a plan will reveal any gaps in your security posture. As you build the plan, consider a few core questions. Can you sustain business operations without access to certain systems? If so, for how long? Would you need to bring down your manufacturing operations if certain business systems such as billing were taken offline?
- Check the work of your security team. Use a third-party penetration testing service to double-check your internal security and your ability to ward off a sophisticated attack.
- Segment your networks. Your corporate business functions and your manufacturing or production operations should be on separate network segments. Limit internet access to operational networks and look for any links between the different segments. Set up workarounds so that industrial control systems can be isolated and continue to run if your business network is compromised. Test your contingency plans to ensure that critical functions can continue to operate during a cyberattack.
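The last step asks you to "look for any links between the different segments." One concrete way to do that is to run flow records (NetFlow, firewall or switch logs) through a check that knows which segment each address belongs to and which cross-segment paths are sanctioned. The script below is an added example and is not code from the memo, the White House or TechRepublic; the address plan, the allow list and the log lines are all constructed assumptions, not real data.

```python
"""Flag cross-segment links in flow records: corporate or external hosts reaching
the OT/production segment, and OT hosts reaching out to the internet."""
import ipaddress
from collections import namedtuple

# Hypothetical address plan for this example; the memo names no addresses.
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),  # jump host / historian live here
}

# The only sanctioned paths into OT (assumed policy): the DMZ jump host over
# SSH or RDP. Entries are (source segment, destination port).
ALLOWED_INTO_OT = {("dmz", 22), ("dmz", 3389)}

Flow = namedtuple("Flow", "ts src dst dport proto")


def parse_flow_line(line):
    """Parse one whitespace-separated record: timestamp src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def segment_of(addr):
    """Map an address to a segment name; anything outside the plan is 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def find_violations(flows):
    """Return (flow, reason) pairs for flows crossing a boundary they should not."""
    findings = []
    for f in flows:
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if src_seg == "ot" and dst_seg == "external":
            findings.append((f, "OT host talking to the internet"))
        elif dst_seg == "ot" and src_seg != "ot" \
                and (src_seg, f.dport) not in ALLOWED_INTO_OT:
            findings.append((f, f"{src_seg} host reaching OT on port {f.dport}"))
    return findings


# Constructed sample records, not captured traffic.
SAMPLE_LOG = """\
2021-06-03T10:00:01Z 10.10.5.23 10.20.1.10 445 TCP
2021-06-03T10:00:02Z 10.30.0.5 10.20.1.10 3389 TCP
2021-06-03T10:00:03Z 10.20.1.10 203.0.113.7 443 TCP
2021-06-03T10:00:04Z 10.20.1.10 10.20.1.11 502 TCP
2021-06-03T10:00:05Z 10.10.5.23 203.0.113.7 443 TCP
2021-06-03T10:00:06Z 203.0.113.9 10.20.1.12 22 TCP
"""


def audit(log_text=SAMPLE_LOG):
    """Parse a log and return the violations found in it."""
    flows = [parse_flow_line(l) for l in log_text.splitlines() if l.strip()]
    return find_violations(flows)


if __name__ == "__main__":
    for flow, reason in audit():
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

On the constructed sample this reports three links: a corporate workstation opening SMB into OT, an OT host reaching the internet, and an unknown external address reaching an OT host over SSH; the jump-host RDP session and the Modbus traffic inside OT pass. Replace `SEGMENTS` and `ALLOWED_INTO_OT` with your real address plan and the same allow list you enforce at the firewall between the segments, so that every hit is either a policy gap or a rule that is not doing what you think it does.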
“It’s good to see the White House underscore the urgency of the ransomware threat, even if escalation is long overdue,” said Vectra President and CEO Hitesh Sheth.
"Organized ransomware attacks have been haunting cyberspace for 15 years," Sheth added. "The difference in 2021 is the more ambitious choice of targets: critical food and fuel supply lines and transport systems. The Biden administration can be assured much of the private sector already takes ransomware very seriously indeed. I believe private innovators, working with governments, will devise effective and essential defenses."
Beyond following the White House’s recommendations, there are other steps organizations should take to address the ransomware challenge.
“First, don’t use ransomware as a ‘fear, uncertainty and doubt’ strategy to bend your business to your will,” said Digital Shadows Chief Information Security Officer, Rick Holland. “Instead, take a measured, non-hyperbolic approach in explaining the threat and risks to your executive leadership. We have to address the root causes of the illness, not just the symptoms. The White House’s suggestions aren’t cheap and will take time to implement.”
However, Holland said that organizations can still look for quick wins in the battle against ransomware. Testing your incident response plan with extortion tabletop exercises is something you can do right now. This type of exercise can identify any needed security investments in people, processes and technology. Further, organizations must focus not just on their security technologies but on their security teams, and one way to do so is to ensure that you have dedicated training and development programs.
Companies should also adopt a post-attack mindset, realizing that, even with the best defenses, an attacker may still be able to breach their network. This mindset means establishing a strong cybersecurity culture that asks the tough questions, anticipates worst-case scenarios and implements a recovery and containment strategy, according to Nozomi Networks technology evangelist Chris Grove.
Further, organizations need to determine how best to respond to an attack, finding the right balance between underreacting and overreacting.
“In many ransomware cases, it’s the abundance of caution on the victim’s side that causes them to initiate their own shutdowns of operations, not the attack itself causing the shutdown,” Grove said.
“The ransomware may have never hit the parts of the network that were isolated, but a decision was made by the facility operators to limit the blast radius of the attack, or segment off sections of infrastructure to protect it,” Grove added. “Those networks may have been able to resist the attack, or may have been super-secure. But in the end, it doesn’t matter. The attackers were able to shut down and impact infrastructure outside of the scope of their attack.”