Transparency, disclosure key to fighting ransomware
Current and former CISA members say the best methods for curbing ransomware attacks are organizations reporting attacks and assisting in investigations.
The profitability of cybercrime and the ease with which it can be executed means both public and private organizations need to not only remain vigilant in their security strategies but also be transparent about the types of attacks they're fighting against.
Ransomware is rampant, and organizations need to become comfortable discussing failures and successes with security technology peers and the government to help anticipate and prevent future attacks, according to cybersecurity experts speaking at Wednesday's online Data Security Summit hosted by Rubrik, a data backup vendor.
Current and former officials from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), CIA and Interpol all agreed that cybercrime remains underreported by organizations, resulting in a lack of data for security agencies to draw from.
Criminal organizations and nation states engaging in cyberattacks are gaining new information and capabilities daily, said Chris Krebs, a partner at the Krebs Stamos Group consulting firm in Washington D.C. and a former CISA director.
"We have to continue developing our approach as the old tricks of the trade are not going to necessarily work tomorrow," he said. "We are facing intelligent adversaries that are getting an incredible amount of [exercises in] every day."
International Plunder Machines
Krebs outlined three reasons ransomware attacks occur.
First, networks are misconfigured and extremely vulnerable, resulting in exposed and simple-to-hack targets. Second, data acquired from ransomware or other cyberattacks has become easily monetized through cryptocurrency such as Bitcoin. Third, more safe havens for cybercriminals have been established along geopolitical lines in nations such as Russia, Iran and North Korea.
"You're seeing this spread throughout the world because it pays," Krebs said. "There's a profit motive here, and until we disrupt at least two -- if not all three -- legs, we're going to continue seeing it happen."
The U.S. government and other nations have had some success in splintering cybercriminal gangs by infiltrating the groups and breaking the fragile alliance among thieves and their partner organizations, Krebs said. Ironically, those same nation state safe havens have also fractured along national and ethnic lines, most notably with the Russian invasion of Ukraine earlier this year.
But the hyperfixation by government cybercrime teams on so-called big picture attacks from other nations misses some of the smaller attacks on local school systems or mom-and-pop businesses, Krebs said.
"You really have to meet partners where they are," he said. "Not everybody has a super, high-speed security team and a full blown CISO shop and all that. … You have to speak in terms that they can understand, where they can take action in a meaningful and easy-to-do way."
Neighborhood data watch
Protecting smaller, less-savvy organizations and businesses from cyberattacks will require transparency and disclosure among public and private organizations, according to Eric Goldstein, executive assistant director for cybersecurity at CISA.
Many organizations ensnared by ransomware have opted to quietly pay the demanded price, leaving investigators in the dark about potential clues, patterns or other data they could use to track down the culprits.
"We know that the rate of recording ransomware intrusions or cyber incidents generally is far below the actual prevalence of these events," Goldstein said.
More recently, the federal government has begun to step up, he said.
In March, President Joe Biden signed into law a new federal cyberattack reporting requirement for critical infrastructure organizations: the Strengthening American Cybersecurity Act of 2022.
The law requires any "entity in the critical infrastructure sector" to report attacks no later than 72 hours after they've been discovered as well as to disclose any ransomware payments made within 24 hours. The law also gives additional powers to CISA in cyber investigations.
Critical infrastructure, as per the U.S. Department of Homeland Security, encompasses a number of industries or systems that, if disrupted, would likely result in economic disaster or massive casualties. These include hydroelectric dams, banking networks, transportation systems and other heavy industries.
Even without a legal requirement, more organizations should be willing to come forward and report attacks so that government investigators can become better informed and proactively disseminate protective measures IT teams may otherwise overlook, Goldstein said.
"Our guidance is currently based upon incomplete data," he said. "One of our real calls to action is for every victim to report [network intrusions] to the government every time."
Organizations outside the critical infrastructure designation should still review the Known Exploited Vulnerabilities Catalog created by CISA and consider multi-factor authentication to prevent phishing scams as starting points, he added.
Both Krebs and Goldstein said organizations must also understand the shared responsibility model as well as the limitations of MSPs for security. The cloud hyperscalers, such as AWS and Microsoft Azure, can offload workloads for businesses. But protecting enterprise data in the cloud ultimately falls to the customers.
Organizations should also take a long, hard look at their own infrastructure stacks before implementing new technologies, especially those drawn from the open source community, Goldstein said. Keeping abreast of every component can avoid potential misconfigurations or unknown security vulnerabilities.
Krebs agreed. "This is where policy, governance, leadership and culture become part of managing these risks."
Tim McCarthy is a journalist living in the North Shore of Massachusetts. He covers cloud and data storage news.