Ransomware – how and when government should help
Author: Uilson Souza, Compliance and Security Governance at Mars
Ransomware – how and when government should help – An article I read a couple of weeks ago at CSO Online caught my attention due the claim from several great CISOs from the United States. After lots of ransomware attacks occurred in these last days, the US Government was mentioned, in order to provide help and a kind of “definitive solution” for the problem.
Reading the article, I saw that they really know about their responsibilities on providing the best cybersecurity protection inside their corporations, but, mainly due the foreign nature of the attacks, they felt that, in their opinion, special help from government would be appreciated. However, they couldn´t explain at what point government should help.
This article is not intended to criticize the views of these professionals. I´m particularly an admirer of all those interviewed, but if there´s no measure on the boundaries for what is my obligation and what´s expected from the government, how do I figure out a strategy strong enough to guarantee the business continuity? At what point will the government action be requested?
Another point to consider is the fact that the recent ransomware attacks were successful due to some points of vulnerability commonly used by the attackers:
- Security gaps in terms of vulnerability management and hardening – protocols and other important configuration parts.
- Phishing – a problem still in course.
Before evaluating the CISOs’ considerations, let´s remind ourselves of the latest attacks we have had and their details:
SolarWinds – IT Portfolio Management System
December 2020 – after evaluation from CISA (Cybersecurity and Infrastructure Security Agency) the root cause for the attack was an MFA deviation using Outlook Web Access (OWA) private key access. The impact was felt by several public and private companies.
Colonial Pipeline – the largest pipeline system for refined oil products in U.S.
May 2021 – Hackers entered the networks of Colonial Pipeline Co. on April 29 through a virtual private network account. All impact that came after was started by a compromised password.
Another concern is that the lack of visibility into the Security status of Colonial´s OT Systems is likely what caused Colonial to shut down operations. They even know how deep, how far and how wide the impact was at that time.
Which system came down? Natural gas or other operations? Due the lack of visibility, the most secure action was to shut down all systems. This action makes the lack of a properly implemented information security system management visible, with no monitoring systems.
A lack of system segmentation of functions and networks (part of the Information Security Management steps) would have avoided them stopping all operations, once they were aware of where the problem was.
Fujifilm – Information and Image Company
June 2021 – The ransomware REvil was found at Fujifilm’s environment. Fortunately, their backup systems were properly working, and it prevented the payment requested by attackers. However, which was the breach found in order for the ransomware to take place? Fujifilm did not share major details, which makes me suspect they had big gaps to be explored.
JBS – Meat Processing Company
June 2021 – Attacked by REvil Ransomware that stopped all operations in Australia (first point of action) extending to US and other countries. There´s no information on how REvil got into the JBS network, but the reported evaluation says it had been inside since February 2021, becoming active in June.
The report reveals the lack of monitoring and a proper business continuity plan, once the final decision was made to pay the rescue requested by the attackers. Even having paid almost US$ 11m and having operations restarted, some data from the company was shared around the internet.
After all the cases described above, let´s get back to the main point of this article – the claim from the CISOs for the US Government´s help.
Considering the US Government has defined a set of actions to be taken by its governmental agencies and service suppliers counting on help from the private sector achieve this purpose, it´s clear that we have no definitive solutions from the public sector. Despite the great actions from the FBI, CISA and DoD, including the US$ 2.3m recovered for JBS, attackers are still finding breaches to accomplish their mission.
Let´s get back to Colonial Pipeline case where they even knew the size of the impact – how to ask for government´s help when I even know what I have inside my own company? The lack of cybersecurity investment is still the problem that opens the doors for attackers. This investment will take place after a big attack and the cost to remediate is usually higher than the cost of prevention. In all listed cases here, you can see there´s not a proper risk management to define what´s critical for the business and define security controls to mitigate risks.
Awareness training is not having the proper effect given that compromised passwords and phishing are still an attack vector. Yes, a proper awareness campaign is a big risk mitigation if we assume most attacks are sourced by an internal actor.
Also reviewing the cases, none of the companies had a proper continuity plan (BCP). Once servers were affected, there was no other environment to guarantee the continuity of all processes, or at least the most critical ones. It could be measured by a simple Business Impact Analysis to understand the impacts, costs of stopped operations, time to recover and so on. In this case, how would the government help?
I fully understand a partnership between companies and government is necessary. Situations like Colonial Pipeline come to the national interest and cannot be ignored, but requesting government action without a proper cyber self-defense, in order to mitigate foreign attacks or even local ones, will only create a reactive process in an endless circle of attacks.
It´s also important to consider that government also needs to solve its own gaps. If we’ve had an order coming from the White House to implement security measures for preventing ransomware attacks on governmental agencies, it´s because something is not working up there.
I´m not affirming the ISMS (Information Management System) is the definitive solution and will prevent 100% of attacks. There´s nothing to guarantee it won’t happen.
However, a strong Security Management system will help in terms of monitoring, understanding the critical risks in terms of operations, costs, legal, image and will give enough information for decision-making, like moving operations to another building, the restoring of backups (if it´s the case), to informing stakeholders and understanding the level of the impact securely, or even to completely preventing the attack in some cases.
The ISMS properly implemented will give you the capacity to respond to an incident when it comes up. After solving all these gaps, you will have a proper base to request government action in a stronger way and /or establishing a strong partnership.
To finish this piece, I´d like to share a quote from Orange Cyber defense experts in this same CSO Online article:
“We are focusing a lot on concept of ransomware, but we also need to not forget that this is a challenge to our cybersecurity posture”.
I hope this article will help and you are free to send me your thoughts about what was described.
Stay safe and take care!
This article is dedicated to Divina de Souza, my grandmother who left us on July 4th. A bold and tough woman, great mother and beloved grandma whose remarkable legacy and footprints will be always inside us till the end.
Ransomware – How and when government should help