By Dr. Wesley McGrew, Senior Cyber Fellow; email@example.com
Recent ransomware attacks have resulted in the disruption of fuel distribution, banking, and other businesses that comprise the infrastructure that our society relies upon. While the U.S. Government has the interest and capability in pursuing ransomware campaign operators, attempting to disrupt, identify, and prosecute those who commit ransomware-related crimes, it is very difficult for government action alone to prevent ransomware attacks from initially compromising and disrupting networks of non-governmental organizations and businesses. The cost of a ransomware attack—in terms of resources and time put towards response, recovery, and investigation—will typically far exceed the ransom amount that gets so much attention in the media. To encourage organizations to take pre-emptive action to avoid this cost and disruption, the White House has issued a memo of guidance, “What We Urge You To Do To Protect Against The Threat of Ransomware.” (https://thehill.com/policy/cybersecurity/556625-white-house-sends-out-recommendations-to-private-sector-on-protections)
The White House’s guidance includes good basic cybersecurity hygiene advice:
- Multi-factor authentication to thwart attacks based on stolen passwords.
- Endpoint detection and response (EDR) for malicious software threats.
- Encryption, to reduce the value of stolen data.
- Employment of a security team that is empowered to take pre-emptive action and respond to incidents.
- Prompt updating and patching of systems on your network, which will require a good IT asset inventory and patch management regimen.
- Routine testing of an incident response plan, which for many organizations means that they need to dedicate time and resources to develop an incident response plan.
- Third-party penetration testing to test security and response.
- Network segmentation to prevent the spread of malicious software from one portion of a network to others.
Notably, the U.S. Government has recommended specifically that a third-party firm should conduct a penetration test on your network. While routine vulnerability scanning can and should be conducted by internal IT security staff, this is no substitute for an in-depth penetration test conducted by a team of offensive security experts who have focused their careers on studying and conducting operations that uncover the same vulnerabilities that would otherwise be used by cybercriminals and state-sponsored actors to compromise your network. In most cases, the kinds of vulnerabilities and scenarios that result in the success of a ransomware attack and subsequent disruption would have been discovered and documented in a penetration test conducted by a capable third-party firm.
Preventing ransomware attacks and reducing the impact of successful attacks can only be done with good basic security hygiene, supplemented with offensive testing by skilled third-party specialists. Prepare for a successful attack but do your due diligence in preventing the initial compromise. By using third-party penetration testing to identify the vulnerabilities that will be used by ransomware operators to attack your network, you will be able to effectively direct your limited budget, resources, and time to successfully defend and respond.