Ransomware attacks show little sign of falling off in frequency or severity. In fact, they’re maturing – they’re coming of age. For example, we’re now seeing how ransomware purveyors are using re-worked versions of Emotet to deliver ransomware automagically, via Wi-Fi. In other words, once it gets going, it’ll keep on going virally, and not through typical phishing attacks.
We’re seeing a growing number of attacks on governments and cities around the world, as well as corporations. Within the past few months, ransomware attacks have caused the City of New Orleans to declare a state of emergency, a U.S. gas pipeline to shut down for two days and the Australian logistics company Toll to halt services.
From the conversations I’ve had with CISOs this year in Washington, D.C., Japan and India, ransomware remains a serious problem. Why? Because it is continuing to morph and mature.
The question is, how well are defensive efforts maturing? It’s tempting to say that ransomware continues to mature as much as our efforts to combat it. Maybe even more quickly. But I’m not so sure. Let’s talk about the word “maturity” when it comes to ransomware.
Cybersecurity and Maturity
I’ve noticed lately that there is a lot of talk about maturity when it comes to cybersecurity. A lot of folks will use the term to describe how ready an organization is for a particular approach or security control.
The conversation usually goes something like, “Well, I’d like to install a [security information and event management (SIEM)] or do more end-user training, but I’m not sure the organization is mature enough for that expense.”
A lot of this talk about maturity is fairly problematic, though. It becomes defeatist, mainly because smaller companies just never feel that mature in their cybersecurity abilities.
Cybersecurity Maturity and Ransomware: A Four-Step Process?
Well, I beg to differ. I think it’s possible – and essential – for even the smaller companies and governmental entities to take a solid, mature approach to ransomware. I say it’s essential, because hackers love to do quite a lot of things to generate revenue.
Chief among them is moving from the small fry to the big phish, as it were. Nice pun, eh? I always endeavor to be clever. But I’m quite serious, here, because when it comes to ransomware, more mature attacks are going after the smaller organizations and spreading to the bigger organizations by taking advantage of human and machine-based trust relationships.
At any rate, I find that four main thrusts, or initiatives, can very much help combat ransomware. I’m sure you know about three of them. But I’m adding a fourth to form an anti-ransomware quad:
- Backups
- End-user training
- Updating systems
- Security analytics, especially threat intelligence
Explaining the Anti-Ransomware Quad
Backups are the most vital defense. You can never assume that your security controls will always work because ransomware continues to morph and mature. I’m also a big believer in end-user training, as it helps folks avoid phishing-based attacks. Updates, of course, are essential, because even the most nimble, AI-driven ransomware attacks have a hard time against updated software.
I’m sure folks will want to throw in the concept of proper incident response. But I’m talking about effective ways to recover. For right now, I want to emphasize the importance of data analytics to security.
Data Analytics and Threat Intelligence: The Next Frontier, or Just a Fad?
If data is the new oil, then IT and cybersecurity workers better get to drilling down on what it means to do data analytics. At CompTIA, we pioneered the discussion of security analytics with the CompTIA Cybersecurity Analyst (CySA+) certification, which will have its second iteration this year.
I’ll never forget when I first heard conversations about combining big data with cybersecurity. The conversations I had with folks had to do with using the following:
- Threat intelligence feeds: Yes, I’m talking about information sharing. It’s vital to have real-time information taken not just from MITRE and its Common Vulnerabilities and Exposures (CVE) database. Those conversations were all about obtaining real-time threat data from partner companies, as well as from ISACs and (later) ISAOs.
- Customized information: It’s not enough to rely on static data, or even anecdotal information about attacks from the media. It’s vital to get past the “Googling for cybersecurity” approach. You need to obtain real-time data about attacks and then contextualize it.
- Data and threat models: Once you have obtained real-time data, it’s then possible to do analytics and identify specific threats to your organization. I’m not talking about generalized threats here, or about layering security to stop the bad guys. Using analytics, it just may be possible to make better decisions about where to spend your time and money to protect your organization against ransomware and other attacks.
Coordinated Information: The Best Hope for Practical Cybersecurity Maturity
Using data analytics, it’s possible for folks to get past merely stating the obvious, repeating useless media stories, and banal security generalities. Some of you may be thinking that this is what cybersecurity blogs are for in the first place. But that’s not the case.
I’m convinced that if the cybersecurity industry focuses on a data-driven approach in addition to the tried and tested approaches of backup, end-user training, and patching, we’ll have a shot at out-morphing our (would-be) ransomware overlords.
I’m not talking about how we need to create a cybersecurity “unicorn” here. Many open-source platforms, such as Yeti and AlienVault OTX, make it possible for low-funded organizations to add real-time data analytics and cyber threat intelligence to their anti-ransomware approach. Doing so promises to add tremendous clarity and give you more contextualized information so that you can place your limited resources in the right place, at the right time. And isn’t that what mature folks do with their lives when they’re operating at their peak?
Want to learn more about the new CySA+ exam? Download the exam objectives for CS0-002 now.