Editor's note: The following is a guest article from Patricia Muoio, one of the general partners at SineWave Ventures.
Much of the ransomware rhetoric these days comes from the action movie school of cybersecurity thinking. Let's fight back against attackers, let's trace them through cyberspace and steal back the ransom, let's (gasp) levy political sanctions.
While these responses make good stories, they don't do much to stop any ransomware attack or even to greatly discourage attackers.
There are two flaws with these dramatic approaches: they are responses, not proactive protections; and they miss the forest for the trees, concerned with specific attack parameters rather than general indicators.
Successful approaches to prevent ransomware are sadly less dramatic and make for boring tales. They sidestep the spy-versus-spy approaches of identifying bad guys and isolating specific tactics and attack vectors. They are based on the essential features of malware attacks and basic system security practices.
They are about as exciting as brushing your teeth, and similarly effective.
There are two essential features to a successful ransomware attack:
- The bad guy gets in
- The bad guy encrypts your data
So, let's think about things that prevent any bad guy from getting in and from encrypting your data.
The break-in
Most bad guys get in by stealing credentials, generally through phishing. Stolen credentials are largely useless if a system has implemented multifactor authentication: the credential is only one of the required factors, and the attacker would also need access to another (often the user's cell phone) to gain access using that credential.
This ups the difficulty of attack significantly, requiring close access to the compromised user, and relying on the theft of the phone going unnoticed for sufficient time to mount the attack. This is the stuff of a good spy movie but not the game of an attacker-for-profit.
Multifactor authentication products are easy to find and relatively cheap. Anyone concerned about ransomware can reduce the odds of being attacked by taking this step toward securing their systems.
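To make the "stolen credential alone is useless" point concrete, here is an added example (not code from the article or from any product it refers to) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226). The user record, salt, password and secret are constructed for the example; the replay guard (`last_counter`) is an assumed design choice, not something the article specifies.

```python
"""Two-factor login check: password + TOTP. Added example, assumptions noted inline."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # TOTP time step used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not hand over the first factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class User:
    """Constructed user record: password hash plus the shared TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"  # constructed; use os.urandom(16) in real systems
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time-step counter already accepted (replay guard)


def authenticate(user: User, password: str, otp_code: str, unix_time: int, window: int = 1) -> bool:
    """Both factors must pass. A phished password with a guessed or reused code is rejected."""
    # Factor 1: the password. Constant-time compare avoids leaking how close a guess was.
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return False
    # Factor 2: the one-time code, accepted within +/- `window` time steps for clock drift.
    now_counter = unix_time // STEP_SECONDS
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= user.last_counter:
            continue  # this time step was already used: a captured code cannot be replayed
        if hmac.compare_digest(hotp(user.totp_secret, counter), otp_code):
            user.last_counter = counter
            return True
    return False


if __name__ == "__main__":
    # RFC 4226/6238 test secret, used here so the codes below are checkable by hand.
    secret = b"12345678901234567890"
    alice = User("correct horse", secret)
    stolen_password_only = authenticate(alice, "correct horse", "000000", 59)
    both_factors = authenticate(alice, "correct horse", totp(secret, 59), 59)
    print("password only:", stolen_password_only, "| password + code:", both_factors)
```

The secret in the `__main__` block is the public RFC test vector, so `totp(secret, 59, digits=8)` yields the documented value `94287082`; a deployment generates a random per-user secret and shares it once, typically as a QR code.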
To encrypt your data, bad guys need to execute an unauthorized command on your system, a command that is not generally expected to be called. Any endpoint protection system that is not signature-based would prevent any command of that type from executing, regardless of the attacker's particular tactics.
The second step to reduce the odds of being a victim of ransomware is to install a behavior-based endpoint protection system. There are several on the market, and though slightly more complicated to implement than multifactor authentication, they are well within the reach of most consumers.
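The difference between signature-based and behavior-based protection is easier to see in code. The following is an added example, not code from the article or from any product; it contrasts a hash lookup (which misses a binary nobody has seen before) with a monitor that watches what a process does: many high-entropy file overwrites in a short window, the footprint that encryption leaves regardless of which strain produced it. The events, process ids, thresholds and file contents are all constructed for the example.

```python
"""Signature check vs. behavioral check for mass encryption. Added example; all data constructed."""
import hashlib
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or compressed data approaches 8.0
RATE_THRESHOLD = 20       # high-entropy overwrites by one process within the window
WINDOW_SECONDS = 10.0

# Constructed "known bad" list: the hash of a sample someone has already analysed.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-previously-seen-sample").hexdigest()}


def signature_match(binary: bytes) -> bool:
    """Signature-based: only flags binaries whose exact hash is already on the list."""
    return hashlib.sha256(binary).hexdigest() in KNOWN_BAD_HASHES


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BehaviorMonitor:
    """Behavior-based: tracks high-entropy writes per process over a sliding window."""

    def __init__(self) -> None:
        self.events: dict[int, deque] = defaultdict(deque)

    def observe(self, pid: int, ts: float, path: str, content: bytes) -> bool:
        """Return True when this write pushes the process over the alert threshold."""
        if shannon_entropy(content) < ENTROPY_THRESHOLD:
            return False  # ordinary document save; not interesting on its own
        window = self.events[pid]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        return len(window) >= RATE_THRESHOLD


def encrypted_blob(i: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext: a stream of hash outputs (constructed)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"constructed-{i}-{counter}".encode()).digest()
        counter += 1
    return out[:size]


def simulate() -> dict:
    """Replay constructed events: an editor (pid 100) and a never-before-seen binary (pid 200)."""
    novel_binary = b"constructed-brand-new-ransomware-build"
    monitor = BehaviorMonitor()
    first_alert: dict[int, int] = {}
    document = b"Quarterly report: revenue rose 4% while costs stayed flat.\n" * 64
    monitor.observe(100, 0.0, "/home/user/report.docx", document)
    for i in range(40):  # 40 files rewritten in 4 seconds with high-entropy content
        hit = monitor.observe(200, i * 0.1, f"/share/file{i}.xlsx.locked", encrypted_blob(i))
        if hit and 200 not in first_alert:
            first_alert[200] = i  # a real agent would suspend pid 200 at this point
    return {"signature_hit": signature_match(novel_binary), "first_alert": first_alert}


if __name__ == "__main__":
    print(simulate())
```

The signature path returns `False` for the constructed new build, while the behavioral path alerts on the 20th high-entropy overwrite. The same logic will also fire on a backup or compression job, which is why commercial products combine several signals and let administrators allow-list known tools; the article's point stands either way: the check keys on what ransomware must do, not on who wrote it.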
Data protection, in particular data backup and self-healing data distribution mechanisms, is the third thing to consider when defending against ransomware.
These protections enable an enterprise to continue operation even if part of the data is compromised by a data attack. However, they are more complex than the two protections discussed above and can impact daily operations. They certainly should be seriously considered by high-risk enterprises with critical requirements for uninterrupted operation but may not make sense for many enterprises.
Breaking it down
Some may think this approach is over-simplified. Surely companies already do these basic things. Sadly, that is not the case. Colonial Pipeline did not use multifactor authentication, which made way for the ransomware attack.
Companies often underestimate the likelihood that an attacker will bother with them. But ransomware is largely an opportunistic attack so any vulnerable entity with a reliance on computing is fair game.
One might even argue it is better to go after no-name companies out of the public eye since often they just pay up and there is no backlash in the press or in the cybersecurity community. Companies need to invest in technology that prevents them from being the easy target.
Companies are often crippled by their legacy systems and see no way to make the needed upgrades without disrupting operations. This makes access control systems like multifactor authentication an important first step since they are deployed on the users' devices which are often more modern than the operational systems to which they provide access.
Endpoint solutions may not be an easy choice in such enterprises, though, and system managers may need to investigate solutions that provide network segmentation or isolation to limit the scope of attacks. Data backup and self-healing storage also become important in such enterprises.
Companies sometimes consider security much less important than operations and neglect to consider the fact that a security breach can have severe, even catastrophic, operational impact.
Much of the way cybersecurity technology is marketed exacerbates this poor risk decision. Data theft, brand reputation, customer liability and threat intelligence all seem to be discussed more frequently than denial of service. Companies that don't see themselves as data companies do not see those risks as compelling.
Finally, the cybersecurity marketplace is crowded and confusing. Companies invest billions of dollars in cyber technology that is not suited to their needs. There are a number of solutions that address a particular threat but don't provide broad-based protection. There are a number of solutions that do a good job of identifying and enumerating threats and vulnerabilities but do nothing to help you fix them. There are a number of solutions that work well if you have a well-staffed security operations center.
What to do
Cybersecurity consumers are overwhelmed. Unfortunately, government guidance does not help much.
Government entities can typically only recommend, not mandate, and their recommendations are often difficult for the layman to digest. Care is taken to make sure frameworks do not stifle innovation or pick market winners, and so they are phrased with a level of generality that leaves consumers confused.
So, what can be done? Let's start with taking the drama out of ransomware. No swashbuckling required to fight back these marauders.
Rather, companies need to understand that security is an aspect of normal operations and that proactive, broad-based measures can greatly mitigate the risk of whatever threat is currently present or yet to come.
Once we start thinking about protecting against ransomware as a system management problem and not as the plot of an action movie, it becomes clear that there are some simple protections to employ to greatly reduce your risk of being a victim of ransomware.
They are not guarantees, but they do make the attacker's job harder. And unless you are a very special target worth the attention of a very persistent adversary, the attacker will move on to easier prey.