Defeating Ransomware: The Heroic Role of a CISO

CISO FORUM SUMMARY:  Is there a Silver Bullet to Thwart Ransomware?

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed how these successful security leaders have been able to create higher-performing security programs.  Here is a summary of their top tips or suggestions on how to thwart ransomware.

CISO Executive Forums

Fifteen years ago ransomware was not the organization-level concern it is today. Now it is more than just advanced malware: threat actors get into networks, establish command and control, and hold the business hostage for a big payday.

One CISO's company recently had 22 of its partners hit by ransomware in a single year.

That raised these questions about each affected partner:

  • Do they have accounts in our systems?
  • Do they have connections into our systems?
  • What data of ours do they hold?
  • Can an attacker get information out of us as a result?
  • Did we find out from the news, or did they inform us?

His team's focus is now to bring consistency to visibility, tooling, and the way incidents enter the response process. His concern is that outside entities will be targeted specifically as a route into larger organizations like his.

Being a large company leaves them vulnerable to attacks. He said, “You may have intelligence analysts who track and keep a record of internal events, but outside of the corporate infrastructure, the gates are not being watched as closely. Relying on subsidiaries to do that may need to be addressed.”

Lessons Learned:

One CISO was hired after a ransomware attack. The company that hired him had the tools for ransomware, but no strategy for dealing with the problem. The attacks caused a lot of downtime and slowed production, but neither of the two attacks he experienced involved data extortion. He gained a lot of knowledge through the process:

  • If you do not practice response and restore, you don't know how long it will take to get things back up and running, even with backups and a robust response process.
  • Develop a ransomware risk assessor tool that looks at the critical items (about 20-25 things) to rank and prioritize risks.
  • Plan for the worst, then develop a mitigation strategy.
  • Verify that backups can be restored securely.
  • Implement phishing training by educating users.
  • Optimize incident response so the issue is contained before it gets out of hand.
  • Incident response efficiency is one of the most important things to practice.
  • Every year they run a technical ransomware exercise that involves the executives, to provide awareness and exposure.
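Two of the lessons above, that you do not know how long a restore takes until you practice it and that backups must be verified to restore correctly, can be turned into a repeatable drill. The script below is an added example written for this summary; it is not code from the forum or from Fortify Experts. It builds a backup of a constructed sample directory with a SHA-256 manifest, restores it into a scratch directory, checks every file byte-for-byte against the manifest, times the restore, and then shows how a backup taken after a file was silently altered is caught because it no longer matches the trusted manifest. The directory names and file contents are constructed sample data.

```python
"""Added example: a backup restore drill with integrity verification.

Creates a backup plus a SHA-256 manifest, restores it into scratch space, proves
every file came back intact, and records how long the restore took. All sample
data is constructed inline; nothing here comes from the original post.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source and a manifest beside it; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    # The manifest is what every restore is checked against, so in production keep it
    # (or a signed copy) somewhere the backup media's attacker cannot reach.
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore archive into a scratch directory and compare the result with manifest."""
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse any member whose path would land outside the scratch directory.
                dest = (target / member.name).resolve()
                if dest != target and target not in dest.parents:
                    raise ValueError(f"refusing unsafe member path: {member.name}")
            tar.extractall(target)
        restored = build_manifest(target)
    elapsed = time.monotonic() - started
    missing = sorted(k for k in manifest if k not in restored)
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {
        "ok": not (missing or corrupted or extra),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "restore_seconds": round(elapsed, 3),
    }


def run_demo() -> dict:
    """Drill a good backup and a tampered one; return both reports."""
    with tempfile.TemporaryDirectory() as work:
        workdir = Path(work)
        source = workdir / "fileserver"  # constructed sample tree
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200.00\n")
        (source / "readme.txt").write_text("constructed sample data\n")

        good_archive = workdir / "good.tar.gz"
        manifest = create_backup(source, good_archive)
        good_report = restore_drill(good_archive, manifest)

        # Simulate a backup taken after an attacker altered a file: it extracts cleanly
        # but no longer matches the trusted manifest, so the drill flags it.
        (source / "finance" / "ledger.csv").write_text("2024-01-01,invoice,0.01\n")
        bad_archive = workdir / "tampered.tar.gz"
        with tarfile.open(bad_archive, "w:gz") as tar:
            tar.add(source, arcname=".")
        bad_report = restore_drill(bad_archive, manifest)
    return {"good": good_report, "tampered": bad_report}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it on a copy of a real backup by pointing `restore_drill` at the archive and the manifest stored at backup time; the `restore_seconds` figure is the number to track from drill to drill, and any entry in `missing` or `corrupted` means the backup cannot be trusted for recovery.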

What is the legality of paying the ransomware?

One CISO said they struggled to decide whether to pay the ransom and possibly stray into the territory of money laundering. One consulting-firm CISO said they have tried to address this fear with their customers, and have also had to coach customers after they paid.

To pay or not to pay…

  • Paying the ransom is a business decision, and there are now negotiators who do this for a living. If you find the right people, they are best placed to handle the legal side of the issue.
  • While paying the ransom may not be recommended, or even legal in some cases, who is going to cover the cost or losses during the drop in production? So the decision becomes: which is more prudent?
  • One CISO pointed out that these threat actors are exfiltrating data and deleting your backups, leaving you with no choice other than to pay.
  • People need to realize that ransomware operations are well-resourced, for-profit businesses.
  • We need to think holistically, not myopically, about how to handle ransomware: paying the ransom should not automatically be seen as a bad idea, even with all the risk that comes with it.

What has been the most effective thing you have done to reduce ransomware exposure?

All agreed that email phishing is the biggest vector by far.

  • One CISO said, “Train and make it painful to fail a phishing test.”
    • 1st offense – Require additional training and a test.
    • 2nd offense – Cut off access, then go to their boss to have them address it.
    • If an employee has failed phishing training twice, it is a training issue on the supervisor's side, not the employee's.
    • His company is strict about the 3-strikes rule, but it also provides positive reinforcement, celebrating those who follow the right steps in preventing attacks.
    • Highlight the parts of the company that are progressing and those that may be falling behind.
  • Another CISO said that approach is effective, but the downside is that staff become overly paranoid about email and send things to IT for assessment perhaps too often. His team therefore uses more of the 'carrot' than the stick, recognizing employees for reporting suspicious messages and for not falling for phishing tests.
  • A third CISO felt the right solution was a combination of both positive and negative reinforcement.

What about Cyber Insurance?

  • The requirements for getting cyber insurance have been "ratcheting up" a lot and are changing in real time.
  • Many insurance providers now say businesses need to engage an authorized coach/incident manager before they can get coverage. The coach/incident manager coordinates any monetary or cryptocurrency exchanges on your behalf.
  • The cost of insurance has gone up, coverage has gone down, and exclusions have increased. Read the details and have the policy reviewed by an attorney.

What are ways technology has helped recover from ransomware attacks?

It's less about technology and more about your process and the visibility of your security operations. Technology only supports the process. The important thing is comprehensive management. This CISO was very big on optimizing the technical controls. His suggestions included:

  • Verify the technical controls you have in place (e.g. Cisco Umbrella, Zscaler, Mimecast) and make sure they are optimized.
  • Develop a fast incident response: identifying and containing an incident should take minutes, not days or weeks.
  • Secure your backups.
  • Explore next-generation user behavior analytics software such as Forcepoint. It is agent-based software that sits on the server and watches file activity to flag or disrupt malicious behavior. It costs some CPU, but it has been used successfully.

CAUTION: New Threat Vector:

  • Cybercriminals are getting smarter. They don’t start with a malicious attachment or link because they know they likely won’t get past the email gateway. Instead, they look for any way to get a person engaged, then send a link or an attachment to escalate it.

In Summary:

Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to better prepare against the threat of ransomware.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet and provides expert consulting and NIST-based security assessments.

In addition, he has a passion for helping CISOs develop higher-performing teams through coaching, by creating interactive CISO Forums, and by helping them create highly effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University. 

Invite Tim to connect:  www.linkedin.com/in/timhoward