Setting realistic expectations for preventing ransomware attacks
By Edwin Bentley | Date published: 25 May 2021
In the aftermath of the recent high-profile ransomware attack on Colonial Pipeline (the company responsible for transporting 45 per cent of the oil consumed on the United States east coast), the general public has experienced clear and tangible consequences in a way it did not from the SolarWinds hack last year. As drivers scrambled to fill up their cars, gas stations up and down the US East Coast ran out of fuel, including in Washington, DC. The most recent update from Colonial Pipeline confirms that it paid a $4.4m ransom to the responsible party, adding to the expected financial ramifications of the attack.
Many in the cyber security industry are warning that this is just the start of potentially worse attacks on critical infrastructure, in both number and scale, especially given the clear financial gain for attackers. We must therefore make sure we have a strong answer to the question: what should we do if we are victims of ransomware or malware, or if an attacker gets inside our networks? Whilst we would ideally like to count on the numerous technologies available to stop these threats and adversaries in their tracks, the reality is that they will not work 100% of the time.
It is important to note that we don’t currently know all the details of what happened in the Colonial Pipeline attack, but if we were to assume that robust anti-virus/malware/ransomware technologies were in place to detect and prevent this kind of attack, then how did it happen? It is absolutely critical that those types of technologies are in use as part of a robust approach to cyber security, but we also need to have an answer when these threats have managed to find a foothold. As Dr Ron Ross recently stated, “Defending the system from the outside in, at the boundary, no longer works in every case.”
The first question to have an answer for, as part of that response, is: For any given part of the network that has been compromised, what else is now accessible? Good network segmentation is a crucial part of general cyber hygiene and is something that is often overlooked. Whilst it was almost four years ago, the Equifax data breach is a prime example of where the outcome could have looked much different if Equifax had implemented good segmentation.
Dr Ross suggests that our mindset should be as if the adversary is already within our networks. So, the focus should be on increasing their work factor, limiting their ability to move laterally, and reducing their time on target. That way, once a threat is inside our network, we limit the damage that can be done.
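The question posed above ("for any given part of the network that has been compromised, what else is now accessible?") can be answered mechanically from the segmentation policy. The following is an added example, not code from the article or from Titania: it models a constructed, hypothetical set of zones and permitted flows, walks the flows to compute the zones reachable from a compromised zone (the blast radius), shows the lateral path that gets there, and measures how much a candidate segmentation control shrinks that radius. The zone names, flows and ports are all assumptions for illustration.

```python
from collections import deque

# Constructed segmentation policy: (source_zone, destination_zone, service).
# Hypothetical zones and flows, chosen to resemble an IT/OT estate; not real data.
ALLOWED_FLOWS = [
    ("corporate_it", "dmz_web", "tcp/443"),
    ("corporate_it", "jump_host", "tcp/22"),
    ("jump_host", "ot_supervisory", "tcp/3389"),
    ("ot_supervisory", "ot_control", "tcp/502"),
    ("dmz_web", "db", "tcp/5432"),
    ("vendor_vpn", "ot_supervisory", "tcp/3389"),
]


def build_graph(flows):
    """Directed adjacency map: zone -> set of zones it is permitted to initiate to."""
    graph = {}
    for src, dst, _service in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable_from(flows, compromised):
    """Zones an adversary holding `compromised` could pivot to, directly or via hops."""
    graph = build_graph(flows)
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen


def path_to(flows, compromised, target):
    """Shortest lateral-movement path (list of zones) from `compromised` to `target`, or None."""
    graph = build_graph(flows)
    parent = {compromised: None}
    queue = deque([compromised])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in graph.get(zone, ()):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def evaluate_control(flows, compromised, flow_to_remove):
    """Blast radius before and after removing one permitted flow (a proposed control)."""
    before = reachable_from(flows, compromised)
    after = reachable_from([f for f in flows if f != flow_to_remove], compromised)
    return {"before": before, "after": after, "no_longer_reachable": before - after}


if __name__ == "__main__":
    start = "corporate_it"
    print("Reachable from", start, ":", sorted(reachable_from(ALLOWED_FLOWS, start)))
    print("Path to ot_control:", path_to(ALLOWED_FLOWS, start, "ot_control"))
    result = evaluate_control(ALLOWED_FLOWS, start, ("jump_host", "ot_supervisory", "tcp/3389"))
    print("Removing jump_host -> ot_supervisory cuts off:", sorted(result["no_longer_reachable"]))
```

Run against a real policy export, the same walk tells you which zones a single compromised segment exposes and which one rule change buys the biggest reduction in reachable zones; that is the "increase the work factor, limit lateral movement" mindset expressed as a measurable number rather than a slogan.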
Zero Trust Architecture, if implemented well, does go a long way to addressing threats to network security. The key phrase there is "if implemented well": the fact that it was implemented well at some point is no guarantee that it still is. Regularly auditing systems and devices, with accurate security and vulnerability assessment tools like Titania Nipper, is crucial to consistently maintaining a strong and resilient network.
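To make the point about auditing concrete, here is an added example that is not the article's code and is not how Nipper works: it takes a constructed, simplified Cisco-style access list as text, compares the running configuration against an approved baseline to detect drift, flags "permit ... any any" entries, and reports rules that can never match because an earlier permit-any swallows all traffic under first-match evaluation. The ACL numbers, addresses and rules are assumptions for illustration.

```python
import re

# Constructed, simplified Cisco-style extended ACL lines (hypothetical addresses).
# The approved baseline: two narrow permits, then an explicit deny-all.
BASELINE_ACL = """\
access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.5 eq 443
access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 10.30.0.9 eq 22
access-list 101 deny ip any any
"""

# The running config: someone inserted a permit-any "temporarily" and never removed it.
CURRENT_ACL = """\
access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.5 eq 443
access-list 101 permit ip any any
access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 10.30.0.9 eq 22
access-list 101 deny ip any any
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


def parse_acl(text):
    """Parse ACL lines into dicts; lines that do not look like ACEs are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        number, action, proto, rest = m.groups()
        rules.append({"acl": number, "action": action, "proto": proto,
                      "match": rest.strip(), "raw": line})
    return rules


def find_over_permissive(rules):
    """Permit entries whose source and destination are both 'any'."""
    return [r["raw"] for r in rules
            if r["action"] == "permit" and r["match"] == "any any"]


def find_shadowed(rules):
    """Rules after a 'permit ip any any' never match under first-match semantics."""
    shadowed, swallowed = [], False
    for r in rules:
        if swallowed:
            shadowed.append(r["raw"])
        elif r["action"] == "permit" and r["proto"] == "ip" and r["match"] == "any any":
            swallowed = True
    return shadowed


def detect_drift(baseline_text, current_text):
    """Entries present in the running config but not the baseline, and vice versa."""
    base = [r["raw"] for r in parse_acl(baseline_text)]
    cur = [r["raw"] for r in parse_acl(current_text)]
    return {"added": [l for l in cur if l not in base],
            "removed": [l for l in base if l not in cur]}


def audit(baseline_text, current_text):
    """Combined report a periodic audit job would emit for one device."""
    rules = parse_acl(current_text)
    return {"drift": detect_drift(baseline_text, current_text),
            "over_permissive": find_over_permissive(rules),
            "shadowed": find_shadowed(rules)}


if __name__ == "__main__":
    for section, items in audit(BASELINE_ACL, CURRENT_ACL).items():
        print(section, "->", items)
```

The drift check catches the change regardless of its content; the other two checks explain why it matters (the permit-any both opens everything and turns the deny-all into dead configuration). Scheduling such a comparison against a known-good baseline is what turns "was segmented at some point" into "is still segmented today".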
In summary, a healthy approach to cyber security defence is to hope that your ransomware and malware detection/prevention systems work, but plan that they will fail. And this starts with ensuring and maintaining basic cyber hygiene.