In this episode, Greg Wilson, CISO of Docupace, discussed the rise of ransomware during uncertain times (i.e. COVID pandemic), whether it’s here to stay, and how to prevent damage with security hygiene.
Tim Erlin: Welcome, Greg. Thanks for joining us. Today, the topic that we're going to talk about is ransomware, and I'm excited to get a CISOs perspective on this topic. We've obviously seen ransomware in the headlines a lot lately, in fact, a lot more lately than in the past. So, I think a good starting point for us, Greg, is to just ask the question. Has something really changed in the market, or an industry that's made ransomware a bigger deal today than it has been in the past?
Greg Wilson: Yes, I would say so. Things like this really increase during times of uncertainty, and with COVID recently, there has been a lot of uncertainty. The other thing is that there has been an increase in the number of people who are working remotely. Normally, in a corporate enterprise, there are more security controls in place. Now with people working from home, oftentimes they won't necessarily log into their network where all of those security controls are. This creates a confluence of events that create an ideal opportunity for ransomware attacks.
TE: I hadn't really thought about how the rise of ransomware might be tied to the COVID-19 pandemic and the changes that came with that. That's an interesting connection. Does that mean that, that, assuming that people start heading back to the office at some point in the relatively near future, do you think that's going to precipitate a decrease in ransomware? Or do you think that this is a change that's here to stay?
GW: As long as ransomware is effective, it will continue until it becomes less effective. Then, you'll see it tend to drop off, but I don't think ultimately of it ever going away, because it's simply too lucrative. The attackers will just change their methods, and they'll become more mature. They'll create more dangerous strains of ransomware.
TE: Your point about ransomware remaining as a threat as long as it's effective is an important one.
GW: Ransomware is largely preventable. You can significantly reduce the instances and effectiveness of ransomware by practicing good cyber hygiene, and having great backups. The attackers will only continue as long as it’s profitable to them. Good security that prevents the ransomware, effectively reduces the payout to the attackers, and that will just about eliminate the problem.
TE: You mentioned that it's largely preventable through cyber hygiene. Does that mean that you don't think a legislative option, like making it illegal to pay ransom is the right path forward; that it's really up to organizations to implement effective security controls? I'm curious if you have an opinion on this.
GW: Yes. Attempting to legislate against paying a ransom may be misguided because it doesn’t correct the underlying issue, which is that people are not implementing some of the security controls. They're not making investments in security that they should be making. Ultimately, what I tell organizations is that either they can pay up front or they can pay it back, but if it is paid on the back side, it's going to come with interest, as it can happen again.
TE: So that perspective on a legislative solution, I think what you're saying, and correct me if I'm wrong, is that it might solve the problem of ransomware in particular, because it would no longer be a lucrative approach, but it wouldn't resolve the underlying issues with information security that allow ransomware to be effective. So we'd still be vulnerable. We just might not realize it as much because we don't have ransomware criminals asking for ransom all the time. Is that kind of the interpretation? Did I get that right?
GW: Yes. The other challenge is, what about the repercussions to that? For example, one of the places targeted by ransomware perpetrators is a hospital system. If you have a person that's going in for surgery, and this hospital is infected with malware, and their files are encrypted, now they can't perform this life saving surgery. Does the hospital allow people to die, or do they pay the ransom?
What it really points to is that people have to stop looking at information security as an IT problem, but as a business issue. When we take a very narrow view of information security, we overlook that holistic view that is really needed for the entire organization. When viewed as a business issue, then it starts to encompass some of those other areas.
TE: When we look at how ransomware is treated in the industry press for folks who are practitioners, it's very often focused on the specific type of malware or the technical details of the ransomware itself. How important do you think it is for information security practitioners to really understand those details in order to defend themselves against ransomware attacks?
GW: If an organization is infected with ransomware, the specific strain must be identified in order to remediate it and remove it, and truly be able to return back to business as usual. Probably the best analogy I would give is if a person is diagnosed with a disease, knowing which illness is going to make proper treatment possible. The same is true with ransomware. Depending on the original manufacturer of it, it will leave different indicators of compromise. Once the specific strain is identified, the indicators of compromise can be examined in order to locate the payload to be able to remove it. Other characteristics, such as backdoors to further compromise a system can also be revealed. All people, including, those who create ransomware, are creatures of habit. They have a modus operandi, and once you understand who they are, then you know what to look for, and it helps expedite your return to business as usual.
TE: That's an excellent perspective on detection and response, which is really important. If we go back to the cyber hygiene question, I want to break that down a little bit and understand what that means. When talking about preventing ransomware, what are the security controls that you consider most effective in defending against ransomware prior to the infection?
GW: Generally, ransomware largely comes from two or three different vectors. Email is probably the most prevalent way that ransomware is delivered. The other way is through compromised credentials. Those are the primary ways that the attackers gain access. Do, you have a virus protection when emails are sent, so every email that comes in is scanned, especially if there's an attachment on that message?
Web content filtering is also a good defense. If the attackers attach a malicious link, web filtering can examine that destination website, making sure that it has not been compromised. Also, it is important to have anti-malware on all of the hosts, to eradicate malware. Something to block communication, such as firewalls and other devices that will block access to compromised sites is also a good defensive mechanism. Of course, multi-factor authentication is a must. So, if someone does compromise a person’s username and password, the second factor can further prevent the login.
Patching is another solid defense tactic, because many of these ransomware strains target previously identified security vulnerabilities that, for one reason or another, the organization has not applied the patch to correct the problem. It's doing simple things like that, which will go a long way to preventing attacks. The final step is to have good backups, because even if you are compromised, if you can restore a backup and place the systems in a last known good state, there's not a need to pay that ransom.
TE: You're pointing out something that isn't always obvious to people when they talk about ransomware. Ransomware can have multiple steps, for example, starting with phishing. How can we get from that initial compromise, to accessing critical data that prevents a hospital from delivering care or a pipeline from delivering oil?
GW: Yeah. That's a very good question. One of the first things that happens is that once the criminals gain access, they want to do is maintain that access, so they'll create what's known as a backdoor. A backdoor is just malware that enables remote access and control. Then, they want to achieve privileged escalation. The way this happens is by compromising a user ID that has privileged access, which will allow them to create a back door, or another account, or way to get in to that machine. If they're discovered and eradicated, they've already created a back door where they can get back in.
Once they gain access, and they've escalated privileges, the next thing they want to do is to try to come in and destroy or encrypt files, and even potentially the backups. One thing that a lot of people don't understand is that this process doesn't all happen on the same day. Oftentimes this is happening over a period of weeks. By the time the intruders are discovered there are tentacles all over the place.
Another approach that the attackers have recently started doing is exfiltrating that data; copying files to another server. Most people wouldn't report that they got hit with ransomware, but if the attackers saved copies of the files, they will threaten to publicly disclose the information. So, even if you can restore and return to business as usual, they have your data. From that point, it comes down to negotiation, and arranging for payment. If that's a path your organization chooses to take.
TE: Are there any examples of, of security controls that you think are least effective in defending against ransomware?
GW: I've seen organizations that completely locked down their systems, where employees can't go out to the internet, they can't access personal emails. That creates a “big brother” environment. I have found that, in organizations where that was the case, where the systems were reasonably secured, the instances of ransomware were the same. I've seen people go so heavy on the control standpoint to where the productivity drops off, the culture is impacted, and it ultimately ends up in high turnover, because it just, it's not a fun environment to work in. Everything you do really needs to be risk-based. Many of the controls that you need to implement to stop or minimize the impact of ransomware should not be overly burdensome or intrusive on your user base.
TE: I can't help to think about how, what you're describing indicates a strong mismatch in the overall mission, the perceived risk for that organization versus the depth of those controls. There are situations, for instance, if a person is working in a nuclear power plant, or a similar environment where it is appropriate to have very strict controls, the people working in that environment understand why it makes sense to them. You run into a problem as you were describing when it doesn't make sense when there is a mismatch for the level of risk for each environment. Then you end up with those problems of turnover, or damaged organizational culture. Also, people find ways around the controls.
TE: I really appreciate your time today. We gained a few different perspectives on ransomware that maybe haven't been covered elsewhere. I certainly appreciate having a CISOs perspective on this. Thank you again, Greg, for joining us today.
GW: Much appreciated. Thank you for having me.