
Respond/React: Resilience And Recovery Dominate RANT’s Ransomware Roundtable
“I don’t want to dismiss prevention,” one CISO said early during a RANT roundtable hosted by Halcyon in London in early June, convened to discuss responses to the deepening ransomware epidemic. “But the biggest thing to focus on is recovery.”
The sentiment proved to be something of a lodestar for the evening, as a group of senior cybersecurity leaders and practitioners dug deep into the topic of ransomware response – with resilience clearly front of mind for businesses of all shapes, sizes and sectors. A high-level delegation from Halcyon – including director of solution architecture Ross Asquith, regional director of enterprise sales Chris Lewis, and the director of the firm’s Ransomware Research Centre, the former FBI cyber division deputy assistant director Cynthia Kaiser – contributed occasionally, but for the most part sat back and listened as those on the front line of these digital battles traded war stories and drilled down into the detail of how best to configure companies to tackle the ever-changing and existential threat of a complete loss of access to data and networks.
Step Into The Realm
An early topic for discussion turned out – perhaps surprisingly – to be hardware. There were two reasons for this. Many large enterprises – and probably quite a few smaller ones – will have built around and on top of predecessor systems, as the business has evolved over time, needing to retain existing capacity and capability while acquiring new tools and technologies. This means that the business will have some degree of reliance on old and partially obsolete systems – and staff who mainly work with newer tools may lack awareness of them, never mind the skills to solve problems that may crop up inside them. Second, ransomware by its very nature poses questions about hardware inside the enterprise: if an attacker can move laterally and paralyse all systems, then not only do backups need to be offline or airgapped from the network: but any attempt at restoring services after a successful attack could make greater demands on IT capacity. Then there’s the investigative element.
“If we suffered a ransomware incident, and we needed to keep all the encrypted servers for forensic analysis, do we have the hardware to keep the encrypted stuff and restore somewhere else?” the CISO who’d rated recovery as the prime concern said. The business, he suggested, might even require a separate, mirrored, hardware laydown, ready to spin up a new network using backups, allowing the contaminated systems to be pored over. This question had preoccupied their enterprise, they said – and that had been helpful. “For us, that spurred more investment, and a lot of changes in how we did things,” they said. “Would we have capacity to restore all the servers again, while keeping what was there?”
“In terms of ransomware, I’ve prioritised identifying the really old legacy stuff, that we have no ability to redo,” another CISO said. “I read the reports on the British Library hack, and the biggest thing was the legacy systems. They had bespoke code that was old and out of date. They could recover a lot of the modern systems, but it was those old code bases they couldn’t fix. So we have a lot of backup procedures. Ransomware is not our main problem – but the responses to those main problems will fit ransomware.”
You Got Me
These questions, of course, presuppose that the enterprise has correctly identified what constitutes its key critical systems.
“Technical recovery is pretty straightforward, but identifying the three pieces of tech that would hurt you the most…? That may not be,” one senior security leader suggested. “DNS isn’t going to make your top three – but if it isn’t there, everything dies.”
“We looked at what was the minimum viable product that keeps us trading,” another CISO said. “What are those products? What are the interdependencies? And which ones have to come back up first?”
An important point, all agreed, given that certain services will rely on other, underlying, capabilities, and so will not operate correctly if restarted in the wrong sequence.
And then there’s the nature of such analyses. It’s all well and good knowing what’s important to the business, understanding the sequence for re-establishing the service, and having these processes and procedures mapped out and promulgated around the workforce: but if people aren’t well practiced in carrying out these often complicated tasks, and are practiced at doing so under the kind of pressure that would attend a real incident, true resiliency will be impossible to achieve.
“There’s no point just having it on paper,” one veteran security staffer said. “How many times a year do you test? And do you always test the same people? You shouldn’t.” Their business, they said, runs tests several times per year, using different staff, to see if they can recover the business from the documentation that exists. If they can’t do it, the exercise is marked as a fail, and would need to be re-run.
“That scares me,” another leader admitted. “I’m down to one person on a lot of key systems. I know that the person who knows how to get it all back up is Mike – but if Mike’s not there, how do we do it?”
Double Trouble
As had been previously touched on, sometimes, resiliency will mean having a completely separate alternative ready to go if the worst comes to pass. This need not be as prohibitively expensive as permanently maintaining a complete replica of the existing systems.
“We have a waterproof case with a phone in it and a flash key. We’ve worked out, on our business-continuity plan, that that’s what we need,” one pragmatic CISO said. “We’re having to put in whole systems on standby – full email, and other systems, that we can switch to – because with the cloud, the extraction cost of data is massive; that won’t work for us as we can’t afford it.”
That CISO’s enterprise had reached this conclusion after realising that, due to specific concerns with the nature of the threat they were exposed to, and how their business was organised and its data stored, a strategy built around even the most frequent and diligently executed of backups simply would not work. There are dangers in relying on backups, particularly as ransomware groups evolve their tactics and procedures. One recent example Halcyon had dealt with proved instructive, where a patient adversary used a company’s well-implemented backup strategy against it.
“This blew my mind – and it takes a lot to shock me,” Kaiser said. “We’ve seen an actor recently who sat on a network for 31 days. They gained access to the systems, and saw that the backups were done on a 31-day cycle – cancelled the backup services, waited, then attacked. And the organisation didn’t know.”
“We had to develop an out-of-band – out of current systems – means of comms and co-ordination to bring every office up to a standard where they can operate,” another security manager said. “It’s meant putting in almost a full shadow IT, because there’s no other way we’ve currently found, within our budget. We’ve contracted for shadow IT services we can put data into.”
While this option, as they explained, was adopted for budgetary reasons, it is still by no means a low-cost solution. It will only work if all the necessary staff are trained and ready; and achieving and maintaining that level of readiness places significant demands on internal resources.
Dynamite!
An interesting side-discussion blew up around insurance – with some leaders arguing it was a pointless waste of money, impossible to be sure that coverage would work until after an attack, and that being the worst time to find out that some loophole or other had been found in the coverage; while others strongly advocated for the forensic capability and expertise that cyberinsurance providers are able to deploy, at no cost to the business, in the aftermath of an attack. But another topic that provoked lively exchanges was on when, and to what extent, ransomware attacks could stray from being a threat to businesses, and into territory where states may start to think about designating them as terrorism.
“All ransomware is a crime, and some of it is terrorism,” Kaiser said. “In U.S. law, and the definitions there, we believe it would meet the threshold for terrorism if ransomware was targeting a hospital.”
But designating ransomware as terrorism – even if it was something that cybersecurity leaders were in a position to do; which, of course, they are not – is by no means a straightforwardly beneficial proposition. As Kaiser noted, doing so might well provoke attack groups to “change their calculus.”
If a ransomware attack on a particular industry or sector were to be considered terrorism, and the individuals who carried it out were to be charged with that crime, perhaps the efforts put in to identifying and apprehending suspects would be intensified, cross-border law-enforcement collaboration might be given a higher priority, and the penalties for those caught and tried would be significantly increased. But it is unlikely that a threat actor would respond to that by ceasing operations completely: more likely, they would redirect their efforts onto sectors where an attack would not be considered terrorism. So while there would be clear social benefits, there would also be considerable costs – which would fall on businesses operating outside critical services and infrastructure.
Additionally, as other attendees argued, the detail of any such designation would be key – both for any deterrent effect to prove meaningful, and to ensure that increased risk outside critical sectors wouldn’t end up having knock-on effects that were just as disruptive.
“We’ve designated more and more operators as being ‘essential services’,” one security leader said, referring to consideration given to what constitutes critical national infrastructure in the UK.
“There used to be a line that was clear – ‘We are CNI, you aren’t,’,” another leader said. “Smaller organisations would wonder, ‘Why would anybody attack us?'”
The answer, a third leader suggested, was pretty obvious:
“If you’re very well hardened, the attackers go a level down.”
Then risk there may well be greater, even if the initial reward in cash terms for the ransomware gangs is going to be smaller. But one of the big changes Kaiser says Halcyon are seeing is that threat actors are targeting small and medium-sized firms more often than they once were – four times as many SMEs are getting hit now compared to large businesses, she said. And if a sub-supplier to a CNI entity gets taken down, the ripple effects on their CNI customer could be just as damaging as if the critical industry had been targeted in the first place.
Livin’ In A New World
If the considerations that need to be assessed before a nation decides to designate ransomware attacks as terrorism are complicated, so too are the decisions each of us make in how we talk about the topic. One CISO spoke about how their enterprise has benefitted hugely from having internal presentations made by a few brave souls whose companies were hit by ransomware, and who have chosen to share their experiences with others as a means to – hopefully – helping ensure what happened to them is not repeated elsewhere. That kind of behaviour should be considered heroic: yet, as the CISO noted, so often the response towards victims of ransomware is very different. “When people get mugged, everyone is sympathetic,” they pointed out. “But when you get hit by ransomware, they’re not.”
“It’s important to treat victims as victims,” Kaiser agreed, her years in law-enforcement adding considerable weight to the observation. “It’s a really hard conversation, though,” she continued. “Some boards and C-suites ignore security advice – so perhaps it’s a reasonable feeling in those cases. We know adversaries are relentless, so if they want to get in, they will do eventually. But it’s up to us to hold people responsible if they haven’t done the easy things.”
Other leaders recognised that the tone of these conversations is very important, and can make a big difference – not just to managing relationships in the supply chain, but to achieving the best possible security for the business itself.
“We’ve spoken to our vendors on resilience quite a lot, and we keep saying we don’t want to blame anyone, but that we want to know what happened so we can fix it and prevent it happening again,” another security leader said. “With suppliers, this usually is OK: but if their business culture is different, it may not roll down the rest of the supply chain the way you would want it to.”
Use of language is important, too. Returning to the conundrum of whether or not to designate ransomware as a form of terrorism, one CISO noted that, particularly in sectors such as healthcare or social services, terrorism may be received as “an angry, noisy word” which would perhaps end up closing conversations rather than causing people outside the SOC to think more about their physical and digital security.
“It’s very similar in the U.S.,” Kaiser acknowledged. “If I start talking about threat actors as terrorists, some people think it absolves them from doing better. We should dissuade ransomware groups from targeting life-critical entities, but it’s impossible to separate physical risk from cyber risk. To me, you have to make sure that if you’re using these words, it’s not going to allow anyone to think it lets them off from doing the basics.”