The White House has issued an open letter to companies, urging them to take immediate steps to prepare for ransomware attacks, following a string of cyberattacks that have halted the operations of many companies.
In the memo, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, says, "The private sector also has a critical responsibility to protect against these threats. All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location. But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy. Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat."
The most important takeaway from the recent string of ransomware attacks is that they pose a significant threat to the core business operations of organizations around the world, says Neuberger. Colonial Pipeline, which supplies around 45 percent of the East Coast's fuel, temporarily shut down its operations last month after a ransomware attack carried out by a Russian-based criminal group targeted some of its data. JBS USA, the nation’s largest beef supplier, was hit by a similar ransomware attack this week that is believed to have also originated from Russia.
"To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations," Neuberger says.
Neuberger also lists five best practices from the President's Executive Order, aimed at reducing the risk of a successful cyberattack:
- Backup your date, system images, and configurations, regularly test them, and keep the backups offline
- Update and patch systems promptly
- Test your incident response plan
- Check your security team's work
- Segment your networks
"We urge you to take these critical steps to protect your organizations and the American public," Neuberger says. "The U.S. Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility. The federal government stand ready to help you implement these best practices."
Curious about what other cybersecurity leaders have to say about the open letter? Keep reading to find out!
Bill O’Neill, Vice President, Public Sector at ThycoticCentrify, a Washington D.C. based provider of cloud identity security solutions:
Over the past year, our schools, law enforcement agencies, unemployment offices, healthcare systems, and our nation’s critical infrastructure have been ravaged by cyberattacks, and its victims have paid millions of dollars in ransom that they simply do not have. Furthermore, many of these cyber victims may never again gain access to the critical data they have lost.
More than ever, our digital global economy has become interdependent on the internet, which has directly led to a significant increase in cyber attacks to consumers, businesses and governments alike. This trend was evidenced recently in the Colonial Pipeline Company and JBS USA ransomware attacks. These incidents are not only a disruption to the companies attack but a clear message that attackers want to disrupt the critical industries that keep our country running.
Attacks like these make it abundantly clear that we’re entering a new era of digital warfare. New research revealed that more than half of organizations have been grappling with the theft of legitimate, privileged credentials (53%) and insider threat attacks (52%) in the last 12 months, signaling more signs of concern.
To avoid experiencing losses attributed to the next ransomware attack, organizations can take these steps to minimize exposure to ransomware attacks:
- Invest in security awareness programs that educate employees on how to avoid spear-phishing attacks and detect potential ransomware.
- Keep anti-virus and anti-malware software updated with the latest signatures and perform regular scans.
- Frequently back up data to a non-connected environment and verify the integrity of those backups regularly.
- Implement Privileged Access Management (PAM) to control administrative user (i.e., sysadmins, DB admins, or user admins) access to critical and sensitive IT systems, applications, and workloads.
- Vault shared privileged accounts for emergency access only and enforce least privilege – just enough privilege, granted just-in-time, for a limited time.
John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider:
If this was an easy problem to solve, business leaders would have already solved it. More than any other threat, non-technical executives are familiar with ransomware by name and are already looking for solutions…a letter from a White House official isn’t going to change the game in the slightest. What the government can do, and is starting to already look at, is pressuring governments that harbor and turn a blind eye to ransomware, and to find ways to extract consequences from those who engage in such activity. Government needs to focus on their pieces of the solution and the things only they can do.
Jim Dolce, CEO at Lookout, a San Francisco, Calif.-based provider of mobile security solutions:
Advanced cyberattacks have evolved such that any organization in every industry can be targeted. The recent back-to-back ransomware attacks demonstrate that threat actors are no longer just state-sponsored organizations carrying out cyberespionage. There has been a trickle-down effect where advanced malware campaigns are available off-the-shelf to even relatively inexperienced attackers. This has primarily taken form in Malware-as-a-Service, which provides pre-built and easily customizable malware at relatively low cost. This includes advanced phishing kits that can be purchased for as little as $50.
Cyberattackers are rarely lone-wolf operations. Advanced persistent threat (APT) and ransomware groups exemplify how threat actors have become more organized. These groups operate like small businesses. They are methodical, and develop scalable and repeatable business models that they can hone until they find the model with the greatest success rate and profitability. With greater success, attackers use their profits to increase their war chest and deploy more advanced tools and techniques.
Traditional security measures cannot keep up with the advanced modern tactics used in these attacks. Threat actors are always trying to think a step ahead, and their tactics are constantly evolving. Security teams need to modernize their security posture by proactively implementing practices and tools across all corporate endpoints to mitigate the risk of these attacks before they can even get started.
The core issue that most organizations face in modern attacks is unauthorized access. With remote work being the reality for most organizations in the foreseeable future, having appropriate visibility into users and devices accessing corporate resources will continue to be a complex challenge. Very often, attackers use a phishing campaign to steal an employee’s login credentials to gain access without setting off any alarms. Another approach is to compromise the user’s device to install malware like a remote access trojan to enable access that goes undetected. Once the attacker gains access through one of these approaches, they move laterally throughout the infrastructure until they find valuable data to exfiltrate or encrypt as part of their ransomware attack.
Security teams need to implement a Zero Trust framework across their entire organization. Doing so will ensure that only users and devices with acceptable risk levels are permitted access. Access needs to be limited to only the apps and data needed to perform their work. To do this, organizations need a way to create granular access policies to both the network and any cloud-based SaaS apps or infrastructure. This prevents incidents caused by over-entitlement. In addition, security teams need a way to continuously monitor the risk profile of each user and device in order to dynamically adjust access based on risk.
Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security:
The two important pieces of advice that stand out are Testing Incident Response and Pen Testing. Often organizations treat their Incident Response plan like they treat their Business Continuity Plan – it is there and documented for compliance. We need to make a change here to treat the Incident Response plan much like a Fire Drill or an Earthquake Drill so that when the inevitable breach happens, the entire organization is clear on the first few steps and that will give them the time they need to counter the threat effectively rather than scrambling at the nth minute. As far as Penetration Testing is concerned, the memo should be updated to further emphasize penetration testing of production systems in a continuous manner – this is important because while the production systems may not change that often, the adversary and the threat landscape are fast evolving in an attempt to breach these production systems. Focusing on continuous production security testing of web, mobile and API applications should be non-negotiable.
The memo also re-iterates basic security fundamentals – MFA, Backups, Network Segmentation, EDR & Encryption. Where the memo falls short, much like the Executive Order, is to create an environment of incentives and disincentives for organizations to double down on these security fundamentals.
Finally, the memo hits upon the need for a skilled security team – this is one area where the gap is the largest between aspiration and reality. There are just not enough security personnel in the world to staff security teams in organizations today. What is needed is a combinatorial approach: accelerated and scaled-up security training in the country for security professionals plus training the general population about avoiding risky online behavior.
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions:
Anne Neuberger's memo to "corporate executives and business leaders" presents an opportunity for security leaders to move their security agenda forward. The extortion threat is a clear and present danger, and despite internal efforts, often, it takes external guidance to help justify budget and resources.
Security leaders should do the following. First, don't use ransomware as a "fear, uncertainty, and doubt" strategy to bend your business to your will. The FUD approach is destined to fail. Instead, take a measured, non-hyperbolic approach in explaining the threat and risks to your executive leadership. The current state of enterprise networks is analogous to patients with chronic illnesses like heart disease; it has taken years to get to this state. There isn't a magical intervention that will mitigate the risk overnight. We have to address the root causes of the illness, not just the symptoms. The Whitehouse's suggestions aren't cheap and will take time to implement; there is a very long tail to addressing the extortion threat.
Despite the prognosis and timeline, you can look for quick wins. Testing your incident response plan with an extortion tabletop exercise is something that organizations can immediately do. As many organizations will soon begin their 2022 budgeting process, now is the time to build the business case for any of the mitigations that aren't already in place. A tabletop exercise can help identify needed investments in people, processes, and technology. One comment that stands out to me from Neuberger's memo is the need for a "skilled, empowered security team." We so often focus on technology to solve our problems. Focus on your teams first; have dedicated training and development programs.
The memo ends with "the federal government stands ready to help you implement these best practices; "this is an interesting statement as many of the recommendations require significant investments in time and money. I don't see how the Federal government will help with the costs of implementing the recommended best practices.
Kunal Anand, Chief Technology Officer, Imperva:
It's highly unlikely that the majority of enterprises and small businesses in the U.S. will be able to do anything with the guidance from today’s White House memo. It assumes that every business has the technical acumen to understand these concepts and the resources to implement these guidelines.
The Federal government needs to step up – more than ever – to help businesses that are vulnerable and unaware of how to protect themselves from the growing volume of ransomware attacks and other cyber-attack risks.
Instead of focusing on defensive and reactive measures, the Biden administration needs to take a more effective position – aimed at providing tactical support and resources. The U.S. government should be looking at setting up departments that can help the private sector, or an Emergency Cybersecurity Center for broadcasting threats and attacks to everyone.
At a time when the nation is under siege by ransomware attacks that are disrupting daily life, the U.S. Government needs to ask industry leaders to donate their time – whether it’s helping provide recommendations, setting up resource groups, etc. This should be seen as a patriotic duty.
Eric Greenwald, General Counsel at Finite State, and former cybersecurity official with the Obama administration:
This executive order signals to private industry that the tide has turned. The U.S. government is ready to lean forward in imposing cybersecurity requirements.
While the requirements will only be enforceable with respect to companies that sell software to the U.S. government, we expect these requirements to become generally accepted best practices broadly across the software industry.
In the same way that California's auto emission standards are applied to car sales everywhere in the United States, we expect to see some "trickle down" effect. We hope that an environment in which some software vendors are complying with the Executive Order requirements will result in a "race to the top," where other vendors will see their lack of compliance as a competitive disadvantage in the broader marketplace.
For decades, software vendors have been able to engage in "security theater" - responding to security questionnaires and offering general representations about security practices without genuine transparency. That is, they will fail to provide machine-readable information about their products or present independently verifiable security testing results. It's likely that these vendors are going to have to prove what they've been saying about their security for all these years.
The EO is designed to prevent attacks by first imposing specific security testing requirements that should help reveal the extent to which software products are vulnerable. (These standards have yet to be issued, so we will need to wait to assess exactly how, and how well, they will perform this function.)
Second, the EO will require software vendors to be transparent about their software development practices and the results of the required security testing. The testing requirements and transparency should motivate software vendors to institute secure software development practices, which should reduce the incidence/severity of cyber attacks.
Further, because this information will be available in the procurement process, the U.S. government will be empowered to make better risk-management decisions in purchasing software. Where the software is to perform a critical function, competing products can be assessed based on their relative security merits.