The world of malware and cyberthreats has grown significantly since the early 90's, when PC Cyborg, the first known ransomware attack, occurred. Distributed by a disgruntled biologist on 20,000 floppy disks, it reached healthcare organizations across 90 countries, whose computers were affected intermittently once they had been powered on for the 90th time. The message demanded an initial payment of $189, with another $378 for a software lease. Fast forward to the present day: the years of floppy disks are behind us, and as the world's technological prowess rises, so too does the desire of some to meet and beat this evolution on its own turf. Cybercriminals and their threats are increasing in maturity. From the 2017 WannaCry ransomware attack mentioned below, which impacted the National Health Service (NHS), to Atlanta's SamSam ransomware event, the cost and impact have grown. In the 2018 SamSam event the ransom demand was $51,000, but estimates of the lost productivity and subsequent clean-up costs continue to vary. Add NotPetya and cryptomining to the cyber threats of the past few years, and how can enterprise security practices continue to keep up? Is this a losing game? I say no. Now is the time to: 1) leverage practices from other industry mitigations, and 2) fight fire with fire.
Leverage Practices: Business Continuity
A significant practice that can complement cybersecurity is Business Continuity (BC). Within BC, two aspects should be noted: Business Recovery (BR), focused on business process, and Disaster Recovery (DR), focused on technology. Related DR work includes the planning required to support protective measures such as a firewall, which prevents unauthorized access and reduces the potential for intentional disruptive acts. Direct DR efforts include securing a backup of critical data, stored offsite, should restoration be required. What then is the recourse when that access is compromised and the backup corrupted because a cyber threat has impacted both production and backup? Case in point: the WannaCry ransomware attacks. In these instances a well-rounded business continuity strategy, bringing to bear both the BR and DR aspects, can help.

Conducting a Business Impact Analysis (BIA) identifies which services, if impacted by a business interruption, would expose the organization to significant reputational, operational, legal and financial risk. The message here is prioritization: not everything has to be, or can be, recovered at once. Addressing the most critical services first, and understanding the dependencies and requirements needed to recover them within "x" time, is a step towards reducing the effect of the overall event. Any single points of failure (including single backup strategies) must be identified, and steps taken to proactively document alternate options that offer a different path to successful recovery. Testing and exercising these paths, as per the documented BC plan, is an action not to be left undone. The opportunity to identify controls, gaps and challenges, in alignment with the threats to which the organization is most vulnerable, in a safe environment, will add to the plan and strengthen organizational resiliency.
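The prioritization, dependency and single-point-of-failure points above, worked through as a small BIA model. This is an added example, not part of the original post; the service names, RTOs, impact scores and backup locations are constructed for illustration.

```python
from collections import namedtuple

# Constructed inventory for illustration: rto_hours is the recovery time objective,
# impact scores reputational/operational/legal/financial harm (1 low .. 5 high).
Service = namedtuple("Service", "name rto_hours impact depends_on backups")

INVENTORY = [
    Service("directory",   2, 5, [],             ["tape-offsite", "cloud-snapshot"]),
    Service("patient-db",  4, 5, ["directory"],  ["nas-onsite"]),                  # one backup copy
    Service("ehr-web",     2, 4, ["patient-db"], ["cloud-snapshot"]),              # one backup copy
    Service("billing",    24, 3, ["patient-db"], ["tape-offsite", "nas-onsite"]),
    Service("intranet",   72, 1, ["directory"],  []),                              # no backup at all
]

def single_points_of_failure(inventory):
    """Services whose restoration depends on a single backup copy, or none at all."""
    return sorted(s.name for s in inventory if len(s.backups) < 2)

def rto_at_risk(inventory):
    """Services whose own RTO is shorter than that of something they depend on:
    they cannot meet their objective until the slower dependency is back."""
    by_name = {s.name: s for s in inventory}
    return sorted(s.name for s in inventory
                  if any(by_name[d].rto_hours > s.rto_hours for d in s.depends_on))

def recovery_order(inventory):
    """Restore the most urgent service first (shortest RTO, then highest impact),
    but never before the dependencies it needs are themselves restored."""
    ordered, done = [], set()
    remaining = sorted(inventory, key=lambda s: (s.rto_hours, -s.impact))
    while remaining:
        ready = [s for s in remaining if set(s.depends_on) <= done]
        if not ready:
            raise ValueError("dependency cycle or unknown dependency")
        nxt = ready[0]            # most urgent of those that can actually start now
        ordered.append(nxt.name)
        done.add(nxt.name)
        remaining.remove(nxt)
    return ordered

if __name__ == "__main__":
    print("recovery order:", recovery_order(INVENTORY))
    print("single points of failure:", single_points_of_failure(INVENTORY))
    print("RTO at risk from dependencies:", rto_at_risk(INVENTORY))
```

Note how ehr-web is the most urgent service by RTO yet cannot be restored until patient-db is, which is exactly the kind of dependency a BIA is meant to surface before an incident.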
Fight Fire with Fire: Artificial Intelligence (AI)
With the growing reliance on the Internet of Things (IoT), the seamless ease of use of these devices can be considered a convenience, but this Artificial Intelligence (AI) carries more risk with it. Given that widespread use, it is the responsibility of the organization not only to develop policies, standards and procedures in support of protective measures, but to provide awareness and training on them. Whether the threat actors are individuals or nation states, whether financially or politically motivated, whether intentional or not, controls should incorporate automated AI in addition to manual ones. The Emotet cyber threat is an example: threat actors stole emails from existing threads so that the messages used in their phishing attacks would be more credible. To continue to counter these iterative cybercriminal enhancements, monitoring systems that detect anomalies in employee actions, permissions, access attempts and so on need to be implemented. In addition, human interaction must remain present to determine the most appropriate response to those anomalies and to incorporate learnings and decision making, if we are to keep up with this evolution.
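The anomaly monitoring with a human deciding the response, as an added example that is not from the original post: a per-user baseline is learned from a window of access-attempt logs and deviations are queued with a reason for an analyst instead of triggering an automatic block. The log lines, usernames and addresses are constructed samples.

```python
from collections import defaultdict

# Constructed sample logs: "timestamp user source result". The first window trains
# the per-user baseline; the second is the day under review.
BASELINE_LOG = """\
2024-03-04T08:55:10 alice 10.0.1.20 ok
2024-03-04T17:02:41 alice 10.0.1.20 ok
2024-03-05T09:10:03 alice 10.0.1.20 ok
2024-03-04T08:30:00 bob 10.0.2.31 ok
2024-03-05T08:45:12 bob 10.0.2.31 ok
"""
REVIEW_LOG = """\
2024-03-06T09:01:00 alice 10.0.1.20 ok
2024-03-06T02:14:33 alice 203.0.113.7 ok
2024-03-06T08:40:00 bob 10.0.2.31 fail
2024-03-06T08:40:05 bob 10.0.2.31 fail
2024-03-06T08:40:09 bob 10.0.2.31 fail
2024-03-06T08:40:12 bob 10.0.2.31 fail
2024-03-06T08:40:20 bob 10.0.2.31 ok
"""

def parse(log):
    for line in log.splitlines():
        ts, user, src, result = line.split()
        yield ts, user, src, result

def learn_baseline(log):
    """Per user: the source addresses and login hours seen in the learning window."""
    base = defaultdict(lambda: {"sources": set(), "hours": set()})
    for ts, user, src, _ in parse(log):
        base[user]["sources"].add(src)
        base[user]["hours"].add(int(ts[11:13]))
    return base

def review_queue(baseline, log, fail_threshold=3):
    """Return (user, reason) findings for an analyst; nothing here blocks or locks anyone."""
    findings, streak = [], defaultdict(int)
    for ts, user, src, result in parse(log):
        known = baseline.get(user)
        if known is None:
            findings.append((user, "no baseline for this account"))
            continue
        if src not in known["sources"]:
            findings.append((user, f"new source {src}"))
        if int(ts[11:13]) not in known["hours"]:
            findings.append((user, f"unusual hour {ts[11:13]}:00"))
        streak[user] = streak[user] + 1 if result == "fail" else 0
        if streak[user] == fail_threshold:
            findings.append((user, f"{fail_threshold} consecutive failures"))
    return findings
```

Run `review_queue(learn_baseline(BASELINE_LOG), REVIEW_LOG)` to get the analyst queue; each finding carries the reason so the human reviewer can decide whether it is a travelling employee, a mistyped password or something that needs a response.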
Whether the cybercrime is holding data to ransom prior to the release of encryption keys, or lying in wait for a time to execute a worm or virus, one certainty is that these events will continue. The other certainty is that our responses must be faster, and just as targeted as the attack. Sharpening standard operating procedures, consistently applying patches and system upgrades in a timely fashion, and being forward-looking by applying AI growth to our mitigation tactics as well as to our infrastructure growth, is no longer an option but a necessity. That is the marriage of planning and implementation: BC and cybersecurity. As stated by Alan Lakein, "Planning is bringing the future into the present so that you can do something about it now."