1 January 2021
This morning I read the transcript of the Threatpost webinar ” What’s Next for Ransomware”.[1] Becky Bracken hosted the webinar some weeks ago, panelists were Limor Kessem (IBM Security), Allie Mellen (Cyberreason) and Austin Merritt (Digital Shadows). The discussion focused on incident response:
“While IT departments will undoubtedly lead efforts to shore up defenses against attacks, including backups, patching, updating and employee-awareness training, our panel of experts agree that preparing a critical-response plan which includes the entire organization — from the executives on down the org chart — is the best way to minimize cost, damage and downtime.”
Having a well-crafted and trained incident response plan in place is, from my point of view, an indispensable means to recover from all kind of cyber-attacks. But is it “the best way to minimize cost, damage and downtime” in the case of Ransomware?
Response plans come into play when a ransomware attack is detected. But during the time until detection, the ransomware may cause damage to the network and the data. Once detected, incident response kicks in by taking appropriate actions to
- containing the attack,
- investigating the network for yet undetected instances of the ransomware,
- repairing the already done damage, etc.
This is close to Gartner’s[2] approach to defend ransomware, so industry standard. But is this reactive approach the best way to minimize the economic impact of an attack?
The Cyber Security and Infrastructure Security Agency (CISA) describes in its Ransomware Guide[3] a more preventive approach. Backup, patching, cyber-hygiene, awareness training and cyber incident response plan are the building blocks. In addition, CISA recommends to “Use application directory allowlisting on all assets to ensure that only authorized software can run, and all unauthorized software is blocked from executing”.[3] This is a clear step towards prevention of attacks. Since ransomware comes from external sources e.g., through internet, e-mail, usb-devices, it commonly is not part of the allow-list, thus blocked.
The Department of Homeland Security (DHS) goes one step further in its 2016 published paper “Seven Strategies to Defende ICS”.[4] The first strategy is “Implement Application Whitelisting” because it “can detect and prevent attempted execution of malware uploaded by adversaries”.
Finally, the Australian Cyber Security Centre (ACSC) recommends Application Whitelisting as Number One of Essential Eight[5][6] strategies to prevent malware delivery and execution.
Neither Gartner nor the experts in the Threatpost webinar mentioned preventive controls to deal with ransomware. DHS and ACSC recommend them as central part of a cyber-security strategy.
From my point of view, application whitelisting is a must have to minimize the economic impact of an attack. If execution of malware is prevented, the costs to cleanup and recover from a ransomware attack are minimized.
The baseline security costs are for certain increased because application whitelisting solutions must be managed like any other application. This holds even if the Windows built-in tools AppLocker or Software Restriction Policies are used. But this will be balanced by the fact that application whitelisting will prevent also zero-day malware or PUA from execution.
CISA and ACSC provide useful hints on dealing with ransomware without big invest in new tools. It makes sense to take them into account when revising your security roadmap for 2021.
Happy New Year!
And have a great weekend.
[1] Bracken B. What’s Next for Ransomware in 2021? [Internet]. threatpost. 2020 [zitiert 1. Januar 2021]. Verfügbar unter: https://threatpost.com/ransomware-getting-ahead-inevitable-attack/162655/
[2] Sakpal M, Webber P. 6 Ways to Defend Against a Ransomware Attack [Internet]. Smarter with Gartner. 2020 [zitiert 1. Januar 2021]. Verfügbar unter: https://www.gartner.com/smarterwithgartner/6-ways-to-defend-against-a-ransomware-attack/
[3] Cyber Security and Infrastructure Security Agency. Ransomware Guide [Internet]. CISA Publications Library. 2020 [zitiert 8. Oktober 2020]. Verfügbar unter: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
[4] U.S. Department of Homeland Security. Seven Strategies to Defend ICSs [Internet]. DoD’s Environmental Research Programs. 2016 [zitiert 13. Oktober 2020]. Verfügbar unter: https://www.serdp-estcp.org/serdp-estcp/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Resources-Tools-and-Publications/Resources-and-Tools-Files/DHS-ICS-CERT-FBI-and-NSA-Seven-Steps-to-Effectively-Defend-Industrial-Control-Systems
[5] Australian Cyber Security Center. Strategies to Mitigate Cyber Security Incidents [Internet]. 2017 [zitiert 1. Dezember 2020]. Verfügbar unter: https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents
[6] Australian Cyber Security Center. Essential Eight Explained [Internet]. [zitiert 1. Dezember 2020]. Verfügbar unter: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained
IT Security Matters 