While hackers are constantly developing new methods to compromise confidential data and systems, one method remains tried and true; ransomware. In this session we define how ransomware operates, the impacts on business, and how to make sure you stay resilient.
[00:00:00.620] - Speaker 3
This is CyberSound, your simplified and fundamentals-focused source for all things in cybersecurity, with your hosts, Jason Pufahl and Steven Maresca.
[00:00:11.930] - Jason Pufahl
Welcome to the CyberSound podcast. I'm Jason Pufahl, the Vice President of Security Services for Vancord.
[00:00:17.890] - Steve Maresca
And I'm Steve Maresca, Senior Security Engineer.
[00:00:20.180] - Jason Pufahl
Today, we're going to spend time on what I would consider to be an epidemic in the cybersecurity space of ransomware. Probably something people have heard about, Colonial Pipeline brings ransomware to the forefront, certainly we see in the news all of the time. But I think the reality is a lot of folks listening probably don't know really how it starts, really what the potential impact of their business could be, and in some cases, maybe not even exactly what ransomware is. So that's probably the best place to start. Steve, give us a second on what that is.
[00:00:55.380] - Steve Maresca
So at the end of the day, ransomware is not especially complicated. It's essentially how an attacker keeps your data from you in a way that doesn't allow you to use it. And that's typically achieved using something like cryptography. It's no more complicated than that.
[00:01:11.600] - Jason Pufahl
So cryptography, meaning just encrypting data into a format that's unreadable?
[00:01:17.210] - Steve Maresca
[00:01:19.300] - Jason Pufahl
So what makes it so effective then? Because it seems like that would be something that organizations could protect themselves against. How does it start?
[00:01:28.120] - Steve Maresca
Generally speaking, attackers will try to send a phishing email, or they'll get the person to open up an attachment that they shouldn't. Certainly, in the last year, during a pandemic, many companies have opened up their network so that people can work from home. And if a password has been leaked or stolen, they'll get in that way because their networks are a bit more permissive than they used to be. The examples would be a VPN or remote desktop or anything that resembles them.
[00:01:58.160] - Jason Pufahl
So none of those techniques sound too sophisticated. But maybe we want to spend a minute on what phishing is for folks who might not be familiar with that. In the old days, when people talked about phishing, it was an email that somebody received that was full of all kinds of grammatical errors and misspellings, probably asking you to wire, or you may be the recipient of multiple millions of dollars from some individual in Africa. I think that's changed. So now we're seeing phishing emails that are written much more professionally, and very often, just trying to deceive or trick somebody into providing their credentials.
[00:02:40.480] - Jason Pufahl
It really does what it wanted to do.
[00:02:42.750] - Steve Maresca
Phishing emails today are really trying to convey a sense of urgency, a sense of fear. They're trying to get you to act in a way that supports the business. The message might purport to be from a supervisor or from a boss or a coworker, and you have a relationship that's established with that entity. And you, meaning to do well, try to respond or follow the direction that's requested of that email. And really, the attacker tries to get you to supply a username or a password or click a link that could be malicious.
[00:03:13.530] - Steve Maresca
It's as simple as that.
[00:03:14.920] - Jason Pufahl
Alright. So let's frame this a little bit then. So if you're a business, you have data and will be as generic as that. It might be classified data depending on the type of business you're in, or it really might be nothing more complicated than invoices or ordering information. And an attacker identifies you as an opportunity. What makes a company attractive to an attacker, potentially?
[00:03:41.950] - Steve Maresca
Well, so they don't start out in a way that is targeted, ultimately. Ransomware and like many other attacks, they're from an opportunity perspective. Attackers will initially cast a wide net, and they will try to enter a network. Once they have a foothold, they'll try to determine exactly what type of organization it is. At the end of the day, every company has HR records. At the bare minimum, that data is useful to an attacker for identity theft. But even if you don't, pretend you're in an organization that has ADP as a third party processing for all that information, for example, you may not have that data stored, but you have file shares, you have data.
[00:04:25.360] - Steve Maresca
In some systems, you have workstations that deal with documents.
[00:04:28.540] - Steve Maresca
The odds are extraordinarily good that if that data is encrypted and no longer accessible to staff or processes, for example, for label printing or shipping, business stops. And that's all that's needed to really make extortion effective because it impacts revenue, it impacts the reputation of an organization, and it stops the business from functioning.
[00:04:54.640] - Jason Pufahl
So in a lot of ways then, this is nothing more than opportunistic. So they'll send, potentially, what appears to be a reasonably targeted email, because it may be, but they'll just handcraft those for a handful of companies. Whoever happens to fall for it will be their victim or their target. They're not really looking for data, particularly in many cases. It's all about encrypting the data, rendering an unusable, stopping business from happening, and incentivizing you to basically pay them to get your data back or your access back.
[00:05:29.750] - Steve Maresca
Exactly. And ransomware gangs operate in phases and in teams. There's the group that tries to get access to an organization first., They'll send out the messages to thousands of organizations. They'll get a 5 percent success rate. And of them, they have a few that seem like worthwhile to target. They hand that over to another group and they perform the actual encryption activity. That's the way they flow.
[00:05:56.430] - Jason Pufahl
One thing that I think is worth pointing out, because a lot of people that I talk with always come from the position of, it won't happen to me, either my data isn't important, my company is too small, I'm not an attractive target, for whatever reason. Our experience has shown that in all of the incident response work that we've done, 95 percent of them are as a result of ransomware, either successfully deployed or maybe caught in the active deploying. But the reality is, only a handful of the incident response work that we've done has been, what I would describe is, a very targeted attack for the purpose of getting some specific data.
[00:06:38.350] - Jason Pufahl
Generally, we're responding to ransomware events. And the ransomware events for ten-person companies, hundred-person companies, maybe up to a thousand, it's really that ballpark we work in, but they don't discriminate. It really doesn't matter the size. It's all about getting that foothold and locking them up, making some money quickly.
[00:06:58.710] - Steve Maresca
And it's worth also remembering that individuals at home, you're not immune. Ransomware, CryptoLocker — those are examples of things that affected people, and it's not uncommon to hear that personal photos are encrypted. It's less common today because the profit motive is strong. There's an incentive to target companies and extort them. But the truth is that, because the target is broad and they may encrypt anyone that's susceptible or willing to click a link, and it could be anyone that's affected.
[00:07:33.680] - Jason Pufahl
So let's go back in time a bit. In a previous episode, we discussed the idea of fundamentals. I think those are largely applicable to the defense capability and organization has against ransomware. So you started by saying companies transition to a largely remote work environment. In some cases, that meant simply opening firewall ports or enabling access from the outside to the inside more permissive than they normally would. That's an obvious attack vector for these cyber actors. Right?
[00:08:09.330] - Steve Maresca
Right. And we've certainly had multiple incidents where the causal factor was explicitly remote work and enablement of remote work. It's to further the business, to permit organizations to function. It's innocent. It's a reasonable business decision.
[00:08:26.400] - Jason Pufahl
Right. They have to work. And in that case, people had no choice but to transition quickly, to make decisions that might not be perfect.
[00:08:32.490] - Steve Maresca
Right. Exactly. In that vain, protecting, entering mechanisms into networks is really your chief goal in order to avoid this type of attack. There are lots of tools to do that. Proper firewalls, well-configured firewall rules, making sure that folks, if they have access into your network, have robust passwords and secondary defenses, like multi-factor, two-factor, whatever you might refer to it, the ability to enter a code when you're actually logging in. That type of technique will really defend a network against attack.
[00:09:08.240] - Jason Pufahl
Yeah. We've seen two-factor become much more of a standard practice in the last three or four years probably, to the point now, where I'd say, if you're not doing it, at least for those remote access capabilities, you're really putting yourself at risk unnecessarily because they're not really expensive to implement. They're not newly as owners to use as they were when they first came out. And they really offer legitimate protection against these types of attacks.
[00:09:35.380] - Steve Maresca
So it is worth pivoting a bit to say. If an organization does not permit remote access into the network, that doesn't mean they're immune to ransomware attacks. And a more fundamental defense against this type of incident would be, frankly, the deployment of robust backups because these are attacks-targeted, they interrupt access to data. And if you have a backup of the data that's been encrypted, you don't need to worry. You can restore it. You can move on.
[00:10:04.160] - Steve Maresca
If an organization doesn't have a robust backup infrastructure or backups at all. Because, let's be honest, the backup to a portable USB key or a portable hard drive is an adequate strategy for some companies. If you don't have that, then you're forced to recover the data or to fight back against attackers in a way that it's very expensive and may not receive the benefit of restoring all of that information.
[00:10:28.300] - Jason Pufahl
Right. So again, we're really talking about risk mitigation. Because even with the backup, if an attacker does successfully encrypt your data, you're still forced with some downtime. You've still got your recovery period that you have to go through, but it dramatically changes the feel of an incident. In the sense that if you're having a conversation with somebody who's gone through one of these, the idea that you've got your data in an accessible format reduces a lot of stress, reduces a lot of anxiety, gives you confidence that you don't have to negotiate with these attackers.
[00:11:04.200] - Jason Pufahl
It still may take a couple of days, it may take a week, but at least you know that you can recover. And that's the huge difference between having backups and not.
[00:11:12.780] - Steve Maresca
Right. The availability of some backup data is the dividing line between a very extensive, drawn-out incident that's expensive or something you can, frankly, put past you in a few days. At the same time, it's important to prepare organizationally for the possibility of such an event. We strongly encourage anyone listening to pursue cyber liability policies because they are very helpful in a variety of it. They will pay claims if you need to engage in incident response firm in order to defend against attackers that are in your network or to help restore from such an attack.
[00:11:51.880] - Steve Maresca
But they have other benefits as well. Without a doubt, incidence affecting data means that you may need to notify for disclosure of data that's sensitive or otherwise regulated. If that's the case, cyber liability insurance and the legal teams that are associated with it, as part of your policy, will innately help with responding to the tail end of an incident, even if your backups are extraordinarily robust, and enable you to get back to business quickly.
[00:12:21.140] - Jason Pufahl
So I'm a huge fan of cyber liability insurance. And in fact, we'll discuss that in more detail in an upcoming podcast. The one thing that I always like to tell people, though, is cyber liability insurance is not a substitute for a security program. And unfortunately, we see that all of the time where there's a limited budget, a decision might be made to purchase insurance policy rather than doing some of those more protective tools or deploying some of those protective capabilities. It's a combination of all of those.
[00:12:58.880] - Jason Pufahl
One thing is never a total substitute for another. Everything's a decision. Everybody's got limited budgets. You have to figure out where to spend that. Cyber liability Insurance, though, is never a total substitute for other more reasonable measures.
[00:13:12.510] - Steve Maresca
And as we'll cover that in a future episode, I'm confident we'll discuss some of the requirements that insurers are placing upon policyholders, such as defensive tools, defensive actions in order to facilitate claims and keep premiums low.
[00:13:26.440] - Jason Pufahl
Taking proactive steps is in everybody's best interest. We certainly know that incident response is much more expensive. The reactive capabilities are much more expensive than being proactive. Putting some thought into building a reasonable security program, doing those basics upfront really can reduce the likelihood of a successful ransomware attack. They are cheaper than doing it reactively. No question about that. It reduces the impact potentially to your business. We strongly advocate some forward-looking or forward-thinking security program development in lieu of just waiting for the bad thing to happen and then trying to recover.
[00:14:08.400] - Jason Pufahl
It's really stressful, really expensive. There's always some downtime, and nobody wants to go through that.
[00:14:15.220] - Steve Maresca
Our guess is that these incidents are here to stay in some form or another, and you might as well be prepared for them.
[00:14:20.860] - Jason Pufahl
So with that, I think we're roughly up against our time. We could certainly spend a lot more time regaling the audience with tails from the transition around incident response. Maybe we'll do that in an upcoming podcast. If anybody's interested in something like that, we're happy to talk about real events or real attacks that we've seen in a real recovery work that we've done. They make for interesting stories. I think they really drive home the risk to organizations around this. But with that, I think we'll look forward to talking again in the future, probably about cyber liability insurance.
[00:14:56.140] - Jason Pufahl
[00:15:00.610] - Speaker 3
Stay vigilant. Stay resilient. This has been CyberSound.