Dark Reading is part of the Informa Tech Division of Informa PLC

6/14/2021
10:00 AM
Michael Daniel
Commentary

Know Thy Enemy: Fighting Half-Blind Against Ransomware Won't Work

We lack reliable, representative, actionable data about ransomware's actual scope, scale, and impact. The Ransom Incident Response Network could change that.

Ransomware has grown up. Once just a cybercrime nuisance that affected individual computers with payment demands of a few hundred dollars, ransomware attacks now impact whole corporate networks, generate payment demands in the millions, and even disrupt our daily lives. 

The perpetrators behind this type of crime have become highly organized and diversified, employing a complex ecosystem of support infrastructure to manage payments, targeting, software, and other aspects of the "business."

Ransomware is now a threat to our national security, public health and safety, and economic prosperity.

Because the threat posed by ransomware has changed, our response must change as well. We need to elevate our ransomware response to the national security level, and to do that, we must close the information-sharing gap on this growing threat.

A national security-level response is focused, aggressive, prioritized, broad, collaborative, and sustained. However, the events of the last few months — from the attacks on Colonial Pipeline to the Irish Health Service to the JBS meat processing company — clearly demonstrate that what governments and the cybersecurity industry have been doing to combat ransomware isn't yet at the level of a national security response. 

The recent report by the Ransomware Task Force, which is composed of a team of more than 60 industry and government experts, lays out nearly 50 recommendations that would generate a national security-level response that matches the ransomware threat. If fully implemented, the resulting actions would change the trajectory of ransomware and blunt its effects on our society.

Credit: santiago silver via Adobe Stock

While the report's recommendations are interlocking and meant to be implemented as a package, one element worth drawing attention to is the creation of the Ransom Incident Response Network (RIRN).  

Despite the volume of blog posts from security companies about ransomware, we lack reliable, representative, actionable data about ransomware's actual scope, scale, and impact. How many organizations pay ransoms? What are the key nodes in the criminal ecosystem? Are paying organizations more likely to be targeted again? Are there trends in which types of companies are targeted? No one knows the answers to these questions from a systemic point of view. 

Further, information about ransomware threats does not reach all the organizations that it should, whether private sector companies or government agencies. Without high-quality, timely threat information, we cannot effectively deter, disrupt, prepare for, or respond to ransomware attacks.   

We also know from bitter experience that simply identifying an information-sharing need will not fill the gap. The cybersecurity industry has talked about information sharing for years, but doing it usually proves challenging.

That failure is typically due to flawed assumptions about how information sharing works. Instead of assuming the only relevant information is technical cyber data, we need to broaden our thinking to go beyond indicators of compromise to include different types of cyber-threat information, such as warnings about possible attacks or defensive mitigation techniques that will thwart intruders.  

Rather than asking every organization to produce and consume technical cyber data, we should take each organization's comparative advantage into account and recognize that business relevance will drive sharing.

We shouldn't assume that this project will be easy. Information sharing requires commitment, time, and resources to be effective.  

To tackle the ransomware information-sharing gap, the cybersecurity industry should establish the RIRN, as called for in the Ransomware Task Force report. The RIRN would serve several functions, including the receipt and sharing of incident reports, directing organizations to incident response services, aggregating data, and sharing alerts about ongoing threats. 

The RIRN should develop standard reporting formats based on existing standards to make automated sharing possible, and it should adopt business processes that avoid double-counting data, protect privacy, and focus on the value proposition to participants. This network should include nonprofits, cybersecurity vendors, insurance providers, incident responders, and government agencies. 

A functioning RIRN would help close the information gap that inhibits our response to ransomware. We should build such a network based on the lessons learned from past information sharing initiatives, thereby avoiding the usual flaws that undermine such efforts. The cybersecurity industry shouldn't wait for the government to take the lead. We can create the network now and invite governments to join something that already exists. 

While governments need to lead the overall national security response to ransomware, the private and nonprofit sectors should take a leadership role in several areas, particularly in creating an information-sharing network.

The Cyber Threat Alliance, the nonprofit I run, is committed to making a Ransomware Incident Response Network a reality. We will build on our experience in cyber-threat intelligence sharing to help make the RIRN viable from the start.

Michael Daniel serves as the President & CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables high-quality cyber-threat information sharing among cybersecurity organizations. Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, ...