Michael Daniel
Know Thy Enemy: Fighting Half-Blind Against Ransomware Won't Work

We lack reliable, representative, actionable data about ransomware's actual scope, scale, and impact. The Ransom Incident Response Network could change that.

Ransomware has grown up. Once just a cybercrime nuisance that affected individual computers with payment demands of a few hundred dollars, ransomware attacks now impact whole corporate networks, generate payment demands in the millions, and even disrupt our daily lives. 


The perpetrators behind this type of crime have become highly organized and diversified, employing a complex ecosystem of support infrastructure to manage payments, targeting, software, and other aspects of the "business."

Ransomware is now a threat to our national security, public health and safety, and economic prosperity.

Because the threat posed by ransomware has changed, our response must change as well. We need to elevate our ransomware response to the national security level, and to do that, we must close the information-sharing gap on this growing threat.

A national security-level response is focused, aggressive, prioritized, broad, collaborative, and sustained. However, the events of the last few months — from the attacks on Colonial Pipeline to the Irish Health Service to the JBS meat processing company — clearly demonstrate that what governments and the cybersecurity industry have been doing to combat ransomware isn't yet at the level of a national security response. 

The recent report by the Ransomware Task Force, which is composed of a team of more than 60 industry and government experts, lays out nearly 50 recommendations that would generate a national security-level response that matches the ransomware threat. If fully implemented, the resulting actions would change the trajectory of ransomware and blunt its effects on our society.

Credit: santiago silver via Adobe Stock

While the report's recommendations are interlocking and meant to be implemented as a package, one element worth drawing attention to is the creation of the Ransom Incident Response Network (RIRN).  

Despite the volume of blog posts from security companies about ransomware, we lack reliable, representative, actionable data about ransomware's actual scope, scale, and impact. How many organizations pay ransoms? What are the key nodes in the criminal ecosystem? Are paying organizations more likely to be targeted again? Are there trends in which types of companies are targeted? No one knows the answers to these questions from a systemic point of view. 

Further, information about ransomware threats does not reach all the organizations that it should, whether private sector companies or government agencies. Without high-quality, timely threat information, we cannot effectively deter, disrupt, prepare for, or respond to ransomware attacks.   

We also know from bitter experience that simply identifying an information-sharing need will not fill the gap. The cybersecurity industry has talked about information sharing for years, but doing it usually proves challenging.

That failure is typically due to flawed assumptions about how information sharing works. Instead of assuming the only relevant information is technical cyber data, we need to broaden our thinking to go beyond indicators of compromise to include different types of cyber-threat information, such as warnings about possible attacks or defensive mitigation techniques that will thwart intruders.  

Rather than asking every organization to produce and consume technical cyber data, we should take each organization's comparative advantage into account and recognize that business relevance will drive sharing.

We shouldn't assume that this project will be easy. Information sharing requires commitment, time, and resources to be effective.  

To tackle the ransomware information-sharing gap, the cybersecurity industry should establish the RIRN, as called for in the Ransomware Task Force report. The RIRN would serve several functions, including the receipt and sharing of incident reports, directing organizations to incident response services, aggregating data, and sharing alerts about ongoing threats. 

The RIRN should develop standard reporting formats based on existing standards to make automated sharing possible, and it should adopt business processes that avoid double-counting data, protect privacy, and focus on the value proposition to participants. This network should include nonprofits, cybersecurity vendors, insurance providers, incident responders, and government agencies. 

A functioning RIRN would help close the information gap that inhibits our response to ransomware. We should build such a network based on the lessons learned from past information-sharing initiatives, thereby avoiding the usual flaws that undermine such efforts. The cybersecurity industry shouldn't wait for the government to take the lead. We can create the network now and invite governments to join something that already exists.

While governments need to lead the overall national security response to ransomware, the private and nonprofit sectors should take a leadership role in several areas, particularly in creating an information-sharing network.

The Cyber Threat Alliance, the nonprofit I run, is committed to making a Ransomware Incident Response Network a reality. We will build on our experience in cyber-threat intelligence sharing to help make the RIRN viable from the start.

Michael Daniel serves as the President & CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables high-quality cyber-threat information sharing among cybersecurity organizations. Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, ...