Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
10:00 AM
Michael Daniel
Michael Daniel
Connect Directly
E-Mail vvv

Know Thy Enemy: Fighting Half-Blind Against Ransomware Won't Work

We lack reliable, representative, actionable data about ransomware's actual scope, scale, and impact. The Ransom Incident Response Network could change that.

Ransomware has grown up. Once just a cybercrime nuisance that affected individual computers with payment demands of a few hundred dollars, ransomware attacks now impact whole corporate networks, generate payment demands in the millions, and even disrupt our daily lives. 

Related Content:

The True Cost of a Ransomware Attack

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

The perpetrators behind this type of crime have become highly organized and diversified, employing a complex ecosystem of support infrastructure to manage payments, targeting, software, and other aspects of the "business."

Ransomware is now a threat to our national security, public health and safety, and economic prosperity.

Because the threat posed by ransomware has changed, our response must change as well. We need to elevate our ransomware response to the national security level, and to do that, we must close the information-sharing gap on this growing threat.

A national security-level response is focused, aggressive, prioritized, broad, collaborative, and sustained. However, the events of the last few months — from the attacks on Colonial Pipeline to the Irish Health Service to the JBS meat processing company — clearly demonstrate that what governments and the cybersecurity industry have been doing to combat ransomware isn't yet at the level of a national security response. 

The recent report by the Ransomware Task Force, which is composed of a team of more than 60 industry and government experts, lays out nearly 50 recommendations that would generate a national security-level response that matches the ransomware threat. If fully implemented, the resulting actions would change the trajectory of ransomware and blunt its effects on our society.

Credit: santiago silver via Adobe Stock
Credit: santiago silver via Adobe Stock

While the report's recommendations are interlocking and meant to be implemented as a package, one element worth drawing attention to is the creation of the Ransom Incident Response Network (RIRN).  

Despite the volume of blog posts from security companies about ransomware, we lack reliable, representative, actionable data about ransomware's actual scope, scale, and impact. How many organizations pay ransoms? What are the key nodes in the criminal ecosystem? Are paying organizations more likely to be targeted again? Are there trends in which types of companies are targeted? No one knows the answers to these questions from a systemic point of view. 

Further, information about ransomware threats does not reach all the organizations that it should, whether private sector companies or government agencies. Without high-quality, timely threat information, we cannot effectively deter, disrupt, prepare for, or respond to ransomware attacks.   

We also know from bitter experience that simply identifying an information-sharing need will not fill the gap. The cybersecurity industry has talked about information sharing for years, but doing it usually proves challenging.

That failure is typically due to flawed assumptions about how information sharing works. Instead of assuming the only relevant information is technical cyber data, we need to broaden our thinking to go beyond indicators of compromise to include different types of cyber-threat information, such as warnings about possible attacks or defensive mitigation techniques that will thwart intruders.  

Rather than asking every organization to produce and consume technical cyber data, we should take each organization's comparative advantage into account and recognize that business relevance will drive sharing.

We shouldn't assume that this project will be easy. Information sharing requires commitment, time, and resources to be effective.  

To tackle the ransomware information-sharing gap, the cybersecurity industry should establish the RIRN, as called for in the Ransomware Task Force report. The RIRN would serve several functions, including the receipt and sharing of incident reports, directing organizations to incident response services, aggregating data, and sharing alerts about ongoing threats. 

The RIRN should develop standard reporting formats based on existing standards to make automated sharing possible, and it should adopt business processes that avoid double-counting data, protect privacy, and focus on the value proposition to participants. This network should include nonprofits, cybersecurity vendors, insurance providers, incident responders, and government agencies. 

A functioning RIRN would help close the information gap that inhibits our response to ransomware. We should build such a network based on the lessons learned from past information sharing initiatives, thereby avoiding the usual flaws that undermine such efforts. The cybersecurity industry shouldn't wait for the government to take the lead. We can create the network now and invite governments to join something that already exists. 

While governments need to lead the overall national security response to ransomware, the private and nonprofit sectors should take a leadership role in several areas, particularly in creating an information-sharing network.

The Cyber Threat Alliance, the nonprofit I run, is committed to making a Ransomware Incident Response Network a reality. We will build on our experience in cyber-threat intelligence sharing to help make the RIRN viable from the start.

Michael Daniel serves as the President & CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables high-quality cyber-threat information sharing among cybersecurity organizations.  Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-03
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that "exploiting thi...
PUBLISHED: 2023-02-03
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of ...
PUBLISHED: 2023-02-03
An issue in NoMachine before v8.2.3 allows attackers to execute arbitrary commands via a crafted .nxs file.
PUBLISHED: 2023-02-03
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are...
PUBLISHED: 2023-02-03
All versions prior to Delta Electronic’s CNCSoft version 1.01.34 (running ScreenEditor versions 1.01.5 and prior) are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code.