Michael Daniel
Know Thy Enemy: Fighting Half-Blind Against Ransomware Won't Work

We lack reliable, representative, actionable data about ransomware's actual scope, scale, and impact. The Ransom Incident Response Network could change that.

Ransomware has grown up. Once just a cybercrime nuisance that affected individual computers with payment demands of a few hundred dollars, ransomware attacks now impact whole corporate networks, generate payment demands in the millions, and even disrupt our daily lives. 


The perpetrators behind this type of crime have become highly organized and diversified, employing a complex ecosystem of support infrastructure to manage payments, targeting, software, and other aspects of the "business."

Ransomware is now a threat to our national security, public health and safety, and economic prosperity.

Because the threat posed by ransomware has changed, our response must change as well. We need to elevate our ransomware response to the national security level, and to do that, we must close the information-sharing gap on this growing threat.

A national security-level response is focused, aggressive, prioritized, broad, collaborative, and sustained. However, the events of the last few months — from the attacks on Colonial Pipeline to the Irish Health Service to the JBS meat processing company — clearly demonstrate that what governments and the cybersecurity industry have been doing to combat ransomware isn't yet at the level of a national security response. 

The recent report by the Ransomware Task Force, which is composed of a team of more than 60 industry and government experts, lays out nearly 50 recommendations that would generate a national security-level response that matches the ransomware threat. If fully implemented, the resulting actions would change the trajectory of ransomware and blunt its effects on our society.

Credit: santiago silver via Adobe Stock

While the report's recommendations are interlocking and meant to be implemented as a package, one element worth drawing attention to is the creation of the Ransom Incident Response Network (RIRN).  

Despite the volume of blog posts from security companies about ransomware, we lack reliable, representative, actionable data about ransomware's actual scope, scale, and impact. How many organizations pay ransoms? What are the key nodes in the criminal ecosystem? Are paying organizations more likely to be targeted again? Are there trends in which types of companies are targeted? No one knows the answers to these questions from a systemic point of view. 

Further, information about ransomware threats does not reach all the organizations that it should, whether private sector companies or government agencies. Without high-quality, timely threat information, we cannot effectively deter, disrupt, prepare for, or respond to ransomware attacks.   

We also know from bitter experience that simply identifying an information-sharing need will not fill the gap. The cybersecurity industry has talked about information sharing for years, but doing it usually proves challenging.

That failure is typically due to flawed assumptions about how information sharing works. Instead of assuming the only relevant information is technical cyber data, we need to broaden our thinking to go beyond indicators of compromise to include different types of cyber-threat information, such as warnings about possible attacks or defensive mitigation techniques that will thwart intruders.  

Rather than asking every organization to produce and consume technical cyber data, we should take each organization's comparative advantage into account and recognize that business relevance will drive sharing.

We shouldn't assume that this project will be easy. Information sharing requires commitment, time, and resources to be effective.  

To tackle the ransomware information-sharing gap, the cybersecurity industry should establish the RIRN, as called for in the Ransomware Task Force report. The RIRN would serve several functions, including the receipt and sharing of incident reports, directing organizations to incident response services, aggregating data, and sharing alerts about ongoing threats. 

The RIRN should develop standard reporting formats based on existing standards to make automated sharing possible, and it should adopt business processes that avoid double-counting data, protect privacy, and focus on the value proposition to participants. This network should include nonprofits, cybersecurity vendors, insurance providers, incident responders, and government agencies. 

A functioning RIRN would help close the information gap that inhibits our response to ransomware. We should build such a network based on the lessons learned from past information-sharing initiatives, thereby avoiding the usual flaws that undermine such efforts. The cybersecurity industry shouldn't wait for the government to take the lead. We can create the network now and invite governments to join something that already exists.

While governments need to lead the overall national security response to ransomware, the private and nonprofit sectors should take a leadership role in several areas, particularly in creating an information-sharing network.

The Cyber Threat Alliance, the nonprofit I run, is committed to making a Ransomware Incident Response Network a reality. We will build on our experience in cyber-threat intelligence sharing to help make the RIRN viable from the start.

Michael Daniel serves as the President & CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables high-quality cyber-threat information sharing among cybersecurity organizations. Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, ...