Know Thy Enemy: Fighting Half-Blind Against Ransomware Won’t Work
Ransomware has grown up. Once a cybercrime nuisance that affected individual computers and demanded a few hundred dollars, ransomware attacks now take down whole corporate networks, generate payment demands in the millions, and even disrupt our daily lives.
The perpetrators behind this type of crime have become highly organized and diversified, employing a complex ecosystem of support infrastructure to manage payments, targeting, software, and other aspects of the “business.”
Ransomware is now a threat to our national security, public health and safety, and economic prosperity.
Because the threat posed by ransomware has changed, our response must change as well. We need to elevate our ransomware response to the national security level, and to do that, we must close the information-sharing gap on this growing threat.
A national security-level response is focused, aggressive, prioritized, broad, collaborative, and sustained. However, the events of the last few months — from the attacks on Colonial Pipeline to the Irish Health Service to the JBS meat processing company — clearly demonstrate that what governments and the cybersecurity industry have been doing to combat ransomware isn’t yet at the level of a national security response.
The recent report by the Ransomware Task Force, a group of more than 60 industry and government experts, lays out nearly 50 recommendations that together would produce a national security-level response matching the ransomware threat. If fully implemented, the resulting actions would change the trajectory of ransomware and blunt its effects on our society.
While the report’s recommendations are interlocking and meant to be implemented as a package, one element worth drawing attention to is the creation of the Ransomware Incident Response Network (RIRN).
Despite the volume of blog posts from security companies about ransomware, we lack reliable, representative, actionable data about ransomware’s actual scope, scale, and impact. How many organizations pay ransoms? What are the key nodes in the criminal ecosystem? Are paying organizations more likely to be targeted again? Are there trends in which types of companies are targeted? No one knows the answers to these questions from a systemic point of view.
Further, information about ransomware threats does not reach all the organizations that it should, whether private sector companies or government agencies. Without high-quality, timely threat information, we cannot effectively deter, disrupt, prepare for, or respond to ransomware attacks.
We also know from bitter experience that simply identifying an information-sharing need will not fill the gap. The cybersecurity industry has talked about information sharing for years, but doing it usually proves challenging.
That failure is typically due to flawed assumptions about how information sharing works. Instead of assuming the only relevant information is technical cyber data, we need to broaden our thinking to go beyond indicators of compromise to include different types of cyber-threat information, such as warnings about possible attacks or defensive mitigation techniques that will thwart intruders.
Rather than asking every organization to produce and consume technical cyber data, we should take each organization’s comparative advantage into account and recognize that business relevance will drive sharing.
We shouldn’t assume that this project will be easy. Information sharing requires commitment, time, and resources to be effective.
To tackle the ransomware information-sharing gap, the cybersecurity industry should establish the RIRN, as called for in the Ransomware Task Force report. The RIRN would serve several functions: receiving and sharing incident reports, directing organizations to incident response services, aggregating data, and issuing alerts about ongoing threats.
The RIRN should develop standard reporting formats based on existing standards to make automated sharing possible, and it should adopt business processes that avoid double-counting data, protect privacy, and focus on the value proposition to participants. This network should include nonprofits, cybersecurity vendors, insurance providers, incident responders, and government agencies.
A functioning RIRN would help close the information gap that inhibits our response to ransomware. We should build such a network based on the lessons learned from past information sharing initiatives, thereby avoiding the usual flaws that undermine such efforts. The cybersecurity industry shouldn’t wait for the government to take the lead. We can create the network now and invite governments to join something that already exists.
While governments need to lead the overall national security response to ransomware, the private and nonprofit sectors should take a leadership role in several areas, particularly in creating an information-sharing network.
The Cyber Threat Alliance, the nonprofit I run, is committed to making a Ransomware Incident Response Network a reality. We will build on our experience in cyber-threat intelligence sharing to help make the RIRN viable from the start.