A CSO's Perspective on Third-Party Focused Ransomware Strategy Report (Shared Assessments)
I. Introduction: Embracing the Unexpected

As a seasoned Chief Security Officer (CSO) who has weathered numerous cyber storms, I have learned to anticipate the unexpected. The cybersecurity landscape is perpetually evolving, and no organization, regardless of size or stature, is immune to the threats that lurk in the digital world. In this context, I reviewed the "Third Party Focused Ransomware Strategy: An Enterprise-wide Collaborative Strategy Guide for TPRM Professionals" by Shared Assessments.

Ransomware, malicious software that encrypts victims' data until a ransom is paid, is not a new phenomenon. But its growing sophistication and frequency are alarming. The threat is no longer just about getting your systems encrypted and experiencing downtime. It has transcended into a more sinister form where threat actors exfiltrate sensitive data and threaten to leak it, creating additional pressure to pay up. With third-party vendors becoming a popular entry point for such attacks, a guide focusing specifically on this area was a welcome sight.

My approach to cybersecurity is primarily based on being proactive rather than reactive. I believe that the key to an effective defense lies in the ability to stay a step ahead of potential threats, a concept often termed 'left of Bang.' But we must also be prepared to handle situations effectively when they go 'right of Bang.' So, when I saw the term 'strategy' in the title, I was filled with a sense of anticipation. I hoped the guide would provide a comprehensive framework both to prevent ransomware threats and to respond to them. And so, I embarked on dissecting the guide, armed with years of experience in the industry and the hope for a fresh, holistic perspective on tackling ransomware threats.

II. Looking Past the Title: Insights Gleaned and Gaps Identified

When I first came across the "Third Party Focused Ransomware Strategy: An Enterprise-wide Collaborative Strategy Guide for TPRM Professionals," the title alone stirred hope in me. As a seasoned CSO, I always look for comprehensive guides to tackling threats head-on. With the promise of a 'strategy guide,' I was enthusiastic that the document would be a game-changer in dealing with ransomware threats, from both a preventive and a responsive angle.

As I delved into it, I was struck by the detail and the sheer depth of information on managing the aftermath of a ransomware attack. The guide was a trove of knowledge on handling the chaos that often ensues after an attack. The structured approach, focusing on communication protocols, playbook guidelines, practical risk assessment, recovery plans, and more, was commendable. It made me reflect on my own incident response plans and identify areas for improvement.

However, as I progressed, it became increasingly clear that the guide did not dedicate as much ink to prevention as I had initially anticipated. While there were nuggets of advice embedded throughout on how to avoid attacks, they did not seem as fleshed out as the sections dedicated to post-incident response. For a guide with the word 'strategy' in the title, I would have liked a more balanced approach, giving prevention and response equal weight. The 'left of Bang' concept, focusing on actions taken to prevent an incident from occurring, seemed underemphasized.

While there was a bit of initial disappointment, I came to appreciate the value of the guide in helping organizations prepare for the unfortunate eventuality of a ransomware attack. The guide was genuinely comprehensive in terms of managing the crisis. However, I couldn't help but think about the immense value it would have added had it further explored preventative measures. Specifically, detailed discussions on measures like DMARC, DKIM, SPF, and multi-factor authentication, cost-effective yet robust tools for preventing ransomware, would have been a great addition. These measures, coupled with the OODA loop concept (Observe, Orient, Decide, Act), could help organizations stay ahead of threats and fortify their defense mechanisms.

Nevertheless, the guide is a testament to the importance of preparedness in the face of evolving cybersecurity threats. It reemphasizes the need for organizations to build resilient systems capable of withstanding and recovering from attacks. But remember, a strong defense should not only be robust in its response but also proactive in its prevention.

III. The Comprehensive, Yet Incomplete Strategy

I was impressed with the guide's comprehensive overview of response strategies for dealing with ransomware attacks. The authors have carefully outlined goals and best practices on technical resources, cyber insurance, playbooks, and scenario testing. The guide offers detailed insights on communication and business engagement plans during ransomware incidents. Additionally, it walks the reader through the recovery process, emphasizing the importance of a comprehensive understanding of the applications and systems involved and their criticality to the business.

The guide truly shines in its approach to tackling ransomware threats from a third-party risk management (TPRM) perspective. It does an exceptional job of emphasizing the importance of ensuring third-party vendor security and advocating for robust TPRM practices to reduce ransomware risk. The guide is also commendable in its insistence on leadership participation in ransomware scenario testing and on the importance of vendor contract controls.

However, despite the commendable depth in handling the 'right of Bang,' I found the guide lacking in its approach to the 'left of Bang.' The emphasis was mainly on response and recovery from ransomware incidents, and it left me wanting more when it came to strategies for preventing such incidents in the first place. In other words, the guide did an excellent job of preparing the reader for when the proverbial 'Bang' happens but fell short in offering strategies to keep the 'Bang' from occurring. Prevention should constitute a significant part of any cybersecurity strategy, and its treatment in the guide could have been more pronounced.

While the lack of a robust prevention strategy in the guide was disappointing, it certainly doesn't take away from the valuable incident response information it provides. Indeed, every cybersecurity professional knows that no preventive measures are foolproof. Therefore, having a solid incident response plan is crucial. In that respect, the guide is commendable and can be a valuable resource for TPRM professionals. It certainly adds to the collective wisdom of the cybersecurity community in dealing with the scourge of ransomware attacks.

IV. Addressing The 'Left of Bang'

As a cybersecurity veteran, I often rely on a mix of preventive and reactive measures to combat cyber threats. The guide's focus on response and recovery is exemplary, but my years in the field have taught me the significance of proactive prevention and the immense value it brings to any cybersecurity strategy. After all, the best fight against ransomware is the one you never have to wage. Focusing on techniques that allow us to anticipate, detect, and deter attacks can transform our cybersecurity posture. We must dedicate resources to preventive strategies that can help us avoid the 'Bang' altogether or at the very least, diminish its impact when it happens.

Techniques like implementing Domain-based Message Authentication, Reporting & Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) can go a long way in preventing phishing, one of the primary vectors of ransomware. These techniques verify that an email really comes from the domain it claims to, and they keep spoofed or phishing emails from reaching users' inboxes, thus reducing the chances of ransomware infection significantly.

Furthermore, multi-factor authentication (MFA) can be a potent tool in preventing credential-stuffing attacks. By introducing an additional layer of security, MFA makes it much harder for attackers to gain unauthorized access, thereby reducing the risk of ransomware attacks. (More on these techniques at the end.)

V. The OODA Loop: A Powerful Tool in Cybersecurity Strategy

When discussing prevention, it would be remiss of me not to mention the OODA Loop - Observe, Orient, Decide, and Act. This concept, developed by military strategist John Boyd, has proved useful in various fields, including cybersecurity.

In cybersecurity, observing involves monitoring networks and systems for anomalies that could signify a threat. Orienting means understanding the context of these anomalies and analyzing them in light of past experience and current intelligence. Deciding involves selecting an appropriate response based on the observations and orientation. Finally, acting involves executing the chosen response.

Implementing the OODA Loop in our cybersecurity strategy can significantly improve our chances of staying 'left of Bang.' Regularly going through this loop allows us to respond more rapidly and effectively to threats, often neutralizing them before they can cause harm.

While the guide does an exceptional job of detailing the 'right of Bang,' weaving in preventive measures and the OODA Loop concept would provide a holistic and well-rounded approach to tackling ransomware threats. Despite this oversight, the guide remains an excellent resource for TPRM professionals and the broader cybersecurity community. Let's discuss OODA in more depth next.

VI. Applying the OODA Loop to our Cybersecurity Frameworks

The OODA Loop (Observe, Orient, Decide, Act) isn't a cybersecurity concept per se. Yet, its essence resonates deeply with the cybersecurity paradigm, especially when considering the need for speed and adaptability in our responses to cyber threats. It's a dynamic cycle aimed at getting ahead of an adversary by making quicker, informed decisions, and in the context of cybersecurity, it can drastically improve our preparedness and responsiveness to threats such as ransomware.

Observe – This initial stage requires broad and vigilant surveillance of the organization's digital environment. It's all about gaining situational awareness—understanding normal network behaviors, observing anomalies, and detecting potential threats. By integrating threat intelligence, one can also observe trends in the broader threat landscape, including new ransomware tactics.

Orient – Here, the observations are analyzed and synthesized to understand their implications. Contextual information is used to identify whether detected anomalies are potential threats. In the case of ransomware, this could mean identifying suspicious email activity or network traffic that may indicate a breach.

Decide – At this stage, decisions are made based on orientation. The best course of action is determined—blocking a suspicious IP, isolating a potentially compromised system, or activating a ransomware response plan. Making informed, swift decisions is critical to prevent an attack from escalating.

Act – The decided course of action is implemented. This might be initiating incident response protocols, alerting the team, or communicating with stakeholders. Once the action is taken, the loop starts over, observing the results of the action and reorienting as necessary.

Implementing the OODA Loop in our cybersecurity strategy provides a framework for rapid decision-making and iterative learning. It can also help drive home the concept of "left of bang," enabling us to spot and react to potential threats before an incident occurs—thereby staying a step ahead of ransomware and other forms of cyber-attacks.

When coupled with the well-curated recommendations from the "Third Party Focused Ransomware Strategy" guide and the robust technical controls I highlighted earlier, the OODA Loop could very well be the missing link in formulating a more comprehensive strategy that covers all aspects of ransomware prevention and response.

(I have written an in-depth book about using OODA extensively in cyber.)

VII. The Unassuming Protectors: Technical Controls

Before wrapping up, I'd like to emphasize some preventive measures that I personally hold in high regard: DMARC, DKIM, SPF, and MFA. These might seem simple, even unassuming, acronyms, but when leveraged correctly, they serve as solid barricades against ransomware attacks.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol that uses SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to detect email spoofing. It's a preventative measure against phishing emails, a common method attackers use to disseminate ransomware. With DMARC in place, the authenticity of incoming emails is verified, and phishing emails impersonating legitimate addresses are blocked or marked as spam according to the domain owner's published policy.

Sender Policy Framework (SPF) is a simple email validation system designed to prevent spam by verifying that the sending server's IP address is authorized to send mail for the sender's domain. SPF adds to DMARC's capabilities by providing additional protection against email spoofing.

DomainKeys Identified Mail (DKIM) is another email authentication method that enables the receiver to check that an email was actually sent by the domain it claims to come from and that its content was not tampered with in transit. It's an added layer of security that, together with DMARC and SPF, creates a formidable shield against email-borne threats.

Lastly, there's Multi-factor Authentication (MFA), one of the most effective methods of preventing unauthorized access to systems and accounts, a common entry point for ransomware. By requiring multiple authentication methods, MFA ensures that an attacker still can't gain access even if one factor (such as a password) is compromised.

While the guide was an outstanding tool for understanding and dealing with ransomware attacks, integrating these preventive measures into the strategy could make it even more robust. When paired with the proactive orientation of the OODA loop and a robust incident response plan, these technical controls can help ensure that organizations are not just equipped to deal with ransomware attacks but also prevent them from occurring in the first place. These might seem like basic techniques, but as we know, in the world of cybersecurity, the basics can often make all the difference.

Remember, these things are not rocket science but basic blocking and tackling. Here is a blog I did that goes into more detail.



the importance of being prepared and taking proactive steps to address the rising threat of ransomware attacks. It signals the value of the published resource in providing guidance and strategies for effective incident response in the face of such cyber threats.
