How the Fight With Ransomware Will Likely End
What will it take to defeat ransomware?
The ransomware problem is pretty bad (https://blog.knowbe4.com/everyone-has-it-wrong.-it-is-not-double-extortion-it-is-quintuple-extortion) and is likely going to get worse over the mid-term time horizon. As I covered in my recent Future of Ransomware article (https://blog.knowbe4.com/the-future-of-ransomware), ransomware is quickly morphing into a corporate-like, full-service hacking service spectrum, where bad actors break into our organizations and then take their time deciding on all the types of maliciousness they will carry out over their timeline to extract the most money possible. For example, they may start out installing cryptomining trojans, install some DDoS bots, exfiltrate some data and credentials and send some spear phishing emails to trusting business partners, all before pulling the trigger on their server-encrypting routines and asking for a ransom.
So, what will it take to make ransomware go away or at least be significantly less malicious?
Essentially, it is going to take the world figuring out how to end, or significantly defeat, all malicious hacking and malware. You cannot do one without the other.
Can that be done?
This may be surprising to many, but the answer is yes.
But it is going to take an all-hands-on-deck approach that looks at the bigger, systemic problems of why it is allowed to happen, instead of all these half-hearted, whack-a-mole approaches where we expect every participant to have the perfect defense all the time. It will take political solutions, organizational controls and a significantly more secure Internet.
Malicious hackers and their malware creations thrive because the criminal perpetrators cannot be identified and, even if identified, are almost never successfully prosecuted. It is all gain and nearly zero risk. What criminals would not take advantage of those conditions? Cyber criminals use the default anonymity of the Internet, the lack of strong identity and assurance, international jurisdictional boundary issues and the safety of cyber criminal safe havens to commit online crime. Imagine how much more bank robbing we would have in our real world if bank robbers could just stroll into any bank, rob it and walk out, without ever having to worry about getting caught or stopped. That is the problem we are facing now.
How To Fix
No single defense is a perfect defense that defeats all threats. All threats and risks are defeated by creating a right-sized, risk-aligned set of layered defenses, which utilize policies, technical defenses and education to prevent those threats and risks from becoming realized. These controls should be used to prevent things from happening, quickly detect things that happened despite your best preventative control attempts and then utilize good incident response to quickly put down the threat and recover from the attack as quickly as possible. If you are more interested in this, see my related article: https://www.dhirubhai.net/pulse/3-x-security-control-pillars-roger-grimes.
To defeat ransomware and all malicious hackers, we need to attack the problem locally and globally. I will start with the local part first, which is almost all we have been concentrating on for three decades.
To fix the problem, it will take improving the default security of all organizations. We have a ton of very good computer security recommendations and guides out there. We do not need more. It is not like we do not know what we need to do in order to make malicious hacking less successful. We need good education. We need better patching. We need better passwords and multifactor authentication (MFA). We need least privilege permissions. We need secure configurations. We need more things encrypted by default. We need zero trust security. We need better monitoring and alerting. We do know what we need to do to have better computer security. We just need all organizations to actually follow the advice and follow it better, consistently. Whatever can be done to force more organizations to follow good computer security practices better and more consistently is a good thing.
But we will not win the war on malicious hackers and malware by using and enforcing local controls alone. That is because it turns out that implementing hundreds of separate controls all the time, perfectly and consistently, is not easy. How do we know? Because for three decades, creating, recommending and implementing good security controls has been the primary defense we have all been told to use, and hackers and malware are as bad as ever, and each year they get worse. This go-it-alone, local-only defense is not working. We need something else to help in our war against malicious hackers and malware.
Political
It is going to require politicians agreeing to work on a global cybersecurity framework and countries agreeing to accept those new rules. It is hard to get any group of people to agree on anything. Your close family likely does not agree on everything, much less the entire world and stakeholders on all sides of an issue. But some people are trying.
For example, the United Nations (UN) has been working on a global, agreed-upon set of cybersecurity and cyberwarfare standards for at least six years, and there were other global agreement attempts made for decades before that. But the UN got something passed. On March 10, 2021, it issued its first report on global cybersecurity recommendations (https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf), a sort of digital Geneva Convention. It elevates and affirms the authority of international law in cyberspace and the set of norms for responsible behavior, sets expectations for responsible nation-state cyber behavior and discusses the need for all nations to become more cyber-resilient. Of course, major nations are pushing back on it, but the French are proposing a way forward (https://front.un-arm.org/wp-content/uploads/2020/10/joint-contribution-poa-future-of-cyber-discussions-at-un-10-08-2020.pdf). All in all, we are closer to global agreement on what should and should not be tolerated cyber-wise.
It is also going to take global agreement on digital crime rules of evidence, and on how different countries will accept and enforce subpoenas and calls for arrests of suspects made by other countries. It will likely also take widespread, global condemnation of the major nations that are safe havens for cyber criminals. We have to make it more painful for nations to avoid doing what is needed to make our cyber activities safer than to do it.
Fixing the Internet
It will also take evolving the Internet to be a significantly safer place for all people to compute. That is a tough order, but technologically, there are ways to do it. The harder part is getting all of the stakeholders to agree to do it and how to do it. You have many stakeholders, like privacy advocates, who do not want any improved identity management (which is a crucial component of a more secure Internet). You have stakeholders on the opposite end…governments, law enforcement, etc., that want the absolute ability to see into any traffic and to identify anyone they want to. These are two very opposite, conflicting viewpoints. Can this gap be crossed? Is there a solution that will make both sides happy? Perhaps not, but there are solutions that both can accept at the same time while not being 100% satisfied.
I believe the pain of what is going on in the ransomware world and other attacks has become so extreme that we have reached our digital “tipping point” event. We have enough pain, problems and financial loss that I think we can get the majority of the Internet and Internet players to come together to finally make the Internet significantly more secure than it is today.
So, that is how you get rid of all ransomware…and all malicious hackers and malware…or at least mitigate them significantly better than they are today. It will take an all-hands-on-deck approach, where local organizations do a better job at consistently implementing more security controls, global agreements are reached to get rid of cyber criminal safe havens and the Internet is evolved to a significantly safer place to compute.
Is That All?
Well, no, but those are the big pieces. More importantly, it can technologically be done. We just have to agree to do it and how to do it. And dare to dream: for the first time in my over-three-decade history of hoping that we get better computer security that really, significantly mitigates malicious hackers and malware, I think there is a real possibility that it may happen.
Until Then, What?
Of course, even if we get everyone to agree to fix everything, we are talking years to a decade or more before that better, built-in safety starts to take effect. You cannot upgrade everything overnight. Until a better, safer cyber world comes around, we need to be doing our best, local computer security possible. That means best fighting social engineering, best patching, password hygiene, using MFA, implementing least-privilege permissions everywhere in everything, better monitoring and alerting and more comprehensive anomaly detection and analysis.
Just better fighting social engineering and better patching will reduce your cybersecurity risk by 90% to 99%. Almost all successful malicious data breaches are caused by just two things: social engineering and unpatched software. And it has been that way for decades. Depending on the survey and timing, social engineering is blamed for 40% to 95% of all successful, malicious data breaches. Unpatched software is involved in 20% to 40% of them. Combined, they are easily the two biggest threats most organizations face. If you throw in password issues, like password guessing, you are probably describing 99% of all successful data breaches. Fighting these two or three things means more than fighting anything else.
So, until a better global solution comes along, fight social engineering, patch better and use good password policies, along with MFA where it can be used. For the foreseeable future, until the world comes together in a global Kumbaya moment, and the Internet gets fixed, it is what we have to do. Go fight the good fight.
CISO, Keynote Speaker, Panelist, Advisory Board Member, CISSP
3 years ago
The fact is, ransomware is just too lucrative. I saw 20 Billion this year as a number and I thought jokingly that if only this was invested in security! So, if it’s not going away, can I add that you should back up your critical data offline away from these bad actors? EDR for a business is the biggest bang for your buck. Add in KnowBe4’s ability to educate the human element and you just spent a lot less than your share of the 20 billion, because if you don’t then you will be one of those funding these bad guys.
Info Systems Coordinator, Technologist and Futurist, Thinkers360 Thought Leader and CSI Group Founder. Manage The Intelligence Community and The Dept of Homeland Security LinkedIn Groups. Advisor
3 years ago
I would say it is going to take a combination of factors, or just one depending on who builds it fastest...#quantumcomputing, otherwise it will take Redundancy, Intelligence, End-User Education, Patch Management out the Wazoo, and Companies proactively debugging their applications as well as Bug Bounties catching what they miss...And that is just to start...It is gonna be a long battle, one that we are playing catch up in, kind of like Omaha Beach without Eisenhower or the British...