By: Mark Cummings, Ph.D., Bill Yeack CSE
Ransomware is a serious threat. Waiting to be attacked to prepare for it is a big mistake. Every organization needs to prepare for ransomware now.
Bace Cybersecurity Institute (BCI) is a non-profit organization that has assembled a group of experts to develop a plan that all organizations can follow to prepare for ransomware.
Ransomware attacks can target businesses, utilities, government agencies, political parties, schools, hospitals, and so on. Attackers care only about how much money they can extort, so every kind of organization needs to be prepared. Preparation is a matter of continuous readiness and management, and it can be organized into four phases, shown in Figure 1 and listed below:
- RM: Ransomware management
- R-2: Pre-attack phase: ransomware detection, intelligence, communications and defense
- R-0: Attack phase: management and response
- R+2: Loss minimization phase: negotiation and restoration of asset foreclosures
Fig. 1: The RASH process
We explore each of the phases of the ransomware readiness process, developed by BCI, in more detail below.
Managing ransomware is a complex, event-driven process. Unfortunately, you cannot protect everything all the time; it is neither economical nor practical. The most critical management task is therefore deciding what level of protection should apply to each asset. This ranking should be a cooperative effort across the entire organization, because different parts of the organization will have very different ideas about what needs to be protected. Senior management must guide these decisions using solid guidelines.
Management also needs to develop plans for what-if scenarios, documenting the alternatives before a decision is made. The key is to plan for, and document, the surge in personnel and resources an attack will require, including procurement.
Ransomware management is an ongoing process that requires input from the entire organization while keeping the ransomware plans and alternatives confidential. Management should oversee training and live-fire testing throughout the organization. As a precaution, the actual asset list and prioritization should never be used in training.
R-2 is the pre-attack phase. Its goal is to detect, manage and block potential ransomware threats. The fundamental problem in this phase is the massive amount of data to be analyzed; hidden in that data are indicators of an attack. These indicators, or "smells," are very difficult to detect and require sophisticated machine learning tools. When a smell is discovered, it is fed into an Attack Intelligence System (AIS), which measures the likelihood of an attack and determines alert levels.
The attack intelligence system has many uses, including providing data to preemptively block imminent threats and remediate known vulnerabilities; identifying areas where future attacks can be thwarted; detecting successful attacks; and monitoring the pace of an attack for defense resource planning.
AIS also provides the basis for communicating the alert levels of the organization. Communications are the lifeblood of attack management and should include a wide range