What the Marine Corps Taught Me About Ransomware Defense
Ransomware is a booming product in today’s cybercrime market. As a security technologist, I am increasingly awed by the success and volume of these attacks. Yet the business world still seems content to watch the tactic play out rather than learn from it.
Why don’t companies implement ransomware protection?
Ransomware is relatively defensible, yet few companies put sufficient protection in place. The failure can be blamed on people and process, on weak supervision, or on a lack of technical understanding. It is also quite possible that organizations simply do not know how to turn on multi-factor authentication or backups in the cloud services they have recently adopted.
Another reason these attacks keep succeeding is that buying cyber insurance is far too easy. Transferring the risk to an insurer removes the incentive to fix problems that are eminently fixable. Every security technologist discourages organizations from paying ransoms, but a new insurance market does not come along every decade, and insurers validate tomorrow’s market by paying claims today. Ransomware operators play straight to that incentive: ransom payment amounts have climbed steeply over the past year.
A simpler solution: Detailed discipline
I believe the ransomware solution is something simpler that I learned in Marine boot camp. As a young officer candidate, I learned all the stupid traditions and habits associated with the U.S. military: don’t touch your face, align your uniform shirt seam, belt buckle, and pant fly-seam in a straight gig line, only talk while in the position of attention, and refer to yourself in the third person.
Later, I learned these requirements weren’t an end in themselves, but evidence of the discipline required to be safe in life-threatening situations. Discipline in the smallest things meant success in the largest things. The fight against ransomware needs the same solution. Companies do not need the next widget from an emerging product company. They cannot stop malware just by implementing expensive backup or storage solutions. Defense against ransomware is found in disciplined attention to the little things.
Discipline #1: Implement MFA without user exceptions
First, require multi-factor authentication for every company user. Statistically, most ransomware attacks begin with basic credential theft or phishing to gain a foothold and deploy the payload; in my experience there are few exceptions to this reality. Still, many organizations roll out MFA as a default policy and then punch holes in it: executives or board members are exempted, and enforcement for lower-seniority users is never finished. Exemptions should be rare and deliberate, not the norm. MFA is essential in modern cybersecurity.
I encourage every organization to enforce MFA for all users under a threat-informed risk policy, and to enforce it technically: scope the MFA policy to all users rather than to a hand-picked group. Many organizations I have worked with declared their MFA project complete when they hit a compliance threshold (90 percent is common). Consider the project incomplete until every user is technically enforced; the unenforced remainder is exactly the set of accounts an attacker will go looking for.
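As an added illustration, not code from the original article, here is a small Python audit that reads a constructed user export and measures enforcement the way this discipline demands: a user counts as covered only when the policy actually applies to them and MFA is enforced, not merely enabled. The field names (upn, role, mfa_state, policy_excluded) and the sample users are assumptions about what an identity provider's user report would contain.

```python
"""MFA enforcement audit over an exported user list (added example).

The export below is constructed; field names are assumptions about what
an identity provider's user report would contain.
"""
from collections import Counter

# Constructed sample export. "mfa_state" follows the common three-way model:
#   disabled -> not registered for MFA
#   enabled  -> registered, but the user can still sign in without it
#   enforced -> required at every sign-in
# "policy_excluded" means the MFA policy carries an explicit exception for the user.
USERS = [
    {"upn": "ceo@example.com", "role": "executive", "mfa_state": "disabled", "policy_excluded": True},
    {"upn": "cfo@example.com", "role": "executive", "mfa_state": "enforced", "policy_excluded": False},
    {"upn": "bob@example.com", "role": "staff", "mfa_state": "enabled", "policy_excluded": False},
] + [
    {"upn": f"staff{i}@example.com", "role": "staff", "mfa_state": "enforced", "policy_excluded": False}
    for i in range(1, 18)  # 17 ordinary staff, all enforced
]


def gap_reason(user):
    """Return None if the user is fully enforced, otherwise why they are a gap."""
    if user["policy_excluded"]:
        return "excluded from MFA policy"
    if user["mfa_state"] == "enforced":
        return None
    if user["mfa_state"] == "enabled":
        return "registered but not enforced"
    return "not registered"


def audit_mfa(users):
    """Summarize enforcement coverage; 'complete' is True only at 100 percent."""
    gaps = [(u["upn"], u["role"], gap_reason(u)) for u in users]
    gaps = [g for g in gaps if g[2] is not None]
    covered = len(users) - len(gaps)
    return {
        "total": len(users),
        "covered": covered,
        "coverage_pct": round(100.0 * covered / len(users), 1),
        "gaps": gaps,
        "gaps_by_role": dict(Counter(role for _, role, _ in gaps)),
        "complete": not gaps,
    }


def print_report(users):
    r = audit_mfa(users)
    status = "COMPLETE" if r["complete"] else "INCOMPLETE"
    print(f"MFA enforcement: {r['covered']}/{r['total']} ({r['coverage_pct']}%) -> {status}")
    for upn, role, reason in r["gaps"]:
        print(f"  gap: {upn} ({role}): {reason}")


if __name__ == "__main__":
    print_report(USERS)
```

On this sample the audit reports 90 percent coverage, the threshold many projects stop at, and still marks the project INCOMPLETE, because the two gaps are the excluded CEO and a user who registered for MFA but is never actually challenged. Treat the gap list, not the percentage, as the project's exit criterion.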
Discipline #2: Audit cloud data backups
Second, and even more important than MFA, isolated cloud backups are the ultimate defense against ransomware. Nearly every organization I have assisted with ransomware incident response thought it had solid backups. It is an unpleasant surprise when the backups are encrypted too. Often the “backup” was a share permanently connected to the network, or a folder automatically synced from the C:\ drive of most users’ devices, so the encrypted files simply overwrote the good copies.
In other cases, infrastructure engineers backed up every critical system to the one server that the malware locked. Both scenarios are preventable. Every security technologist will preach a hot, warm, cold BCP/DR strategy; take the time to verify that the warm and cold tiers are actually running at the right temperature.
I have also seen too many organizations that believed their expensive backup solution protected them from ransomware, only to discover that the one or two servers the malware locked were the two without valid backups. Audit your backup policy, and require two-person integrity in the process. Do not leave this audit to the infrastructure administrator alone: companies do not let a single person run their financial accounting unchecked, and they should not do so with their critical infrastructure. The CIO should produce a list of systems and backup frequencies that reflects the organization’s risk tolerance, for example backing up domain controllers every three months and the HRIS every month, and hand it to Internal Audit. Internal Audit must also confirm that the organization regularly tests its ability to restore from those backups.
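As an added example, not code from the original article, here is a Python audit of a constructed backup catalog against a CIO-issued policy of the kind described above. It applies the checks the incident stories in this section call for: is there a backup at all, is the newest one within the agreed frequency, is it stored somewhere an attacker on the network could also encrypt, did a second person verify the run, and has a restore been tested recently. The policy intervals follow the article's examples (domain controllers quarterly, HRIS monthly); the catalog fields, the storage-location labels, and the fixed audit date are assumptions.

```python
"""Backup policy audit (added example; policy and catalog are constructed).

Field names, location labels and the fixed audit date are assumptions
about what a backup system's catalog export would contain.
"""
from datetime import date

# Locations an attacker with a foothold on the network can also encrypt.
# A copy on a mounted share or on the protected host itself is not a
# usable backup for ransomware purposes.
REACHABLE = {"same_host", "network_share"}

# CIO-approved policy: maximum age (days) of the newest backup and of the
# last successful restore test. Intervals follow the article's examples.
POLICY = {
    "DC01":    {"max_backup_age": 90, "max_restore_test_age": 180},
    "DC02":    {"max_backup_age": 90, "max_restore_test_age": 180},
    "HRIS":    {"max_backup_age": 30, "max_restore_test_age": 90},
    "FILESRV": {"max_backup_age": 7,  "max_restore_test_age": 90},
    "ERP":     {"max_backup_age": 7,  "max_restore_test_age": 90},
}

# Constructed catalog: one row per backup run. ERP has no rows at all.
CATALOG = [
    {"system": "DC01", "taken": date(2024, 5, 1), "location": "cloud_immutable", "run_by": "iadmin", "verified_by": "audit1"},
    {"system": "DC02", "taken": date(2024, 1, 15), "location": "cloud_immutable", "run_by": "iadmin", "verified_by": "audit1"},
    {"system": "HRIS", "taken": date(2024, 6, 1), "location": "network_share", "run_by": "iadmin", "verified_by": "audit1"},
    {"system": "FILESRV", "taken": date(2024, 6, 9), "location": "cloud_immutable", "run_by": "iadmin", "verified_by": "iadmin"},
]

# Date of the last successful restore test per system (missing = never tested).
RESTORE_TESTS = {"DC01": date(2024, 3, 1), "HRIS": date(2023, 12, 1)}

AS_OF = date(2024, 6, 10)  # fixed audit date so the example is deterministic


def audit_backups(policy, catalog, restore_tests, today):
    """Return {system: [finding, ...]}; an empty list means the system is in policy."""
    report = {}
    for system, rule in policy.items():
        findings = []
        runs = [r for r in catalog if r["system"] == system]
        if not runs:
            report[system] = ["no backup on record"]
            continue
        latest = max(runs, key=lambda r: r["taken"])
        age = (today - latest["taken"]).days
        if age > rule["max_backup_age"]:
            findings.append(f"newest backup is {age} days old (limit {rule['max_backup_age']})")
        if latest["location"] in REACHABLE:
            findings.append(f"newest backup stored on {latest['location']}, reachable from the network")
        if latest["run_by"] == latest["verified_by"]:
            findings.append("backup run and verified by the same person (no two-person integrity)")
        tested = restore_tests.get(system)
        if tested is None:
            findings.append("restore never tested")
        elif (today - tested).days > rule["max_restore_test_age"]:
            findings.append(f"last restore test is {(today - tested).days} days old (limit {rule['max_restore_test_age']})")
        report[system] = findings
    return report


def out_of_policy(report):
    """Systems with at least one finding, sorted for stable output."""
    return sorted(s for s, f in report.items() if f)


if __name__ == "__main__":
    rep = audit_backups(POLICY, CATALOG, RESTORE_TESTS, AS_OF)
    for system in POLICY:
        print(f"{system}: {'OK' if not rep[system] else 'FAIL'}")
        for f in rep[system]:
            print(f"  - {f}")
```

On this sample only DC01 passes. HRIS is backed up on schedule but to a network share, which is the first incident pattern above; FILESRV is fresh and offline but was run and "verified" by the same administrator and has never been restore-tested; ERP, a critical system on the CIO's list, has no backup at all. The reachable-location and restore-test checks are the ones an infrastructure team reviewing its own work tends to skip, which is why the text hands the audit to a second party.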
Discipline #3: Evaluate phishing defenses and educate users
The last critical discipline is to actively defend against phishing. Speed of adaptation makes this one difficult: social engineering lures change faster than technical controls can follow. Ideally, anti-phishing defenses remove the threat before it ever reaches the user. On the ground, the user should be armed with skepticism and critical thinking. Regularly review the organization’s readiness against phishing with employees so that users report suspicious emails rather than opening them.
Evaluate users with realistic tests, then follow up with specific training on modern and emerging techniques. Phishing tests should not target the individual; they should produce feedback for the organization as a whole. The goal is to see users trending in the right direction, not to take punitive action against individuals. For users who fail an evaluation, provide targeted reinforcement rather than negative consequences.