The White House released an open letter on June 2, 2021, urging U.S. businesses to take "immediate steps" to protect themselves, their customers, and the broader economy against ransomware attacks. The letter comes amid numerous high-profile ransomware attacks affecting critical infrastructure and supply chains.
Addressed to "Corporate Executives and Business Leaders" from Deputy National Security Advisory Anne Neuberger, the letter recommends the following "highly impactful" steps. We list each of the recommendations and provide corresponding commentary.
|Implement multifactor authentication (because passwords alone are routinely compromised) and encryption (so if data is stolen, it is unusable).
||These measures featured prominently in the White House's recent Executive Order on Improving the Nation's Cybersecurity,which DWT covered in a recent blog post.
|Use endpoint detection and response (EDR) tools to hunt for malicious activity on a network and block it.
||Advanced EDR tools allow security teams to remotely monitor for, detect, and block malicious activities on computers and workstations. These remote capabilities are especially useful for companies with many employees who work from home or somewhere else outside a traditional office.
|Back up data, system images, and configurations, regularly test them, and keep the backups offline. Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
Backups are a key mitigation against ransomware attacks. The letter folds together several recommendations for maintaining backups:
• Store backups offline: As the letter notes, ransomware frequently attempts to find and delete network-attached backup files. However, companies often need to be selective about the types and amounts of data they are backing up offline, as maintaining huge offline data troves can be burdensome.
• Regularly test backups: This is a critical step that is too often overlooked by companies. Companies must ensure that backup solutions are working properly and that backup files are complete and not corrupted.
• Back up system images and configurations, in addition to data: It is easy to overlook the importance of backing up critical images and configurations. Ransomware attacks do not simply deny companies the ability to access their files—they also can be incredibly destructive to network architecture and require a company to rebuild many of its essential computers and services. This rebuilding work is made much easier with backups of critical configurations and default images.
|Update and patch systems promptly. This includes maintaining the security of operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
||Unpatched systems remain one of the leading causes of successful cyberattacks, including ransomware. The letter recommends using a central patch management system and taking a risk-based approach to prioritizing patch management.
|Test your incident response plan. There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
||Maintaining and regularly testing an incident response plan (IRP) is fundamental to a good information security program. Perhaps in response to recent attacks against Colonial Pipelineand global meatpacking firm JBS, both of which resulted in significant disruption of supply chains, the letter recommends testing the IRP through a business continuity lens—for example, by asking whether the company could sustain business operations if certain systems were taken offline.
|Check your security team's work. Use a third party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
||Penetration testers simulate real cyberattacks by trying to find ways to compromise a company's network and systems. To mitigate the risk of ransomware, companies should conduct both external penetration tests—attempts to gain access to the network from the internet—and internal penetration tests—attempts to move laterally between systems once inside a network. Even if its network is compromised, a company can mitigate the effects of a ransomware attack by making it very difficult for attackers to find and access business-critical systems and data.
|Segment networks. There has been a recent shift in ransomware attacks—from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.
||Again drawing from recent events, the letter recommends that companies carefully segregate corporate IT networks from operational networks, such as those used to run machines on factory floors. The interrelationship between IT and operational networks recently has received a lot of attention. Colonial Pipeline shut down its pipeline operations for several days following its ransomware attack, apparently out of concern that the attackers could move from its corporate IT network to the network that controls the flow of fuel through the pipeline system.
|Maintain a skilled, empowered security team to patch rapidly, and share and incorporate threat information in your defenses.
||There is no doubt that the letter's other recommendations mean little without a good security team to implement them. Unfortunately, there continues to be a significant shortage of personnel with strong cybersecurity skills.
None of the recommendations in the White House letter will come as a surprise to seasoned cybersecurity practitioners. There are also a number of good practices that the letter does not address, such as providing phishing and cyber awareness training to employees and regularly conducting vulnerability scans.
Nevertheless, the letter is significant. It is yet another signal that the federal government is looking for a significant response to the ongoing ransomware epidemic. To that end, the Department of Justice created a task force in April 2021 to combat ransomware and other digital extortion attacks.1
The Department marked a big victory for the task force yesterday when it announced the seizure and recovery of nearly half of the bitcoin paid by Colonial Pipeline to its ransomware attackers. Moreover, recent internal guidance stated that the Department would handle ransomware attack investigations through a special central coordination process previously used for terrorism investigations.2
The letter also could serve as a sort of baseline set of expectations for companies to defend against ransomware attacks. Companies that are hit by ransomware and do not maintain any offline backups, for example, should expect increased scrutiny of their cybersecurity practices by regulators. Accordingly, corporate leadership should conduct gap assessments of their cybersecurity programs using the letter's recommendations.
To the extent a company does not implement some of the recommendations, it should either take immediate steps to do so or be able to explain why, taking a risk-based approach, it determined that some of the recommended actions were not necessary. For example, a company might decide not to use multifactor authentication on a particular system due to technical limitations, knowing that the system does not contain sensitive data and is logically segregated from other parts of the corporate network.
DWT will continue to monitor the regulatory landscape related to ransomware.