In my previous post, I made the argument that Human Centric Cybersecurity (HCCS) and conventional technical elements of cybersecurity need to work together as a unified front when combating ransomware.
So, how does that work in practice when applied to combating ransomware?
Each should play to their strengths and support one another in the process
People do not regularly back up their systems and, when they do, they will often inadvertently carry malware into the backup, which turns the backup itself into a liability rather than a safety net. Desperate decision-makers are left thinking that they only have one option available to them: pay the ransom.
Backup management and suitable compartmentalisation of data are the clear purview of technological (which I will now call conventional) cybersecurity.
Designing a policy for enacting those technological adaptations and ensuring they are followed, understood and that they work in practice is a matter of culture, power dynamics, cognition and behaviour – something best managed by HCCS.
Picking up the pieces after an attack is a team effort
Depending on the size of the organisation, reverting to a backup to resume business as usual is not exactly comparable to changing the batteries on your remote. It is a time-consuming, expensive and convoluted process; businesses will be haemorrhaging money, food will be rotting in warehouses, suburbs or cities are left without power or gas and hospitals lose their ability to treat patients.
Simply put, even in the best-case scenario (i.e., where you do have an uncorrupted and up-to-date backup), you are still going to face a long and painful journey to resume operations. And things will never be the same.
This one is fairly straightforward: everything concerning people and their needs around adaptation is best tackled by HCCS, and the work to rebuild or restore that which was lost is best left to conventional cybersecurity. Importantly, if HCCS principles are applied properly, then the restoration efforts assigned to conventional cybersecurity benefit from HCCS insights into where and how the system can be made stronger. Similarly, the conventional cybersecurity work involved in recovery will also yield clues into what kinds of behavioural adaptations are required (i.e., opportunities to leverage HCCS principles to advance conventional cybersecurity objectives). Both approaches should work in unison to their mutual benefit.
Another example: We have all lost documents and spreadsheets and so on because we forgot to hit that save button and, while we’re very grateful for the auto recovery function of Office 365, we all know that the work recovered is often a much older version of what we were working on. Indeed, sometimes nothing is recovered at all.
In that second-best scenario, where you restore a dated backup of your systems, you will then have to bring it up to date to the best of your ability. You will also have to go looking for how the attacker(s) got into your system in the first place – if they got in once, then they can do it again.
Again, people, processes and policy go to HCCS; construction and fortification go to conventional cybersecurity.
It can be tempting to cave and pay up
People panic when everything they know and hold dear is stolen by a faceless, nameless and hostile entity. Regardless of what options are laid out in front of them, it is very tempting to just pay the ransom in the hope that the attacker will hand over the decryption key as promised (which has a 50/50 chance at best).
Cybercriminals are running a business and, like anyone with a modicum of business acumen, they will know how much their target can realistically pay in ransom. So, you have the choice of trying to rebuild a bunch of systems that will, for the duration, not be able to perform some really important jobs – such as supplying most of the east coast of the United States with fuel – or you can pay a relatively “reasonable” cost to get those systems back.
A no-brainer, right?
Colonial Pipeline: a case study
In the recent attack on Colonial Pipeline, the United States was immediately plunged into a fuel shortage.
Fuel is one of those things that we depend on for our survival, hence its designation as critical infrastructure. If you can’t fuel cars, planes, trucks, generators (and who knows what else), your national security capabilities (among many other things) plummet.
Colonial was in one of those best-case scenarios; they did have backups. But restoring from backups alone would have taken so long to complete that the risk to the US’s national security would have been catastrophic.
So, they paid up, received their decryption key and it worked – albeit so slowly that they had to restore from their own backups at the same time anyway.
Colonial Pipeline is an excellent example of what, how and why HCCS and conventional cybersecurity need to be implemented as a unified whole to effectively combat ransomware.
The preventative capabilities of HCCS alone would likely have reduced Colonial’s attack surface dramatically and increased the cost/effort required of the attacker – a major deterrent when we consider the business models of cybercriminals.
A stronger backup system and disaster recovery mechanisms delivered by conventional cybersecurity may have had a considerable impact on the variables involved in the decision-making processes that determined whether or not to pay cybercriminals millions of dollars.
Business attack simulations performed by combining insights drawn from HCCS and conventional cybersecurity might have resulted in a security posture so robust that Colonial would have been a target too costly to warrant attacking in the first place.
Of course, hindsight is 20/20 and I will admit that there are limits to what we can and should do with speculation, but the point stands: Conventional and HCCS go hand in hand, and that’s how we develop solutions to the challenges presented to us by our clients at 460degrees.
The ransomware crisis is bigger than any one business.
We must immediately pursue radical changes in our human centric and techno-centric cybersecurity strategies to make sure that ransomware is no longer a practical and/or financially viable way for cyber threat actors to make money.
How we should proceed from here will be the focus of the next and final instalment of this series.
This is the third in a series of four articles tackling ransomware. You can view the other articles in this series here:
Article One: Australia’s Ransomware Crisis
Article Two: Ransomware: what technologists don’t want to hear
Article Four: The Ransomware crisis: It’s Time to Retake Control