The Proliferation of Ransomware Attacks: Protecting Critical Infrastructure
I watched the Senate Judiciary Committee’s hearing about ransomware called “America Under Cyber Siege: Preventing and Responding to Ransomware Attacks” with mixed emotions. I am glad to see there are impressive, dedicated professionals like those who testified before the committee on the case, focusing on the areas where additional legislation could help prevent future attacks. I’m glad to see there is awareness, but if we're going to see real change we need to achieve a better collective understanding of the underlying problems behind the eye-catching ransomware headlines.
So what is ransomware? According to Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, “At its most basic, ransomware is a computer program created by malicious actors to 1) infect a computer or server; 2) encrypt its contents so they cannot be accessed or used; and 3) allow the malicious actors to demand that a ransom be paid in exchange for the decryption key."
On the one hand, the fact that ransomware attacks have entered the public consciousness enough to demand a senate hearing is encouraging. Ransomware has become the boogie man in the closet. In reality, ransomware alone isn’t an attack. It is an effective way of monetizing an intrusion. The intrusion is the attack - or the robbery. The ransomware is what enables emptying cash from the money drawer into a pillowcase. In the real world, we focus on shoring up access points to prevent bank robberies. In the digital world, we need to do the same - focus on the intrusion that enabled the use of ransomware.
During his testimony, Eric Goldstein, Executive Assistant Director for Cybersecurity at The Cybersecurity and Infrastructure Security Agency, made it clear: “Most ransomware attacks generally do not use zero-day vulnerabilities or exquisite tradecraft, but rather exploit known security weaknesses or a failure to adopt generally accepted best practices.”
Our recent 2021 Consumer Identity Breach Report found that the majority of breaches (43%) are caused by unauthorized access. Through this unauthorized access, criminals can insert the tools that enable a ransomware attack. So if we want to prevent the use of ransomware, we need to focus on preventing unauthorized access.
So, where should we focus on reducing the threat of unauthorized access and ransomware by proxy? Let’s start with access itself. Over time, members of a workforce at organizations accumulate access to systems and services they may need to do their job, execute a project or interact with their co-workers. As people change roles, finish projects, or move out of organizations, their access is often left behind, creating unnecessary risk and attack surfaces for bad actors to exploit. We also can’t forget standing administrative privileges and service accounts used by systems, services, and things. There is simply too much unnecessary access out there for attackers to take advantage of and bring entire supply chains and industries to a screeching halt.
The problems of overprovisioned, orphaned, and unnecessary access no longer need to be a risk hanging over our head. They are addressable now that we have tools like AI-driven discovery systems that can analyze users’ access and identify patterns of appropriate access and, more importantly, instances of unnecessary, risky, or anomalous access. Once we spotlight these accounts, we can decide whether the risk they create is worth the value they provide.
Next, we need to do a better job of securing the accounts we do need. I have talked about this so much I probably seem like a broken record, but we must eradicate passwords from the enterprise. Implementing passwordless authentication will require significant changes to the user’s authentication workflow and require a massive exercise in change management. Still, the result eliminates the most prevalent attack vector leveraged by attackers while simultaneously improving the end-users’ experience.
As we’ve seen recently, ransomware is a serious problem globally as criminal syndicates, state actors, and individual hackers are all getting in on the game. It continues to affect virtually every industry, from Critical Infrastructure, Retail, Healthcare, to Financial Services. But we must treat it as a symptom, not the disease. You don’t ignore the symptoms, but if you don’t focus on the underlying disease there will always be new symptoms over time. As Jeremy Sheridan, Assistant Director Office of Investigations United States Secret Service detailed during his testimony, ransomware emerged as a key way to monetize cybercrime when selling Personally Identifiable Information (PII) and credit card numbers was no longer profitable enough. If we tackle the issues of unnecessary, anomalous, and risky access, paired with the elimination of passwords, the downstream effect will be a threat environment that becomes significantly more difficult for ransomware and the next monetization scheme to take hold in.
Get started today. Learn more about ForgeRock Autonomous Identity by reading Maximize the Value of Your Government Identity Solution with AI-Driven Identity Analytics