Ransomware NIST CRMP Failure
Jul 13, 2020
Ransomware: Today’s Example of the Failure of an Organization’s Enterprise-wide Cybersecurity Risk Management Program.
HTCT Senior Executive Cybersecurity Leadership Perspective Series #2
Ransomware Threat Today
Today’s global ransomware threat is significant and is affecting organizations in every sector, public and private. A successful ransomware attack today does not merely encrypt the organization’s data and backup systems: the cyber threat actors now exfiltrate the organization’s sensitive data before the encryption stage and use it to make an additional extortion demand. Some cyber-criminal groups go further and auction a victim’s exfiltrated data to the highest bidder if the victim refuses to pay for the actors’ promise to delete the data rather than release it.
Consider the costs of today’s successful ransomware attack. A recent successful ransomware attack on a Fortune 200 organization negatively impacted its 2nd quarter 2020 revenue and margins by $50 to $70 million and negatively impacted its clients. The victim organization’s Chief Financial Officer (CFO) noted that the organization expected to incur additional legal, consulting, and other costs associated with the attack, and that those costs would continue to negatively impact the organization beyond the 2nd quarter of 2020.
Five Functions of the NIST Cybersecurity Framework (CSF)
There are many cybersecurity frameworks available for an organization to use for its enterprise-wide cybersecurity risk management program. The NIST CSF is an easy-to-understand framework built around five functions. The following are the five functions of the NIST CSF:
- Identify Function – “assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities”;
- Protect Function – “supports the ability to limit or contain the impact of potential cybersecurity events and outlines safeguards for delivery of critical services”;
- Detect Function – “defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner”;
- Respond Function – “includes appropriate activities to take action regarding a detected cybersecurity incident to minimize impact”;
- Recover Function – “identifies appropriate activities to maintain plans for resilience and to restore services impaired during cybersecurity incidents”.
If your organization has suffered a recent successful ransomware attack and senior leadership is contemplating paying the extortion demand, your organization’s enterprise-wide cybersecurity risk management program (CRMP) has failed in all five functions of the NIST CSF.
Step by Step Successful Ransomware Attack and Failure of the Organization CRMP
A successful ransomware attack today may have multiple cyber threat actors working together as a team to conduct the initial compromise. Once the victim organization is compromised, the cyber threat actors establish an initial foothold on the enterprise network. The cyber threat actors then use tools to successfully escalate privileges and establish persistence on the enterprise network. The cyber threat actors then move laterally across the enterprise network searching for sensitive data. Once this sensitive data is found, the cyber threat actors copy and exfiltrate this sensitive data from the victim organization and proceed to encrypt the victim organization’s data and backup systems.
Failure of the Identify Function
The initial compromise in a successful ransomware attack (Maze ransomware is one example) is often an Internet-exposed Remote Desktop Protocol (RDP) service that the cyber threat actor compromises, or a misconfiguration on an Internet-facing device of the victim enterprise. This is a failure of the Identify Function: the asset, its vulnerabilities, and the threats to it were not identified in the organization’s risk assessment. An organization cannot assess the risk of an exposed service it does not know it has, so a current inventory of Internet-facing assets is the precondition for the rest of the function. In today’s environment, the latest cyber threat actor tactics, techniques, and procedures (TTPs) for ransomware should be included in an organization’s risk assessment.
Failure of the Protect Function
Having gained an initial foothold, cyber threat actors deploy additional malicious software on various parts of the network. They also escalate privileges to administrator level and create a backdoor that maintains unauthorized access to the victim enterprise without requiring valid credentials. This is a failure of the Protect Function: the victim organization’s identity and access management (IAM) controls allowed the cyber threat actor to reach administrator-level access without intervention by an appropriately trained cybersecurity team.
Failure of the Detect Function
Cyber threat actors then steal valid user credentials with various tools, move laterally across the victim enterprise, conduct reconnaissance to identify targets of value (i.e., sensitive data), archive that data, and exfiltrate it without detection. This is a failure of the Detect Function: these anomalies and events were not monitored and detected by an appropriately trained cybersecurity team.
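The detection gap described in the Detect Function paragraph above, as an added example that is not part of the original article: a short Python script that runs two simple detections over constructed log lines, one for an account authenticating to many hosts in a short window (lateral movement) and one for a large outbound transfer from one internal host to one external endpoint (staged data leaving the network). The pipe-delimited log format, the host and account names, the IP addresses (from documentation ranges), and the thresholds are all assumptions for illustration, not any vendor’s log format or any organization’s real tuning.

```python
"""Toy detection logic for two ransomware-precursor behaviours:
lateral movement (one account -> many hosts, short window) and
exfiltration (large outbound volume to one external endpoint).
Everything below, including the log lines, is constructed for this
example; the format and thresholds are assumptions, not a real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|event|user|src|dst|bytes".
# 'logon' rows are interactive/network logons; 'netflow' rows are
# assumed to be pre-filtered to flows whose destination is external.
SAMPLE_LOG = """\
2020-07-10T01:02:11|logon|svc_backup|ws-014|fs-01|0
2020-07-10T01:03:40|logon|svc_backup|ws-014|fs-02|0
2020-07-10T01:05:02|logon|svc_backup|ws-014|sql-01|0
2020-07-10T01:06:55|logon|svc_backup|ws-014|dc-01|0
2020-07-10T01:07:30|logon|svc_backup|ws-014|hr-share|0
2020-07-10T01:08:12|logon|svc_backup|ws-014|bkp-01|0
2020-07-10T08:15:00|logon|jsmith|ws-022|fs-01|0
2020-07-10T09:40:00|logon|jsmith|ws-022|mail-01|0
2020-07-10T02:10:00|netflow|svc_backup|fs-01|203.0.113.45:443|1200000000
2020-07-10T02:25:00|netflow|svc_backup|fs-01|203.0.113.45:443|1500000000
2020-07-10T03:00:00|netflow|jsmith|ws-022|198.51.100.7:443|4000000
"""

# Assumed thresholds; a real deployment tunes these per environment.
LATERAL_HOSTS = 5                 # distinct hosts one account reaches ...
LATERAL_WINDOW = timedelta(minutes=30)  # ... inside this window
EXFIL_BYTES = 1_000_000_000       # 1 GB to one external endpoint ...
EXFIL_WINDOW = timedelta(hours=1)  # ... inside this window


def parse(log: str):
    """Parse the constructed format into dicts sorted by timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, user, src, dst, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src": src, "dst": dst,
                       "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def detect_lateral_movement(events, min_hosts=LATERAL_HOSTS,
                            window=LATERAL_WINDOW):
    """Return {user: hosts} for accounts that logged on to at least
    min_hosts distinct hosts within any sliding window of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "logon":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, logons in by_user.items():      # logons are time-ordered
        start = 0
        for end in range(len(logons)):
            while logons[end]["ts"] - logons[start]["ts"] > window:
                start += 1                    # slide the window forward
            hosts = {x["dst"] for x in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[user] = alerts.get(user, set()) | hosts
    return alerts


def detect_exfiltration(events, min_bytes=EXFIL_BYTES, window=EXFIL_WINDOW):
    """Return {(src, dst): peak_bytes} for (internal host, external endpoint)
    pairs whose outbound volume inside `window` reached min_bytes."""
    flows = defaultdict(list)
    for e in events:
        if e["event"] == "netflow":
            flows[(e["src"], e["dst"])].append(e)
    alerts = {}
    for key, fl in flows.items():
        start, total = 0, 0
        for end in range(len(fl)):
            total += fl[end]["bytes"]
            while fl[end]["ts"] - fl[start]["ts"] > window:
                total -= fl[start]["bytes"]   # drop flows that aged out
                start += 1
            if total >= min_bytes:
                alerts[key] = max(alerts.get(key, 0), total)
    return alerts


def run(log: str = SAMPLE_LOG):
    """Run both detections over a log and return their alerts."""
    events = parse(log)
    return {"lateral_movement": detect_lateral_movement(events),
            "exfiltration": detect_exfiltration(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On the constructed input the service account that fans out to six hosts in six minutes and the 2.7 GB leaving one file server for one external address are flagged, while the ordinary user’s two logons and 4 MB upload are not. The point is not the thresholds but that both signals exist in logs most organizations already collect; the Detect Function fails when nobody has written, tuned and watched rules like these.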
Failure of the Respond Function
Cyber threat actors then issue commands that copy the ransomware files to hosts and servers across the entire victim enterprise, and a large portion or all of the network is encrypted. This is a failure of the Respond Function: the malicious events and malicious software were not detected in time to contain and mitigate the attack before it spread across the victim network.
Failure of the Recover Function
If the victim organization’s senior leadership is now contemplating paying the extortion demand to obtain the keys to decrypt its network data, the organization’s backups have failed: they were reachable from the compromised network and were encrypted or deleted along with production data, or they were never proven restorable. This is a failure of your Recover Function. If the victim organization is also being extorted a second time over the sensitive data that was exfiltrated, data that no payment can bring back under the organization’s control, the organization’s enterprise-wide cybersecurity risk management program has failed.
A Strategic Perspective for Corporate Directors and Senior Executives
A successful ransomware attack on an organization today has multiple indicators that the organization’s enterprise-wide cybersecurity risk management program is failing, and the organization’s cybersecurity posture is not as mature as it needs to be.
The overall execution of the enterprise-wide cybersecurity risk management program is the responsibility of the entire senior leadership team, not just the Chief Information Officer (CIO) and/or the Chief Information Security Officer (CISO). In the event of a significant cybersecurity event, questions will be raised as to 1) how the senior leadership team addressed the cybersecurity requirements for the organization; 2) how senior leadership identified and evaluated the enterprise-wide cybersecurity risks impacting the organization, and 3) what relevant cybersecurity leadership training had been obtained by the entire senior leadership team.
This cyber-attack reality should serve as a wake-up call for corporate directors and executive management about the tactical, operational, and strategic impact of today’s cybersecurity threat on any organization. It also reveals the paramount challenge of providing proper cybersecurity governance and enterprise oversight so that the organization’s enterprise-wide cybersecurity risk management program is mature and continuously improving, to best protect the organization from today’s ever-evolving and increasingly sophisticated cyber threat actors.
If you are a corporate director or a member of your organization’s senior leadership team and feel you are not adequately prepared to carry out your governance and enterprise cybersecurity responsibilities, consider obtaining cybersecurity leadership training and engaging an independent cybersecurity advisor for executives.