Picture an uncleaned, unfiltered fish tank. Bacteria are rapidly spreading around in cloudy water, making it harder and harder for the fish to breathe. Now, imagine you feed the fish. How much did you actually change?
This simple scenario mirrors the state of today’s cybersecurity infrastructure. Security teams are being slowly drowned by attacks that weaken our nation’s largest businesses and critical infrastructure, with no chance to catch their breath. Ransomware gangs are demanding sums in the millions and, despite good intentions, the government’s recent efforts to remediate the situation are too little, too late.
The Fish Food
Biden’s May 12, 2021 Executive Order on Improving the Nation’s Cybersecurity was a step in the right direction, but it just isn’t enough. The primary themes of the order are improved prevention, detection, assessment, remediation, and information sharing, which are without a doubt crucial for the public and private sectors alike. However, they’re relatively obvious areas of focus that our nation’s largest companies have been fixated on for years, yet those company names are still showing up in headlines next to the words “ransomware” and “newest victim.”
In early June, the Department of Justice directed its prosecutors to give ransomware investigations the same priority it gives terrorism cases. While it may seem dramatic to put the two under the same umbrella, they’re really not all that different: weak security systems enable bad guys to inflict mass damage on the American population. This promotion of ransomware’s priority level is another welcome advance, but the path ahead is still cloudy.
Becoming the Shark
Sitting back, waiting for a 50-foot wave to hit, and only then trying to reach the surface is counterproductive. Intelligence is about detecting indications and warnings and preempting threats before they hit the shore. Security should take a similarly proactive approach. For too long, cybersecurity has been a reactive and defensive industry. Given the life-changing attacks of the past year, it’s clear this approach is getting us nowhere, and it’s time to take action.
We have to start making it clear to attackers that if they come in, they are the ones in danger. Active defense can take various forms, from planting decoys throughout your own network to partnering closely with law enforcement to put the bad guys behind bars; note that all of it happens on ground you control, not by reaching into the attacker’s systems. But whatever form it takes, it needs to be enough to show the adversary that they’re the guppy and your security team is the great white.
Put Lots of Fish in the Sea
We’re falling behind in the race against attackers and it’s time to catch up. If hackers are developing new attack methodologies, we need to be developing methodologies to stop those attacks at the same speed, if not faster.
Every company is looking to protect its critical assets, and that’s not likely to change any time soon. What security teams fail to realize is that it’s impossible to keep those assets safe if we only guard the perimeter against the attacks we deem most probable. We have to work from the inside out and assume we’re about to get hooked.
You’ve Been Reeled in. Now What?
Think about the past year. We’ve seen some of the best and brightest companies, Microsoft and SolarWinds among them, pummeled by attacks that shook their infrastructure loose. No organization, large or small, is immune from cyber threats. That’s why it’s so critical to assume compromise and prepare accordingly. Hackers know what your perimeter looks like. It can be guarded with the biggest and scariest defenses you have, but all of that is no use if the hacker knows what’s there and can swim around it into the wide-open waters of an active, flat and unsecured internal network.
But what if that seemingly wide-open sea of compromised credentials and weak passwords was actually full of decoys? Decoy accounts and planted credentials that no legitimate user ever touches turn every attempt to use them into a high-fidelity alarm. What if at every turn and every attempt to wreak havoc, the attacker got nowhere, got frustrated and gave up? That is what successfully fighting off a ransomware attack looks like.
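To make the decoy idea concrete, here is an added example (not code from the original article or from any vendor it alludes to) of the detection side of a decoy-credential program: a small detector that reads sshd-style auth log lines, flags any authentication attempt against a planted decoy account, and reports source addresses that touched decoys on more than one host, which is exactly the lateral-movement pattern described above. The decoy account names, the log lines and the `auth.log` format are all constructed assumptions for the example; a real deployment would feed the same logic from a SIEM or log pipeline.

```python
"""Decoy-credential (honeytoken) detector over sshd-style auth log lines.

Added example, not from the original article. Assumes Linux auth.log
formatting and a constructed list of decoy accounts; in practice the
decoy list and the log feed come from your own environment.
"""
import re
from dataclasses import dataclass

# Constructed decoy accounts. They are planted where an intruder will find
# them (a "credentials.txt" on a share, an old password-manager export, a
# stale entry in /etc/passwd with no real privileges) and are never used by
# real people, so ANY authentication attempt against them is a signal.
DECOY_ACCOUNTS = {"svc_backup_admin", "dbadmin_old", "jsmith_contractor"}

# Matches lines such as:
#   Jun  3 02:15:41 web01 sshd[2240]: Failed password for invalid user x from 10.0.9.77 port 40022 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    outcome: str   # "Accepted" or "Failed"
    severity: str  # "critical" when the decoy actually logged in, else "high"


def parse_line(line):
    """Return the parsed fields of an sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Emit one Alert per authentication attempt against a decoy account.

    A failed attempt already proves someone is spraying harvested names; a
    successful one means the planted password was found and used.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["user"] not in decoys:
            continue
        severity = "critical" if ev["outcome"] == "Accepted" else "high"
        alerts.append(Alert(ev["ts"], ev["host"], ev["user"],
                            ev["src"], ev["outcome"], severity))
    return alerts


def lateral_movement_sources(alerts):
    """Map each source IP that touched decoys on more than one host to those hosts."""
    hosts_by_src = {}
    for a in alerts:
        hosts_by_src.setdefault(a.src, set()).add(a.host)
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) > 1}


# Constructed sample log: one legitimate login, one decoy spray from
# 10.0.9.77 that moves from web01 to db02 and finally succeeds, plus noise.
SAMPLE_LOG = [
    "Jun  3 02:14:07 web01 sshd[2231]: Accepted publickey for deploy from 10.0.4.12 port 51822 ssh2",
    "Jun  3 02:15:41 web01 sshd[2240]: Failed password for invalid user dbadmin_old from 10.0.9.77 port 40022 ssh2",
    "Jun  3 02:16:03 db02 sshd[1188]: Failed password for svc_backup_admin from 10.0.9.77 port 40031 ssh2",
    "Jun  3 02:16:09 db02 sshd[1188]: Accepted password for svc_backup_admin from 10.0.9.77 port 40031 ssh2",
    "Jun  3 02:20:55 web01 sshd[2259]: Failed password for deploy from 10.0.4.12 port 51900 ssh2",
    "Jun  3 02:21:00 web01 CRON[2300]: pam_unix(cron:session): session opened for user root",
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity.upper()}] {a.ts} {a.host}: {a.outcome} login for decoy "
              f"'{a.user}' from {a.src}")
    for src, hosts in lateral_movement_sources(found).items():
        print(f"[LATERAL] {src} touched decoys on {', '.join(hosts)}")
```

Two points a practitioner should take from this. First, the decoy accounts must look like everything else in the sea, or the attacker swims past them; the `svc_` and `_old` naming above is chosen to blend in with the kind of credential sprawl a real network accumulates. Second, the "Accepted" case must never be a real foothold: the decoy’s password is genuinely planted so the login succeeds and fires the critical alert, but the account should carry no privileges, no reachable data and ideally a shell that does nothing, so the only thing the attacker gains is a place on your watch list.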
These three areas, proactive positioning, diversified threat detection and assuming compromise, are what the government should be focusing on. Instead of just saying, “tell us when ransomware attacks happen,” the federal government needs to take the lead in identifying how and why companies are vulnerable to attacks right now. Organizations need a methodology that helps them find the weaknesses that let attackers establish footholds in the network and move laterally to reach critical assets.
Both the executive order and the DOJ’s elevation of ransomware are welcome, but they are still not enough. We know we have to keep swimming; a little direction on how to avoid drowning would be nice.