A Popular Opinion Quandary About Ransomware
There seems to be a limited range of popular opinion among IT professionals about ransomware. I recently read a survey reporting that most IT pros believe that backups are the only defense against ransomware. I’m still amazed that another survey claimed that 39% of cyber professionals believed that they were “powerless” to stop ransomware.
The recent iNSYNQ cloud provider ransomware attack should puzzle anyone holding the popular opinion that backups are the only defense against ransomware. The bad actors patiently spent 10 days getting to a position in which they could encrypt backups.
Bad actors. Ten days.
Ten days to integrate with and infect backups.
This isn’t just a blow to the idea that popular opinion might be a perfect fit for a given incident. It’s also a blow to the idea that most organizations are configured and able to detect bad-actor behavior within a reasonable amount of time, especially malicious activity directed at their backups.
Backups are a good thing.
That said, I sometimes wonder if popular opinion about backups and ransomware is just the end product of an entire industry looking at the frequency of successful attacks and collectively deciding that nothing but backups can help. Because, you know, we’ve all heard about some organization that restored from backups that one time. And that seemed to work. And backups are easy. And we do backups already.
Box checked for ransomware defense.
And yet here we are with the lessons from iNSYNQ where backups were infected too. The organization’s primary control compromised. Conventional wisdom crushed.
It’s as if now we’ve forgotten that ransomware shares all of the same strengths and weaknesses as other malware. Once that line is crossed, we’ve been reduced to a strategy of “cross fingers and hope”.
There is an opportunity cost in sinking all hope into a single control. Perhaps that hope should have gone into improving capabilities to actually protect the network before, during, and after those emails get to users.
But where to invest?
- The obvious capabilities like having a modern AV, email filter and email attachment sandbox.
- The controls that require ongoing work like user awareness training.
- The less obvious and more complex things like removing user accounts from the local administrator group or GPOs that restrict file macros.
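The two “less obvious” controls in that list are easy to state and easy to drift out of, so it helps to audit them rather than assume the GPO landed. The script below is an added example, not code from the original post or from any named organization: it reads the local Administrators group and the Office macro policy keys on one Windows endpoint and flags anything outside a baseline. It assumes Windows 10 / Server 2016 or later (for `Get-LocalGroupMember`), Office 2016/2019/365 (registry version key `16.0`), and that the `$ExpectedAdmins` list is a placeholder you replace with your own baseline.

```powershell
# Added example, not from the original post: a read-only audit of two of the
# "less obvious" ransomware controls on a Windows endpoint.
#   1. Who is in the local Administrators group (should be a short, known list).
#   2. Whether Office macro policy blocks Internet-sourced and unsigned macros.
# Assumptions (not from the post): Windows 10 / Server 2016 or later for
# Get-LocalGroupMember; Office 2016/2019/365 (registry version key 16.0);
# $ExpectedAdmins is a placeholder baseline you replace with your own.

param(
    [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins')
)

function Test-LocalAdminMembership {
    # One object per member, with a Finding column for anything outside the baseline.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $shortName = $_.Name.Split('\')[-1]
        [pscustomobject]@{
            Control = 'LocalAdmins'
            Item    = $_.Name
            Detail  = "$($_.ObjectClass) from $($_.PrincipalSource)"
            Finding = if ($ExpectedAdmins -contains $shortName) { 'OK' } else { 'UNEXPECTED' }
        }
    }
}

function Test-OfficeMacroPolicy {
    # Documented Office policy values: VBAWarnings 3 = disable all except digitally
    # signed, 4 = disable all without notification; blockcontentexecutionfrominternet
    # 1 = block macros in files that carry the Mark of the Web.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba  = $prop.VBAWarnings
        $motw = $prop.blockcontentexecutionfrominternet

        [pscustomobject]@{
            Control = 'MacroPolicy'
            Item    = "$app VBAWarnings"
            Detail  = if ($null -eq $vba) { 'not set (GPO not applied)' } else { $vba }
            Finding = if ($vba -in @(3, 4)) { 'OK' } else { 'WEAK' }
        }
        [pscustomobject]@{
            Control = 'MacroPolicy'
            Item    = "$app BlockMacrosFromInternet"
            Detail  = if ($null -eq $motw) { 'not set (GPO not applied)' } else { $motw }
            Finding = if ($motw -eq 1) { 'OK' } else { 'WEAK' }
        }
    }
}

$results = @(Test-LocalAdminMembership) + @(Test-OfficeMacroPolicy)
$results | Format-Table -AutoSize

# Non-zero exit when anything needs attention, so the script can gate a build or open a ticket.
if ($results | Where-Object Finding -ne 'OK') { exit 1 } else { exit 0 }
```

Run it from a scheduled task or an endpoint-management job and collect the exit code; a machine that reports `UNEXPECTED` or `WEAK` is the one where the control exists on paper but not on the box, which is exactly the gap the post is describing.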
But, if we do these things, we are left with a quandary. We have to build consensus around a harder, potentially unpopular approach versus an easy and popular approach that reflects conventional wisdom.
An organization may not justify the investment. So, they stick with popular opinion. And that’s a purposeful choice. Popular opinion may also be why so many IT security professionals feel helpless against ransomware. But, popular opinion won’t necessarily save your network from ransomware or any other serious malware.
Popular opinion has no success, failure, or even consequences if it doesn’t stop ransomware.
Only you, your threat modeling, and resulting defensive depth in security controls will.
For more insights into how cyber leaders can best enable the business and build rock solid cyber programs, please follow me on Twitter at @opinionatedsec1