Am I Secure From Ransomware?

The short answer is no. But let’s dig into that. How can we tell how at risk we are?

I was recently asked for my opinion on the best way to know someone’s risk level of being hit by ransomware. My first response was a smirk; then I started thinking. If I needed to understand the risk level, what would I want to look at? I realized there were a few key concepts to accept up front. There is no single way to prevent or prepare for ransomware. It is a complex relationship between business resiliency, technology architecture, and risk tolerance.

Naturally, the first thing I did as I thought about this was spend some time googling. One of the first items that pops up is NISTIR 8374 - Ransomware Risk Management. Starting on page 1, I was pleasantly surprised to find quite a complete list of actions that should be taken to help prevent ransomware, though very little on how to actually accomplish those things. And let’s be frank: in an ideal world or a greenfield environment, I think we could all pretty easily come up with a plan to create a rock-solid security architecture for an organization. The reason security leaders are so expensive and in such high demand is that those environments don’t exist. We have to figure out how to retrofit those ideas into 30+ years of commingled technologies, ideas, architectures, and false starts. Everything else I found was either from a vendor who ultimately tried to sell you their product or was about preparing for an incident response.

So how does this help?

It doesn’t. So I took a different approach, because no one will ever be able to provide a walkthrough for securing an organization from ransomware. Either it will be too high level, much of it won’t be applicable to many organizations, it would be too complex to ever write down, or it will reveal too much about their own org. So I decided to think about what things would indicate an increased risk of ransomware and what I would want to monitor. Here is my stab (open for collaboration) at the things I would want to track as indicators, in order to inform the risk associated with ransomware in an organization. Also keep in mind that ransomware is a complex animal and the risks are numerous. We can consider data exfiltration, data loss, business continuity, loss of operations, Advanced Persistent Threat (APT) activity, and many other scenarios.

The reality is, we can spend enormous amounts of effort to build models, run simulations, quantify the potential loss, etc. Regardless of the effort put into precision, the response is always going to be the same. The point of diminishing returns occurs quickly, so my take is the KISS approach. Let’s balance a needle between “we’re about to get our butts kicked” and “we’re better than most”, and I believe we can determine that with a handful of key risk indicators (KRIs).

I am not necessarily approaching every area or specific domain relevant to ransomware individually, but rather just prioritizing the areas where I think the most value will be gained from measurement.

I’d love input on these; feel free to make PRs and suggestions: https://github.com/andrewdalaniz/ransomware-KRIs (note: this is not about detecting or preventing ransomware, but about understanding the risk. If you don’t know the answer to one of these items, “I don’t know” still informs risk.)

Other references:

Bloodhound

AWS Ransomware Whitepaper
