Ransomware attacks are the key cyber threat facing businesses and organisations, warned Lindy Cameron, head of the UK’s National Cyber Security Centre (NCSC), while US President Joe Biden is signing a national security memorandum to strengthen cybersecurity for critical infrastructure in the wake of a series of recent ransomware attacks.
For cyber criminals, ransomware is a low risk, high reward activity, with a virtually unlimited supply of potential victims. And the arrival of Ransomware-as-a-Service (RaaS) only serves to lower the bar to entry and increase the scale and volume of attacks.
It is clear that businesses and critical national infrastructure need to do more to build cyber resilience and stop attacks from reaching their targets. Waiting for nation states including Russia, China and North Korea to mobilize their law enforcement bodies and work together to fix the ransomware threat is not a strategy: that cooperation is not going to happen any time soon.
Governments and industry bodies have published pages of guidance and advice for mitigating malware and ransomware attacks. The long list of recommendations includes making regular back-ups, along with measures to prevent malware from being delivered, spreading to and running on devices, and how to prepare for an incident. That’s a lot to take in and sort out, particularly for SMEs without the time, expertise and budget to implement all the recommendations.
Maybe I’m missing the point, but I like a simple solution to a problem rather than a complicated one. Ransomware is clearly a major problem and, not surprisingly, the cyber security industry is not short of its own advice and solutions. Increasingly complicated technologies try their best to identify the ‘bad stuff’ before it can do any damage. One example is Managed Detection and Response (MDR), which combines threat intelligence, threat hunting, security monitoring, incident analysis and incident response, all leveraging telemetry from endpoints that monitors user behavior while looking for anomalies.
Very clever, but that all sounds very complicated. Here’s my thinking. In a business context, the software that runs on an endpoint such as a PC or laptop is pretty stable. Even modestly sized organisations will establish a standard ‘build’ that’s rolled out to all endpoints, and any changes will have to be assessed and authorized by the IT department before being deployed. Therefore, we know which software is authorized to run on each endpoint. We also know that ransomware, like any other form of malware, has to run to do its work. Finally, we know that malware, however well disguised, is not one of the processes that is authorized to execute on any endpoint in the business.
This being the case, why bother with all the complicated software looking for the bad stuff – malicious code running on your devices – a procedure that can never be 100% effective? Isn’t it better to simply assume that if something is not authorized then it shouldn’t be allowed to run? That is a zero tolerance approach to applications and code, driven by machine learning and AI technology.
To block ransomware, all we really need to do is to block everything which is not recognized as being on the authorized list of processes.
It’s the bouncer at the nightclub approach: ‘If you’re not on the list, you are not coming in’. No argument. Simple.
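As an added illustration of the ‘not on the list, not coming in’ rule (example code written for this article, not a product or tool the author describes), the following models a deny-by-default execution policy. It identifies each authorized program by both its deployed path and the SHA-256 of its bytes, so a binary that borrows an approved name but carries different content is still refused, and it keeps an audit trail of every decision. The file names, contents and the temporary ‘standard build’ directory are constructed for the demonstration; a real deployment would enforce the list through the operating system’s own mechanism (Windows AppLocker or WDAC, for instance) rather than in a userland script like this one.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class AllowlistEntry:
    # Absolute path the standard build deploys this program to,
    # and the SHA-256 of the file's bytes at the time it was approved.
    path: str
    sha256: str


def sha256_of_file(path: str) -> str:
    """Hash the executable's content in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionPolicy:
    """Deny-by-default: a process image may run only if its path AND its content hash are on the list."""

    def __init__(self, entries):
        self._by_path = {os.path.normcase(os.path.abspath(e.path)): e.sha256 for e in entries}
        self.audit = []  # (path, verdict, reason) tuples: the record a security team reviews

    def evaluate(self, image_path: str) -> Verdict:
        key = os.path.normcase(os.path.abspath(image_path))
        expected = self._by_path.get(key)
        if expected is None:
            # Anything not explicitly authorized is refused, whatever it claims to be.
            return self._record(image_path, Verdict.DENY, "path not on authorised list")
        actual = sha256_of_file(image_path)
        if actual != expected:
            # Same name and location as an approved program but different bytes:
            # a tampered or disguised binary is still denied.
            return self._record(image_path, Verdict.DENY, "content hash mismatch")
        return self._record(image_path, Verdict.ALLOW, "path and hash match")

    def _record(self, path: str, verdict: Verdict, reason: str) -> Verdict:
        self.audit.append((path, verdict, reason))
        return verdict


def demo():
    """Build a constructed 'standard build' in a temp dir and evaluate three execution requests."""
    with tempfile.TemporaryDirectory() as build:
        approved = os.path.join(build, "payroll.exe")  # constructed approved program
        with open(approved, "wb") as f:
            f.write(b"CONSTRUCTED approved payroll program v1.0")
        policy = ExecutionPolicy([AllowlistEntry(approved, sha256_of_file(approved))])

        # Case 1: the approved program, unchanged -> ALLOW.
        v1 = policy.evaluate(approved)

        # Case 2: an unknown program dropped into the same folder -> DENY.
        unknown = os.path.join(build, "invoice_viewer.exe")  # constructed, never approved
        with open(unknown, "wb") as f:
            f.write(b"CONSTRUCTED unrecognised program")
        v2 = policy.evaluate(unknown)

        # Case 3: the approved file overwritten with different bytes under the same name -> DENY.
        with open(approved, "wb") as f:
            f.write(b"CONSTRUCTED different content, same filename")
        v3 = policy.evaluate(approved)

        return v1, v2, v3, [entry[2] for entry in policy.audit]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of hashing content rather than trusting the filename is the ‘however well disguised’ case above: the list describes what the IT department actually approved, not what a file calls itself. The audit list is what turns a blocked execution into something the business can investigate, which is how a denied run becomes an early warning rather than a silent event.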