Cybersecurity analysts for Defense contractors can often feel that they are stuck between a rock and hard place. On the one hand, they must continually work toward compliance with long-term initiatives directed by the DoD, many of which are designed to take years to come to fruition. On the other hand, they must stay continually alert to new types of threats.
One of these ever-changing threats is ransomware. While the most high-profile ransomware attacks of recent years have not struck defense contractors, ransomware groups continue to target high-value data, and the risk persists. The ransomware industry continues to grow, continues to organize, and headlines continue to show how vulnerable even large companies can be.
Responding to emerging ransomware threats while still retaining a strategic vision is challenging, but can be achieved by using a data-driven approach to cybersecurity. Defense contractors in particular can use well-established strategies to respond to new threat vectors, stay up to date on the latest dangers of ransomware, and implement the best defenses.
Data-Driven, Collaborative Approaches
Before looking at emerging threats, it’s worth reviewing the strategic direction of defense cybersecurity. In this year alone, the National Counterintelligence and Security Center issued the their strategy for the United States of America, 2020-2022, which highlighted a number of areas in which defense contractors are required to improve cybersecurity.
In some ways, the framework is a welcome development. It highlights several aspects of cyber risk – and particularly the vulnerability of the supply chain used by defense contractors – and seeks to put systems in place for hardening them. What these new frameworks don’t overtly highlight is how smaller, low-profile organizations within the supply chain can implement these strategies in an effective way.
Major cybersecurity administrations achieve these goals by using automated tools to assess the vulnerability of contractor systems and building heat maps of where they are most vulnerable. This approach mirrors that being used at the Department of Defense itself, whose cybersecurity scorecard allows staff to demonstrate current threats and vulnerabilities. Other federal departments are also trialing this approach, with the Department of Homeland Security piloting its Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm which aims to provide an analysis of the attack surface of the agency and its contractors.
These data-driven, collaborative approaches are certainly welcome. The complexity of defense contractor systems, and the increased requirement to share sensitive information between federal agencies and contractors, necessitate a collaborative approach. That being said, it’s important to keep in mind the ongoing, cat-and-mouse nature of threats and security solutions. Heat maps are helpful to start studying the patterns of threat intelligence, but it’s still far from certainty that heat maps are insightful enough to isolate and mitigate emerging threats.
While the National Counterintelligence Strategy might provide a roadmap for the next decade of threat intelligence, it doesn’t do much to help contractors who deal with the daily emergence of new threat vectors.
The Rise and Evolution of Ransomware
One of these threat vectors, and one that is becoming a major source of stress for defense cybersecurity analysts, is ransomware. The frequency and severity of ransomware attacks has been rising steadily for years, but there are now signs that the “industry” is maturing, and therefore becoming a major source of danger for defense contractors.
For some context into how this crime is evolving, research by CyberEdge shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017. A related report, focused on the defense sector, states that 62% of organizations were victimized by ransomware in 2019, up from 56% in 2018 and 55% in 2017.
Perhaps even worse, the research indicates that an increasing number of victims are paying threat actors for the return of their data, and that fully 69% of those surveyed expected an attack of this nature in 2020. Both of these statistics indicate that, unfortunately, defense firms recognize the need for improvement in their systems for dealing with ransomware.
To make matters worse, recent hacks suggest that ransomware is growing in complexity. Recent years have seen the emergence of cryptomining malware and encrypted malware, both of which are able to defeat “traditional” threat intelligence systems. Another malicious trend that can be observed through recent threat intelligence is that these organized groups are expanding their operations through dark web forums offering “Ransomware as a Service.”
Ransomware as a Service (RaaS) empowers individual threat actors with the necessary tools to extort a victim organization with little to no coding required. As stated on “recruitment” dark web forums, ransomware groups are now calling for individual bad actors to deploy malware on behalf of Maze, REvil, and Avaddon to name a few. This tips the landscape even more in favor of ransomware groups as they can now rely on steady distribution of their malware, focus on development of said malware, and offer incentive to other bad actors.
Ransomware poses a particular threat to companies working in the defense industry due to two reasons. The first is that defense contractors store data which are not just personally sensitive, but potentially of national security importance. The second is that, given the interconnected nature of the industry, a successful ransomware attack on one firm can have significant domino effects on dozens of others. It’s important to reiterate here the effectiveness of a VPN. As defined by Will Ellis, a network security analyst at Privacy Australia, “a VPN allows you to connect to the internet through a private encrypted tunnel that significantly reduces the chance you’ll fall victim to cybercrime.”
These reasons come with little comfort to cybersecurity analysts working in the defense sector, many of whom are devoting their limited resources to reaching compliance with a raft of new cybersecurity frameworks issued by the DoD: reaching compliance with the CMMC is going to be difficult enough without having to also build mitigation systems for ransomware.
That being said, there are two key lessons to be learned from recent ransomware attacks, and the direction of travel in the counterintelligence community.
One is that the type of heat map being used in federal agencies is a key tool in the fight against ransomware. Taking this kind of global approach to your systems can allow you to see exactly where you are vulnerable to malware, and particularly to ransomware.
Heat maps of this kind are useful in arguing for extra resources for cybersecurity, because security professionals can use them to point out why firms need email verification, why cloud storage is safer than standard storage, and improve overall communications between IT and C-Suite teams.
The DoD produces resources for firms looking to build a model of this type, and many analysts have also produced guides on using threat intelligence software alongside such models to achieve truly data-driven defense.
The second lesson to be drawn from recent ransomware attacks is that, after building a heat map for your organization, you are likely to find that your external communications are still the biggest source of threat. Research shows that more than 90% of successful attacks start with a phishing scam, and 60% of attacks also involve unpatched vulnerabilities, despite huge programs of staff training and basic cyber hygiene over the past decade.
Strategy vs. Tactics
Ultimately, effective cyber defense must be simultaneously based on two principles. It’s important to look at the direction of travel in the industry, to build strategic plans that take the best practices of both federal agencies, and apply them to your own firm.
On the other hand, it’s also worth recognizing that strategy isn’t everything, and that if it focuses too much on high-level organization transformation, your cybersecurity plan may be doing more harm than good.
By utilizing the kind of data-driven approaches now being rolled out across federal agencies and defense contractors, you can achieve a balance between these two priorities: a cyber defense strategy that is compliant with the DoD’s vision, but one that is also agile enough to deal with ever-evolving ransomware threats.