Hope everyone had a great July 4th! I decided to take some time off writing and enjoy the summer weather, but now I’m back.
A couple of exciting developments:
I started to code again. I used Python, Go, and C++ primarily during my PhD. I have to say that I don’t like Python3, and C++ is well…. C++. I have to say that Go is a slick language, and it’ll probably be my go-to language from here on out. It’s also surprisingly fast, but mainly, it closely models C++ but smooths out most of the weird syntaxes.
I am going to Blackhat, mostly out of curiosity. So, if you want to meet up, send me an email!
LET’S BE FRANK
I have a feeling I’m going to have a bad time at Blackhat because everything is going to be about ransomware. As an infosec person, I have a dirty secret… Most security companies don’t actually solve the problems they claim to solve.
I’m sorry to those VCs out there who thought they invested in a company that solves or mitigates ransomware. You probably should have tried to understand the problem instead of getting stuck in deal heat and buzzwords. I guess it’s OK as long as Tiger marks it up eventually, right?
Anyway, the truth is that no product can solve the ransomware problem, in the same way that no product prevents hacks or data leakage. As with any hack, even with all the precautions in place you can’t fully prevent ransomware from occurring, so an organization needs a strategy to address it. There’s no magical panacea.
Before talking about ransomware, let’s make sure we know what it is. This writeup by Malwarebytes describes ransomware pretty well, but if you want a non-vendor version, this FAQ from Berkeley is well-written.
There are two main ways ransomware gets in. First, and most commonly, a user clicks on a phishing email and opens an attachment that carries the malware. Second, a user visits a site that fingerprints his/her computer and checks whether there’s anything exploitable; if so, the malicious website installs malware through an iframe. Of course, there are other ways, such as breaking into a system and installing the malware by hand, but these two are the most common.
The most common type of ransomware is malware that encrypts files and demands payment in order to decrypt them. This is the type that has been making the news.
Now that we have a baseline for what it is, why can’t a single solution prevent it? Nothing about ransomware is new or unique. It’s just a form of malware that is commonly delivered through phishing. Malware and phishing have been around since the beginning of the internet, and despite all the security tools and products, we haven’t been able to solve either problem.
Just calling it something different doesn’t change the underlying problem. In short, we need to manage ransomware the same way that we manage malware and phishing. Here are some examples (by no means comprehensive):
Limit or even eliminate local admin rights on endpoints. Over 80% of hacks occur as a result of leaked credentials. CISOs see a reduction of over 90% in malware on endpoints once they fully revoke local admin rights.
Have a strong phishing management program with training. Surprisingly, this does help reduce the number of phishing incidents. The annoying thing, however, is that phishing is a low-effort but high-impact method of attack: all it takes is one employee clicking the wrong link.
Run a strong endpoint management program. Having an endpoint security product helps companies respond to the attacks that inevitably happen.
The list goes on. The main difference with ransomware is that it targets and encrypts files, so there also needs to be a strategy to regularly back up files and manage file access. In a sense, an organization needs to treat ransomware the same way it would treat an employee losing their computer or accidentally deleting files.
Solving ransomware is hard, but it’s not a scary, new thing, and I hate how security companies are playing on that fear. Ransomware is rooted in two things, phishing and malware, and both have been around since the beginning of infosec. However, I have to applaud those who have managed to trick VCs and security newcomers! It’s all fun and games until these people find their way to me and try to explain why ransomware is the biggest threat since the cloud…
Anyway, I’m happy to discuss this more via email as always. But please don’t send me emails saying that you can solve ransomware. I will report those as phishing.
TWEET OF THE WEEK
Zing!
Good post, Frank. Phishing is the #1 attack vector for a reason. Great points on hygiene. We see lots of opportunity to improve / limit admin rights across the mid market.
Have you thought about including the software supply chain attack phenom? Trusted applications (like Orion and VSA) with full network access gone bad are very difficult (impossible) to prevent but can be detected and stopped.