Andy Warhol, the famous artist, film director and producer, said in 1968 that "in the future, everyone would be famous for 15 minutes."
He could have been talking about ransomware too. Ransomware attacks have stepped up and are commanding attention like never before. But unfortunately, it looks like these first 15 minutes of fame won't be their last.
Ransomware today has become the threat actor's weapon of choice. Everyone from nation-states to organized crime gangs to lone criminals is carrying out ransomware attacks more frequently, causing millions of dollars in reputational damage, recovery expenses, extorted ransom payments, loss of revenue, inability to use critical infrastructure and much more. Recognizing this, the US government has begun taking steps to improve the nation's cybersecurity posture.
Last week, President Biden signed a memo outlining plans to strengthen cybersecurity in the nation's critical infrastructure services. In it, the President directs the country's national security agencies to develop cybersecurity performance measures intended to guide operators of critical infrastructure — banks, hospitals, utilities — when it comes to protecting their networks.
The memo aligns with a TSA security directive issued earlier in the month requiring infrastructure operators to take additional measures to protect their networks from cyber-attacks such as the ransomware infections that froze Colonial Pipeline's operations. Both come on the heels of the White House's Executive Order in May to protect the federal government's networks by improving cyber intelligence-sharing between the public and private sector to strengthen the country's ability to respond to incidents when they occur.
These directives are welcome frameworks for both sectors to act. But it's up to each organization to maintain an incident response playbook and team. The administration notes in the newest memo that it "expect[s] that all responsible critical infrastructure owners and operators will apply them." As Anne Neuberger, the deputy national security advisor for cyber and emerging technology, noted in May: "All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location. To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations."
Therefore, the ball is squarely in the private sector's court, and executives across industries need to take steps to protect their networks and data from cyber-attackers. To help, the White House has suggested five best practices for safeguarding against ransomware attacks that organizations around the world can use to secure their networks:
- Back up your data, keep backups safe, regularly test them and keep them offline, as many ransomware variants try to find and encrypt or delete accessible backups.
- Update and patch systems promptly and consider using a centralized patch management system.
- Test your incident response plan by asking yourself questions such as how long you can sustain business operations without access to certain systems and what the effects would be if they went offline.
- Check your security team's work with a third-party pen tester to find unlocked doors.
- Segment your networks to mitigate the effects of an attack and filter and limit internet access only to those who need it.
To these five, we can add using DNS security as the first line of defense. As the President's most recent memo notes, "We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems."
DNS is one such technology. As one of the first protocols a device uses to connect to a network, DNS gives security teams visibility into how each connected device behaves. And since ransomware, like more than 90% of malware, uses DNS at one or more stages of the cyber kill chain, DNS can provide a powerful, foundational layer of security to protect corporate devices, workloads and data, whether they are on premises, in the cloud or in remote/home offices. Using threat intelligence and analytics on internal DNS enables teams to detect and block malicious activity early, before ransomware spreads or downloads the encryption software, making it an incredibly cost-effective method for securing a network.
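The two techniques named above, threat-intelligence matching and analytics on internal DNS, are sketched below as an added example; it is not code from the original article or from any product. The log format, feed entries, client addresses and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed threat-intel feed (placeholder names under reserved TLDs).
THREAT_INTEL = {"c2.badhost.example", "payload-drop.test"}
ENTROPY_THRESHOLD = 3.5   # assumed cut-off for random-looking labels
MIN_LABEL_LEN = 12        # assumed: ignore short labels
NXDOMAIN_BURST = 3        # assumed: suspicious NXDOMAINs per client

# Constructed internal resolver log: "<client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.7 c2.badhost.example NOERROR
10.0.0.9 xk2j9qpl4mzt7vbn.example NXDOMAIN
10.0.0.9 q8w3e7r1t5y9u2i6.example NXDOMAIN
10.0.0.9 z1x5c9v3b7n2m6k4.example NXDOMAIN
10.0.0.8 files.payload-drop.test NOERROR
"""

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def on_blocklist(qname):
    """True if qname or any parent domain appears in the feed."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in THREAT_INTEL for i in range(len(labels)))

def looks_generated(qname):
    label = qname.split(".")[0]  # leftmost label only
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD

def analyze(log_text):
    """Return {client_ip: sorted reasons} for clients that need triage."""
    findings = defaultdict(set)
    nx_random = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, rcode = parts
        if on_blocklist(qname):
            findings[client].add("threat-intel match: " + qname)
        if rcode == "NXDOMAIN" and looks_generated(qname):
            nx_random[client] += 1
    for client, n in nx_random.items():
        if n >= NXDOMAIN_BURST:
            findings[client].add(f"{n} NXDOMAIN answers for random-looking names")
    return {c: sorted(r) for c, r in findings.items()}

print(analyze(SAMPLE_LOG))
```

The per-client result is what makes this useful for containment: it names the internal host to isolate, not just the domain to block.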
This year's attacks against meat processor JBS and Colonial Pipeline represent the types of ransomware attacks that organizations worldwide face every day. Cyber-attacks like these against critical service providers can potentially impact not just these businesses themselves but also everyday life — from causing long lines at gas stations to sharply increasing food prices.
Now is the time for organizations to act. Otherwise, more than just our infrastructure will be at risk.