Clarke: How to mitigate ransomware, protect the cloud
Renowned cybersecurity expert Richard Clarke delves into protecting your network from ransomware and what cloud adoption means for your security strategy.
The article summarizes a Network Disrupted podcast interview with cybersecurity expert Richard A. Clarke about ransomware protection, cloud security, and organizational preparedness. It outlines practical defensive and mitigation steps—insurance review, offline backups, micro-segmentation, stealth networks, user education, alternate communications, and managed security services—while emphasizing that cloud security is a shared responsibility and migrations require new skills and planning. Clarke also warns against “first-occurrence syndrome,” advising governments and enterprises to budget for cybersecurity like essential utilities and to hold cross-functional ‘dirty thinking’ sessions to anticipate unlikely but catastrophic events.
What practical steps does Richard Clarke recommend organizations take to protect themselves and mitigate damage from ransomware?
Clarke recommends a layered approach that starts with reviewing insurance policies to understand ransom exposure. For mitigation and recovery he advises routine offline backups kept for at least two months, golden disks for critical software, and a maintained restoration plan. Operational controls include micro-segmenting data centers with distinct security zones and multi-factor controls, creating a minimal stealth website or network to restore essential services, educating employees to reduce phishing success, and preparing a clean communications kit (phones, printers, VoIP) for crisis use. He also suggests using managed security service providers if in-house expertise is lacking.
How does Clarke say cloud adoption affects an organization’s security responsibilities?
Clarke emphasizes that public cloud providers operate under a shared responsibility model: cloud vendors can be part of your security posture but will not secure everything for you. Organizations must verify whether existing on-premises tools—such as data loss prevention, vulnerability scanners, and alarms for misconfigured S3 buckets—work in the cloud, and they may need new skills or consultants for migrations. He recommends hybrid and multi-cloud strategies, creating a cyber register or roadmap of policies and projects, and hiring consulting services for complex cloud migrations to avoid gaps in coverage.
What is ‘first-occurrence syndrome’ and how should organizations address it according to Clarke?
Clarke describes ‘first-occurrence syndrome’ as the tendency to ignore expert warnings about disasters that have never happened before, leading organizations to underprepare for unlikely but catastrophic events. To counter this, he advises creating safe, cross-functional forums where experts can ask hard questions and perform ‘dirty thinking sessions’ to explore how existing defenses could fail, what an attacker would need to succeed, and the potential costs if it happens. He also recommends planning and budgeting for cybersecurity at a government and enterprise level much like essential utilities to ensure readiness for low-probability, high-impact threats.
These days, ransomware is high on the list of cybersecurity worries for enterprises and governments. It’s incredibly prevalent, highly visible, and extremely damaging (remember the WannaCry ransomware attack in 2017?). It can easily cripple your network infrastructure unless a ransom is paid.
It can also generate a great deal of fear and not much clarity about what to do about it. That’s especially true when it comes to the cloud.
On the Season 3 premiere of the Network Disrupted podcast, cybersecurity expert Richard A. Clarke sat down with host and BlueCat Chief Strategy Officer Andrew Wertkin. He unpacked how we can think about ransomware protection and what cloud adoption means for your security strategy.
Now an author and the CEO of cyber security risk management firm Good Harbor, Clarke served under three U.S. presidents in various senior national security positions. Under President Bill Clinton, he was the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, a cabinet-level position. He was also the first special advisor to the president for cyberspace and was the national crisis manager on 9/11.
How to start protecting your organization from ransomware
It can be daunting to understand all the points at which network traffic and access need protection from ransomware if the business is to keep running safely.
Clarke says to start by understanding your insurance policies. Often the first thing an attacker does after gaining access is look up the organization’s cyber insurance coverage to see what dollar amount the ransom demand should be. Insurers, in turn, will often rather pay the demanded amount than fund a rebuild, because rebuilding can be vastly more expensive.
If you can’t prevent it, at least mitigate the damage
Second, Clarke says, is to realize that, no matter how hard you try to prevent it, you might still get hit by a ransomware attack.
To that end, he suggests some best practices for mitigating the damage and restoring services:
- Back up services and infrastructure offline. Back up routinely, store the backups completely offline, and keep several generations going back at least two months. Use golden disks for key pieces of software. Furthermore, develop and maintain a restoration plan, and test it.
- Micro-segment the network. To minimize the hurt caused by an attack, divide your data center(s) into distinct security segments and define multi-factor security controls for each.
- Create a stealth network. Create a stealth website that you can activate when needed, or even a whole stealthy network. It doesn’t have to be a complete mirror—just the essentials to get up and running again.
- Educate your workforce about phishing attempts. Most of the time, ransomware finds success through phishing methods. It pays to improve internal knowledge and educate end users on how they can avoid phishing attempts.
- Create a clean communications alternative. People can’t manage crises without communications devices, and the ones they normally use may be compromised or down. Develop a backup communication plan and assemble a kit of mobile phones, printers, VoIP, and other essential tools to be used only when your organization is hit with an attack.
Get expert help if you need it
Clarke and Wertkin agreed that small and medium-sized organizations typically don’t have the staff or expertise to effectively manage cybersecurity themselves and should consider using managed security service providers to relieve some of the burden.
Governments should consider deterrence at the policy level
Organizations go to great lengths to protect themselves from cyberattacks. Even so, there is only so much they can do on their own.
To further deter attackers, governments have several options that they could consider implementing at the policy level, Clarke says.
For example, they could make it illegal for organizations infiltrated with ransomware to pay hackers. (Clarke caveats that governments could waive penalties if ransoms are paid under certain circumstances. For example, hospitals are a critical service that might need to pay in order to resume operations quickly.)
Furthermore, governments themselves can underestimate cybersecurity’s importance and the devastation a breach can wreak on daily operations and revenue.
Clarke pointed to the example of Baltimore’s city government, which was hit by the RobbinHood ransomware in 2019. It took down voicemail, email, a parking fines database, and a system used for paying water bills, property taxes, and vehicle citations for more than two weeks. It delayed about 1,500 pending home sales as well.
The hackers demanded the equivalent of 13 Bitcoins (roughly $76,000) in exchange for restoring access. The mayor considered paying it, but ultimately did not. Instead, the city spent more than $18 million restoring services and infrastructure.
In a way, ransomware is Darwinian. It identifies the people in the herd who are going to lag behind and be eaten by the tiger. It’s a great way of identifying companies and institutions that haven’t done a good job on cybersecurity.
Clarke suggests that governments should anticipate ransomware and other cyber threats, which would ultimately save taxpayers money if planned and budgeted for in advance. Governments paying for their cybersecurity, he says, is as essential as paying for water or electricity.
Remember that cloud service provider security is a shared model
Adopting a cloud strategy comes with several benefits to businesses for optimizing their infrastructure and even their security posture.
However, Clarke and Wertkin both stressed that public cloud vendors work on a shared model of responsibility when it comes to security. Azure or AWS can be part of your security posture and often are. However, it’s wrong to assume that Microsoft or Amazon will take care of everything for you. They won’t.
When considering the transition, Clarke noted some important questions to consider, especially as some on-premises tools may not work in the cloud. For example, does your data loss prevention software work in the cloud? Does your vulnerability scanner work in the cloud? What alarm will go off if you have an unsecured Simple Storage Service (S3) bucket somewhere?
Answering these questions may require adding some new skill sets and expertise to your team.
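The unsecured S3 bucket question above is the one of the three that can be answered mechanically. The script below is an added example, not code from the article, the podcast, or BlueCat: it evaluates the two pieces of configuration AWS exposes for a bucket (the Block Public Access flags returned by GetPublicAccessBlock and the bucket policy returned by GetBucketPolicy) and reports any statement that grants access to an anonymous principal. The bucket name, account ID, role name and both policy documents are constructed for illustration; in practice you would feed in the JSON returned by the AWS API or a configuration export.

```python
"""Offline check of S3 bucket configuration for public exposure.

Added example: evaluates the Block Public Access flags and the bucket
policy the way an "unsecured bucket" alarm would, with no AWS calls.
"""
import json

# The four Block Public Access settings; all four should be True.
PAB_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _is_anonymous(principal):
    """True if a policy Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy):
    """Return (public, conditional): Sids of Allow statements open to anonymous callers.

    A statement with a Condition block (e.g. aws:SourceVpce) is narrowed,
    so it is reported as 'conditional' for review rather than 'public'.
    Accepts a JSON string, a parsed dict, or None (no policy attached).
    """
    if not policy:
        return [], []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be unwrapped
        stmts = [stmts]
    public, conditional = [], []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow" or not _is_anonymous(s.get("Principal")):
            continue                     # Deny statements with "*" are fine
        sid = s.get("Sid", f"statement[{i}]")
        (conditional if s.get("Condition") else public).append(sid)
    return public, conditional


def assess_bucket(name, public_access_block, policy):
    """Return a list of finding strings for one bucket; empty means no exposure found."""
    findings = []
    pab = public_access_block or {}      # no configuration at all means all flags off
    off = [f for f in PAB_FLAGS if not pab.get(f, False)]
    if off:
        findings.append(f"{name}: Block Public Access not fully enabled (off: {', '.join(off)})")
    public, conditional = public_statements(policy)
    if public:
        findings.append(f"{name}: policy grants anonymous access in {', '.join(public)}")
    if conditional:
        findings.append(f"{name}: review anonymous-principal statements limited only by Condition: "
                        f"{', '.join(conditional)}")
    return findings


# Constructed sample inputs (hypothetical bucket, account and role); the
# shapes mirror the AWS API responses.
WEAK_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {f: True for f in PAB_FLAGS}

WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-logs/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-logs/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def run_sample():
    """Assess the weak and hardened configurations of the same constructed bucket."""
    return {
        "weak": assess_bucket("example-logs", WEAK_PAB, WEAK_POLICY),
        "hardened": assess_bucket("example-logs", HARDENED_PAB, HARDENED_POLICY),
    }


if __name__ == "__main__":
    for label, findings in run_sample().items():
        print(label, "->", findings or ["no exposure found"])
```

The weak configuration produces two findings (two Block Public Access flags off, and the PublicRead statement open to everyone); the hardened one produces none, because the only "*" principal there sits in a Deny statement. Wiring this into an alarm means running it on a schedule against every bucket in every account and paging on a non-empty result, which is the kind of cloud-native control that has no on-premises counterpart to port.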
While it’s important to ask the right questions, it’s equally critical to create a cyber register—or roadmap—that outlines current cybersecurity policies and projects to stay ahead of potential threats. According to Clarke, if something can happen, it probably eventually will, even if it’s very unlikely.
Clarke recommends an approach that is both hybrid—keeping some services on premises—and multi-cloud—using more than one cloud service provider. And for organizations starting a migration from scratch, he says, you should consider hiring a consulting service given the complexity of the task.
Avoid mis-prioritizing by recognizing “first-occurrence syndrome”
Security leaders often prioritize addressing more probable attacks over low-likelihood ones. Clarke calls the underlying problem “first-occurrence syndrome”: even though an expert clearly warns of a new way that a disaster can happen, no one seriously acts on it because it has never happened before.
People who haven’t seen failure can’t anticipate it.
For his book Warnings: Finding Cassandras to Stop Catastrophes, Clarke recounts conducting case studies both on events that have happened and on events that might occur in the future. For each, he and his co-author asked, ‘Why, in every case, was there an expert who predicted the disaster precisely and was ignored?’
While there were a number of reasons, they found that the overwhelming one was because that specific kind of disaster had never happened before.
In fact, his entire history in crisis management—whether in the government or outside of it—revolved around things that were entirely unlikely but nevertheless occurred. Knowing this, he says, it’s vital to create a safe space where experts from several departments in any given organization can ask hard questions. Doing so could help predict potential threats outside of what executives might consider high-priority.
Bluntly, he says, they should be able to freely discuss what they could do to really screw up the organization. He calls them “dirty thinking sessions.” They should also ask questions like:
- What do you think you have blocked from happening?
- What would have to change, or what would a bad actor have to do, to get around the security measure you put in place?
- How could a smart person who really wanted to make it happen achieve it?
- What’s the cost to you if it happens?
To hear more of his ideas in depth, listen to Richard Clarke’s full episode on the Network Disrupted podcast.