This post also appeared on LinkedIn.
In a 1991 Saturday Night Live sketch, host Joe Mantegna portrayed a New York City official tasked with reducing violent crime. He offered brochures titled "So, You've Been Shot," "So, You've Been Stabbed," and "So, You've Been Doused with Gasoline and Set on Fire." The satiric message: Being the victim of crime is inevitable, but "that's the price you pay for living in the most vibrant, exciting city in the world."
There is a school of thought in IT circles that ransomware victimization isn't just a risk, but an inevitability, and the best thing a CIO/CISO/CTO/CEO can do is prepare for recovery. At best, that’s a fatalistically misguided assumption that reinforces enterprise commitment to flawed perimeter-based security models. At worst, it’s a cynical acceptance of defeat that invites adversarial attack: “Ransomware is coming, but that’s the price you pay for sticking with 'the way we’ve always done things.'”
Preparing for ransom isn’t the same thing as preparing for ransomware.
Last year, the WSJ Cybersecurity group sponsored a webinar that emphasized the ransomware-inevitability message. The session’s participants, several of whom were ransomware victims, discussed how enterprises should react to attacks. They spent little time advising how enterprises could proactively prevent ransomware attacks in the first place. One panelist recommended CIOs develop negotiation skills, and invest in Bitcoin to make ransom payoffs easier. Another speaker told of negotiating with a "friendly" hacker, a "family man" whom the moderator suggested was a "gentleman thief." (I half-expected to see a slide titled, "So, You've Been Hacked.")
I can’t believe I have to say this, but it's naïve to pretend there's any sense of honor among ransomware criminals. Whatever their methods, hackers have simple, sinister, materialistic motives. They may seek to exfiltrate data. Or lock data in place. Or demand a ransom with the promise not to destroy or release data. (By the way, that "promise" isn't worth the paper it's not printed on.)
Outdated infrastructure makes for an easy target.
Legacy networks, legacy security architectures, and legacy thinking all increase potential ransomware attack damage.
So-called “castle-and-moat” security was designed more than a half-century ago to protect pre-internet, on-premises LANs. Today, it cannot effectively secure work done outside the network perimeter. (How do you establish a boundary around the open internet?) Worse, it's relatively easy for a hacker to breach a traditional corporate network firewall. As we pundits are fond of noting, a ransomware hacker needs to get lucky just once to break through a perimeter. A hacker’s (or, more likely, a state-sponsored criminal organization’s) "luck" often comes from an unsuspecting employee clicking on an attachment in a phishing (or spear-phishing) email. Or a guessed password. Or successfully piggybacking on a “trusted” software deployment. Once inside the “moat,” the hacker’s malware can move "east-west" through the corporate network with relative impunity, infecting (and seizing) adjacent data, systems, or applications within the castle walls.
Ransomware attacks? Bad. Hackers? Evil. Now that that’s settled…
It's cheap for a hacker to launch a ransomware attack. It's expensive for an enterprise to recover from one. For hackers, ransomware is easy and lucrative. They are launching more sophisticated attacks and developing more complex business models. Some hacking groups even offer "Ransomware-as-a-Service" kits to recruit new attackers.
Their attacks have also become more destructive: Some hackers double down on monetizing criminality, demanding a ransom to "unlock" an enterprise's encrypted data, and then demanding another payment not to auction that same proprietary information off to the highest bidder on the dark web. (Oh, and then they might destroy the data anyway. Gentlemen thieves, indeed.)
Want to prepare for ransomware? Adopt zero trust.
If we really want to do something about ransomware threats—something more meaningful than stocking up on digital currency to facilitate payment to the next Sandworm—we must remove hackers’ incentives. How can ransomware be made less rewarding for cyber-criminals? We can't devalue proprietary assets. But we can make those assets—data, applications, systems—more difficult (if not impossible) for hackers to seize.
Hackers attack what they can see. Most enterprises still expose IP addresses to the open internet. Each publicly visible IP address represents a potential attack vector. In a legacy network environment, cloud apps can also introduce risk: Publishing apps to the public cloud behind a traditional firewall advertises those apps to hackers, increasing an organization's attack surface.
There are two ways to disincentivize ransomware attacks: Obscure the enterprise attack surface and eliminate lateral movement. Both can be achieved with the adoption of a Zero Trust Architecture (ZTA). ZTAs supplant the traditional network model, replacing it with ephemeral, direct connectivity, be it user-to-app, user-to-datacenter, or app-to-app. Security is policy-based, specific to the user, proxied, and delivered inline via a cloud-edge service. Nothing—and I mean nothing—is visible to the outside world. ZTA eliminates east-west travel risk: Without a traditional MPLS network to navigate, a hacker—even one who successfully breaches a single endpoint—cannot infect proximate systems. Take away navigability to other destinations and there’s no internal path for hackers to travel, no corporate lucre to plunder, and no reason to attack.
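To make the contrast concrete, here is an added example (not from the original post) that models the two access decisions as functions and measures the "blast radius" of a single compromised endpoint under each. The users, apps, and the 10.0.0.0/8 "internal" network are constructed for illustration and are not real environments.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data for this example (hypothetical users, apps and network).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # the "castle"
ALL_APPS = {"payroll", "hr-portal", "crm", "source-control"}
# Zero-trust policy: each identity is explicitly granted the apps it needs, nothing more.
ZT_POLICY = {
    "alice@example.com": {"payroll", "hr-portal"},
    "bob@example.com": {"crm"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    src_ip: str
    device_compliant: bool  # e.g. managed, patched, endpoint agent healthy
    app: str


def perimeter_allows(req: AccessRequest) -> bool:
    """Castle-and-moat: a source address inside the moat is trusted to reach any app."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_allows(req: AccessRequest) -> bool:
    """Zero trust: network location is ignored. Identity, device posture and an
    explicit per-user, per-app grant decide; anything not granted is denied."""
    if not req.device_compliant:
        return False
    return req.app in ZT_POLICY.get(req.user, set())


def reachable_apps(model, user: str, src_ip: str, device_compliant: bool) -> set:
    """Blast radius of one compromised endpoint: the apps its malware could reach
    ("east-west") under the given access model."""
    return {
        app for app in ALL_APPS
        if model(AccessRequest(user, src_ip, device_compliant, app))
    }


if __name__ == "__main__":
    # Bob's laptop, sitting inside the corporate network, is assumed compromised.
    print("perimeter :", sorted(reachable_apps(perimeter_allows, "bob@example.com", "10.1.2.3", True)))
    print("zero trust:", sorted(reachable_apps(zero_trust_allows, "bob@example.com", "10.1.2.3", True)))
```

Under the perimeter model the compromised laptop can reach every app because it is "inside"; under the zero-trust policy it reaches only what Bob was explicitly granted, and nothing at all once the device falls out of compliance.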
We can never take threats or threat adversaries for granted. We all must prepare for ransomware. But ransomware preparation should not assume its inevitability. CXOs who stick with “the way we’ve always done things” put their organizations at unnecessary risk, and open their doors to cyberattack. We can all aim higher than a “So-you’ve-been-hacked” pamphlet. We can move from “preparing for ransomware” to preventing it...with a Zero Trust Architecture.