Disrupt ransomware support networks to win the war

Ransomware operators rely on three key supports to enable them to target organisations en masse, and kicking away just two of these will be a huge win for the security community in its fight back, Chris Krebs, the former director of the United States Cybersecurity and Infrastructure Security Agency (CISA), has told an audience at data protection specialist Rubrik’s annual Data Security Summit.

Krebs, who recently joined Rubrik in an advisory capacity as chair of its CISO Advisory Board to address global security and confront the ransomware crisis explained these supports. First, he said, the attack surface and installed base is highly vulnerable; second, attackers have figured out how to monetise vulnerabilities, generally through the crypto ecosystem; and third, there is an historic safe haven – that is to say, Russia – from where they can operate with impunity.

“You’re seeing it [ransomware] spread throughout the world because it pays – there’s a profit motive here and until we disrupt at least two if not all three legs of that stool, we’re going to continue to see it happen,” said Krebs.

“We have seen movement in improving or disrupting the activities, which I’m really excited to see continue, the FBI and the Department of Justice [DoJ] and Treasury targeting the cryptocurrency community…targeting some of those mixers and some of those exchanges [to] disrupt the ability of the criminals to make money.

“You also have to actually go after the ability of the criminals themselves to conduct their activities, so on the front end, you disrupt their command and control [C2] infrastructure, disrupt their ability to work with other affiliates, you  have them doubt themselves. That was one of the interesting activities of last year – whether it was the US government or other partners – getting inside some of the communities and sowing doubt and distrust and so you see these groups break up because they just can’t work together anymore.

“The third thing, and this is where CISA has done such a remarkable job over the last year or so, is working with partners in industry and government – state and local government continues to be a top target as well as schools and in the healthcare industry – giving them the tricks of the trade rather and just basic tools to improve,” he said.

Speaking at the same event Eric Goldstein, current executive assistant director at CISA, echoed Krebs’ sentiment about the criticality of working with partners, and the calls of others for more collaboration between government cyber agencies, the security community, and at-risk organisations.

“We’ve learned a lot over the past year and change given the changes in the threat environment, and the biggest attribute that we’ve learned is this need to move from episodic ad hoc partnership that frankly can’t meet the speed of the adversary, and the speed of change in the technology environment to a model of persistent operational collaboration,” said Goldstein.

“What that means in practice is moving to an environment where operators and practitioners  – across government, critical infrastructure, the international cyber defence community – are working together continuously [and] we are not waiting for the worst possible incident to happen before we start sending out requests for information or getting on conference calls.

“We’re all already there, we’re all already working together in virtual collaboration channels, working together in person. We have not just the relationships, but the expectations and the platforms to do collaborative work continuously and at scale.”

This model informs CISA’s relatively new Joint Cyber Defence Collaborative, which was piloted during the Christmas 2021 Log4Shell crisis and then scaled up dramatically in early 2022 during Russia’s invasion of Ukraine.

“We’re still in the fairy early days of this model, but it really is an innovation in how we think about collaboration, and how we think about the role of government as being a co-equal partner in this collaborative model with critical infrastructure, with the cyber security and tech sectors, and with our partners around the world,” said Goldstein.

Krebs added: “Organisations are starting to contextualise, enrich and operationalise the data that they have resident on their networks. CISA alone has access to a massive amount of net-flow data just from federal agencies alone…and with all that data, if you start looking over the top and you identify trends, you can look back, you can look at today, and then you can look forward and see where things are going.

“What I love seeing out of CISA is more of that enrichment, more of that contextualisation, more of that sharing. And every organisation has the ability to derive insights from the data they have – Rubrik is standing up the Rubrik Zero Labs team, which is looking at the data you have, whether it’s from clients or your own networks, and then pulling insights for better defensive posture and activities from that data.

“Everybody can do this. It’s something that I was pushing CISA to do when I was the director, and it’s great to see Jen [Easterly], continue and really put the foot on the gas of that ability,” said Krebs.

Looking ahead, Krebs said he hoped to see governments taking a closer look at appropriate market interventions to drive better security practice, which could ultimately lead to more regulation or standard setting.

“That will put, certainly the most critical of industries, in a better posture to defend themselves, and more clarity and certainty around what they need to be doing, contextualise information with the right security controls around the things they need to do, because we’re not necessarily seeing the right investments or the right security controls in certain places,” he said.

Krebs added that the US Congress “got it right” with the new cyber incident notification requirements – part of a law currently making its way through the system, and encouraged community members to offer feedback and guidance on an anticipated requests for information on consultations.

He urged security pros to continue evolving, saying that the established tricks of the trade are not necessarily going to work tomorrow because the threat landscape is so fast-moving.

“My business partner Alex Thomas talks about how you don’t become a grandmaster in chess by reading a book, you have to play. That’s what the bad guys are doing, they’re playing every day,” he said.

“We have to be active, we have to be testing, we have to be continually evaluating what works and what doesn’t work, and keep pushing the ball forward.”