Colonial Pipeline is one of a number of essential energy and infrastructure operators recently targeted by the ransomware group DarkSide and by other aspiring non-state actors who have access to current tooling, skilled operators, financing and, in some cases, the tolerance or backing of a nation state. What is a company’s Chief Information Security Officer (CISO) to do when facing a well-armed adversary who arrives prepared for battle with precision weaponry and intelligence capabilities? How should CISO/CSOs respond to ransomware demands when the alternative may be data breach, compromise, leakage or worse: impairment of a critical infrastructure asset? CISO/CSOs of mid- to large-cap global industrial and financial services companies are particularly exposed, so it is worth analyzing how their thinking, and the actions they take before and after an event, can knock these actors off their stride.
The attack came without warning. The government did not know how the intrusion occurred or where it originated, and it did not intervene, as the recent SolarWinds compromise and the US Administration transition had left our G-men in a reactive posture. Once the ransom demand reached Colonial Pipeline’s leadership, DarkSide’s involvement could be assumed, but attributing the intrusion itself is less straightforward. DarkSide runs a ransomware-as-a-service operation: the core group supplies the malware, the leak site and the negotiation infrastructure, while loosely defined ‘affiliates’ carry out the break-in and share the proceeds, and those affiliates may be working from a bedroom or the local Costa Café. DarkSide is the equivalent of a sophisticated terrorist network that uses fear, anarchy and commercial loss as its weapons of choice. It demands payment in bitcoin, which further obscures the identity, domicile and formal associations of the individuals involved. Combating DarkSide requires global coordination, intestinal fortitude and genuine resolve, qualities very much absent as the world hesitantly emerges from the Covid crisis.
It is easy to see why today’s security leadership elects to ante up the typical ‘ask’ from DarkSide and groups of similar orientation, $5-10 million, to obtain a decryptor for the encrypted files and to keep the company’s (or government agency’s) crown jewels from being published. And how can you blame the CISO/CSO for taking this seemingly logical course? Shareholders do not want to see a company go bankrupt, Directors and the CEO have a fiduciary responsibility for continuity of operations, and employees do not want to lose their jobs. But paying is a band-aid that addresses only today’s operational assault. It buys no assurance that the decryptor will work at a useful speed, that stolen data has actually been deleted rather than resold, or that the attackers’ foothold in the network has been removed. The attackers’ window is narrow, but it is open now, and the damage compounds if the company does not move immediately to contain the breach.
Simply stated, this is a war, and you do not let your opponents know your battle plan. Cyber companies often jump out in front of hacks and phishing campaigns to promote their solutions and business models. Earlier this year, ProPublica published a dark web post by DarkSide in which the gang thanked Bitdefender, a privately held Romanian anti-malware company, for publicly announcing its free decryption utility, which exploited a flaw in DarkSide’s encryption scheme. The announcement told DarkSide exactly what to fix. The gang closed the flaw almost immediately, cutting off a free recovery path for victims, and returned to the driver’s seat with the upper hand. Should security vendors share such developments with the broad public in real time, or should they instead quietly alert select customers, partners and law enforcement, so that CISO/CSOs can decide for themselves and their companies how to respond?
CISO/CSOs are exposed, work within prescribed budgets, and are the ‘neck to choke’ when a company’s data or technology operations are compromised. It is no wonder that the average tenure of a CISO at US companies with revenue above $1B is reported to be 26 months. They have to see the car crash before it happens, anticipate the attacker and keep the engines running. They must also be nimble, quick decision makers who work across the company without direct reporting lines, liaising closely with the colleagues running Risk & Compliance, Data Security and Investor Relations and, of course, with the General Counsel. While the buck stops with the CISO/CSO, the final decision and eventual expenditure, however it is manifested, lie with the CFO and CEO. The CISO/CSO can shut down operations, as Colonial Pipeline did, affecting millions of East Coast consumers and raising the ire of public and private sector constituents alike. S/he can engage in ransom negotiations, or simply refuse to pay and hope that the actors (and the attacks) go away. Security leadership wants the issue to disappear as quickly as possible, but there is no guarantee that DarkSide and others will not return under a different guise, with a different operation, and increase their demands the next time. Pay the mob once, and you may owe them forever.
So how should CISO/CSOs address this emerging, highly profitable and unregulated business model known as “Ransomware as a Service”? Recruiting and collaborating with the right talent is key.
CISOs and CSOs are the critical linchpins in managing your company’s RaaS extortion policy and strategy. Insuring and protecting your assets are just two links in the chain. DarkSide and other non-state actors know your vulnerabilities and probe them daily, even hourly. Vigilance is imperative.
By Martin Mendelsohn