Today is Sunday, and there has been yet another ransomware attack. Ransomware is a daily affair, and its impacts are growing increasingly detrimental with each attack. Despite this, the cybersecurity industry continues with its favorite go-to dance move: buying more (and better?) detection technology with the hope that it will mitigate breaches — and yet we are still failing to stop attacks. We continue to witness the most catastrophic breaches in history on a regular basis, despite security spending that is expected to top $150 billion this year.
The reality is, breaches happen — and they will continue to happen. Cyber resilience is the new black. It’s important to understand how you can make your organization durable to infiltration and, in the unfortunate event that you are attacked, it helps to know what your options are.
You’ve been breached; now what?
Picture this: Ransomware attackers have broken in and gotten past your security defenses. Whether it be through a supply chain vulnerability, penetrating your perimeter defenses, a malicious insider, or some new threat we haven’t conceived of, they are already in your systems, and they now have access to your organization and its customers’ most critical data. What’s more, they’re not going down without a fight, and they’re demanding millions of dollars in order to get your assets back.
So, what do you do? After an attack, you have two options to recover your assets.
Option 1: Have a backup.
This option requires an organization to have a full backup of all databases, essentially up until the point of the ransomware attack. (But how far back did the infiltration happen?) This backup can then be restored, and from there, you can restore other systems, such as application servers, web servers, domain controllers, and so on. It takes a tremendous amount of structure to make this work. If an organization has exceptional operational diligence, this will be a difficult task, but not impossible.
Option 2: Pay the ransom.
In federal policy there’s an adage: “Don’t negotiate with terrorists.” The same principle applies to ransomware attackers. They’re an unreliable source to strike a deal with. However, sometimes that’s the only option for an organization. We know that 80% of organizations that have paid ransom demands confirmed they were exposed to a second attack. What’s more, even if you pay the ransom, the full recovery of your assets is not guaranteed, and the chance of ever seeing your ransom payment again is slim to none.
Colonial Pipeline was one of the rare instances where the FBI was able to recover part of the ransom payment. In that instance, the FBI had already been tracking DarkSide (the hacking group behind the attack) ahead of the cyber incident. In the end, Colonial Pipeline got lucky; it recovered some of the money it paid because “luckily” the FBI had already infiltrated the hackers’ Bitcoin wallet (raising the question: Is luck a strategy? My money’s on no).
That said, Colonial Pipeline did make smart decisions in the midst of a crisis. By shutting down the pipeline before the ransomware made it into the main line, they were able to buy additional time to decide whether or not they should pay or recover their stolen assets. They also contacted the FBI quickly and, in the end, these decisions enabled them to successfully recover some of the ransom.
Not every breach needs to be a catastrophe
Colonial Pipeline recovering some of the ransom was a rare cyber success story (if you can call it that), predicated on luck. And in this world where networks and assets are increasingly interconnected and bad actors are growing even more sophisticated and ruthless by the day, there is no room for luck in your cybersecurity strategy. Hope and luck are not strategies, but zero trust is.
Zero trust has never been a more important and necessary cybersecurity framework than it is right now. Zero trust is a strategy where you assume you’ve already been breached (because if you haven’t been yet, you will be soon). Instead of relying on the egalitarian nature of IP networking, where anyone can theoretically connect to anything, zero trust strategies verify people and only allow connections that should be allowed. This approach flips the odds of resilience in your favor.
With billion-dollar assets on the line, across every industry, organizations need a cybersecurity framework that accounts for the misses in the perimeter defenses and the gaps in the supply chain. Organizations must start investing in tools that account for the breaches, rather than only in those that prevent them. Failing to do so puts our organizations, communities, and people at risk.
If you’re looking for a way to recover a ransom, the solution is simple: Protect yourself from needing to pay the ransom in the first place. Invest in bolstering your cybersecurity posture and amplifying your zero trust defenses now. Only then will you be able to economically withstand the onslaught of cyberattacks permeating cyberspace.
How do you get started? The first step is realizing that there is no one vendor that solves all your zero trust needs. In addition, if you only think about users, then you are not thinking broadly enough — consider supply chain attacks. A good way to implement the strategy is simply to create a zero trust architecture for your users, datacenter, and cloud environments, and then select solutions that fit your particular needs.
Bad actors are going to get in; the math is in their favor. Our perimeter and detection technologies need to keep out 100% of attacks; attackers only have to break through one time. By investing in a zero trust strategy now, you and your organization will be able to determine just how impactful those attacks will be. Not every breach needs to cost your organization $5 million, but you must invest in zero trust architectures to ensure not every breach becomes a million-dollar cyber disaster.