Ransomware: To pay or not to pay? (that is the wrong question)
October 16, 2019
In light of recent ransomware attacks against cities and municipalities, the Wall Street Journal asked two professors if cities should ever pay a ransom. The article cited a Recorded Future study that tallied 71 ransomware attacks against state and local governments this year already (up from 54 in 2018).
This article presents two opposing views. One says paying the ransom may be the responsible thing to do when systems taken hostage are responsible for public health and safety. The other argues paying is never right because it feeds the growth of criminal enterprises—which will bring more ransomware attacks and create national security concerns. Both arguments are compelling; both authors are noted experts.
The article is worth a read, but it’s asking the wrong question. Or, perhaps more accurately, it is pursuing the wrong dialog. Ransomware is a clear and present threat to almost every organization, big or small. The challenge that state and local governments face is that they aren’t adequately staffed to deal with ransomware attacks. The solution is neither to stockpile Bitcoin nor to accept a loss of services, particularly when those services are vital.
As security has emerged from the backwaters of IT server rooms to become a board-level issue, with ransomware driving home the business impact of security threats, the organizational processes for preparing for these threats have not kept pace. Expecting an organization to be prepared for severe threats when it isn’t resourced to do so is a setup for disaster.
We need to collectively tackle security threats, learning from those who have been successful, sharing in threat intelligence and leveraging the strengths of organizations that have developed the capabilities to defend at scale.
The other market reality we face is there simply are not enough qualified professionals to address these threats, integrate systems and respond to attacks. Compounding this problem is that most products are point solutions. On their best day, they address only a portion of the attack.
While it’s clear that security cannot be consumed as easily as electricity, we should start to think of security as a utility. Just as it is unreasonable to ask companies to generate their own power, it may be unreasonable to ask every company to build its own security. In energy as well as security, the barriers to entry are high: there are huge capital and brainpower requirements, and reaching a level of security maturity commensurate with the attackers takes many years of consistent leadership and funding. Ransomware makes the Sec-aaS case strongly because of the immediate pain and cost of attacks and the potential loss of business and mission-critical services and data. Conversely, the economics of DIY security in the face of sophisticated threats make it no longer feasible for many companies, and certainly not for state and local governments.
Taking ransomware as an example, the question really is, "How does one prepare for ransomware situations?" The answer is not an anti-virus solution because we know this is inadequate. Most organizations hit by ransomware are already running an anti-virus product. So is it advanced endpoint technology? Patching? Threat intelligence? Better email filtering? Tested backups from offsite? Is it detection and rapid quarantine? Account resetting? Blocking outbound connections to the source of the ransomware? Is it searching the email across all accounts for ransomware links or objects? Or maybe searching across the enterprise for ransomware indicators of compromise?
The answer is yes to all of the above and then some. The point here is dealing with ransomware requires sophistication, planning, orchestration and coordination of a plan across a range of security products and IT infrastructure. If you don’t have this in place, security-as-a-service is the fastest path to protecting yourself against ransomware and other threats.
A ransomware play is an orchestrated workflow for attack detection and response as part of our Managed Detection and Response (MDR) Security-as-a-Service solution. Below is an example of one Accenture ransomware play.
The diagram shows a typical ransomware attack in stages. Note that from an enterprise security perspective, there are several opportunities to observe, detect and respond as the attack progresses. The key, of course, is to do this before the attacker causes significant impact to operations (stage 9 in the above model). In the case of ransomware, time is of the essence to ensure it does not become a spreading threat that shuts down the entire network. This companion video shows how a ransomware response is orchestrated and how the response is automated.
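To make the checklist in the preceding paragraphs concrete (quarantine, egress blocking, account resets, mailbox and enterprise-wide indicator hunting), here is an added example of a minimal ransomware response play written for this page. It is not Accenture’s MDR play or the diagram above; the stage numbering, the `Alert`/`Environment` structures and every host, user, hash and domain are constructed for the example. The play contains the alerting host first, then hunts for the same binary on other hosts and for the phishing lure in other mailboxes, applying the same containment to every hit it finds.

```python
"""Toy ransomware response play over constructed, in-memory telemetry.

The Environment object stands in for the EDR, mail platform, firewall and
identity provider an orchestrator would normally drive. Hostnames, users,
hashes and the C2 domain are all constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """What an EDR or SIEM hands the orchestrator for the first detection."""
    host: str
    user: str
    file_hash: str    # hash of the ransomware binary seen on the host
    c2_domain: str    # outbound destination the binary contacted


@dataclass
class Environment:
    hosts: dict                                  # host -> {"user": str, "hashes": set}
    mailboxes: dict                              # user -> [(subject, url), ...]
    egress_blocklist: set = field(default_factory=set)
    quarantined: set = field(default_factory=set)
    reset_accounts: set = field(default_factory=set)


# --- containment actions (each would be an API call to a real product) ---
def quarantine_host(env, host):
    env.quarantined.add(host)


def block_egress(env, domain):
    env.egress_blocklist.add(domain)


def reset_account(env, user):
    env.reset_accounts.add(user)


# --- hunting actions -----------------------------------------------------
def hunt_mail(env, domain):
    """Users whose mailbox holds a message linking to the C2 domain."""
    return sorted(user for user, msgs in env.mailboxes.items()
                  if any(domain in url for _, url in msgs))


def hunt_hosts(env, file_hash):
    """Hosts on which the ransomware binary's hash has been observed."""
    return sorted(host for host, info in env.hosts.items()
                  if file_hash in info["hashes"])


def run_play(env, alert):
    """Run the play for one alert; returns the ordered action log."""
    log = []
    # Stage 1: contain the alerting host before any hunting, since the
    # binary may still be encrypting or spreading.
    quarantine_host(env, alert.host)
    log.append(("quarantine", alert.host))
    block_egress(env, alert.c2_domain)
    log.append(("block_egress", alert.c2_domain))
    reset_account(env, alert.user)
    log.append(("reset", alert.user))
    # Stage 2: enterprise-wide hunt for the same binary; every hit gets
    # the same containment so the threat stops spreading.
    for host in hunt_hosts(env, alert.file_hash):
        if host not in env.quarantined:
            quarantine_host(env, host)
            log.append(("quarantine", host))
            reset_account(env, env.hosts[host]["user"])
            log.append(("reset", env.hosts[host]["user"]))
    # Stage 3: find everyone who received the lure so the message can be
    # purged before another user clicks it.
    for user in hunt_mail(env, alert.c2_domain):
        log.append(("purge_mail", user))
    return log


# Constructed sample telemetry: ws01 raised the alert, ws02 already holds
# the same binary, srv01 is clean; alice and bob received the lure.
SAMPLE_ALERT = Alert(host="ws01", user="alice",
                     file_hash="deadbeef-constructed-hash",
                     c2_domain="c2-example.invalid")


def build_sample_env():
    return Environment(
        hosts={
            "ws01": {"user": "alice", "hashes": {"deadbeef-constructed-hash"}},
            "ws02": {"user": "bob", "hashes": {"deadbeef-constructed-hash"}},
            "srv01": {"user": "carol", "hashes": set()},
        },
        mailboxes={
            "alice": [("Invoice", "http://c2-example.invalid/inv.zip")],
            "bob": [("Invoice", "http://c2-example.invalid/inv.zip")],
            "carol": [("Lunch", "http://intranet.example/menu")],
        },
    )


if __name__ == "__main__":
    env = build_sample_env()
    for action, target in run_play(env, SAMPLE_ALERT):
        print(f"{action:12s} {target}")
```

The ordering is the point: containment of the known-bad host and egress path comes before the slower hunts, and each hunt feeds back into the same containment functions, which is what turns a list of point products into a play.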
The ransomware play is but one of many we have built into MDR to address gaps in organizations’ solutions. The economics of Security-as-a-Service work from the perspective of not having to acquire all the tooling yourself, not having to hire all the people and not having to integrate the tools and develop your own content to orchestrate your ability to respond to attacks. Rather, you consume Security-as-a-Service just as you would any utility, letting the market compete on quality and price.
Recently OASIS, a standards body, established a technical committee to develop the core components of orchestrated response and a description language for writing playbooks that respond to attacks in a vendor-agnostic fashion. We think this is the right approach. It encourages improved detection and response and enables the sharing of lessons learned. This is one reason we are contributing to the technical committee and promoting the use of standardized playbooks.
In short, if you aren’t ready for a ransomware attack, then you need to either build up the organization and processes commensurate to the threat or enlist a security-as-a-service partner that can get you there rapidly.
To learn more, visit accenture.com/MDR.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks