Cyber-risk is about much more than ransomware…
For mature cyber defenders, understanding risk is critical. The adage “he who defends everything, defends nothing” is almost always true in cyber because both the threat landscape and the attack surface evolve so quickly (see here for some examples). If an organisation tries to cover every attack vector, the pace of change means that it usually fails. Consequently, good cyber defenders invest most in the controls that mitigate their greatest risks.
Ransomware is all the rage right now – senior decision makers are concerned by it, governments are legislating against it, and bad guys are making a lot of money from it. This is so much the case that cyber-risk conversations nowadays often start with the question “what is the risk of our network being crypto-locked?” or “should we pay the ransom?”.
These are important questions, but they can also lead to tunnel vision towards a single type of threat (ransomware) and cyber risk is about so much more than that. Cyber risk is about how malicious actors might attack you – it’s a game of cat and mouse between two parties with a wide range of potentially epic consequences:
“When apps used by billions of people worldwide blinked out, lives were disrupted, businesses were cut off from customers — and some Facebook employees were locked out of their offices.” (New York Times, 04 Oct, 2021)
This was not a cyber-attack, but other than not mentioning crypto-locker malware, doesn’t it sound exactly like every hacking story that has emerged throughout 2020/2021? Indeed, this sounded so much like a cyber-attack that there were more than a few folk in the cyber community describing it as a potential malicious insider or DDoS incident. It wasn’t… ultimately, an internal Facebook team made an error during an approved network update, and accidentally disconnected every one of the trillion-dollar company’s data centres from the internet for about 6 hours. Because they were disconnected from the internet, Facebook technicians couldn’t even ‘remote in’ to solve the problem and had to physically travel to many locations to reboot servers and routers to bring services back online!
The reason this incident sounded like a cyber-attack is that it could have been one. Consider that if someone had stolen the network credentials of the error-prone administrator who executed the change that brought Facebook down, how would they use them? They may have used ransomware, but there is an equally good chance that they would instead execute the attack in almost exactly the same manner as the erroneous change played out in real life.
If the above scenario sounds unlikely, then this one may sound even more so: just under 2 weeks ago Syniverse, one of the largest SMS text message infrastructure companies in the world, disclosed a massive cyber incident to the US Securities and Exchange Commission (SEC). Syniverse routes billions of messages every year, and “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization… the unauthorized access began in May 2016… the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers.” Each one of the 235 customers is some form of mobile operator with thousands or potentially even millions of customers themselves – people like you and me – whose information could be at risk: “whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver's numbers, the location of the parties in the call, as well as the content of SMS text messages.”
The malicious actor was in the network for 5 years and did not deploy ransomware. However, most folk would agree that this is nonetheless a massive hack, and probably one of the “top 5” types of cyber-risk that Syniverse should have had in their ISMS and risk register.
The point is not that ransomware shouldn’t also be addressed in companies’ cyber risk registers (it should!), but rather that tunnel vision toward a single type of threat can skew defensive postures. For example, many organisations these days are investing in “ransomware playbooks” so that everybody in the organisation is singing off the same sheet if the worst should happen. But as proponents of the MITRE ATT&CK framework know, every cyber incident (ransomware included) must start with some form of reconnaissance, resource development and initial access. To highlight this point, in NTT’s latest Global Threat Intelligence Report, remote access trojans, which are used to (among other things) gain initial access, accounted for 35% of all malware detections, whereas ransomware accounted for only 6%. If you only focus on making sure you have a playbook to respond to ransomware, you may miss the opportunity to stop such an attack before it starts.
Avoiding tunnel vision in cyber-risk falls into the category of “easy to say and hard to do”. Indeed, most defenders could quote the statistics in the paragraphs above from memory. The hard part is doing it in practice. Getting it right starts at the top. The focus on ransomware is usually driven by decision makers’ desire not to be attacked in cyberspace, and the disproportionate coverage of ransomware over the past few years means that this threat is often disproportionately 'top of mind'. Decision makers have the right motivation (protect the company); it’s on us as defenders to give them the data so that they can make informed calls on investment prioritisation. Here are some tools (among many others) that can help:
The scourge of ransomware has emerged and grown faster than almost any other cyber threat in recent memory – this is undeniable, and any organisation that isn’t preparing itself for the fight may well become the next headline. Equally though, any organisation that focuses too exclusively on ransomware, and does not drive a broader, balanced focus on other potential cyber-risks, is also likely to get owned by the bad guys. Cyber-risk is not just about ransomware… it’s about keeping your organisation safe in the high-stakes cyber game of cat and mouse between attackers and defenders.
Comment (3y): Nice write up Dirk! Topical and interesting