Basics Will Block Most Ransomware Hits, Says UK Cyber ChiefRansomware Remains Biggest Online Threat, Warns NCSC CEO Lindy Cameron
The vast majority of ransomware attacks could be blocked outright if victims focused on cybersecurity basics, says Britain's cybersecurity chief.
"We still think that 90% of incidents in the U.K. could have been prevented if people had followed the basics," Lindy Cameron, president of the U.K. National Cyber Security Center, told attendees at a recent cybersecurity summit in Scotland.
Ransomware remains the biggest online threat facing Britain, hitting hospitals and schools especially hard, said Cameron, who heads the NCSC, which is the public-facing arm of Britain's security, intelligence and cyber agency, GCHQ. In a new report, the NCSC cautions that it expects a surge of ransomware attacks in the coming months.
Like the U.S. government, the British government does not prohibit paying a ransom, provided doing so doesn't violate sanctions. Even so, "our standard advice is: don't," Cameron told attendees at the Oct. 27 CyberScotland Summit, held at the Balmoral Hotel in Edinburgh. "Once you pay, it's much more likely to make you a victim again."
Paying also encourages existing criminals to continue and draws new participants. Of course, sometimes paying is the only option available to an organization that might otherwise go out of business, Cameron said, and "it's really important to not revictimize victims."
To help avoid normalizing the practice, or making the U.K. look like an easy target, Cameron said anyone considering paying a ransom should treat it like standing on a street corner and handing over a massive bag of cash to a known criminal. "You should feel pretty uncomfortable," she said.
Exercise in a Box
How can organizations get better prepared to repel and mitigate online attacks? Cameron urged organizations to use the NCSC's free Exercise in a Box online tool to help identify how resilient they are to online attacks and to design and develop better incident response plans.
The exercise is designed to be easy to access, said Scottish Business Resilience Center CEO Jude McCorry. "It is only an hour and a half. It's free. Come along," she said.
According to the SBRC, the tool is "a box full of exercises based around real-world scenarios with probing questions attached to each scenario. It allows your organization to do them in your own time, in a safe environment, as many times as you want."
The NCSC's Cameron says the tool has been rolled out not just in the U.K., but also abroad, including most recently Singapore. "To be fair, we ran it ourselves as the GCHQ board, and it taught us a lot. No matter how much you think you know about cybersecurity, you can always learn more about your organization's response," she said. "For example, it's often the bits of the organization who think their job is not cybersecurity who can do more - so, the comms team … human resources," as well as whoever liaises with customers, suppliers and business partners.
For the exercise "demystifies" getting better cybersecurity understanding and response planning in place, Cameron said, adding that "it brings [people] together and gives them a shared language." She also said, "I really want to make sure that we don't let senior leaders off the hook."
Some attendees - largely, cybersecurity professionals - said a common challenge remains getting the organization to talk about security. One CISO in attendance said that senior management had increased the security budget fivefold after their organization got hit by a ransomware attack, which thankfully only took out a handful of PCs.
Learning From Past Incidents
As summit speakers emphasized, incident resilience and response planning remains an ongoing practice.
One of the touchstone cybersecurity incidents referenced throughout the day was the Christmas Eve 2020 ransomware attack on the Scottish Environment Protection Agency (see: Post-Ransomware Response: Victim Says 'Do the Right Thing').
SEPA fell victim to the attack despite having robust defenses. "SEPA is not, was not, a poorly protected organization," Malcolm Graham, deputy chief constable of Police Scotland, said in 2021 during the incident response.
The agency declined to pay a ransom. In response, its attacker - part of the Conti ransomware-as-a-service operation - leaked stolen data.
Working with police and the SBRC, SEPA launched a long-term incident response effort that involved redesigning numerous systems to make itself more resilient, despite the effort and cost involved.
The incident prompted officials to ask: "Does Scotland have the capability to manage multiple incidents at one time?" Clare El Azebbi, head of the Scottish government's cyber resilience unit, told summit attendees.
The answer now, she says, is "yes." But at the time SEPA was hit, the answer would have been "no," and if there had been more than one simultaneous incident, it would have been "catastrophic for the country," she said.
Cable Cut Highlights Cyber Risks
Multiple speakers said resilience isn't about being perfect, but rather about trying to ensure organizations have robust plans in place to cover a variety of incident types in a well-practiced and coordinated manner.
Less than three weeks ago, communications from mainland Scotland to the island of Shetland were disrupted after a fishing trawler accidentally cut an undersea cable. While the incident did not involve an online attack of any kind, it highlighted the impact that external events can have on critical resources that could be targeted by criminals and nation-state attackers, said MSP Keith Brown, the Scottish Government's Cabinet Secretary for Justice and Veterans, in his opening keynote speech.
The problem was compounded by concurrence, which happens often. In this case, the undersea cable from Shetland to the Faroe Islands was down for maintenance.
As a result, the cable cut "meant not a complete communications blackout, but most people could not use mobile phone technology or other communications that relied on the cable," he said. This meant banks were unable to issue cash - except for one that did, using handwritten ledgers; stores were unable to sell food; and the public panicked.
"It never got to a very bad situation but it was very obvious how quickly a cyber-related incident can have second- and third-order impacts," Brown said.
That message was picked up again by the FBI. "Cyber risk is business risk, and cybersecurity is business security," is a message the bureau has been attempting to convey to all organizations, said Jensen Penalosa, an FBI assistant legal attache stationed in London.
How to Use Threat Intelligence
Many organizations rely on threat intelligence to hone their cybersecurity efforts. During a panel session titled "An Intelligence-Led Approach to Cybersecurity," Chris Ulliott, CISO for NatWest Group, emphasized that threat intelligence must be an add-on to doing the basics well.
"I know from the intelligence we get that the North Koreans spend a lot of time trying to compromise financial institutions, and knowing that, I can look at how they operate and the tools they use, and that will prioritize for me the work I do," he said. But that comes after having nailed the basics, including patching and having multifactor authentication in place, "because if I try to do everything, I'll do it badly and still have a problem."
The panel moderator, Detective Inspector Norman Stevenson of Police Scotland, asked the panelists how they deal with the challenge of shaping and focusing intelligence.
"Intelligence has to be actionable," said Don Smith, vice president of threat research at Secureworks, where he runs a 40-person intelligence cell.
He offered an example: "If I look at the 79 post-intrusion ransomware engagements Secureworks did this year until the end of July, for the initial infection vector, 52% was bad guys can scan and exploit unpatched, internet-facing systems,"' he said. "So there's a free piece of actionable intelligence: Patch your stuff."
Knowing which intelligence to prioritize is a pain point. "One of the biggest challenges we have as a bank is filtering through all of the different sources of intelligence,'" NatWest Group's Ulliott said. "We need to get to the point where the intelligence is of more high quality. So maybe less might be better, and having some trusted high-level partners may be better."
Secureworks' Smith said for winnowing intelligence, he always asks: What is the source, and how was it gathered? That's because some sources and techniques are better than others, he says.
Also, he asks: Does it have a timestamp, and if so, is that "when it was published, or when it was observed?" he said. "If you use that simple, crude test, you can throw away 90% of feeds, because most of them are rubbish."
Another type of intelligence concerns ransomware. Penalosa of the FBI said one way the bureau has been working to blunt the impact of ransomware has been to relay intelligence, when possible, to victims. In a recent case, for example, she said the victim wasn't sure if it should pay a ransom to avoid stolen data being leaked, which is something the NCSC's Cameron and others have urged them to never do, since most criminals will leak or sell data anyway.
To inform the victim's decision-making, "we were able to tell them that the threat actor, based on … 14 previous incidents, they did not publicize any data," she said. "We did not tell them whether or not to pay. … We're not going to revictimize a victim and make it harder for them to recover." But the intelligence helped the organization avoid paying hundreds of thousands of dollars to criminals.