Andrew Rose, Resident CISO for EMEA at Proofpoint, tells CNME Editor Mark Forker how the current conflict between Russia and Ukraine could completely transform ransomware attacks – and stresses the importance of deploying effective cyber resilience to prevent digital attacks on your business operations and infrastructure.
Can you tell our readers how the ongoing conflict between Russia and the Ukraine has once again realtered the threat landscape and how can it revolutionise the ransomware threat?
The pandemic provided an opportunity for cybercriminals to target people and organisations with a variety of social engineering-driven threats, using COVID-19 lures, such as vaccination campaigns and infection warnings, to push phishing emails, ransomware and identity theft. In a similar manner, global conflicts create an opportunity for cybercriminals to take advantage of information gaps, and sensitive political situations to play on a potential victim’s heightened sense of fear and vulnerability.
The ongoing Russia and Ukraine conflict is an example of this and is unfolding in real time across our highly connected digital society. We see this in the attacks. As an example, Proofpoint’s threat research team identified a number of campaigns capitalising on the conflict, such as activity from the China-aligned actor TA416 in which they target European diplomatic entities, using lures related to refugee and migrant services, which are obviously very topical.
This conflict also has the potential to escalate the frequency and sophistication of digital attacks, as state sponsored actors, and supportive vigilantes, on both sides become involved in attacks to increase political pressure and disrupt activities.
Cyber resilience becomes imperative in this situation, and we can expect to see governments and businesses prioritising this. I know that many CISOs are already creating multi-level fallback plans to protect their core value proposition, including identifying the different positions and controls they can adopt to increasingly isolate from any global threat, while still operating core services.
Ransomware is one of the biggest threats facing organisations today, and Ukraine is driving a narrative that must surely create an associated policy change. To date, governments and regulators have tolerated significant payments being made to threat actors such as REvil to enable businesses to recover and operate. When such funds are likely flowing into a clearly hostile jurisdiction—one under international economic sanctions, and incentivised to turn to illegal methods to bypass such restrictions – the Western governments must surely draw a legislative line.
In your op-ed, you believe cyber resilience will become as important to an enterprise as its balance sheet. However, in your expert opinion, what practices and policies do companies need to deploy to become cyber resilient?
Technology is embedded in every part of a modern enterprise, and the resilience of those functions is imperative to continuing operation and profitability – but it’s a complex topic.
Without effective cyber resilience, digital attacks can seriously impact business operations and national infrastructure. We’ve already seen how the Colonial Pipeline attack triggered panic purchasing that emptied most gas stations in parts of the US. Meanwhile, a separate attack on meat processing company JBS USA Holdings, Inc., sparked fears about a domestic beef supply shortage. Both attacks were ransomware, and both resulted in large ransom payments.
Resilience, however, is a wide topic – in includes the ability to prevent incidents happening, keep operating despite attacks, and recover rapidly from any impactful event. Most attacks target staff and start via email, so putting in place effective email filtering and a strong security culture are both vital. Similarly, having effective incident detection and response, contingency working methods, secondary communication channels, and offline backups are all critical aspects of a strong resilience programme.
It is essential that Boards fully understand the systemic risks inherent in complex digital systems, and how investment in cybersecurity translates into business value. They will have to adopt a top-down approach to cyber resilience. This includes identifying vulnerabilities, educating all resources and developing a comprehensive response plan.
Some security analysts that I have spoken to believe that companies should not pay the ransom, as it creates a marketplace, whilst others argue that many enterprises don’t have any other option. What is your viewpoint on paying the ransom?
Ransomware often begins with a simple click on an inconspicuous email or link that can result in a complete shutdown of business operations until ransoms are paid. It is one of the most active and profound threats facing organisations today. A recent Proofpoint survey found that 27% of CISOs in KSA and 22% in UAE expected to face a ransomware attack in the past year.
Every firm has a “we will not pay” policy however statistics show that, when confronted with the reality, almost 60% actually pay. That reality may include a total shut down of operations, massive data theft and, more worryingly, an absence of backups – deleted by attackers who have been on your network for weeks with admin permissions.
Paying the ransom is no simple solution, however. For one, there has been a clear trend toward ‘double dipping’ in terms of ransom demands, with 42% of firms finding that their ransom payment is actually followed by a second demand, not the unlock key they were expecting. Secondly, organisations have to ask how much they can trust their recovered infrastructure and data, knowing that malicious attackers have had full access to it for a period of time. How can you be sure there are no backdoors, no data poisoning, no malicious time bombs planted away? A rebuild from the hardware up is the only way to be sure – but that is an overwhelming concept for many firms.
We believe that prevention is better than cure. This means securing your most vulnerable entry points. Because email is the key attack vector, it’s important to invest in advanced email threat detection to identify threats early. Most ransomware attacks begin with malware or downloaders. Therefore, preventing ransomware via email by blocking the downloader is effective. Email detection tools can also stop downloaders early and give you visibility into ransomware-linked malware campaigns. Email isolation is another layer of security that protects the click by providing safe access to content while preventing first-stage downloaders and credential theft.
Can you outline to us how the role of the CISO has evolved during what has been labelled as a decade of digital disruption?
There’s no question that the past decade has been challenging from a cybersecurity standpoint, but the past two years in particular have ramped up the pressure for CISOs globally. Security leaders around the world were challenged to shore up their security posture in this new and changing environment, some overnight. They attempted to pull off a balancing act between supporting remote work and avoiding business interruption, all while keeping their businesses secure.
This is not behind us, the number of priorities that CISOs have will continue to grow, in line with the ever-evolving threat landscape and the growing recognition of the criticality of technology to every firm’s ultimate value proposition.
Although cyber shifts from the pandemic feel largely behind us now, CISOs continue to feel the pressure. In fact, 67% of UAE CISOs agree that the expectations placed upon them are excessive and more than half (57%) do not think their board sees eye-to-eye with them on cybersecurity issues. This represents another unwanted challenge for CISOs as only by fully understanding the style, tactics, and motives of the attacks we face and achieving boardroom buy-in can we equip those on the front line to defend our organisations.
Despite the unprecedented disruption of the past couple of years, there are many positives to take forward. CISOs understand that hybrid working is here to stay and are now better able to accommodate it securely full term. Many also believe that they will have the budget to achieve this goal, with the majority of UAE CISOs expecting their cybersecurity budgets to increase.