Resilience is a state that cybersecurity professionals aspire to for the health of their networks and endpoints. But it can be a tough approach to swallow, because planning to withstand attacks also means conceding that intrusions are inevitable.
Let's face it, however: since the early 2000s, defenders have lagged behind attackers in this digital arms race. Zero-day exploits are the sexy, headline-grabbing attack, but advanced attackers belong in the threat models of very few companies. Commodity attacks are what many of you should prioritize. Criminal entities, extortionists especially, understand this dynamic better than anyone.
They know you're strapped for budget. They know you’re running vulnerable, unpatched servers and endpoints. Social engineering still works. And they know that paying a ransomware demand, for example, is often the quickest way you'll recover.
Resilience, therefore, has to be the way forward when it comes to ransomware and other extortion-based attacks. You must strategically architect networks that can not only detect attacks, but also shorten recovery times in the event of a successful intrusion.
Ransomware is an attacker's most direct line to turning a profit. Since the pandemic, attackers have ramped up their targeting of organizations in industries they deem most likely to meet a ransom demand. Healthcare organizations were particularly battered, as were smaller government agencies, critical manufacturing companies, and others within the 16 critical infrastructure sectors.
Attacks evolved too. Today's ransomware is not just a cryptolocker. These are often extensive campaigns that begin with the exploitation of a commodity vulnerability or a social engineering attack to gain an initial foothold on a network. From there, attackers with the right credentials and access to resources can move laterally, quietly maintaining persistence for substantial periods of time. Data is eventually stolen and systems locked down before a hefty ransom demand is presented to the victim.
Healthcare facilities, for example, already saddled with understaffed IT teams and underfunded security budgets, often choose to pay an attacker before patient care is affected. A ransomware attack inside a hospital can be devastating to caregivers who suddenly cannot access patient records, transmit imaging from specialists to physicians, or properly prescribe care or medications to patients in need. The same scenario may play out in other sectors where, if critical services are delayed or impaired in any way, human lives may be at risk.
Fortunately for defenders, numerous resilience frameworks provide tactics and techniques to improve an organization's ability to withstand attacks. NIST Special Publication 800-160 Volume 2, for example, catalogs cyber resiliency techniques that share common threads such as timely response, defense-in-depth, and rapid recovery. There's nothing revolutionary about any of them, but they do require experience, time, and budget.
Let’s go through a few that NIST singles out as appropriate for cyber-physical systems and connected internet of things devices:
Network segmentation is a key strategy for cyber-physical systems resilience. It can be expensive and challenging to cordon off key OT systems, for example, that traverse different levels of the Purdue Model for ICS. Isolating the parts of the network that are particularly at risk allows for granular monitoring and management of those segments, which enhances an organization's ability to stand up to active attacks. It's critical, therefore, to identify the assets that must be segmented, classify devices according to their criticality, and enforce policy decisions via tools in your infrastructure such as firewalls or switches.
A caution: segmentation within OT is difficult, first and foremost because legacy systems may not support the segmentation or security controls you choose to implement. Another key is the proper integration of IT and OT networks so that data can be exchanged and network activity baselined to ferret out anomalies. Remote access, meanwhile, can undo segmentation efforts if not managed properly, and ultimately expands the attack surface available to attackers.
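The two points above, default-deny conduits between zones and remote access that quietly re-joins zones you thought were separate, are easiest to see in a small audit of the allowlist itself. The following is an added example written for this page, not code from the author, from Claroty, or from NIST. The zone names (enterprise, dmz, site-ops, control, vendor-jump), ports and rules are a constructed sample site, and the `Policy` type and its methods are invented for illustration. It treats the firewall allowlist as a graph of conduits and asks whether any path from the enterprise zone reaches the control zone without crossing the DMZ.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Conduit is one allowed flow between two zones on a destination port.
// Zone names below loosely follow Purdue levels; every name, port and
// rule is a constructed sample for this example, not a real site.
type Conduit struct {
	From, To string
	Port     int
}

// Policy is an allowlist of conduits. Anything not listed is denied;
// default-deny is what makes the segmentation meaningful.
type Policy struct{ allowed map[Conduit]bool }

func NewPolicy(conduits ...Conduit) *Policy {
	p := &Policy{allowed: map[Conduit]bool{}}
	for _, c := range conduits {
		p.allowed[c] = true
	}
	return p
}

// Permits answers the per-flow question a firewall would be asked.
func (p *Policy) Permits(from, to string, port int) bool {
	return p.allowed[Conduit{from, to, port}]
}

// Paths enumerates every chain of allowed conduits from src to dst,
// ignoring ports, so that multi-hop reachability (for instance through a
// vendor remote-access host) is visible even when no single rule joins
// the two zones directly. Results are sorted for stable output.
func (p *Policy) Paths(src, dst string) [][]string {
	var out [][]string
	var walk func(cur string, path []string, seen map[string]bool)
	walk = func(cur string, path []string, seen map[string]bool) {
		if cur == dst {
			out = append(out, append([]string(nil), path...))
			return
		}
		for c := range p.allowed {
			if c.From == cur && !seen[c.To] {
				seen[c.To] = true
				walk(c.To, append(path, c.To), seen)
				seen[c.To] = false
			}
		}
	}
	walk(src, []string{src}, map[string]bool{src: true})
	sort.Slice(out, func(i, j int) bool {
		return strings.Join(out[i], ">") < strings.Join(out[j], ">")
	})
	return out
}

// BypassesDMZ returns the src->dst paths that never cross the named DMZ
// zone: the case where remote access quietly undoes the segmentation.
func (p *Policy) BypassesDMZ(src, dst, dmz string) [][]string {
	var bad [][]string
	for _, path := range p.Paths(src, dst) {
		crossesDMZ := false
		for _, z := range path {
			if z == dmz {
				crossesDMZ = true
			}
		}
		if !crossesDMZ {
			bad = append(bad, path)
		}
	}
	return bad
}

// SamplePolicy is a constructed site: a historian replica in the DMZ is the
// intended IT/OT exchange point, but a vendor jump host has been given a
// direct path from the enterprise zone into the control zone.
func SamplePolicy() *Policy {
	return NewPolicy(
		Conduit{"enterprise", "dmz", 443},          // users read the historian replica
		Conduit{"dmz", "site-ops", 5432},           // replica pulls from the site historian
		Conduit{"site-ops", "control", 502},        // historian polls PLCs over Modbus/TCP
		Conduit{"enterprise", "vendor-jump", 3389}, // RDP to the vendor remote-access host
		Conduit{"vendor-jump", "control", 22},      // SSH from the jump host straight to controllers
	)
}

func main() {
	p := SamplePolicy()
	fmt.Println("enterprise->control:502 permitted directly?", p.Permits("enterprise", "control", 502))
	for _, path := range p.BypassesDMZ("enterprise", "control", "dmz") {
		fmt.Println("path bypasses DMZ:", strings.Join(path, " -> "))
	}
}
```

The per-flow check (`Permits`) is what the firewall enforces and it correctly denies a direct enterprise-to-control flow; the reachability check is the one that exposes the vendor jump host as a second route into the control zone. In practice the conduit list would be exported from the firewall or switch ACLs rather than typed in.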
NIST also recommends what it calls non-persistent services as a key resilience strategy. This involves refreshing, regenerating, or terminating software, firmware, and services as needed rather than allowing them to run indefinitely. Terminating inactive sessions and reimaging components or services depends on downtime, which can be at odds with many critical operations.
Finally, NIST recommends cryptographic measures to ensure the integrity of the software and firmware running in your environments. Cryptographically signing software and firmware lets you verify that the code on your network has not been tampered with, provided the signing key stays protected and the device checks against a public key an attacker cannot replace. This is vitally important in OT environments, for example, where sensors transmit data across the network to engineers who must use that information to accurately configure PLCs and other controllers so that operations run safely.
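What the signature actually buys you on the device is worth seeing end to end. The following is an added example written for this page, not code from the author, from Claroty, or from any PLC vendor. It assumes an Ed25519 signature over a small manifest (device model, version, SHA-256 of the image) rather than over the raw image, so that the device can reject a wrong-model or rolled-back image as well as a tampered one; the `Manifest`, `Sign` and `Verify` names and the `PLC-A` sample image are invented for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the record the vendor signs: which device model the image is
// for, which version it is, and the SHA-256 of the image bytes. Signing a
// manifest rather than the bare image binds model and version, so a validly
// signed but older image cannot simply be replayed onto a controller.
type Manifest struct {
	Model   string
	Version uint32
	Digest  [32]byte
}

// encode gives the manifest a fixed, unambiguous byte layout for signing
// (length-prefixed model, big-endian version, raw digest).
func (m Manifest) encode() []byte {
	var n [4]byte
	buf := make([]byte, 0, 8+len(m.Model)+32)
	binary.BigEndian.PutUint32(n[:], uint32(len(m.Model)))
	buf = append(buf, n[:]...)
	buf = append(buf, m.Model...)
	binary.BigEndian.PutUint32(n[:], m.Version)
	buf = append(buf, n[:]...)
	return append(buf, m.Digest[:]...)
}

type SignedImage struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Sign is the build-pipeline side: hash the image, fill the manifest, sign it.
func Sign(priv ed25519.PrivateKey, model string, version uint32, image []byte) SignedImage {
	m := Manifest{Model: model, Version: version, Digest: sha256.Sum256(image)}
	return SignedImage{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrModel     = errors.New("image is for a different device model")
	ErrRollback  = errors.New("image is older than the installed version")
	ErrDigest    = errors.New("image bytes do not match signed digest")
)

// Verify is the device side. The signature is checked first so that an
// edited manifest cannot steer the later checks; then model and version
// binding; then the image hash. pub must be a key the device already trusts.
func Verify(pub ed25519.PublicKey, si SignedImage, model string, installed uint32) error {
	if !ed25519.Verify(pub, si.Manifest.encode(), si.Signature) {
		return ErrSignature
	}
	if si.Manifest.Model != model {
		return ErrModel
	}
	if si.Manifest.Version < installed {
		return ErrRollback
	}
	if sha256.Sum256(si.Image) != si.Manifest.Digest {
		return ErrDigest
	}
	return nil
}

// Scenario runs the accept case and four reject cases on a constructed image.
func Scenario() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed sample firmware bytes, not a real PLC image")
	signed := Sign(priv, "PLC-A", 3, image)
	res := map[string]error{"good": Verify(pub, signed, "PLC-A", 2)}

	tampered := signed // copy the struct, then the image, before flipping a byte
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xff
	res["tampered-image"] = Verify(pub, tampered, "PLC-A", 2)

	edited := signed
	edited.Manifest.Version = 9 // changed after signing; the signature no longer covers it
	res["edited-manifest"] = Verify(pub, edited, "PLC-A", 2)

	res["wrong-model"] = Verify(pub, signed, "PLC-B", 2)
	res["rollback"] = Verify(pub, signed, "PLC-A", 5)
	return res
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-16s %v\n", name, err)
	}
}
```

The order of checks in `Verify` is deliberate: until the signature has been verified, nothing in the manifest can be trusted, so model and version comparisons come after it. The private key lives only in the build pipeline; the controller holds only the public key, and that key is the thing an attacker would need to swap to make a malicious image pass.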
Industrial IoT devices and connected medical devices and systems would benefit equally from these strategies. But there are limitations around processing, storage, and bandwidth that can impede resilience efforts, whether those that enable rapid, timely response to incidents or those that hide critical assets from an attacker's view via obfuscation and misdirection.
This is just a small sample of the tactics and techniques that improve resilience and your ability to recover from a ransomware attack or other intrusion. For ransomware victims, available, current, protected offline backups are life-saving. It's crucial that backups be segmented from production networks and out of reach of attackers; many ransomware families deliberately seek out and destroy backups. An attacker who successfully corrupts backups is more likely to have the ransom demand met.
Rapid recovery from ransomware or any attack is essential. Incident response plans must be refined. Forensics and logging data must be preserved if law enforcement is involved. Breach notification is often mandated by law, and a communication plan must be in place and updated as needed.
Segmentation will also improve your chances of rapid recovery: it lets you isolate and disconnect vulnerable and impacted systems, keeping ransomware and other malware or exploits from spreading through the network.
Finally, it's critical to have basic security blocking-and-tackling in place, including two-factor authentication, the elimination of default or easily guessed passwords, and vulnerability management to lock down the initial vectors an attacker may use to gain a foothold on the network.
U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.