White House Ransomware Panel: What You Need to Know

In response to ransomware’s devastating effects on businesses large and small around the globe, President Biden convened a special committee of public- and private-sector security professionals. The result was an extensive list of recommendations for both government and private industry. Below are the four key recommendations made in the panel’s report and our approach to delivering proven solutions to address them.

1: Deter Ransomware Attacks

Go smaller. Booz Allen works to decrease our client’s ransomware attack surface. Below are five simple but proven steps. Let’s talk implementation:

• Endpoint Monitoring – Establish an alert protocol when suspicious activity is detected. Of course, actioning alerts is critical here either internally or with an incident response partner that also provides detection and response capabilities.
• Email Scanning – While brute-force attacks do occur, the delivery of malicious code via email is still one of the two most common attack methods. An inline solution for email scanning is effective at identifying malicious attachments.
• Multifactor Authentication – When credentials are stolen or otherwise compromised, multifactor authentication is your best defense against unauthorized access and internal privilege escalation.
• Patching Program – In addition to using malicious email, ransomware attackers often scan networks looking for published critical vulnerabilities. Developing and implementing a comprehensive patching program is essential.
• Data Backups – One of the first objectives of any ransomware attacker after gaining access to your network is to locate and encrypt your data backups. Ensuring your critical systems are backed up in multiple locations ensures that you will be able to restore without the need of the attacker’s decryption tool.

2: Disrupt the Ransomware Business Model

Government certainly has a role here. Action items we anticipate government taking include increased regulation in the crypto-currency space, expansion of the sanctioned entity list, increased scrutiny and more resources for law enforcement, and diplomatic and economic pressure against host nations of ransomware.

What can you do to disrupt the ransomware business model? Our recommended solutions listed above are a good start. Beyond that, we recommend making a corporate commitment to network security that is commensurate with the threat. Attackers never stop developing their tactics, techniques, and procedures (TTPs), which makes network security and resiliency a living commitment. Booz Allen is in the fight against nation-state and criminal attackers in both the public and private sector. We are familiar with their TTPs and are positioned to provide our clients with an over-the-horizon view of emerging threats and solutions to mitigate those threats.

Besides the recommendations we already discussed, other solutions include developing a comprehensive insider-threat program, vendor risk management program (SolarWinds), comprehensive penetration testing program, comprehensive threat-hunting program, annual network assessment, and an annual training program for senior crisis managers to test and review internal response strategies.

Why Booz Allen Threat Hunting?

• Technology agnostic - We apply our hypothesis-based hunt analytics to the client’s endpoint detection and response data.
• Immediate value - On day one, we deploy our hunt analytics library with 450+ analytics signatures, rules, and queries, aligned to the MITRE ATT&CK® knowledge base.
• Proven approach and experience - Booz Allen’s processes, methods, and technologies have been tested, refined, and proven at Fortune 500s and the U.S. government across the most significant attacks in U.S. history.

3: Help Organizations Prepare

Even if your organization has not been the targeted victim of a ransomware attack, you have likely felt their impact. The cascade of attacks has caused a ripple effect through value chains, straining almost every organization’s ability to deliver their services and products. Booz Allen prepares business leaders to navigate and thrive in the face of unexpected events. We bring a business approach for managing and containing incidents that is executed across many channels.

• Breach Readiness Assessment – Benchmark current detection, response, and recovery capabilities before developing a target-state roadmap report that prioritizes program enhancement recommendations.

• Program Testing - Resilient programs are built with both hands-on keyboard and discussion-based testing. Our program testing solution includes a blend of scenario-specific war games and red teaming based on our pre- and post-breach work, tailored to your organization.

• Incident Response Plan and Ransomware Playbook - Establish comprehensive operating procedures for technical and non-technical stakeholders with clear escalation criteria, roles and responsibilities, ransom payment conditions, restoration requirements, and enabling response actions.

• Incident Management Plan Development - A whole business approach to managing large-scale incidents and minimizing damage as much as possible.

• Response and Recovery Program Development – Build and test your maturity to weather various crisis scenarios including ransomware, product recalls, and natural disasters.

• Cyber Fusion Center – Design and implementation of robust security operations with a hybrid model that includes strategic consulting, advisory support for key initiatives, and on-shore managed detection and response services that accelerate visibility and response operations while clients build or enhance their existing capabilities.

• Business Continuity Planning – Enhance ability to continue business operations during a disruptive enterprise event through analyzing business impact scenarios, developing key protocols to enable continuity of operations, and standing up global and regional business continuity teams.

• Enterprise Recovery and Preparation – Manage risks related to security operations, network, endpoint, and architecture issues.

• Backup Strategy, and Architecture/Technology Enhancement – Make improvements to support strategic priorities for business and operations.

4: Respond to Ransomware Attacks More Effectively

Ransomware attackers have evolved to a new method of steal, encrypt, and extort with emphasis on “extort.” Once these attackers have exfiltrated a victim company’s critical data, deleted backups, and encrypted critical systems, they now target the company’s executives with vicious email campaigns; weaponize the media against the company; create division between the company and its customers, strategic partners, and service providers; and threaten consequences—for instance, distributed denial of service (DDoS) attacks, or the public release of sensitive data—if the victim company does not pay.

The first step in effectively responding to a ransomware event is having a retained relationship in place with an incident response service provider. Speed to engagement is critical. Booz Allen is a preferred incident response provider to several of the largest cyber insurance underwriters in the world. We also have retained incident response relationships with some of the largest companies in the world representing the high tech, manufacturing, energy, pharmaceutical, and financial services sectors. Incident response support and services we provide to our clients include:

• Crisis Management – Support for the command and coordination of crisis-level cyber incidents, including key decision making and response activity orchestration from 50+ Booz Allen crisis management experts to navigate towards seamless and successful incident mitigation and remediation.
• Ransomware Negotiations - For many reasons, some of our clients choose to make a payment. When they do, the price paid is more than 90 percent less the initial ask. Often, there is no payment at all.
• Investigations and Incident Response Support - Our full incident response lifecycle of services enable our clients to effectively address sophisticated security incidents, minimize data loss and business impact, and provide long-term solutions to protect against future attacks.
• CISO Advisory – Mentorship and guidance from actual CISOs who have successfully solved for the complex challenges today’s leaders face.
• Threat Intelligence – Insights about particular threat actors or ransomware.
• Remediation Plan Implementation – Our experts' scope, triage, and remove malicious activity or threats from the network.
• Advanced Threat Analysis, including Malware Reverse Engineering–Threat analysis by skilled analysts with extensive experience dealing with advanced threats.

Learn more about how Booz Allen can help your organization become cyber resilient, by contacting us.