Expert Insights On Ransomware Task Force Report

<p>The Task Force report is very comprehensive, informative and pragmatic. Ransomware actors are an extension of organized crime. Most of time we seem to forget this because when it comes to cyber security, we are prejudiced to think of lone wolf actors in black hoodies. The report list four goals of Deter, Disrupt, Help and Respond. These goals are great, but I believe that there should have been more emphasis on the following as part of these goals, or perhaps as additional goals:</p> <ul> <li>Action 3.4.4. does not go far enough to alleviate fines and provide immunity from regulations imposed by OFAC (office of foreign assets controls). We need to encourage transparency and not penalize the company or individual who is trying to get their business back together.</li> <li>Another missing part seemed to be the lack of involvement from ISP(s) network equipment manufacturers and data center operators. Even CDN operators. All of these entities can and should play a larger role in identifying, tracking and isolating attacks, and also have consistent processes for evidence preservation.</li> <li>Table top exercises need to go farther. A ransomware attack in a red vs blue scenario should play it out to the end to identify all possible paths.</li> <li>We should also consider limiting liability for PII disclosure in a ransomware attack where a baseline of appropriate measures were taken.</li> <li>Technical controls and end user education needs to play a larger part in ransomware mitigation. Simple measures like MFA (multi factor authentication), elimination of passwords, elimination of security theater, encryption of important information at rest, and timely and ongoing backups can make a big difference. These are all well understood processes, and can help from the perspective of making it difficult for an attacker and making it easy for an organization to recover without paying a ransom.</li> </ul>