New JCDC Pre-Ransomware Notification Initiative warns organizations, could stop cyberattacks before damage occurs

Following the launch of the Ransomware Vulnerability Warning Pilot (RVWP) Program, which warns critical infrastructure entities about exposed vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a related effort, the Pre-Ransomware Notification Initiative. With pre-ransomware notifications, organizations receive early warnings that an intruder is already on their network and can potentially evict the threat actors before they encrypt critical data and systems and hold them for ransom. According to CISA, the effort is already reducing the harm from ransomware intrusions.

Clayton Romans, Joint Cyber Defense Collaborative (JCDC) associate director wrote in a blog post, “Like our work to reduce the prevalence of vulnerabilities, this effort is coordinated as part of our interagency Joint Ransomware Task Force.” JCDC also works with the cybersecurity research community and others to develop cybersecurity advisories on ransomware actors and variants to enable improved network defense at scale as part of the nation’s ongoing ‘#StopRansomware’ campaign.

Although the Pre-Ransomware Notification initiative is in its early days, Romans said that the agency is already seeing material results. “Since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.”

Furthermore, in cases where ransomware actors have already encrypted a network and are holding data and systems for ransom, JCDC works closely with the victim organizations to provide threat actor tactics, techniques, and procedures (TTPs) as well as guidance to help reduce the impact of an attack. 

For example, “we have provided information to help identify the data that may have been exfiltrated from an affected entity’s network as well as details of the intrusion to support investigative and remediation efforts,” Romans added. 

“We know that ransomware actors often take some time after gaining initial access to a target before encrypting or stealing information, a window of time that often lasts from hours to days. This window gives us time to warn organizations that ransomware actors have gained initial access to their networks,” Romans highlighted. “These early warnings can enable victims to safely evict the ransomware actors from their networks before the actors have a chance to encrypt and hold critical data and systems at ransom.” 

Romans added that early warning notifications can ‘significantly reduce’ potential loss of data, impact on operations, financial ramifications, and other detrimental consequences of ransomware deployment.

This remarkable effort relies on two key elements, according to Romans. “First, our Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity. Without these tips, there are no notifications! Any organization or individual with information about early-stage ransomware activity is urged to contact us at Report@cisa.dhs.gov,” he urged.

“Once we receive a notification, our field personnel across the country get to work notifying the victim organization and providing specific mitigation guidance,” Romans added. “Where a tip relates to a company outside of the United States, we work with our international CERT partners to enable a timely notification.”

Romans added that “continuing to enhance our collective cyber defense is contingent upon persistent collaboration and information sharing between partners across government and the private sector. To enable the broader cyber community to benefit from valuable threat intelligence, we urge organizations to report observed activity, including ransomware indicators of compromise and TTPs, to CISA or our federal law enforcement partners, including the FBI and the U.S. Secret Service.”

Commenting on the initiative, Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote in an emailed statement that this is a big step towards managing the ransomware threat. “CISA can now provide emergency notification and guidance to critical infrastructures per impending ransomware campaigns which will exploit their vulnerabilities. When a clear and present danger is identified, CISA will lean in. I would liken this to police notifying homeowners that their doors are open and there is a burglar in the neighborhood.”

“While we applaud the initiative to protect and inform critical organizations, it is the smaller companies, those that make up the economic backbone of the US, that have been completely overlooked by the government as well as the cybersecurity industry,” Dror Liwer, co-founder of cybersecurity company Coro, wrote in a statement. “Especially in times of an economic downturn, an attack on a mid-market or small business could put it out of business forever.”

On Tuesday, CISA also released stakeholder-driven updates to its Cybersecurity Performance Goals (CPGs), in response to feedback received directly from the critical infrastructure community. The CPGs have been reorganized, reordered, and renumbered to align closely with the NIST Cybersecurity Framework (CSF) functions, so that organizations can use them to prioritize investments as part of a broader cybersecurity program built around the CSF.

In January, the JCDC unveiled its 2023 Planning Agenda focused on working on joint cyber defense plans covering systemic risk, collective cyber response, and high-risk communities. The initiative will maintain flexibility to undertake urgent planning efforts as the risk environment changes, recognizing that agility is foundational to shared success. The 2023 Planning Agenda also outlines an effort to strengthen the protection of civil society organizations at higher risk of being targeted by foreign state hackers through collaborative planning with key government and industry stakeholders.