Natasha Taylor, Head of Research & Portfolio Development for DTX Manchester, argues that you can’t win the war against ransomware, but this is how you fight your next battle. When compromise is inescapable and perfect is unattainable, how can you be just secure enough to fend off the next wave of ransomware attacks?

In a recent survey of 5,600 IT professionals, 46% paid a ransom to regain data access, but only 4% received the data in full. That is bad enough on its own, but given how heavily organisations rely on back-ups, it is even more concerning that a study of 300 IT leaders found 86% of ransomware attacks attempted to infect back-ups.

With the average ransomware recovery time now hitting the one month mark, it is unsurprising that this severe business disruptor was front of mind at the recent DTX Cyber Security Leaders Summit.

As John Chambers, former CEO of Cisco Systems, once stated: “There are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.”

To other teams a potentially bleak outlook, but to infosec leaders a gauntlet thrown and a challenge set. At the Cyber Leaders Summit, whether it was on stage or in hushed corner conversations, the question at hand was clear: how do we fight back against ransomware?

Over the course of the day, a front-running tactical mindset emerged, touted by an incident response expert: take the time to know your knowns and learn your unknowns.

This approach was referenced in a speech given by Donald Rumsfeld, former US Secretary of Defense, who stated: “As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don’t know we don’t know.”

At the time of delivery, the public struggled to make sense of Rumsfeld’s nonsensical response, yet now it acts as a truism for the complex task facing security leaders.

How do you operate in a landscape of knowns and unknowns?

The ransomware threat landscape may be vast, but it is increasingly structured. As a DTX cyber strategist explained, threat actors have evolved from smash and grab operations to hierarchical corporations.

To build the right defences, you need to know which group is likely to target you. Will you be sought after by a private scheme, the established innovators behind Conti and WastedLocker?

Are you set to face affiliate groups, the hidden faces gaining access to malware such as Sodinokibi or NetWalker? Or perhaps your shoestring team will have to resist a RaaS attack from a group testing out a one-off builder.

There is a wealth of insight to be gained from understanding your opponent’s toolset, tactics, past targets, reputation and level of sophistication. As one threat detection specialist pointed out, the value of comprehensive and actionable threat intelligence is never more clear than in the moments when you are up against the clock, without enough information to make a decision.

Although it seems counterintuitive when infosec resources are already stretched battling a surge of threat actors, there is an invaluable benefit in taking a lesson from legendary investor Warren Buffett: “I insist on a lot of time being spent, almost every day, to just sit and think.”

Ask yourself what could be lurking in the supply chain, missed by early due diligence checks. What off-radar shadow IT could derail your systems if infected? What zero-day threat could be more than a weekend-ruiner?

In this process, a senior leader in security cautioned against the limitations of a single perspective, instead pushing cyber leaders to look beyond traditional viewpoints. What does the network engineer with two decades of experience think is an unaddressed infrastructure risk? What does the HR exec think is the most plausible phishing tactic? What does your developer lead think are the potential security gaps in recent rapid deployments?

The aim is to seek out a black-swan event, an unpredictable incident with a paradigm-shifting impact. It might seem strange to be mentally hunting for future problems, but this pathfinding exercise allows you to face the unknowns that sit right on your doorstep.

One DTX cyber executive shared concerns, not about a break-in, but of doors left open for the next attacker to walk through. In light of the current economic climate, enterprise security teams need to ready themselves to protect against, detect and respond to a spike of insider threats.

Researchers from Palo Alto Networks’ Unit 42 expect threat actors to lure both financially stressed and opportunistic insiders, with remote and hybrid work environments easing the way for malicious activity or data theft.

With phishing attacks continuing to be a top vector for initial environment access, distracted employees can be just as much of a challenge to defending against ransomware. While email and phone remain key targets, collaboration tools such as Slack and Microsoft Teams also offer a new threat surface that needs guarding against exploitation.

This expanded scope is further complicated by covert attacks becoming harder to spot, with tools such as ChatGPT raising the sophistication of previously weak phishing expeditions.

Another area of concern is the dwell time attackers spend inside systems, a precursor to data exfiltration: Unit 42’s research now shows a median dwell time for ransomware attacks of 28 days before detection.

This perfect storm of easy attack targets and high-risk outcomes has given many cyber leaders further incentive to get closer to the employee base. When debating the carrot versus stick conundrum of security compliance, one cyber leader pointed out it all came down to trust. You need to be hands-on with targeted and relatable training, but your systems experience for the end user should be as hands-off as possible.

Another security operations lead highlighted the need to prepare for all-hands-on-deck moments. Comparing it to the instinctive response people have when a fire alarm goes off, there was deep discussion on how to improve a team’s ability to respond in a crisis.

When facing the unfortunate inevitability of ransomware attacks in modern cyber warfare, it all comes down to what happens in the pivotal moment of breach: the moment when defences have been bypassed and all eyes are on the security team.

In that moment, think back to the knowns and unknowns. Do you know how to reach the whole team when workplace comms are down? You might not know how a new member of your team handles the stress of a crisis. Will we ever know what the next big target, threat vector or zero day will be?

As drinks flowed towards the end of the DTX Cyber Leaders Summit, jokes were passed about infosec: the few, the proud, the paranoid. If there ever was a field though where paranoia is a benefit rather than a concern, it might just be cybersecurity. Perhaps the real unknown unknowns are hiding in a conspiracy theory dissected at the next cyber leaders forum.