Prevention is key, but being ready to act during a breach can save a company's reputation.

Ayesha Prakash, Director of Global Channels

October 25, 2019


As ransomware attacks grow increasingly targeted, it’s more important than ever for managed service providers to critically evaluate how they’re protecting customers from this evolving threat. This is especially true following reports that the actors behind the ransomware attacks on 23 local city governments may have accessed their victims by compromising third-party IT software managed by an external service provider. This underscores the reality that under-resourced government agencies and small private-sector companies with small-to-nonexistent IT departments often rely on MSSPs as a major line of defense.

Small, local government agencies with limited resources often outsource most if not all aspects of IT operations to MSPs; the same can be said of many nonprofits and low-tech businesses. These organizations are focused on their core activities — keeping cities running, serving local communities and providing goods and services. Consequently, these organizations may lack adequate cybersecurity protections due to a lack of awareness or resources.

Prevention is key when it comes to dealing with ransomware, but unforeseen contingencies can still arise despite defenders’ best efforts, so organizations must also be ready to spring into action in the event of a ransomware attack. By delivering proactive defense measures alongside the resources needed to prepare for and effectively respond to incidents, MSPs can not only protect themselves and their customers from costly reputational damage but also reap the benefits of positioning themselves as a comprehensive, managed solution for defending against ransomware threats.

Proactive Cyber Defense

MSPs can gain a competitive edge by empowering customers with the tools, capabilities, and intelligence needed to reduce the likelihood and potential impact of a ransomware attack. For starters, MSPs can support the remote data backup of critical assets on external servers, thus providing a critical lifeline for helping customers restore access to these assets in the event of a ransomware attack.

But to help customers prevent ransomware attacks from occurring in the first place, MSPs must also deliver meaningful vulnerability management support. There’s no blanket solution for effective vulnerability management, and customers need contextualized intelligence to determine which security patches to prioritize. As such, automated tools can never deliver truly effective cyber defense and must be supplemented with access to the data and insight needed to inform an appropriate course of action.

Ransomware Education and Planning

Empowering customers with strong cyber defenses is essential, but there’s no foolproof way to prevent a ransomware attack with absolute certainty. And since the impact of a ransomware attack on operations and revenue is compounded the longer it goes unmitigated, having the knowledge and predefined response procedures needed to act quickly and effectively during an attack can reap considerable returns in terms of harm reduction.

A comprehensive incident-response plan should outline procedures for verifying that a ransomware attack has occurred, assessing which assets have been exposed and to what extent, and preventing further exposure. It should also include a decision-making framework for determining how to go about retrieving affected assets. Unless an organization just so happens to have an in-house ransomware guru, ransomware response planning should involve workshops, practice exercises and other professional services led by external experts experienced in dealing with these events.

Threat-Actor Engagement

By working with external advisers to proactively prepare a ransomware incident-response plan, IT staff can rest assured knowing they won’t be running around like chickens with their heads cut off in the immediate aftermath of an attack. But this doesn’t necessarily mean they’re equipped to independently deal with a ransomware incident from start to finish.

When responding to a ransomware incident affecting critical data or systems, teams are faced with a Catch-22: to pay or not to pay an attacker’s ransom demands. Law enforcement continues to advise that organizations should never pay the ransom demanded to restore access to encrypted assets. But a growing number of cybersecurity practitioners have been forced to consider payments as a course of action to minimize financial loss and other damages.

The question of whether to pay a ransom to threat actors is foremost a business decision, which should be informed by conducting a cost-benefit analysis defined within an organization’s incident-response plan. But if an organization decides to explore the option of ransom payment, it will need the support of external response specialists. The reasons for this are threefold:

  1. Given the inherently nefarious nature of ransomware payments, regaining access to encrypted assets after paying ransom is never a guarantee. However, by having external analysts with visibility into illicit online communities investigate the threat actor behind the attack to assess their track record of reputability, teams can determine whether the actor is reasonably likely to uphold their part of the bargain.

  2. When it comes to negotiating with threat actors, experience and savviness can make all the difference. Having an external specialist who is well-versed in strategies for haggling with adversaries carry out the engagement on an organization’s behalf can ensure the best possible outcome while avoiding the substantial operational security risk posed by direct engagement.

  3. Acquiring the cryptocurrency needed to pay ransom at a moment’s notice is rarely feasible, and engaging in a direct transaction with a cybercriminal can have security ramifications for ransomware victims. The support of an experienced third party with access to cryptocurrency and the ability to ensure secure payment greatly reduces the risk posed by such transactions.

No organization ever wants to be in a position where it needs to make a ransom payment to a cybercriminal. And by providing customers with the resources needed to implement proactive cyber defenses, you can greatly reduce their likelihood of finding themselves in such a predicament. Nonetheless, by including threat-actor engagement and ransom-payment services as part of your comprehensive MSSP offering, you can provide your customers with the peace of mind of knowing that in a worst-case scenario, they’ll have expert support every step of the way.

Key Takeaways

A comprehensive strategy for addressing ransomware threats requires multiple components. First, organizations must have access to the tools and intelligence sources needed to adopt risk-based vulnerability management and other cybersecurity best practices that reduce the likelihood of an attack occurring in the first place. Second, organizations must implement education and response planning to ensure IT staff are prepared to act quickly and effectively in the event of a ransomware attack. Third, if it’s determined that paying a ransom is a necessary last resort, organizations need rapid access to cryptocurrency and the ability to pay the ransom securely.

These are daunting requirements for smaller or cash-strapped IT security teams to fulfill without external support. MSSPs have the power to help organizations address this predicament by partnering with vendors that offer the necessary resources for addressing these requirements and delivering those resources to customers as part of their subscription services.

By partnering with vendors that recognize the importance of approaching cybersecurity strategy from a nuanced, contextualized point of view that acknowledges how various situational factors determine the best course of action when responding to a ransomware attack, MSSPs can deliver enormous value to customers. Better yet, by bundling ransomware readiness and response capabilities with services that address other common IT-security capability gaps with a similar level of contextualized nuance, an MSSP can position itself as a comprehensive provider of solutions that empower customers to make smart decisions around risk and defend against the threats that matter most.

As senior director, head of worldwide channels and partnerships at Flashpoint, Ayesha Prakash leverages her extensive experience driving business development and marketing efforts in the IT sector to build Flashpoint’s global channel program. Follow her on Twitter @yoursocialnerd and @FlashpointIntel.


About the Author(s)

Ayesha Prakash

Director of Global Channels

As vice president of global channels and alliances at KELA, Ayesha incorporates more than 15 years of experience across IT and cybersecurity industries. She has extensive experience driving global business development and marketing efforts in the cybersecurity space, previously holding prestigious positions, such as head of global channels and partnerships and chief revenue officer at leading cyber intelligence firms. She was awarded a Top Gun 51 designation from Channel Partners Online. Ayesha serves on the board for the cybersecurity program for Pace University, Ithaca College and Rutgers University. She is also an active participant in the Information Systems Audit and Control Association (ISACA), Women in Cyber (WiSys), and the Alliance of Channel Women.
