The event marked the first ever Massachusetts Municipal Cybersecurity Summit, convened by the MassCyberCenter, a state agency focused on bolstering cybersecurity across the commonwealth.
NEVER “TOO SMALL” FOR ATTACKERS
Today’s perpetrators are well-oiled criminal enterprises who easily purchase ransomware from tech-savvy hackers and deploy it with relative impunity from safe havens overseas, said Jen Ellis, Task Force co-chair and vice president of community and public affairs for cybersecurity solutions provider Rapid7. For them, ransomware is a low-effort, low-barrier-to-entry scheme that can be conducted with little risk of law enforcement response — meaning they stand to profit even from the smaller ransoms that can be squeezed out of municipal budgets.
National debate has swirled over whether to ban ransom payments, and ransomware task force members unanimously agree that paying encourages more attacks, Ellis said. Ransoms financially reward perpetrators, prove that this particular victim is likely to pay up again and give funding to fuel future crimes.
But banning ransoms without first providing more victim support could cause a lot of short-term pain, especially to municipalities, Ellis said. Cyber criminals are likely to test victims’ resolve by redoubling assaults on essential services providers that can least afford disruptions, as well as against targets with limited resources for recovering from attacks.
“Which, in many cases, is also going to be you guys,” Ellis told municipal attendees. “The net of this is that if we ban payments tomorrow, you guys are probably going to be on the very pointy end of that.”
CORE RANSOMWARE RESOURCES
Local governments often report difficulty sorting through the vast amount of cybersecurity advice floating around, and of resources that may be either too simplistic or overly complicated, Ellis said.
On the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) both can serve as key sources of information. CISA launched a Stop Ransomware website this year and NIST released a draft document in September that demonstrates how to apply its Cybersecurity Framework (CSF) to combating ransomware.
The MassCyberCenter has also tried to simplify the space, publishing a Municipal Cybersecurity Toolkit and a Minimum Baseline of Cybersecurity for Municipalities framework. The latter aims to boil down cybersecurity recommendations into four key goals for municipalities to focus on: raising employees’ cyber awareness, adopting cybersecurity best practices and securing agencies’ technology setups, improving regional threat sharing and developing incident response plans.
“What we've tried to do is put together resources to help you, the municipalities, get started with cybersecurity, and also to dive a little deeper when you need to,” said Meg Speranza, resiliency program manager at the MassCyberCenter.
TRAINING AND PATCHING
Speakers underscored the value of many such preventive steps. FBI Special Agent Doug Domin said phishing emails remain the most common way cyber criminals penetrate systems, which makes training employees to recognize social engineering an essential step.
Even cyber-trained staff will make mistakes sometimes, however, and so agencies must be sure they offer ways to report incidents and are encouraging — not punitive — when employees do, said Sam Curry, chief security officer at cybersecurity firm Cybereason. That kind of positive reinforcement can be essential to leadership getting intelligence quickly.
Another simple but high-impact practice is to apply software updates promptly and regularly.
Agencies may only formally interact with the criminals negotiating the ransoms, but tech-savvy hackers are working behind the scenes to penetrate municipal systems, then sell that access or use it themselves to extort the victims. Hackers deploy a wide variety of attack methods to gain access, ranging from phishing to software supply chain compromises, Curry said.
State police Lt. Brian Gavioli said that zero-day exploits have become an increasingly popular penetration method among ransomware perpetrators, which makes quickly patching vulnerabilities all the more important.
“There’s a zero-day marketplace that has been flourishing over the past couple of years, where cyber criminals and other threat actors who don't have those types of resources and technical expertise can just go on these marketplaces and buy these zero-day exploits,” Gavioli said. “[in 2021,] we're actually at a record already for zero-day exploits.”
INCIDENT RESPONSE PLANS
Prevention measures, while important, cannot be expected to catch everything, and agencies need to have clear response plans ready to guide them when an attack strikes. These documents should specify the role of each staff member in the response, as well as which partners to contact first and which systems to prioritize when restoring from backups, speakers said.
“In a ransomware attack, the goal is basically just to deny availability to your data,” said Bill Fisher, a security engineer at NIST’s National Cybersecurity Center of Excellence. “This provides a much greater level of immediacy, and a much greater business impact right away. For that reason, we always say, you've got to be prepared.”
Given that ransomware extortionists lock down infected systems, agencies need to ensure that their plans — and any important accompanying information such as staff and partner contact information — are written down on paper, various speakers said.
Rick Rossi, CISA’s cybersecurity adviser for New Hampshire, also warned that malicious actors might get into email systems and employees’ devices to monitor discussions about the attack. That makes it essential for agencies to pinpoint ways to maintain communication through devices unconnected to the impacted network. That could be by using personal cellphones, said MassCyberCenter Director Stephanie Helm.
The risk of hackers spreading from one part of a system to another also means that agencies need to keep their backups isolated, so the attack cannot compromise them as well, and to secure their network logs somewhere cyber criminals are less likely to be able to access and delete them.
“Threat actors will typically try to clear out logs so that that will destroy a lot of evidence that law enforcement is going to rely on,” said Gavioli, who recommended securing them in a central location rather than storing them at each endpoint.
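One thing a central log store makes possible is noticing that an endpoint's logs were cleared, or that the endpoint simply stopped reporting, because the evidence no longer lives only on the machine the attacker controls. The following Python is an added example, not code from the summit, from any speaker or from their organizations: it runs a simple detector over a few constructed sample lines that a collector might have received. The line format, host names and account name are assumed for illustration; the Windows event IDs it keys on (1102, Security log cleared; 104, System log cleared) are real.

```python
"""Detect log-clearing and log-gap signals in centrally collected logs.

Added example, not from the summit or any speaker. It assumes a central
collector has stored one event per line as:
    <ISO timestamp> <host> <log source> <event id> <message>
The sample lines below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Windows events that mean a log was wiped on the endpoint:
#   1102 in the Security log: "The audit log was cleared"
#    104 in the System log:   "The System log file was cleared"
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample data (hostnames and the account name are hypothetical).
SAMPLE_LOGS = """\
2021-10-12T08:00:00 fileserver01 Security 4624 An account was successfully logged on
2021-10-12T08:05:00 fileserver01 Security 4624 An account was successfully logged on
2021-10-12T08:06:30 fileserver01 Security 1102 The audit log was cleared by DOMAIN\\svc-backup
2021-10-12T08:07:00 fileserver01 System 104 The System log file was cleared
2021-10-12T08:00:00 payroll01 Security 4624 An account was successfully logged on
2021-10-12T09:30:00 payroll01 Security 4672 Special privileges assigned to new logon
2021-10-12T08:00:00 dc01 Security 4624 An account was successfully logged on
2021-10-12T11:00:00 dc01 Security 4624 An account was successfully logged on
"""


def parse(lines):
    """Turn the collector's text lines into event dicts."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, source, eid, msg = line.split(" ", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "source": source,
            "eid": int(eid),
            "msg": msg,
        })
    return events


def find_clearing(events):
    """Return every event that records a log being cleared on an endpoint."""
    return [e for e in events if (e["source"], e["eid"]) in CLEAR_EVENTS]


def find_silent_hosts(events, now, max_gap):
    """Hosts whose most recent forwarded event is older than max_gap.

    A host that goes quiet may have had its forwarding agent killed or its
    disks encrypted; either way the central copy is now the only evidence.
    """
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


def analyze(lines, now_iso, max_gap_hours=2):
    """Summarize clearing events and silent hosts as of now_iso."""
    events = parse(lines)
    now = datetime.fromisoformat(now_iso)
    return {
        "cleared": [(e["host"], e["source"], e["eid"]) for e in find_clearing(events)],
        "silent": find_silent_hosts(events, now, timedelta(hours=max_gap_hours)),
    }


if __name__ == "__main__":
    # fileserver01 wiped two logs and then went quiet; payroll01 has been
    # silent for 2.5 hours; dc01 reported an hour ago and is fine.
    print(analyze(SAMPLE_LOGS, "2021-10-12T12:00:00"))
```

The two checks are deliberately independent: a clearing event is positive evidence of tampering, while a silent host is only a prompt to look, since it can also be a crashed agent or a machine that was switched off. Both are only possible because the lines were shipped off the endpoint before anyone touched them.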
Once organizations have written their cyber incident response plans, they can’t just let them sit in a drawer. Personnel need to practice response and backup restoration so they can smoothly put these steps into action when the time comes, speakers said.
A variety of organizations offer free evaluations and tabletop exercises, including CISA and the Multistate Information Sharing and Analysis Center (MS-ISAC).
Massachusetts also enables municipalities to leverage a statewide contract for cybersecurity and data security solutions, which can help them quickly identify vetted organizations and avoid needing to negotiate prices, according to the state Operational Services Division (OSD) website. OSD strategic sourcing services manager Tim Kennedy said the contract includes 44 vendors of various services such as risk and vulnerability assessments, penetration testing and managed threat detection.