Massachusetts Cyber Summit Homes in on Local Ransomware Fight

Public- and private-sector speakers during the Massachusetts Municipal Cybersecurity Summit highlighted local agencies’ particular vulnerability to ransomware as well as key strategies and resources to help.

IST Taskforce co-chairs Kemba Walden (left) and Jen Ellis (right) spoke during the Summit.
Massachusetts agencies took aim at the ever-increasing issue of cyber attacks against local government. The Oct. 7 virtual summit was designed to inform local officials about how ransomware attackers strike and to direct them to appropriate and impactful state and federal resources.

The event marked the first ever Massachusetts Municipal Cybersecurity Summit, convened by the MassCyberCenter, a state agency focused on bolstering cybersecurity across the commonwealth.

NEVER “TOO SMALL” FOR ATTACKERS


Small towns and agencies may be accustomed to thinking they’re too small to get hit, but today’s ransomware attackers aren’t individual actors spending precious time and energy on each target, said Kemba Walden, assistant general counsel for Microsoft’s Digital Crimes Unit. Walden is also a co-chair of the Institute for Security and Technology (IST)-coordinated Ransomware Task Force, which earlier this year produced a comprehensive report about the ransomware ecosystem and recommendations for tamping down on the threat.

Today’s perpetrators are well-oiled criminal enterprises who easily purchase ransomware from tech-savvy hackers and deploy it with relative impunity from safe havens overseas, said Jen Ellis, Task Force co-chair and vice president of community and public affairs for cybersecurity solutions provider Rapid7. For them, ransomware is a low-effort, low-barrier-to-entry scheme that can be conducted with little risk of law enforcement response — meaning they stand to profit even from the smaller ransoms that can be squeezed out of municipal budgets.

National debate has swirled over whether to ban ransom payments, and ransomware task force members unanimously agree that paying encourages more attacks, Ellis said. Ransoms financially reward perpetrators, prove that this particular victim is likely to pay up again and give funding to fuel future crimes.

But banning ransoms without first providing more victim supports could cause a lot of short-term pain, especially to municipalities, Ellis said. Cyber criminals are likely to test victims’ resolve by redoubling assaults on essential services providers that can least afford disruptions, as well as against targets with limited resources for recovering from attacks.

“Which, in many cases, is also going to be you guys,” Ellis told municipal attendees. “The net of this is that if we ban payments tomorrow, you guys are probably going to be on the very pointy end of that.”

CORE RANSOMWARE RESOURCES


Local governments often report difficulty sorting through the vast amount of cybersecurity advice floating around, and of resources that may be either too simplistic or overly complicated, Ellis said.

On the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) both can serve as key sources of information. CISA launched a Stop Ransomware website this year and NIST released a draft document in September that demonstrates how to apply its Cybersecurity Framework (CSF) to combating ransomware.

The MassCyberCenter has also tried to simplify the space, publishing a Municipal Cybersecurity Toolkit and a Minimum Baseline of Cybersecurity for Municipalities framework. The latter aims to boil down cybersecurity recommendations into four key goals for municipalities to focus on: raising employees’ cyber awareness, adopting cybersecurity best practices and securing agencies’ technology setups, improving regional threat sharing and developing incident response plans.

“What we've tried to do is put together resources to help you, the municipalities, get started with cybersecurity, and also to dive a little deeper when you need to,” said Meg Speranza, resiliency program manager at the MassCyberCenter.

TRAINING AND PATCHING


Speakers underscored the value of many such preventive steps. FBI Special Agent Doug Domin said phishing emails remain the most common way cyber criminals penetrate systems — which makes training employees to recognize social engineering an essential step.

Even cyber-trained staff will make mistakes sometimes, however, and so agencies must be sure they offer ways to report incidents and are encouraging — not punitive — when employees do, said Sam Curry, chief security officer at cybersecurity firm Cybereason. That kind of positive reinforcement can be essential to leadership getting intelligence quickly.

Another simple but impactful practice is to update software regularly.

Agencies may only formally interact with the criminals negotiating the ransoms, but tech-savvy hackers are working behind the scenes to penetrate municipal systems, then sell that access or use it themselves to extort the victims. Hackers deploy a wide variety of attack methods to gain access, ranging from phishing to software supply chain compromises, Curry said.

State police Lt. Brian Gavioli said that zero-day exploits have become an increasingly popular penetration method among ransomware perpetrators, which makes quickly patching vulnerabilities all the more important.

“There’s a zero-day marketplace that has been flourishing over the past couple of years, where cyber criminals and other threat actors who don't have those types of resources and technical expertise can just go on these marketplaces and buy these zero-day exploits,” Gavioli said. “[in 2021,] we're actually at a record already for zero-day exploits.”

INCIDENT RESPONSE PLANS


Prevention measures — while important — cannot be expected to catch everything, and agencies need to have clear response plans ready to guide them when an attack strikes. These documents should specify each staff member’s role in the response, as well as which partners to contact first and which systems to prioritize when restoring from backups, speakers said.

“In a ransomware attack, the goal is basically just to deny availability to your data,” said Bill Fisher, a security engineer at NIST’s National Cybersecurity Center of Excellence. “This provides a much greater level of immediacy, and a much greater business impact right away. For that reason, we always say, you've got to be prepared.”

Given that ransomware extortionists lock down infected systems, agencies need to ensure that their plans — and any important accompanying information such as staff and partner contact information — are written down on paper, various speakers said.

Rick Rossi, CISA’s cybersecurity adviser for New Hampshire, also warned that malicious actors might get into email systems and employees’ devices to monitor discussions about the attack. That makes it essential for agencies to pinpoint ways to maintain communication through devices unconnected to the impacted network. That could be by using personal cellphones, said MassCyberCenter Director Stephanie Helm.

The risk of hackers spreading from one part of a system to another also means that agencies need to keep their backups isolated — so the attack cannot compromise them as well — and secure their network logs where cyber criminals are less likely to access and delete them.

“Threat actors will typically try to clear out logs so that that will destroy a lot of evidence that law enforcement is going to rely on,” said Gavioli, who recommended securing them in a central location rather than storing them at each endpoint.

Once organizations make their plans, they can’t just let their cyber incident response plans sit in a drawer. Personnel need to practice response and backup activities so they can smoothly put these steps into action when the time comes, speakers said.

A variety of organizations offer free evaluations and tabletop exercises, including CISA and the Multistate Information Sharing and Analysis Center (MS-ISAC).

Massachusetts also enables municipalities to leverage a statewide contract for cybersecurity and data security solutions, which can help them quickly identify vetted organizations and avoid needing to negotiate prices, according to the state Operational Services Division (OSD) website. OSD strategic sourcing services manager Tim Kennedy said the contract includes 44 vendors of various services such as risk and vulnerability assessments, penetration testing and managed threat detection.

Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.