Infosec pros demand precision in their work, as well they should. Part of that precision is relying on threat information that allows CISOs and risk officers to make knowledgeable decisions on allocating money, personnel resources and technology to meet challenges.
But sometimes too much knowledge can be a dangerous thing — or not very informative.
That’s what security researcher Brad Duncan argues in a blog posted on the SANS ISC InfoSec Forum on the weekend. Specifically, he urged researchers to stop calling ransomware infections “attacks,” which he argues implies they are targeted. Unless there’s evidence of targeting, he says, they should more appropriately be called “incidents.”
An issue of semantics, especially if you're a victim? Not necessarily. Duncan points to a recent ransomware survey by a research firm that breaks down ransomware attacks by industry. One conclusion of that report is that healthcare is hit more than other sectors. But, asks Duncan, does that mean healthcare is targeted more than other sectors? No, he says. The evidence is that ransomware is largely spread through broad malware campaigns. So the question becomes whether healthcare is being hit more than others because the sector is inherently more vulnerable. If so, Duncan says, the industry is simply more likely to get infected during massive campaigns that indiscriminately target everyone.
The media, including myself, like using exciting words, and "attack" is one of them. Certainly when your team is busy defending against something out of the ordinary you don't care whether it's an incident or an attack. Unfortunately there aren't widely accepted cybersecurity definitions of the terms, although some sources suggest an "incident" is an attempt to get past the firewall, while an "attack" is a breach. Others argue an "attack" is an attempt, while a "breach" is a successful attack.
Duncan argues the word “attack” implies a specific intent against a target. I’m not so sure. But I agree it would be more informative for vendors, security researchers and market research firms to distinguish between general and targeted attacks.
“We tell ourselves we must know our enemy so we can better protect our network,” writes Duncan. “However, I think we put too much focus on the enemy and not enough focus on ourselves. Is everyone in your organization following best security practices? Is security a truly essential part of your corporate culture? Is security a primary concern when establishing or upgrading your network architecture, or does cost outweigh the best security measures?”
While managers may want to know if a ransomware infection was the result of being targeted, the odds are it wasn't. "If we continue thinking of ransomware infections as 'attacks,' we'll never seriously consider a wide variety of issues that allow ransomware infections to happen in the first place," says Duncan.
What do you think? Let us know in the comments section below.
Meanwhile there are new reports that the Cerber ransomware has been upgraded with improved key generation. Cerber2 now draws its key material from Microsoft's 32-bit CryptGenRandom API, a cryptographically secure random number generator rather than an encryption scheme, which renders the earlier successful attempts at decrypting .Cerber files useless: a recovery tool that relied on predicting how keys were generated has nothing left to predict.
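Why switching to a cryptographically secure random number generator kills a decryptor is easier to see with code. The following is an added example, not code from the article or from any Cerber analysis, and it assumes a hypothetical weak variant whose key is derived from a timestamp-seeded PRNG (the article does not say what weakness the earlier decryptors exploited; the time-seeded design, the toy SHA-256 counter-mode stream cipher, the sample file and the timestamp are all constructed for illustration). `secrets.token_bytes` plays the role CryptGenRandom plays on Windows: it returns OS-provided random bytes with no seed to search.

```python
import hashlib
import random
import secrets

# Constructed sample file. Many formats begin with a fixed header, which a
# recovery tool can use as known plaintext to test candidate keys.
SAMPLE_PLAINTEXT = b"%PDF-1.7\n" + b"demo invoice contents " * 4
KNOWN_PREFIX = b"%PDF-1.7\n"


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher keystream: SHA-256 over key || counter (for illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def weak_key(seed: int) -> bytes:
    """Hypothetical weak variant: a 256-bit key from a PRNG seeded with a timestamp.
    The output looks random but is a pure function of the seed."""
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_key() -> bytes:
    """Strong variant: 32 bytes from the OS CSPRNG (the role CryptGenRandom fills on Windows)."""
    return secrets.token_bytes(32)


def recover_weak_key(ciphertext: bytes, known_prefix: bytes, approx_time: int, window: int = 3600):
    """Decryptor logic: try every seed within +/- window seconds of the estimated
    infection time and keep the first key that decrypts the known header."""
    for seed in range(approx_time - window, approx_time + window + 1):
        candidate = weak_key(seed)
        if xor_encrypt(candidate, ciphertext[: len(known_prefix)]) == known_prefix:
            return candidate
    return None


def demo():
    """Returns (weak_variant_recovered, strong_variant_recovered)."""
    infection_time = 1470000000  # constructed timestamp; the real one would come from file mtimes or logs

    # Weak variant: the key is a function of when the malware ran, so a
    # decryptor with a rough idea of that time can brute-force it.
    ct_weak = xor_encrypt(weak_key(infection_time + 17), SAMPLE_PLAINTEXT)
    recovered = recover_weak_key(ct_weak, KNOWN_PREFIX, infection_time)
    weak_recovered = recovered is not None and xor_encrypt(recovered, ct_weak) == SAMPLE_PLAINTEXT

    # Strong variant: the same search has nothing to enumerate; there is no seed.
    ct_strong = xor_encrypt(strong_key(), SAMPLE_PLAINTEXT)
    strong_recovered = recover_weak_key(ct_strong, KNOWN_PREFIX, infection_time) is not None

    return weak_recovered, strong_recovered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The search window here is two hours of one-second seeds, which is a few thousand SHA-256 calls; that is the whole reason a seed-based key is recoverable and a 256-bit CSPRNG key is not. Real decryptors exploit whatever the specific malware got wrong, but the structure is always the same: some input small enough to enumerate stands between the attacker's key and the victim's files.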