Passion for cybersecurity is one of our company's core values. In fact, we have shirts to prove it.
Speaking of passion, we can't help but think of Jimmy Buffett. He was not just a musician and singer-songwriter, but also a person who followed his passions and created a lifestyle that inspired millions.
Channeling our inner Parrot Heads, we asked Bing Chat to write a blog linking the recent Ransomware Self-Assessment updates and the great Jimmy Buffet. Bing Chat responded:
“I’m sorry, but I cannot write a blog about Ransomware Self-Assessment and Jimmy Buffett. These are two very different topics that do not have much connection or relevance to each other.”
Challenge accepted. We hope you find this entertaining and interesting because “if we couldn't laugh, we would all go insane.”
It was clear that Bing Chat did not attend the recent Conference of State Bank Supervisors (CSBS) webinar on R-SAT 2.0 like we did. The webinar not only introduced the new and improved R-SAT but also provided lessons learned by banks that suffered a ransomware attack. We anticipate this webinar will become a top hit with risk managers within the banking sector and beyond. CSBS even hinted that a non-bank R-SAT may be released in the first quarter of 2024.
Using lessons learned from attacks going back to January 2019, regulators expanded the R-SAT from sixteen to twenty questions while maintaining the same general look and format as the initial version. The NIST Cybersecurity Framework continues to be the foundation of the tool, with subsections for its identify, protect, detect, respond, and recover functions.
We found the webinar to be a “Cheeseburger in Paradise” and recommend practitioners review the lessons learned report with a “big kosher pickle and a cold draft beer; well, good God Almighty, which way do I steer?”
Changes in Latitudes, Changes in Attitudes
Just as Jimmy Buffett's song suggests that changes in latitudes can lead to changes in attitudes, a revised R-SAT signals a change in mindset and strategy for tackling ransomware threats in the ever-evolving landscape of cybersecurity.
The “Ransomware: Lessons Learned by Banks That Suffered an Attack” report suggests that victims of ransomware attacks have gained a newfound appreciation for the R-SAT. Victims reported that they had previously treated the R-SAT as a compliance exercise and had relied on managed security providers rather than fully understanding and directing their own ransomware risk mitigation efforts. Most victims identified in the study had not completed, or had only partially completed, the R-SAT. In other words, we must steer the ship from a compliance mindset to a risk management approach.
Overconfident victims placed undue faith in a partially completed R-SAT, in the FFIEC Cybersecurity Assessment Tool (CAT), which was last updated in 2017, or in prior examinations and audits that failed to properly evaluate the institution's cybersecurity preparedness.
Some victims reported a dependency on third parties, such as managed security service providers, rather than fully comprehending the ransomware issues themselves. Still others knew their R-SAT had not been completed thoroughly, or that its completion had been delegated to personnel without the knowledge or experience to provide a credible challenge.
It is essential not to treat the R-SAT as just another regulatory compliance process, but to leverage it to thoroughly evaluate risks and controls. Candidly, the R-SAT is an important tool that should be completed by those responsible for cybersecurity. Completing the R-SAT can be a first step in developing a ransomware playbook, which is a key component of a comprehensive Incident Response Plan.
Failure to plan for a ransomware event may lead one to feel like they're on a volcanic island singing “I don't know where I'm a-gonna go when the volcano blows.”
Now, let’s slow the tempo and look into key control gaps that regulators identified in the lessons learned report:
The Role of MFA
Multi-factor authentication (MFA) was one control consistently implemented by all victims following a ransomware incident (if they were not already using it). MFA is not a silver bullet for weak security practices, but wherever MFA is not in use, your R-SAT should document the reasoning. MFA seems like a simple security feature; however, there are many variations and implementation methods, each with its own strengths and weaknesses, and SMS or push-based factors can be phished or fatigued in ways that application-based and phishing-resistant methods (such as FIDO2/WebAuthn authenticators) cannot. Effective implementation and proper configuration of MFA are crucial for obtaining the expected benefits. The new tool places increased emphasis on MFA, which is now an expanded, stand-alone question and includes:
- A new sub-question emphasizing whether the institution relies on stronger application-based or phishing-resistant methods.
- More options to identify where and how MFA is applied.
- A new sub-question identifying areas where MFA implementation is not planned or has been deferred.
Understanding, Identifying, and Managing “Hyper-local” Social Media
While you may be unfamiliar with the term, chances are you are already using “hyper-local” social media to some extent. Think of Nextdoor, Facebook Neighborhoods, or Citizen: the websites and applications you use to keep up on local gossip, complain about the service you received at the drive-up, or find out whether anyone was injured in the wreck you saw on the way to work. These are the sites everyone monitors and that a few very active users usually dominate. Your Incident Response Plan must consider both traditional social media and these hyper-local social media platforms.
Banks must stay informed about these platforms and actively check for any false information or adverse feedback that could affect their reputation or customer confidence during a ransomware incident. Banks are advised to establish crisis communication protocols to manage posts on both hyper-local and traditional social media effectively.
Additional Lessons Learned
Other critical items noted in the CSBS report included the following observations and findings:
- Expanding cloud usage requires greater awareness of where data is located, as well as which services are cloud-based.
- Identification and management awareness of any data, including cloud-based data, housed in locations outside of the US (new question)
- Ransomware tactics are changing and now include double and triple extortion techniques, sometimes with accompanying DDoS attacks.
- Increased emphasis and detail on employee awareness and security training
- Types of training offered
- Frequency of training offerings (new sub-question)
- Phishing test exercises and use of testing results (new question)
- Employee briefings on emerging ransomware threats (new question)
- Controversial practices: Paying an extortion fee for the promise of silence from a criminal emboldens them to continue targeting the banking industry.
Why a revised R-SAT?
Utilizing the lessons learned report, regulators identified primary drivers for revising the R-SAT model and made notable changes in the question set to further strengthen the tool to reflect the current scope of ransomware threats. The primary drivers for the revised R-SAT included:
- Changes needed to address the evolving threat environment and bad actor tactics
- Increased geopolitical threat environment
- Double and triple extortion technique
- Data exfiltration without encryption
- Changes needed to address changing bank environments and controls
- Increased emphasis on MFA
- More scrutiny of other controls, such as cloud security, incident response planning, vendor access to systems, and employee training and awareness
R-SAT Version 2.0: Notable Changes
- Increased emphasis on MFA
- Now an expanded, stand-alone question
- New sub-question emphasizing whether the institution relies on stronger application-based or phishing-resistant methods
- More options to identify where and how MFA is applied
- New sub-question identifying areas where MFA implementation is not planned or has been deferred.
- Identification and management awareness of any data, including cloud-based data, housed in locations outside of the U.S. (new question)
- Increased emphasis and detail on employee awareness and security training
- Types of training offered
- Frequency of training offerings (new sub-question)
- Phishing test exercises and use of testing results (new question)
- Employee briefings on emerging ransomware threats (new question)
- Increased clarity on identifying systems or activities processed or performed internally, outsourced to a third party, or a combination of the two
- Identification of systems or activities that are based in a cloud environment
- Review of cyber framework gap analysis (new sub-question)
- Checklist of services potentially available through cyber insurance policies
- Narrative requesting identification of vendors that do not have ransomware-related controls in place
- Procedures to validate the sterility (cleanliness) of data backups before restoration to prevent reinfection
- Identification of any ransomware threats and risks identified in risk assessments that have not been appropriately remediated or mitigated to an acceptable risk level (new sub-question)
- Identification of new preventative controls
- Patch management
- Controls governing removable media use
- Controls ensuring changing of default hardware and software settings
- Implementation of jump box (bastion host) or administrative VLAN
- Procedures for resetting or replacing user authentication credentials
- Identification of new or reworded Incident Response Plan considerations
- Alternative strategies for connecting to third parties
- Escalation procedures for activating BCP/DR plans
- Social media monitoring for public awareness
- Notification of state and federal regulators (in accordance with regulatory requirements)
- Immediate notification of federal law enforcement
- Threat hunting
- "Out-of-band" communications procedures
- Board discussions of ransom payments before payment
- Considerations for third parties engaged in the event of an attack
- Identification of any third parties to be engaged (new question)
- Do prearranged service contracts or, at a minimum, contact information exist so that legal and contract issues do not delay the institution's response?
- Does the institution promptly engage with law enforcement, and does it require third parties, including insurance companies, to do the same? (new sub-question)
- Pre-approval of third parties by the bank's cyber insurance provider (new sub-question)
Be Like Buffett: Turn Challenges into Opportunities
With ransomware remaining one of the most visible cyber threats, all organizations remain at risk. For the unprepared, the consequences can be severe, including damage to the brand or reputation, regulatory consequences, impacts on operations, and failure of the institution. While a comprehensive plan is valuable, a plan itself does not negate the need for strong leadership during crisis management.
“Roll with the punches, play all of his hunches, make the best of whatever came his way.” These lyrics are worth contemplating in light of the recent MGM Resorts and Caesars ransomware attacks and how each management team responded. Each management team had a choice: negotiate a ransom amount and hope for a speedy recovery, or refuse the extortion payment and attempt to recover on its own. Neither choice is a clear win, and each leads to its own set of ramifications.
Turning challenges into opportunities was a hallmark of Mr. Buffett’s legacy and a lesson in leadership. The R-SAT is not a test to pass or fail but an opportunity to prepare your team for the uncertain challenges of a ransomware attack, as well as a critical step in developing an incident response plan playbook for responding to ransomware.
A big shout-out to the CSBS for continuing to prepare the banking industry for this threat, and thank you, Jimmy Buffett, for sharing a lifetime of music.
Laura Zannucci and Shane Daniel
Laura Zannucci is an Information Security Consultant and IT Auditor at SBS CyberSecurity. Shane Daniel is a Senior Information Security Consultant for SBS CyberSecurity.