Improving law enforcement resilience to ransomware
Building an effective response plan to thwart ransomware attacks requires a methodical and considered approach
By Scott Kaine
Ransomware continued to make headlines in 2022, with countless stories of cyber attackers holding IT systems and data hostage. Not surprisingly, more than half of respondents in a recent survey of law enforcement personnel identified ransomware as their top concern when asked about cybersecurity challenges.
Given ransomware’s potential to compromise sensitive information and disrupt critical public services, agencies are right to be worried. Ransomware attacks can cost substantial time and money, with no guarantee of recovering data even if the ransom is paid.
Measuring the impact of ransomware
Motorola Solutions’ threat intelligence team, a dedicated group that proactively monitors, curates and reports on cyber threats to public safety, spent the past year researching how cyberattacks affect law enforcement. It tracked 74 ransomware and data breach attacks targeting police departments, accounting for nearly 22% of attacks.
The impact of an attack can be immediate and costly. When police departments are breached, attackers go after confidential data, which can include sensitive information like dates of birth, disciplinary files, home addresses and financial data that can put agency personnel at increased risk for physical or financial harm.
Threat actors typically either encrypt (lock) files and hold the decryption (unlock) key for ransom, or exfiltrate confidential data and threaten to publish it unless a ransom is paid. In some cases, criminals demand one ransom to decrypt files and later demand another to refrain from publishing the sensitive information (known as “double extortion”).
Understanding ransomware attack stages to reduce risk
Understanding the stages of ransomware attacks, as well as the methods threat actors use, can enable law enforcement agencies to help prevent and respond to them more effectively.
Ransomware attacks generally progress from reconnaissance and preparation, to compromise and payload delivery, to privilege escalation and lateral movement, and finally, to encryption and potentially exfiltration.
At each step, even the stealthiest threat actors can leave traces of activity indicating an attack is imminent or in progress. Continuously monitoring for these indicators enables agencies to detect and respond to threats faster.
Ransomware response readiness: Preparing for the inevitable
Building an effective response plan to thwart ransomware attacks requires a methodical and considered approach that includes the following:
Most attackers are opportunistic, looking for the least protected targets. By making it harder for threat actors to get into their networks and mission-critical systems, agencies can reduce their risk.
A fundamental step is requiring cybersecurity training so employees can identify and avoid common threat vectors. The most popular means of initial network access and compromise typically involve phishing emails. Attackers have become adept at creating very convincing emails and websites that can download and execute malicious software on devices, giving them their first point of entry. By training employees to recognize and immediately report suspicious activity, many attacks can be isolated at the device level so they don’t spread to the rest of the network.
In addition, maintaining offline, offsite and frequent backups can prevent attackers from compromising or holding sensitive data hostage.
Another resource is joining an Information Sharing and Analysis Organization (ISAO). These are trusted communities that actively collaborate to identify and share details about cybersecurity threats, including detailed intelligence on threat actors. The Public Safety Threat Alliance is an ISAO registered with the Cybersecurity and Infrastructure Security Agency (CISA) that gives police agencies and other public safety members access to actionable cyber threat intelligence to improve their resilience.
Installing antivirus software on devices and enabling email security controls that stop phishing emails from getting through can aid in both prevention and early threat detection. Because malware can often bypass antivirus solutions, security experts recommend advanced endpoint detection and response (EDR) solutions so threats can be quickly remediated through automated and remote processes.
Detecting indicators of compromise through 24/7 monitoring is another important step. Deploying a managed detection and response service with advanced automated and orchestrated capabilities to filter false positives and normal behavioral alerts, combined with the support of a security operations center staffed by highly skilled analysts, can substantially reduce the burden on in-house teams.
When investigating an attack, agencies should seek to identify and understand the most likely attack vector. This can include phishing emails, remote desktop protocol (RDP) tools, USB drives and others.
More advanced steps can include extracting and investigating network and system logs for signs of unauthorized or suspicious activity or extracting actual malware samples to reverse engineer them and find clues to the attackers’ identity.
If threat actors are able to bypass security controls and early detection tools to launch an effective ransomware attack, it’s crucial to identify and isolate the impacted devices and systems as quickly as possible.
A preliminary investigation should answer questions such as: Which ransomware variant is likely involved? How far has the attack spread? How sensitive is the data at risk? Could the attack result in loss of life because mission-critical systems are unavailable, or because sensitive data on victims or personnel is leaked? Could it result in monetary or reputational damages?
There are also technical steps that must be taken immediately to stop the spread of an attack, including blocking unknown IP addresses, malicious command and control domains and other traffic associated with the attackers; closing open ports; and quarantining affected credentials, systems, networks and devices.
Once the attack has been stopped, it’s important to eradicate the threat. This entails removing any malware associated with the attack from all affected devices and systems and watching for signs of re-infection or renewed activity. Eradication can include wiping systems; restoring services, applications and user groups; and restoring data from backups.
Attackers often install hidden software that lets them remain undetected on systems and networks both during and after an attack. Many agencies have found that working with a dedicated team of third-party threat hunters with experience in public safety is an effective way to find and close these backdoors, which may otherwise leave agencies vulnerable to recurrences.
As part of recovery efforts, agencies must also consider their obligations and abilities to communicate with key stakeholders. Depending on the scope and impact of the attack, agencies may need to notify other state, regional or federal law enforcement agencies. A documented and regularly tested incident response plan that outlines communication processes should identify key points of contact for communications with the press, cyber insurance companies, third-party firms and regulators.
Ransomware attacks represent an ongoing danger for law enforcement that shows no signs of abating. A proactive approach to prevention, combined with ongoing monitoring and well-tested emergency response and recovery plans, can go a long way toward ensuring your agency is prepared for the inevitable. Joining a threat-sharing organization focused on public safety, as well as working with security experts who understand the unique needs of law enforcement, can give you the support and peace of mind you need so you can focus on your mission.
About the author
Scott Kaine is corporate vice president of cybersecurity for Motorola Solutions and spearheads the Public Safety Threat Alliance.