Technology Executive Council
To join the CNBC Technology Executive Council, go to cnbccouncils.com/tec
Technology Executive Council

We're starting to see a national response to ransomware, says Mandiant CEO

Bob Violino, special to CNBC.com
WATCH LIVE
Key Points
  • An August 2021 report from research firm International Data Corp. showed that more than one-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months.
  • We're beginning to see a coordinated national and international response to cyberthreats because of ransomware, Mandiant CEO Kevin Mandia said.
  • A good example of an effective coordination was the takedown earlier this year of REvil, a ransomware-as-a-service operation linked to Russia.
Kevin Mandia testifies during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC.
Drew Angerer | Getty Images

As the recent Log4j breach demonstrates, U.S. businesses and government organizations have been taking a pounding from cybercriminals. It's coming in the form of ransomware, data breaches, distributed denial-of-service (DDoS), and other damaging attacks.

Now, many are saying enough is enough.

"I think more people are taking advantage of the United States — and our openness and our true global workforce — than in any other nation," said Kevin Mandia, CEO of cyber security company Mandiant, in a session on cybersecurity at CNBC's recent Technology Executive Council (TEC) Summit in New York.

Rather than simply bolstering traditional defenses such as firewalls and waiting to be the next potential victim of a cyber assault, companies are beginning to take a more proactive approach to security. They're going on the offensive, actively seeking out cyber threats and disabling them before they can wreak havoc on systems and networks.

The increase in ransomware, one of the more insidious and damaging types of attacks, is a major driver for going on the offensive. An August 2021 report from research firm International Data Corp. showed that more than one-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months.

Weary of the ongoing assaults, organizations are fighting back.

"What you're starting to see is a coordinated national response — maybe even a coordinated international response — because [of] ransomware," Mandia said. "Quite frankly everybody hates it except for people doing it and the people harboring those who do it."

A good example of an effective coordination was the takedown earlier this year of REvil, a ransomware-as-a-service operation linked to Russia. A group of countries and law enforcement organizations used technical and legal methods to knock the operation off the Internet.

While it's uncertain exactly how REvil was taken out of commission, the collaboration by multiple entities is a positive development in the effort to minimize or eliminate threats, Mandia said. With ransomware becoming a national security issue as well as a criminal one, the U.S. needs to consider bringing military assets to bear in the fight to stop these attacks, he said.

"We can do a lot of different things rather than just constantly making it a clean-up on aisle nine after the crime," he said. Military action "doesn't mean drone strikes, it means proportional response" to the attacks, he added. That can only happen when the sources of the attack are identified.

A strong step would be the creation of a national "doctrine" that states how the U.S. will deal with creators of ransomware and other cyber threats, as well as the nations that harbor them, Mandia said.

"There could be some vagueness to that doctrine, but people need to know that the nation is going to have a coordinated response" to attacks, he said. "There comes a time where you just can't stand there and take it anymore."

Technology executives expect the high level of external threats to continue, with TEC members responding to a recent CNBC survey saying that state-sponsored cyber warfare (32%) and criminal organizations (25%) remain the most dangerous cyber threats. They give the Biden administration decent marks in its cybersecurity efforts so far, with less than 5% of TEC members saying Biden has done a "poor" job on cybersecurity during his first year in office. Thirty-nine percent of respondents said the Biden administration has done a "good job," while another 9% described its efforts as "excellent." Another 35% said the administration has done an "average job" when it comes to cybersecurity.

LOG4J vulnerability the most serious I've seen in my decades-long career, says CISA director
VIDEO2:2702:27
LOG4J vulnerability the most serious I've seen in my decades-long career, says CISA director

Deploying threat hunting and intelligence tools

On an individual basis, businesses can take steps to get ahead of cybercriminals. For example, they can deploy threat hunting and threat intelligence tools or services.

With threat hunting, companies' security teams proactively search through networks and systems to find and isolate advanced threats that can evade older security tools such as firewalls, intrusion detection systems, and security information and event management products. The latest threat-hunting offerings can be at least partially automated via technologies such as machine learning, so companies don't need to rely on time-consuming manual hunting processes.

Threat intelligence is also effective at detecting and stopping cyber attacks. Security teams can tap resources such as open source intelligence, social media intelligence, and services from a number of vendors to track existing and emerging threats.

Threat intelligence lets companies develop a more proactive approach to cyber security, in large part because it's predictive. Another key benefit of using such resources is that they promote the sharing of knowledge and experiences among the cyber security community, which supports the idea of a broad effort to "attack" cybercriminals before they strike.

Identity technologies such as multi-factor authentication (MFA) and advanced endpoint security tools, both of which support the concept of "zero trust" security, can also help companies be more proactive.

"Multi-factor authentication is a phenomenal thing for breaking lateral movement," Mandia said. MFA is the first step toward a zero-trust network, he says.

The recent TEC survey finds more than half (52%) of respondents saying their firms are in the initial stages of implementing zero trust security; another 27% say they already have implemented the approach and are seeing the benefits.

Monitoring of networks and endpoints, such as mobile devices, will continue to get increasingly sophisticated and effective with the addition of AI, machine learning, and data science, because security teams can better predict when suspicious activities are actually the beginning of an attack.

Aside from technology, employee training in security awareness is essential for building a proactive security program.

Tactics such as phishing, malware, and social engineering in many cases succeed because employees are not properly trained — or not trained at all — in how to recognize these incidents.

With the proper mindset, tools, and training, companies can create a proactive cyber security program that thwarts cybercriminals before they can do damage.

Bob Violino, special to CNBC.com