There are myriad scams and criminal business models in play online today, but few as popular and effective as ransomware. As a company we haven't done anything with ransomware in over a year, but it is still the #1 reason people seek us out. Have you given any thought to how your professional life would change if the bad guys decided to go all-in on the ransomware model? What happens to the field, to your career, to the lives of ordinary people, if a payoff is cheaper than calling for help? Defenders like to promote the idea of “raising attacker costs,” but the genius of ransomware is that it lowers the victim's cost of response instead. If you’re hit with a successful ransomware attack and have no tested, offline backups, no company and no practitioner, regardless of reputation or skill, can get your data back for you. You pay, or you lose the data. Even if the ransomware failed to fully execute, no piecemeal effort to recover files will be as cheap as the ransom.
If you’re a cyber-criminal, collecting a million dollars $300 at a time seems pretty tedious, but given what happens to people who go to the trouble of building elaborate criminal schemes (and living where the FBI can reach them), running a few ransomware campaigns from somewhere that won’t extradite you looks like a much better way to go.
What if ransomware is only the beginning? What about exposé-ware? I’ve copied your files. Pay me a minimal amount of money in a given time-frame or I’ll publish your data online for everyone to see. Live in a community that frowns upon certain types of behavior? Pay me or I’ll make sure the pitchfork brigade is at your door.
If future digital criminal schemes were run with the same level of (illicit) professionalism as ransomware, why would a victim do anything but pay? The cops won’t help you; incident response can’t help you. A security company can charge you, but it won’t recover your proprietary or private information, defend your reputation, or save your life.
If an era in which paying the criminal to remedy a security failure is cheaper than calling in security experts is even remotely realistic, we need to collectively get on board with some new ways of doing things.
For starters, we need to work at scale. Botnet takedowns are one example. I’m proud to have been associated with a few, and I’m not going to pretend every effort like this goes off without a hitch, but we need to do more at or near the same scale as the bad guys, and often. That’s really the only way we have any hope of raising attacker costs: when they’re fighting people in the same weight class with similar skills on a regular basis.
We also need to accept that the future has to be more about restoration than conviction. Most corporate victims of computer crime don’t want to prosecute, they just want to get back to work. Tactics, techniques, procedures and tools need to reflect that reality. If you’re law enforcement you don't have a lot of leeway in that regard, but everyone else: are you really doing right by your customers if you are adhering to a law enforcement-centric approach simply because that’s how you were taught?
Finally, we need to retire more problems. You've heard the phrase: “if you’re so smart how come you’re not rich?” My variation is: “if you’re such an expert how come you haven’t solved anything?” Now not every computer security problem can be solved, but there are problems that can be minimized if not trivialized. That would require regularly growing and then slaughtering cash cows. Business majors who run massive security companies don’t like that idea, but it is not like we’re going to run out of problems. So as long as there are new opportunities to slay digital dragons, you have to ask yourself: am I in this to get rich, or am I in this to make the ‘Net a safer place? Kudos if you can honestly do both.