While ransomware has been around for a while, it has surged in the past year. In part, this is due to the move to work-from-home environments, as well as the emergence of ransomware-as-a-service (RaaS), which enables less sophisticated cybercriminals to execute a ransomware attack.
Protecting against bad actors in a constantly evolving threat landscape is and always will be a challenge for cybersecurity professionals. Government mandates for cybersecurity compliance like PCI DSS, HIPAA, and CMMC, while built with good intentions, often become just another box to check in an organization's cybersecurity posture.
That said, with CMMC becoming a mandate for any contractor or subcontractor doing business with the United States Department of Defense (DoD), it raises some questions:
The CMMC cybersecurity framework is something of a carrot and stick. The stick is that complying with the framework will be required to conduct business with the DoD. The carrot is a robust security framework and protection against bad actors and attacks like ransomware. Can you get to a state where you are protected from ransomware? Let's find out.
In last month's blog, we briefly discussed the CMMC Levels. Here we want to go into the standard in more detail to discuss not only the requirements but also some of the perceived benefits of implementing such a framework. Yes, to continue conducting business with the DoD you'll have to attain a certain level of certification, but what are Processes, and how do they relate to your business and protection goals?
The CMMC framework describes Processes as a way to measure organizational maturity; in practice they concern documentation, organizational oversight, and governance. As we know, the Process Maturity Levels are cumulative.
Regardless, attaining Level 3 certification may allow you to continue to conduct transactions with the DoD, but it won't afford you the level of protection needed to defend against ransomware (and possibly other forms of advanced malware).
From a protection standpoint, the Level 1 Practices (identified by Domain, Level, and Practice Number) begin to form the Zero Trust Architecture (ZTA) / ransomware protection picture. For instance:
With this type of control and the associated technology in place, you should be able to prevent lateral movement within the environment. But do keep in mind, it’s only one piece of the ZTA / Ransomware puzzle.
This could be accomplished with an EDR technology that monitors for this malicious behavior in real time and stops ransomware before it becomes a problem. Once again, if requested, a managed EDR version (MDR) can be put in place so that you have 24/7 coverage from Avertium against this type of attack.
From the Risk Management section, you might want to consider your threat intelligence resources to bolster defenses, and to treat third-party and supply chain risk management as potential ransomware infiltration vectors.
Avertium's Threat Intelligence Service will keep your infrastructure team informed of current risks and how to react to them, and our third-party risk assessment service can assess and monitor your third-party supply chain for its risk potential, providing remediation steps to keep that vector secure.
Another example comes from Level 5 and the Incident Response (IR) Section:
With this type of control and the associated technology in place, you'll be better aware of anomalous behavior in the environment and how to react quickly to it in order to stop or limit the damage before it gets out of hand. This is where you could partner with a trusted advisor like Avertium if you don't have the cycles or the awareness to maintain such a 24/7 monitoring environment.
We’re not trying to architect your CMMC System Security Plan with this article, but merely show you what’s possible with this comprehensive framework. We could go on with more examples from the different levels, but you get the picture.
In short, there is a level of protection afforded with Level 3, which most organizations will have already achieved by previously certifying to NIST 800-171. Unfortunately, 800-171 was mainly self-certification and didn't have any teeth. With CMMC, to achieve additional levels of protection to thwart ransomware, you might have to continue along the certification journey into Levels 4-5 to see additional protections.
At the end of the day, compliance for compliance's sake does not necessarily protect your organization. There are no guarantees. CMMC requires businesses to have visibility into logs and to monitor and interpret them, but if you're not actually engaged in the monitoring process, for example, that check-the-box approach can leave you vulnerable.
You may also have to consider advanced technologies to combat ransomware techniques. A Zero Trust Architecture may be the better answer to combat the lateral spread of this type of attack within your environment. CMMC doesn't specifically spell this out, but it gives you guidance that puts the proper technology in place for you to implement this architecture. With CMMC, you may only find that guidance in the upper levels of the CMMC Maturity Model, so it's important to look beyond basic, check-the-box compliance.
Compliance for compliance's sake doesn't really get you anywhere; if you do it with the right approach, strategy, and philosophy, you'll better understand it. The nice thing about CMMC is that it has a maturity model built in so that you can continuously improve. If you explore the higher levels of CMMC certification and do it with the right approach, compliance happens alongside an improved cybersecurity posture.
Unfortunately, ransomware will always be a threat, but you can greatly reduce the attack surface with the right approach.
Avertium is an RPO (Registered Provider Organization) certified by the CMMC-AB. We will get to know your company, establish a baseline maturity index, and collaborate with you to develop a compliance and security program enhancement strategy that suits your business model.
Click here to learn more about how Avertium can help you through the CMMC compliance process. To learn about the corresponding Managed Security and Professional Service offerings that apply to any of the CMMC Levels, Domains, and Practices, your Sales Team can assist you.