While ransomware has been around for a while, it has absolutely SURGED in the past year. In part, this is due to the move to work-from-home environments, as well as the emergence of ransomware-as-a-service (RaaS) – which enables less sophisticated cybercriminals to execute a ransomware attack.
Protecting against bad actors in a constantly evolving threat landscape is and always will be a challenge for cybersecurity professionals. Government mandates for cybersecurity compliance like PCI DSS, HIPAA, and CMMC – while built with good intentions – often become just another box to check in an organization’s cybersecurity posture.
That said, with CMMC becoming a mandate for any contractor or subcontractor doing business with the United States’ Department of Defense (DoD), it raises some questions:
- What does this afford your business in terms of protection from bad actors and their for-profit attacks?
- What does complying with additional levels do for you (L1, L2, L3, and beyond)?
- What are the limitations to CMMC’s ability to protect your organization?
How CMMC Helps with Ransomware
The CMMC cybersecurity framework is a carrot-and-stick arrangement. The stick is that complying with the framework will be required to conduct business with the DoD in the future. The carrot is a robust security framework and protection against bad actors and attacks like ransomware. Can you get to a state where you are protected from ransomware? Let’s find out.
In last month’s blog, we briefly discussed the CMMC Levels. Here we want to go into the standard a bit to discuss not only the requirement, but some of the perceived benefits of implementing such a framework. And yes, to continue conducting business with the DoD, you’ll have to attain a certain level of certification, but what are Processes, and how do they relate to your business and protection goals?
The CMMC framework describes Processes as a way to measure organizational maturity; in practice, they cover documentation, organizational oversight, and governance. As we know, the Process Maturity Levels are cumulative.
- Process Maturity Level 1 – Process maturity is not measured at Level 1, so there are no documentation requirements. You enact the 17 practices as described and can prove this to an auditor.
- Process Maturity Level 2 – The 72 required practices have been implemented, and the business has established a policy or policies for each practice. Policies can be categorized by domain or by capability.
- Process Maturity Level 3 – For each domain, the business must develop a security plan. The plan must detail how the business is putting each practice into action. What methods do you employ? Is there a cost? What are the educational requirements? A security plan may be a single document or a set of documents that explain how you’ll execute your security measures.
Regardless, attaining Level 3 certification may allow you to continue to conduct transactions with the DoD, but it won’t afford you the protection needed against ransomware (and possibly other forms of advanced malware).
- Process Maturity Level 4 – Now the business must assess the efficacy of its activities and be able to report on their performance to management and leadership. Some practices are straightforward, such as tracking the compliance percentage for your security patch policy or ensuring that inactive accounts are disabled as soon as possible. Others, such as assessing the effects of your CUI handling techniques (AM.3.036), may be less evident.
- Process Maturity Level 5 – At this level, you have applied everything from Levels 1-4 across the entire organization, not just a smaller subset concerned with the DoD contracts. For most smaller organizations, once you get to Level 4, you might for the most part have Level 5 completed.
Illustrative Level and Practice Protections
From a protection standpoint, Level 1 Practices (Domain, Level, and Practice Number) may start to formulate the Zero Trust Architecture (ZTA) / Ransomware protection picture. For instance:
- Under Access Control – Level 1
- AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.1.003 | Verify and control/limit connections to and use of external information systems.
With this type of control and the associated technology in place, you should be able to prevent lateral movement within the environment. But do keep in mind, it’s only one piece of the ZTA / Ransomware puzzle.
Another Level 1 practice comes from the System and Information Integrity (SI) Section:
- SI.1.211 | Provide protection from malicious code at appropriate locations within organizational information systems.
- SI.1.212 | Update malicious code protection mechanisms when new releases are available.
- SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
This could be accomplished with an EDR technology monitoring in real time for this malicious behavior and stopping ransomware before it becomes a problem. Once again, if requested, a managed EDR version (MDR) can be put in place, so there’s 24/7 coverage, working with Avertium, against this type of attack.
From the Risk Management Section you might want to consider your threat intelligence resources to bolster defenses, and third party and supply chain risk management as potentials for ransomware infiltration vectors.
- Level 4 RM.4.149 | Catalog and periodically update threat profiles and adversary TTPs.
- RM.4.150 | Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
- RM.4.151 | Perform scans for unauthorized ports available across perimeter network boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries.
- RM.4.148 | Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
Avertium’s Threat Intelligence Service will keep your infrastructure informed of current risks and how to react to them, and our third-party risk assessment service can assess and monitor your third-party supply chain for its risk potential, providing remediation steps to keep that vector secure.
Another example comes from Level 5 and the Incident Response (IR) Section:
- Level 5 IR.5.106 | In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
- IR.5.102 | Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.
With this type of control and the associated technology in place, you’ll be better aware of anomalous behavior in the environment and how to react to it quickly in order to stop or limit damage before it gets out of hand. This is where you could partner with a trusted advisor like Avertium if you don’t have the cycles or awareness to maintain such a 24/7 monitoring environment.
We’re not trying to architect your CMMC System Security Plan with this article, but merely show you what’s possible with this comprehensive framework. We could go on with more examples from the different levels, but you get the picture.
In short, there is a level of protection afforded with Level 3, which most will have already achieved having previously certified to NIST 800-171. Unfortunately, 800-171 was mainly self-certification and didn’t have any teeth. With CMMC, to achieve additional levels of protection to thwart ransomware, you might have to continue along the certification journey into levels 4-5 to see additional protections.
Limits to CMMC’s Ability to Protect You from Ransomware
At the end of the day, compliance for compliance’s sake does not necessarily protect your organization. There are no guarantees. CMMC requires businesses to have visibility into logs, to monitor, and interpret logs – but if you’re not engaged in the monitoring process, for example, that check-the-box approach can leave you vulnerable.
You may also have to consider advanced technologies to combat ransomware techniques. A Zero Trust Architecture may be the better answer to combat the lateral spread of this type of attack within your environment. CMMC doesn’t specifically spell this out, but gives you some guidance that puts the proper technology in place for you to implement this architecture. With CMMC, you may only find that guidance in the upper levels within the CMMC Maturity Model, so it’s important to look outside basic, check-the-box compliance.
Postface: Editor's Note on CMMC
Compliance for compliance’s sake doesn’t really get you anywhere; if you approach it with the right strategy and philosophy, you’ll better understand it. The nice thing about CMMC is that it has a maturity model built in so that you can continuously improve. If you explore the higher levels of CMMC certification and do it with the right approach, compliance happens alongside an improved cybersecurity posture.
Unfortunately, ransomware will always be a threat, but you can greatly reduce the attack surface with the right approach.
How Avertium Can Help
Avertium is an RPO certified by CMMC-AB. We will get to know your company, establish a baseline maturity index, and collaborate with you to develop a compliance and security program enhancement strategy that suits your business model.
Click here to learn more about how Avertium can help you through the CMMC compliance process. Also, to learn about the corresponding Managed Security and Professional Service Offerings that apply to any of the CMMC Levels, Domains, and Practices, your Sales Team can assist you.