Ransomware is a devastating, costly and persistent tactic. NIST’s new reference architectures go a long way to guiding organizations toward a stronger ransomware defense, but user training is required as well. Crypsis Group’s Stephen Boyce discusses the role of end-user training in ransomware defense.
Ransomware threat actors have become increasingly sophisticated in their approaches for effectively deploying ransomware. In our experience with these incidents, a significant vulnerability remains the victim organization’s employees: All too often, employees are falling victim to phishing attacks that result in ransomware infections.
Recently, The National Institute of Standards and Technology (NIST) released a pair of reference architectures, currently open for public comment, designed to provide an overview of available technologies, best practices and methods to improve the detection and mitigation of ransomware attacks.
This guidance is helpful in delivering an end-to-end approach for increasing the cybersecurity posture of the organization, leveraging much of the solid framework put forth in NIST CSF 1.1 and drawing from both the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce and the NIST Privacy frameworks. While the NIST CSF directly discusses the importance of user education in mitigating cyber risk, the new NIST ransomware guidance does not, and I think it is worth focusing on what else organizations need to be doing to help mitigate the risk of ransomware.
Organizations have suffered tremendously from ransomware. Symantec noted in their 2019 Internet Security Report that ransomware attacks have significantly increased. From our data involving hundreds of ransomware incidents, not only are organizations more commonly targeted, but ransom demands have also risen approximately 200 percent between 2018 and 2019, with the average payment totaling nearly $115,000 per incident in 2019.
Ransomware actors will continue to quickly shift their tactics, tools and procedures, and organizations will continue to scramble to shift their defenses — a costly match of cyber jiu-jitsu. Many organizations have adopted either sector-specific cybersecurity frameworks (such as ANSI and HITRUST) or general frameworks such as the NIST CSF. While NIST’s forward-leaning approach in their ransomware guidelines has gone a long way in addressing remaining cyber gaps with respect to this devastating tactic, let’s turn our attention to employee training, a “must” in the arsenal against ransomware.
Effective Employee Training: What Does It Look Like?
The key to successful employee training is understanding that threat actors have highly variable tactics — they evolve, are customized by organization and/or user and can be escalated as needed. With this understanding, you should customize your employee training to not only take into account threat actor methodologies, but also the unique traits of your organization and individuals within that organization. Below are some guidelines for customizing your security training:
Tailor the Training
While most training will be web-based, you can still create modules customized to individual groups pertinent to their roles and how they specifically may be targeted. IT will need to know how to respond and inform; finance will receive different tactics than marketing and HR; executives may be more highly targeted for spear-phishing and should be provided specific guidance on what to look for and how to communicate to employees on the importance of security. As one example, marketing employees may receive emails about meeting up at a trade show or offers from third parties they work with regularly, all of which will look quite legitimate. By training teams in their own language about tactics they may see in their realms, they can better spot and avoid tactics that may be used against them.
Make Training Incrementally Harder
Phish-testing will be more effective if you train users incrementally, starting with the easiest tactics and progressing to techniques that are harder and harder to spot. By tracking your organization’s strengths and weaknesses in these tests, you can custom build phish-testing that focuses on areas of weakness, creating a stronger human shield against ransomware and other attacks.
Keep it Comprehensive
The tactics threat actors use go beyond phishing and spear-phishing. They could attempt physical access using a number of social engineering tactics, meet up with employees at a trade show and give them a USB drive or other nefarious techniques. Employee training should address all social engineering and physical security concerns.
Additionally, the following ideas can increase the effectiveness of your training:
Try Gamification
Security training can be made fun by “gamifying” the testing and results. Gamification involves setting goals, rules for reaching the goals, rewards or incentives, feedback mechanisms and, often, leader boards (organizations can compete against each other). By making it more fun, employees are more engaged and learn more. Security training is by its nature dry, and if it sounds frightening and potentially punitive, it will be less effective. If you can turn the game into “outsmarting the hacker,” they will learn something and have fun along the way.
Make Training More Frequent
Conducting training once annually is helpful, and it’s better than nothing; but it is easy to forget about security in the intervening months. We suggest holding across-the-board security training annually, as well as a mid-year “refresh” that builds on specific areas of emphasis, such as advanced techniques. This will keep security awareness front and center and allow employees to build on what they learn.
Make it Cultural
Creating a “security awareness culture” is essential. If security is something employees only focus on when doing a 30-minute, web-based training once a year, they aren’t going to have it on their minds when they receive an email with a questionable attachment. Company leaders must buy into the importance of cybersecurity, support and promote richer cyber training programs and emphasize security in company communications. Some organizations display posters in public areas reminding employees to be security aware, send out regular security tips emails, have proactive alerts that inform about malicious emails seen by individuals, etc.
By adding these effective employee education techniques to the NIST ransomware reference architecture, organizations should be in a stronger overall position to defend against ransomware attacks. There is no silver bullet against threats, and employees are likely to remain our biggest vulnerability, but we should do our best to keep employees as aware as possible of the techniques that may be leveraged against them and the organization.
Stephen Boyce, Principal Consultant at 
