Overview of the Cyber Threat Landscape
As a key stakeholder in commercial transportation security and research programs, NMFTA works to educate the transportation industry on potential cyber threats to connected vehicle fleets. In 2018, transportation became the nation's second-most attacked critical infrastructure sector, and the trucking industry has become a top target of ransomware attacks. The FBI's October 2019 Public Service Announcement (PSA), High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations, states, "Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted ... the transportation sector."
According to the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) in CISA Insights - Ransomware Outbreak, "Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation's networks, locking up private sector organizations and government agencies alike. ... We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?)."
NMFTA's Work to Harden Fleet Defenses
NMFTA created several documents for participants to customize for use in their own organizations. These templates are being released for public use to maximize their benefit to the transportation sector. They are published here as Word documents so that each organization may tailor them to its own needs.
Organizations without a mature, documented incident response plan may wish to utilize the Ransomware Playbook as a starting point to build a plan. Others may wish to vet their organization's current plan against the compilation of best practices and resources cited in the Playbook.
The Tabletop Exercise package can be used to test the strengths and weaknesses of current plans and responses. The Facilitator's Handbook and the Participant's Handbook contain all of the materials necessary to conduct a tabletop exercise based on a technology-driven business disruption scenario.
The Facilitator's Handbook provides guidance on each event (i.e., "inject") that occurs or is discovered as the business interruption unfolds throughout the day. It includes questions to prompt discussion and decisions by participants, and suggested timings for each event to mimic the real-world flow of information, pressure to act and resource constraints. Facilitators should read the Facilitator's Handbook thoroughly in advance of the exercise and take particular note of the suggested timing for each session and inject when planning and scheduling the exercise. It may be helpful to designate a timekeeper so that the participants' experience is as realistic as possible.
The Participant's Handbook should be handed out in sections throughout the day, when triggered by prompts in the Facilitator's Handbook, to create a realistic experience. A copy of the participant view is embedded in each section of the Facilitator's Handbook, so any customizations to the Participant's Handbook should be reflected in the Facilitator's Handbook as well.
After the events conclude, it is important to conduct a debrief, before the participants are dismissed, to capture the strengths and weaknesses in the organization's response that were identified during the exercise, identify improvements that can be made and, if possible, specify action steps and assign action owners to implement them. The goal of the exercise is to identify what went right and what went wrong in the simulated incident response so the organization can continually improve both its response and its response time. It may be useful to hand out the Playbook as a reference during the Hotwash/Debrief to help identify improvement steps. The Facilitator's Handbook contains a link to FEMA's Hotwash/Debrief template, which can serve as a guide for a structured discussion to solicit lessons learned.
In the days following the exercise, organizers should translate the lessons learned into an After Action Report/Improvement Plan (AAR/IP). A link to an online template AAR/IP is included in the Facilitator's Handbook. The completed AAR/IP should be distributed to all participants and action owners to ensure proper follow-through and implementation of key action steps.
Incident response is an area that improves with practice and experience. Regular exercises lead to better communications, better decision-making and reduced response time, which are crucial in limiting the scope and effectiveness of a cyber-attack. NMFTA hopes you will find these templates and the resources below useful additions to your organization's cyber toolkit.
Listed below are some of the free resources available to the public, some of which are referenced in the Ransomware Playbook.
- CISA Ransomware Guidance and Resources is a one-stop destination for ransomware resources and guidance from the Cybersecurity and Infrastructure Security Agency (CISA), an agency within the US Department of Homeland Security
- US FBI Bulletins is one of the few public sites where FBI Private Industry Notifications (PIN) and FBI FLASH messages are posted
- NMFTA Ransomware Top 10 Defensive Tips provides our top 10 tips on how to protect your company against ransomware. While nothing is absolutely certain, following these 10 steps should help you prepare for and defend against ransomware.
- IOActive: Threat modeling is a technique for identifying potential issues and rating their risk. Gaining a risk picture for individual systems across the organization affords a solid basis for making risk-based, data-driven strategic decisions. Threat modeling is a security culture accelerator: it helps organizations proactively prepare for security challenges, build defenses, and constructively prioritize security needs.
- FireEye report: Ransomware Protection and Containment Strategies
- FBI: Ransomware Prevention and Response for CISOs
- Center for Internet Security (CIS): 7 Steps to Help Prevent & Limit the Impact of Ransomware
- Lockheed Martin: The Cyber Kill Chain
- MITRE: ATT&CK framework
- INFOSEC Institute: Threat Hunting: IOCs and Artifacts