Simon Townsend, CTO – EMEA Ivanti, discusses how cybercrime has become a booming business over the last few years and offers steps for organisations to defend against this growing and ever-evolving threat.
The dependence of 21st century organisations on technology opens the door to a very dangerous business risk – the growing threat of cybercrime, with ransomware being one of the costliest weapons at a criminal’s disposal. This claim is backed up by commercial data consultancy Dun & Bradstreet which saw the second largest global business risk in Q2 2018 as organisations’ dependence on, and heightened connectivity to, technology leading to more frequent and more damaging cybersecurity issues.
The recent onslaught of ransomware has pushed many organisations to tighten up their cybersecurity measures in order to prevent these attacks from taking place. Unfortunately, cybercriminals are tech-savvy, so are able to evolve to work around many defences, modifying their methods in order to continue with their attack campaigns. The only way to properly protect against these attacks is with a defence in depth strategy that ensures no one security control is a point of failure, as well as an internal security culture embedded throughout the organisation.
Ransomware has been around for a long time. The first attack saw Joseph Popp PhD hand out 20,000 infected floppy disks to attendees of the World Health Organisation’s AIDs conference in 1989. Along with the disks, Popp also handed out leaflets that warned the software would ‘adversely affect other program applications’ and that victims would ‘owe compensation and possible damages to PC Cyborg Corporation’.
Victims would have to send US$189 to a PO box in Panama if they wanted their files back. Arguably, Popp was also an early example of an Internet troll. Yet, as technology developed and the public got more savvy over the following decades, security pros can be excused for believing that ransomware became a bit of a cybercrime dinosaur – Popp’s ransomware, for example, was incredibly easy to decrypt and it wasn’t impossible to track down the owner of a PO box.
However, the rise of cryptocurrency triggered a technological Jurassic Park, as demanding ransoms suddenly became something that cybercriminals could do completely anonymously, without any risk of being tracked down.
Furthermore, it’s also easier than ever for cybercriminals to put out these attacks with a great return on investment. Until recently, those who used ransomware had to have the high level of coding knowledge required to actually manufacture these attacks. Today, with the rise of ransomware-as-a-service, anyone with access to the Dark Web can buy an ‘off-the-shelf’ ransomware kit which costs an average of just US$10.50. Any amateur can now create and deploy a sophisticated attack in a matter of minutes.
There are many different motivations for why criminals perpetrate cyberattacks, with wreaking havoc and warmongering between nation states being increasingly prevalent reasons. However, the main motive continues to be financial with 76% of breaches analysed in Verizon’s 2018 Data Breach Investigations Report being motivated by cash gain. Developing and deploying a ransomware attack is very cost effective – the total sale of ransomware equalled US$6.2 million in 2017 yet the predicted damage caused by ransomware in the same year was a whopping US$5 billion. This easy ROI for cybercriminals has meant that the ransomware business continues to grow, becoming an even greater threat to the security of businesses.
Defence in depth
According to Verizon, 92.4% of malware attacks infiltrate a system via email, but organisations can also be affected via other vectors. For example, WannaCry was caused in part by unpatched and legacy software and hardware – namely technology that hadn’t been properly updated to patch up security holes or technology that was so old that developers are no longer even producing updates.
Because many attacks do infiltrate via emails targeting employees, user education is important – but this isn’t a valid anti-ransomware strategy on its own. It will most likely reduce ransomware and malware infection rates. However, in many cases malware distribution campaigns are created by professional social engineers. They implement proven methods, such as developing highly targeted and realistic mails, which increase the effectiveness of each campaign in order to convince even educated employees to download malware. However, in terms of implementing proper defences, a defence in depth approach is the only way to truly protect against the ransomware threat.
A well-protected organisation should be like an onion. If cybercriminals get through one layer of security, they should be stopped by another layer. Some key measures to include within a defence in depth approach include:
AV and next gen threat protection – these tools are critical but they can’t do it all. Only 30% of AV vendors were able to catch WannaCry when it happened and AV struggles to protect against the first wave of a new malware variant. AV must act as a very last line of technological defence
Patching OS and applications – patching is the fundamental way to reduce cyber-risk, because it reduces attack surface. If your AV has to defend against 1,000 vulnerabilities, it will be harder-pressed than if it has to defend against 10
Application control – whitelisting, memory injection protection, privilege management and other tools fall under the application control umbrella. Some organisations fear whitelisting because of the hassle associated with implementation, maintenance and the impact on users. However, there are dynamic whitelisting and privilege management approaches that can effectively deliver a level of security without major drawbacks.
Additional technologies can help as well but patching and application control are the most critical and are at the top of most security frameworks because they can reduce the most risk and mitigate against the greatest attack surface area. Of course, frequent backups are also key so that if ransomware does manage to get through, infected devices can be wiped and restored to their most recent backup.
Developing a culture of security
Technology is key, but effective defences can’t be put into place without c-suite buy-in. The c-level need to understand the enormous cost and business risk associated with cyberthreats such as ransomware, so that they place security at the top of their boardroom agenda. If the board doesn’t understand cybersecurity, an organisation cannot defend itself against cyberattacks because ultimately these people control business purse strings. If they act as security role models, promoting the highest levels of cybersecurity in their departments as well as with their own actions, the employees will likely also pick up secure behaviours and take cybersecurity just as seriously.
Having a culture of security within the organisation, as well as an in-depth approach to security technology, will best prepare your organisation for the money-making attack of the decade, the ransomware attack. Cybercriminals are always thinking of new ways to infiltrate, so the entirety of the organisation must always have security top of mind so that they can aim to stay ahead.