Richard Cassidy, Senior Director of Security Strategy, Exabeam, discusses the recent changes in the cyber landscape and the new strains of ransomware, why companies should not fall into the trap of paying ransom demands (and the repercussions if you do) and how to detect and defeat ransomware with threat intelligence.
In an ever-evolving cybersecurity landscape, ransomware remains one of the most prolific threats facing modern businesses. Despite a plethora of tools and solutions specifically designed to identify and stop such attacks, a worryingly high number still successfully get through. When they do, they can cause considerable, operational, financial and reputational problems for the victim – just ask Garmin, which was recently forced to pay a reported US$10 million ransom to regain control of its systems after such an attack. But why do so many attacks get through? Why aren’t the tools being put in place doing a better job of stopping them? This article will answer these questions and discuss how businesses can protect themselves more effectively going forward.
The resurgence of ransomware
Ransomware is nothing new. In fact, the first recorded attack took place as far back as 1989 when delegates at a World Health Organisations AIDS conference in Stockholm were targeted with something called the AIDS Trojan. Fast forward a couple of decades and ransomware was almost on the verge of dying out, but a huge resurgence in recent years has seen it return right back to the top of the cybercrime tree.
In the midst of a global pandemic and many economies in a state of crises, you can rest assured that the adversaries are also feeling the strain. As such, there’s been a need to diversify income streams with a back-to-basics modus operandi of financing, which is, the path-of-least-resistance attack. Cybercriminals have normally offered decryption keys to sensitive data in return for cryptocurrency via anonymous wallet transactions. Once paid, keys are provided (usually) and access to data is restored, corporate wounds are licked and the PR machine is in full swing to limit brand reputation damage. Industry has long talked to the need for secure effective backup and disaster recovery programmes to ensure Business Continuity, which – in theory – meant organisations could recover swiftly from a ransomware attack and return to normal operations. Unfortunately the very nature of cybercriminals means that we’re now seeing data being auctioned on public and Dark Web sites for a princely sum, meaning that even if your organisation can recover from encrypted data through backup and restore, there’s no escape from the sinister extortion techniques now being enacted by these groups, often leaving CISOs and boards in a lose/lose scenario when hit by ransomware.
Most businesses don’t have a ransomware problem, but a ‘technology effectiveness’ one.
For most modern organisations, ransomware itself isn’t the biggest problem, but rather the effectiveness of the technology in place to protect against it. As vendors launch new security tools over time, CISOs buy and deploy them in the belief that they are bolstering their existing solutions. However, with every new tool creating its own constant stream of information and alerts, if this data flow isn’t properly managed or centralised, it can quickly become overwhelming which leaves business more vulnerable than they were before in some cases.
To put this into context, a recent Cisco Benchmark report found 40% of organisations receive 5,000 alerts every day – with 16% facing more than 10,000 – from the 30+ different security tools they have deployed. Not only does this cause extreme alert fatigue among security teams, it makes genuine threats much harder to identify quickly. Even when a noteworthy threat is spotted, it can take an average of 25 minutes to triage, with deeper investigation extending to hours or days thereafter. Cybercriminals capitalise on this fact, which if we consider the fastest time from breach land to expand being at 18 minutes or so, it’s critical that we look to capabilities that enable effective detection and response functions in the fight against malware in general.
Further compounding the issue is the fact that many CISOs don’t actually know where their most sensitive data resides, having never taken the time to properly classify it all. The recent hyper adoption of cloud SaaS offerings, in response to a forced shift in working practices, only compounds this problem. If we don’t truly know where their sensitive data is – or even why it needs protecting – then it goes without saying that the security solution put in place won’t be anywhere near as effective as it could be.
Understand your adversary to build an effective mitigation strategy
It’s long been said (according to Sun Tzu) that to ‘know your enemy, you must become your enemy’. Advancing such a notion to the age of cyber warfare relies on two key elements. The first is that you take the time to review and research who or what you’re protecting your business assets from. Second is the implementation of continuous improvement and testing initiatives to ensure no stone is left unturned in the cybercriminal vs. corporation battlefield we’ve all been deeply entrenched in since our respective careers began.
The APT groups you should pay close attention to are:
- TeleBots, TA505, Grim Spider, Pinchy Spider, Zombie Spider (Russia)
- Lazarus Group OR Labyrinth Cholima (North Korea)
- Temper Panda (China)
- Boss Spider (Iran)
Ultimately, there are many others that we could mention if we look into historical data on ransomware attacks (major credit to ‘ThaiCERT’ for some of the above datasets), but more important in overall defence strategy is the ‘what’ over the ‘whom’. If we acknowledge the fact that ransomware has been a part of industry for just under 30 years now, then it stands to reason that as organisations, we should look to the commonalities in the anatomy of a ransomware attack, so that we can better poise our security and business operations teams to mitigate the threat. This is where you must turn to a term known as ‘TTPs’ (Techniques, Tools & Procedures) of any cybercrime group that would look to target your business with a ransomware attack. There’s a wealth of resources available that can help your security teams to understand attacker TTPs in great detail and a plethora of effective security test tools to support continuous testing against your critical assets to ensure protection against the common TTPs in operation by cybercriminals this past two decades.
An effective approach can all but eliminate zero day threats
The most effective approaches today combine automation, data science and context-based risk analysis, to identify genuine threats and better help security teams mitigate them as quickly as possible. Data streams from all security tools can be centralised through a single ‘security brain’ which monitors information flow over time, enabling benchmarks for normal user and system activity to be established. When anomalous behaviour is detected, it’s automatically analysed and assigned a score based on the level of risk they present. Only those with a high enough score trigger alerts for follow up by the security team, allowing them to focus on genuine threat prevention, rather than chasing false positives all the time.
The most critical element of monitoring, analysis and detection has to be focused on ‘credentials’; without credentials, malware is very limited in what it can achieve beyond the initial infection point (often a user’s endpoint/device or unsecured IoT device). By monitoring the use and privileges of your organisation’s credentials, you’ll be in a far better position to detect malware threats early in their attack life cycle.
When implemented effectively, such an approach can also virtually eliminate zero day threats. This is because all malware, by its very nature, has to deviate from established user/system benchmarks in order to achieve its goals. As soon as it does so, the system will detect it, giving security teams the chance to prevent an attack before it’s had time to trigger inside the network.
The first line of defence is always users, not technology
With enough dedication and effort, any business can implement an extremely effective security technology solution in 12-18 months. However, it’s always worth remembering that the first line of defence in any security chain is its users. Nearly every successful cyberattack begins with social engineering or an unaware staff member clicking on a compromised email link. As such, regular training and education will always be the strongest (and most cost-effective) weapon in the cybersecurity arsenal.
The spectacular resurgence in ransomware over recent years has left many businesses scrambling to ensure they have effective security solutions in place. However, simply stacking multiple tools on top of each other isn’t the answer and will quickly lead to security teams drowning in data. Instead, businesses need to take the time to first understand where their sensitive assets actually are, then build a solution around them that centralises data and enables teams to quickly sort genuine threats from false positives. This approach, combined with the help of trained and vigilant employees, stands them in the best stead in an increasingly challenging cyber landscape.
Click below to share this article