Anti-Ransomware Day – Probe, Protect, and Prevent

Falling on the anniversary of the WannaCry ransomware attack, which impacted more than 60 NHS trusts in the UK, Anti-Ransomware Day is a stark reminder of the damage that cybercriminals can inflict on an organisation.

Jasson Casey, Chief Technology Officer at Beyond Identity, reveals: “Of the UK businesses who identified a cyber attack in 2022, while ransomware only accounted for around one in five of all attacks, it was cited as the most significant threat.”

The average downtime following a ransomware attack is 22 days, during which the organisation suffers from significant reputational and financial damage. With the penalty of a successful ransomware attack being so high, Cyber Protection Magazine spoke to cybersecurity professionals about cybercriminals’ ever-growing and maturing methods and the defences organisations must have in place. Remember, it’s a matter of ‘when’, not ‘if’ your organisation will suffer a cyberattack.

Out with the old, in with the new

The rise in ransomware attacks has been accompanied and aided by the rapid growth in technological innovation. This has enabled employees to work both from home and on the go more than ever before.

Hubert Da Costa, CRO at Celerway, points out that, unfortunately, “a lack of available connectivity often means staff rely on their personal mobile phone connections and unsecured public Wi-Fi networks to connect back to their company’s corporate network. With an estimated 43% of people having had their online security compromised while using public Wi-Fi, the opportunities for threat actors to place ransomware or malware through these unsecured networks will put companies’ (and their customers’) data at risk.”

However, although this technological innovation has led to security weak points through remote working, it has also enabled the world to get better at defending against and recovering from attacks. This hasn’t deterred cybercriminals, argues Andy Swift, Cyber Security Assurance Technical Director at Six Degrees, who explains that attackers have also evolved and changed tactics.

“The old ‘We have locked all your systems. Pay us to unlock them.’ just doesn’t work on a large scale anymore. Today it’s all about the quality of the data. In 2022 we even saw groups not using payloads at all, rather relying solely on data extortion. The attacker would spend time in a given network, working out how the company works, who it works with, and what data is valuable to them specifically. Once the attacker knows what data is valuable to an organisation, the attack becomes about how you leverage that data,” he emphasises.

Stolen credentials and issues with endpoints

Even for seasoned security professionals, there are common misconceptions about the main causes of ransomware attacks, and sometimes the methods put in place to increase security end up unintentionally leaving a welcome mat out for attackers.

Beyond Identity’s Casey explains: “Attackers don’t break in, they log in. The Verizon 2022 Report illustrates that a significant majority of ransomware breaches are a result of stolen credentials, with an almost 30% increase in use since 2017, cementing it as one of the most tried-and-true access methods in the past four years. Antiquated authentication methods – be it passwords or traditional MFA – continue to put organisations at risk.”

Alongside credential-based authentication, endpoint detection and response (EDR) solutions – which are designed to identify suspicious behaviour – are also highly susceptible to exploitation.

Randeep Gill, Principal Cybersecurity Strategy at Exabeam, explains that, “If an adversary were to take advantage of an EDR tool, they would have access to a variety of an organisation’s telemetry, including user and identity authentication, access to files, system variables and key business applications. All of which increases the scope through which ransomware can be deployed.”

Landmines within organisations’ infrastructure

Unfortunately, not only can businesses’ own security processes be used against them, but criminals also target companies’ unknown vulnerabilities. Laurie Mercer, Director of Security Engineering at HackerOne, elucidates that it was unsurprising that unpatched vulnerabilities were a common access method when you consider that cybercriminals have CVE databases at their fingertips.


Mercer continued: “Beyond known CVEs, organisations’ unknown assets have the potential to pose an even greater risk. One-third of organisations say they observe less than 75% of their attack surface. Where the unknown is so vast, it is no shock that ransomware is on the rise. A simple solution? Using a cybercriminal’s own strengths against them to protect and patch vulnerabilities by adopting the outsider mindset.”

Using their own strengths against them

Arguably the most obvious resource to deploy against cybercriminals is the ethical hacking community, which matches their ingenuity and inventiveness. Both sides rely on the same human creativity and therefore possess the same skills, whether those are used to plant landmines in an organisation’s infrastructure or to dig them out and defuse them.

HackerOne’s Mercer explained: “In the case of both Vulnerability Disclosure Programs (VDPs) and Vulnerability Rewards Programs, including Bug Bounty programs, the outsider mindset is harnessed to complement organisations’ offensive security strategy.

“Organisations should continuously evaluate and improve their security practices, keeping up with the latest threat intelligence, and investing in regular security assessments by skilled security professionals, testers and hackers. Where cybercriminals look for ways onto your system without your permission, businesses that allow ethical hackers to access their systems will ensure unknown entryways are effectively blocked.”

Threats – Detection and Deception

An often overlooked approach is to source and implement a managed threat detection service, argues Andy Bates, Practice Director – Security at Node4.

“A Security Operations Centre service (SOC) uses the latest AI technology and third-party intelligence sources to deliver proactive security management. The external team of expert security analysts will monitor alerts 24/7, and be on hand to immediately respond to any threats that occur. Working with a managed service partner provides an agile and responsive way to tackle IT security threats. It is also incredibly cost-effective, removing the need to recruit and retain an entire Information Security team that would be needed for such around-the-clock protection.”

Both methods – ethical hackers and a SOC – strengthen organisations’ security because each examines the business from an external perspective. However, Cesar Cid de Rivera, INTL VP of Systems Engineering at Commvault, elucidates that companies should focus on prevention just as much as protection: “The urgency for strong cybersecurity measures has led to huge innovation in the industry. Cyber deception is one of the methods that has come to the fore of cyber defence in recent months. It puts organisations one step ahead of attackers in protecting their data by deploying decoys to throw the attacker off course and lure them to fake assets, rather than the real ones. Organisations are alerted as soon as the attacker enters the decoy IT environment, and security teams can then take immediate action and isolate the real data. It’s an innovative approach to modern challenges that transforms the organisation into the manipulator, rather than being blindsided.”

The way in which attackers target organisations is diverse and constantly evolving, making it imperative for organisations to keep up-to-date with the latest security processes and utilise varying security methods to make sure that all ground is covered.

Node4’s Bates summarises: “In the same way that we look after our hearts rather than simply deal with a heart attack, we should constantly be monitoring our systems to protect them from ransomware, rather than just reacting to the attack once it has happened.”
