Maksim Kabakou - Fotolia

Security Think Tank: Let’s be transparent about ransomware

Greater transparency regarding ransomware attacks, including details about attack methods used and what kinds of assets were compromised, would likely help the community prevent future attacks

Ransomware continues to afflict companies, non-profit organisations and government agencies worldwide. Stories about new ransomware attacks regularly appear in the tech news headlines – and there are many other incidents that don’t make the news, but we hear about anecdotally.

Being exploited by ransomware perpetrators has a negative stigma that is exacerbated by a common perception that the victim must have done something wrong or not taken enough precautions. This results in a culture of secrecy in the business world.

Greater transparency regarding ransomware attacks, including details about attack methods used and what kinds of assets were compromised, would likely aid the community in preventing future attacks.

Ransomware most commonly arrives via phishing emails or through direct network access. In the case of phishing email, the recipient gets an email containing malicious files or links that install the ransomware, which leads to compromise. In the case of direct network access, ransomware operators obtain valid credentials and configuration information from the dark web, allowing them to survey, exfiltrate data, and detonate ransomware payloads on victim assets.

Regardless of the vectors used, ransomware attacks have some things in common: malicious code, network access and valid credential usage, for example. Perpetrators traverse victims’ networks, email systems or services, web gateways and endpoints. A failure or even a weakness at any point in the IT infrastructure increases the risk of compromise by ransomware.

What is needed to increase ransomware resistance?

The appropriate defensive measures must be in place at every relevant part of an organisation’s architecture, but here are the top five security technologies that should be addressed first:

  1. Endpoint protection detection and response (EPDR) tools provide many functions to detect malware before it runs and stop it from executing, as well as look for signs of compromise in case the warning signs were missed.
  2. Vulnerability and patch management: Many forms of malware, including leading ransomware families, exploit known vulnerabilities in operating system or application code. Knowing which vulnerabilities are present in your environment and being able to patch them in a timely manner is a foundational element of proactive hardening in security architectures.
  3. Email, messaging and web security gateways and services: Email and other messaging platform content should be analysed and scrubbed of malicious content before landing in users’ inboxes or apps. Connections to and from known malicious or suspicious IPs and domains should be blocked.
  4. Zero-trust network access: Properly authenticate and authorise every resource request in your environment, including all permutations of user, device, network, system, application and data object. Taking away the hacker’s ability to pivot across flat local networks can massively reduce the potential impact of a ransomware attack.
  5. Offline backups: Online backups and backups to the cloud have become standard in many organisations due to the ease of use and lower costs and maintenance. However, ransomware operators leverage compromised admin privileges to delete online and cloud backups. Having offline backups available is the safest method for ensuring successful recoveries in the event of a ransomware attack.

Other security tools that should be in place include identity and access management (IAM)/identity governance and administration (IGA): Users should have the appropriate level of entitlements to get their jobs done; identity lifecycles should be managed, removing those who have left your organisation; and multi-factor authentication (MFA), risk-adaptive authentication and fine-grained access controls should be deployed.

Privileged access management (PAM): The most devastating ransomware attacks leverage credentials of admins or service accounts to gather, exfiltrate and encrypt data across multiple and disparate systems and applications in the victim organisation. PAM systems help enforce the principle of least privilege.

Data security: Data leakage prevention (DLP)/cloud access security brokers (CASB). DLP and CASB tools can extend granular access control to the data object level for on-premise and cloud-hosted applications.

Network detection and response (NDR): If sophisticated attackers find ways to bypass other security controls or delete log files on endpoints and servers, often the last place that their activities can be detected is at the network layer itself. NDR tools can find the trails attackers leave during reconnaissance, lateral movement and data exfiltration attempts. NDR tools are increasingly aligning with EPDR tools in extended detection and response (XDR) suites.

For years, many organisations have been training users to identify or at least suspect malicious emails and files. Although user training is still a necessity, the reality is that attackers constantly innovate on their insidious techniques to disguise their operations. Ransomware attackers can craft very realistic emails and documents that can deceive even trained security professionals.

It is better to invest in security tools that can be updated as new threats emerge than to rely on annual or quarterly security training for users. Blaming the user when failures happen is not an effective security strategy.  

Having all the right elements of a security architecture in place improves your chances of preventing ransomware attacks and/or minimising damage. Although the security incident rate at cyber security and IAM solution providers is comparatively low, it has increased somewhat in the last few years. Attackers have been targeting members of the software supply chain and are likely to continue to do so. Comprehensive defences are needed to boost resilience across the IT industry.   

Read more from the November 2022 Think Tank

  • Ransomware defence is failing because we don’t view our digital infrastructure in the same way as our physical infrastructure, argues Elastic’s Mandy Andress.
  • Ransomware has the potential to cause irreversible business damage, so CISOs should consider not only protection. but also response and recovery.
  • To combat the ransomware scourge, we must work harder to monitor and learn from the increasingly complex threat environment, keep a closer eye on supply chains, and share our insights.

Read more on Hackers and cybercrime prevention