VIEWPOINT
HOW TO PROTECT AGAINST RANSOMWARE

The business of ransomware is changing – detection and response need to change too, writes Ammar Enaya, Regional Director – Middle East, Turkey & North Africa (METNA) at Vectra

It hasn’t been long since ransomware was an untargeted, opportunistic, verbose, and rapid attack. 2017’s WannaCry, exploiting the Server Message Block (SMB) network worm vulnerability EternalBlue, propagated its multiple variants across the world’s networks at machine speed, impacting over 230,000 hosts in more than 150 countries. While the damage caused by WannaCry was significant, the ransomware operator only pocketed a comparatively small number of bitcoins, currently valued at around $621K USD.

More recently we’ve seen criminals move from a high-volume, opportunistic approach — or “spray and pray” — to lower-volume, targeted ransomware attacks. Instead of monolithic ransomware, a single piece of software that did everything and was highly automated, today’s ransomware tends to be modular and is often obtained from a malicious developer or acquired “as a service”. There is an organised dark ecosystem for ransomware with component and service supply chains, not dissimilar to the structures and practices we see in the legitimate world. It changes and morphs quickly, which makes traditional fingerprinting for signatures less effective. Much of ransomware detection and response has focused on the identification and mitigation of the actual cryptolocking code and its actions.

Characteristics of a ransomware attack

Cybercriminals will start with open source intelligence gathering and analysis of potential targets. They’ll evaluate a target’s ability to continue operating, along with its likely propensity to acquiesce, if successfully penetrated and ransomed. Then, attackers will estimate a pain threshold price that would result in a payment being made. Initial compromise and penetration of a target may be outsourced, or simply purchased “off the shelf” on the dark web for as little as $300.

From the time of the initial infection to the deployment of the ransomware, attackers perform reconnaissance inside a compromised network to discover which systems are critical before stealing and encrypting files. Once organisations are hit by a ransomware outbreak, they find themselves in an all-hands-on-deck emergency: they need to effectively halt the attack’s progress and immediately restore systems, all while business functions are held hostage. Even if an organisation is willing to pay the ransom, there is no guarantee that the encryption key will be provided by the attacker. Without the encryption key, files will have to be restored from a backup, and any changes since the last backup will be lost.

How to mitigate and respond to attacks

Spotting and isolating an attack early in its lifecycle prevents the loss of data. Rapid host isolation should be considered good practice once an infected device has been identified. Isolation can occur by quarantining hosts, removing offending systems from the network, and killing the processes causing propagation. Due to the speed and severity of ransomware attacks, isolation could require the use of automation, such as orchestration platforms or native integration between detection tools and hosts or network enforcement points.

It is also vital to observe privileged access in order to know which accounts have access to critical systems. Ransomware can only run with the privileges of the user or the application from which it is launched. Comprehensive knowledge of the systems and users with access to specific services enables security operations teams to monitor misuse of privileged access and respond when that access is compromised — well before network file encryption occurs.

Another strategy to improve detection is to focus on monitoring internal traffic for immutable attacker behaviours. Instead of attempting to detect specific ransomware variants in network flows or executables, focusing on reconnaissance, lateral movement, and file encryption allows you to take a more proactive approach when threat hunting.

Stay vigilant and adopt proactive strategies

To reduce the impact of contemporary ransomware attacks, we need to pivot to a model based on detecting behaviour rather than detecting the specific tools or ransomware used. Such behaviour detection is much more effective and requires in-depth analysis of network traffic. With advances in artificial intelligence (AI) augmenting security teams, we’re already seeing the industry shift to identifying attacker behaviour in real time. AI can detect subtle indicators of ransomware behaviour at a speed and scale that humans and traditional signature-based tools simply cannot achieve. This enables organisations to prevent widespread damage.

When organisations recognise these malicious behaviours early in the attack lifecycle, they can limit the number of files encrypted by ransomware, stop the attack from propagating, and prevent a disastrous business outage. Ransomware will continue to be a potent tool in cybercriminals’ arsenals as they attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets. When you are fighting a ransomware attack, time and contextual understanding are your most precious resources.
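The mitigation section above argues for detecting attacker behaviour (internal reconnaissance and lateral movement, misuse of privileged access, and bulk file encryption) rather than fingerprinting a ransomware binary, and for pairing each detection with a rapid isolation action. The following is an added example written for this page, not code from the article or from Vectra: a small behaviour-based detector that runs three such checks over constructed telemetry records and emits an isolation recommendation per offending host. The host names, account names, thresholds, window size and every event are assumed sample values; in practice the thresholds would be tuned against the environment's own baseline.

```python
"""Behaviour-based ransomware precursor detection over constructed telemetry (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from os.path import splitext
from typing import Dict, List, Set

# Assumed thresholds and window size; tune to the environment's baseline.
WINDOW = timedelta(minutes=5)
SMB_FANOUT_THRESHOLD = 20      # distinct SMB (445) targets from one host per window
ENCRYPT_FILE_THRESHOLD = 50    # extension-changing renames by one process per window

# Assumed policy: hosts each privileged account is expected to authenticate from.
PRIVILEGED_ACCOUNT_HOSTS: Dict[str, Set[str]] = {
    "svc-backup": {"backup01"},
    "admin-jane": {"admin-ws01"},
}

@dataclass
class Alert:
    kind: str      # lateral_movement | privileged_misuse | bulk_encryption
    host: str      # host to act on
    detail: str
    action: str    # recommended containment step

def _window(ts: datetime) -> datetime:
    """Start of the epoch-aligned tumbling window that contains ts."""
    epoch = datetime(1970, 1, 1)
    return epoch + int((ts - epoch) / WINDOW) * WINDOW

def _extension_changed(old_path: str, new_path: str) -> bool:
    """True when a rename alters the extension, e.g. report.docx -> report.docx.locked."""
    return splitext(old_path)[1].lower() != splitext(new_path)[1].lower()

def detect_lateral_movement(events: List[dict]) -> List[Alert]:
    """One host fanning out over SMB to many internal hosts within a short window."""
    targets: Dict[tuple, Set[str]] = defaultdict(set)
    for e in events:
        if e["type"] == "flow" and e["dport"] == 445:
            targets[(e["src"], _window(e["ts"]))].add(e["dst"])
    return [Alert("lateral_movement", src,
                  f"{len(dsts)} distinct SMB targets in window starting {win:%H:%M}",
                  "isolate host from the network; review credentials it used")
            for (src, win), dsts in targets.items() if len(dsts) >= SMB_FANOUT_THRESHOLD]

def detect_privileged_misuse(events: List[dict]) -> List[Alert]:
    """A privileged account authenticating from a host it is not expected on."""
    alerts = []
    for e in events:
        if e["type"] != "auth":
            continue
        allowed = PRIVILEGED_ACCOUNT_HOSTS.get(e["user"])
        if allowed is not None and e["host"] not in allowed:
            alerts.append(Alert("privileged_misuse", e["host"],
                                f"{e['user']} authenticated from unexpected host",
                                "terminate session, rotate credential, investigate host"))
    return alerts

def detect_bulk_encryption(events: List[dict]) -> List[Alert]:
    """One process renaming many files to a new extension: the encryption stage."""
    counts: Dict[tuple, int] = defaultdict(int)
    for e in events:
        if (e["type"] == "file" and e["op"] == "rename"
                and _extension_changed(e["old_path"], e["new_path"])):
            counts[(e["host"], e["process"], _window(e["ts"]))] += 1
    return [Alert("bulk_encryption", host,
                  f"{n} extension-changing renames by {proc} in window starting {win:%H:%M}",
                  f"kill {proc}, isolate host, preserve the host for forensics")
            for (host, proc, win), n in counts.items() if n >= ENCRYPT_FILE_THRESHOLD]

def analyze(events: List[dict]) -> List[Alert]:
    """Run every behaviour detector; output is sorted by kind for stable handling."""
    alerts = (detect_lateral_movement(events) + detect_privileged_misuse(events)
              + detect_bulk_encryption(events))
    return sorted(alerts, key=lambda a: (a.kind, a.host))

def build_sample_events() -> List[dict]:
    """Constructed telemetry: benign activity on ws03/fileserver01 plus an attack
    chain on ws07 (SMB fan-out, service-account misuse, bulk renames)."""
    t0 = datetime(2020, 12, 1, 9, 0, 0)
    ev: List[dict] = []
    for i, dst in enumerate(["fileserver01", "fileserver02"]):   # benign: two shares
        ev.append({"type": "flow", "ts": t0 + timedelta(seconds=i), "src": "ws03", "dst": dst, "dport": 445})
    for i in range(3):                                            # benign: editor saves
        ev.append({"type": "file", "ts": t0 + timedelta(seconds=i), "host": "fileserver01", "process": "winword.exe",
                   "op": "rename", "old_path": f"/share/doc{i}.tmp", "new_path": f"/share/doc{i}.docx"})
    for i in range(25):                                           # ws07 scans 25 hosts over SMB
        ev.append({"type": "flow", "ts": t0 + timedelta(seconds=10 + i), "src": "ws07", "dst": f"srv{i:02d}", "dport": 445})
    ev.append({"type": "auth", "ts": t0 + timedelta(seconds=40), "user": "svc-backup", "host": "ws07"})
    for i in range(60):                                           # ws07 process renames 60 files
        ev.append({"type": "file", "ts": t0 + timedelta(seconds=45, milliseconds=i), "host": "ws07", "process": "update.exe",
                   "op": "rename", "old_path": f"/share/report{i}.docx", "new_path": f"/share/report{i}.docx.locked"})
    return ev

if __name__ == "__main__":
    for a in analyze(build_sample_events()):
        print(f"[{a.kind}] {a.host}: {a.detail} -> {a.action}")
```

Each detector keys on behaviour, not on a hash or a process name, so a repackaged or "as a service" variant is caught as long as it still has to scan, escalate and encrypt. The three benign records (a workstation opening two shares, an editor renaming a handful of temp files) stay under the thresholds, which is the point of counting per host, per process and per window rather than alerting on any single rename or connection. In a real deployment the `action` field is what an orchestration platform or host-isolation integration would consume.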
DECEMBER 2020
CXO INSIGHT ME
43