CYBEREASON INNOVATION
THREE QUESTIONS TO ASK ABOUT RANSOMWARE PREPAREDNESS Ransomware operations, or RansomOps, have grown from a small subset of mostly nuisance attacks to a mature business model specialisation and an increasing pace of innovation and technical sophistication.
R
ansomOps involve highly targeted, complex attack sequences by sophisticated threat actors that are much more intricate and akin to the stealthy operations conducted by nation-state threat actors. RansomOps are typically ‘low and slow’ attacks that can take weeks to months to quietly spread through as much of the targeted network as possible before the ransomware payload is ever delivered. Several factors have contributed to the success of RansomOps, resulting in a significant surge in ransomware attacks with multimillion-dollar ransom demands. There is a distinct need for organisations to think strategically about their ransomware defences going into 2022, with three key questions organisations should ask their cybersecurity teams:
Can we detect ransomware attacks beyond the endpoint? The question here is one of visibility, context and correlations. The reality is that other approaches to threat detection and response are limited in their ability to defend against ransomware – take endpoint detection and response (EDR) solutions for example. EDR might provide greater visibility over endpoint devices than traditional anti-virus and anti-malware solutions, but it ignores the fact that many complex RansomOps attacks don’t necessarily start at the endpoint.
H ow quickly can we mount a response? Ransomware attacks require a swift response, which requires actionable context and correlations. Tools like SIEM (security information and event management) and SOAR (security orchestration, automation and response) were supposed to solve for this, but were never able to effectively deliver. SIEM solutions require a data lake structure and cloud analytics to centralise event information, but don’t provide the necessary context and correlations to allow for an autonomous response. Event correlation requires manual processes that create operational inefficiencies, takes up analysts’ time, and prevents security teams from launching a quick response. Organisations therefore need to automate their response capabilities so that they can react as quickly as possible, which SOAR tools have struggled to deliver on. In practice, analysts still need to manually intervene. Without the necessary correlations and context, SOAR cannot effectively coordinate a response across a diversified network and multiple security tools.
id we stop the malicious D operation or just an activity? Once a ransomware attack has been detected and an initial response determined, analysts need to understand if they are actually disrupting the larger RansomOp or just one aspect of the attack. Blocking ransomware on an endpoint does not address issues like compromised credentials, persistence on the network, and does not guarantee the attackers are not also living off the land or committing in-memory attacks. That’s where extended detection and response (XDR) solutions can be a game changer for defenders. An AI-driven XDR solution can quickly assimilate and correlate telemetry from across multiple network assets to
reveal the entire attack sequence. An AI-driven XDR solution detecting based on indicators of behaviour can enable defenders to quickly identify and end all associated malicious activity, even when that activity consists of otherwise benign behaviours one would expect to see on the network.
An operation-centric approach to defeating RansomOps The combination of increased visibility across siloed network assets to produce context-rich correlations based on chained attacker behaviours is at the heart of an AI-driven XDR solution. This operation-centric approach also provides defenders the ability to predict, detect and respond to other types of cyberattacks across the entire enterprise network earlier and faster to protect endpoints, identities, cloud, application workspaces and more. And this is why Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting organisations from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture, and every other known ransomware family. Cybereason is dedicated to teaming up with defenders to end ransomware attacks on the endpoint, across the enterprise, and everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defence resources, or schedule a demo at https://www.cybereason.com/platform/ ransomware-protection.
Brandon Rochat, sales director: Africa, Cybereason
CYB ER SECURI TY 2022
33