Every conversation with a CISO about concerns and priorities is guaranteed to feature one thing: ransomware. It is the CISO's nightmare scenario: a highly public security event that exposes large amounts of data, impairs operational capability at the same time, and ends with an expensive price tag.
About the author
Andrew Rose is Proofpoint’s EMEA resident CISO.
According to a recent survey, 44% of companies were hit by ransomware in 2020. Given the potential scale of impact, that is a horribly high number. Of those organizations, 34% decided to pay the ransom in order to recover.
Interestingly, 98% of the companies that paid were able to recover their data, compared with only 78% the previous year. This suggests a rising level of professionalism among attackers, who recognize that being trusted to actually deliver data recovery is what drives the payment rate up.
An example of this heightened professionalism was demonstrated in recent attacks on fashion brands. In that case, the attacker went through the stolen data to learn about the organization's cyber liability insurance policy and set the ransom at exactly that figure. The attacker then negotiated the amount with the victim, based on an assessment of the organization's financial position, until the agreed payment was finally received.
This kind of professionalism extends to "customer engagement". We often see technical support offered over anonymous instant messaging platforms to help victims recover once they have paid. What made this particular attack interesting was that, after the negotiation, the attacker gave the organization solid advice on preventing a recurrence. That advice gives all of us useful insight into what we can do to keep our organizations out of this painful and costly dance with criminals. The advice included:
1. Implement email filtering
The first piece of advice was to implement email filtering. Statistics show that about 94% of cyberattacks start with an email, which makes email the real "fire hose" of risk pouring directly into your organization. Ransomware attacks have often begun through exposed Remote Desktop Protocol (RDP) ports and similar entry points, but research shows that ransomware delivered through email-based phishing campaigns is on the rise. This is in stark contrast to the previous year, when attackers primarily used downloaders as the first-stage payload.
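To make the filtering step concrete, here is an added example (not code from the article or from Proofpoint) of the kind of check a mail gateway or a quarantine script applies before a message reaches a user: it parses a raw MIME message, flags attachments whose extension commonly carries a first-stage payload, and flags a Reply-To domain that differs from the sender domain. The extension list and both sample messages are constructed for illustration.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Illustrative blocklist of attachment types; an assumption, not an authoritative list.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm",
                    ".pptm", ".iso", ".lnk"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined (empty list = deliver)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Reply-To pointing at a different domain than the visible sender.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(
            f"reply-to domain {_domain(reply_addr)} differs from sender domain {_domain(from_addr)}")

    # 2. Attachments with extensions that carry executable content or macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has blocked extension {ext}")
    return findings


# Constructed sample: a fake invoice lure with a macro-enabled workbook attached.
SAMPLE_PHISH = b"""From: "Accounts Payable" <ap@vendor-example.test>
Reply-To: collect@other-example.test
To: finance@corp.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary plain-text message.
SAMPLE_CLEAN = b"""From: "Jane Doe" <jane@corp.example>
To: finance@corp.example
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    print(assess_message(SAMPLE_PHISH))   # two findings
    print(assess_message(SAMPLE_CLEAN))   # []
```

Real gateways combine checks like these with reputation data, sandbox detonation and SPF/DKIM/DMARC evaluation; the point of the example is that attachment type and header consistency are cheap signals that a filter can act on before a user is ever asked to "enable content".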
2. Conduct employee phishing and penetration testing
Over 99% of attacks arriving via email require the user to take some action for the breach to succeed, such as running a macro, handing over credentials, or simply paying a fake invoice. Employees are a major attack surface for any company, and it is imperative that they are educated and trained to recognize and respond to threats.
This should be backed up with regular penetration tests to ensure that perimeter misconfigurations and unpatched perimeter devices are found and fixed before they can be abused.
3. Check the Active Directory password policy
The third piece of advice from the cybercriminals was to make sure the password policy is robust enough. This starts with multi-factor authentication (MFA) for external access, but it extends to the internal password policy as well. Part of the ransomware kill chain is escalating privileges so the attacker can access and delete large amounts of critical data before running the encryption. This can be achieved by identifying weak internal passwords, or by leveraging an XLS file in which a database administrator may have listed all the key passwords in the domain.
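The internal password policy can be checked mechanically. The following is an added example, not code from the article, of a checker modelled loosely on the Active Directory "password must meet complexity requirements" rule (three of four character categories, no account name, no name tokens) with a longer minimum length and a banned-word list added; the 14-character minimum and the banned words are assumptions chosen for illustration.

```python
import re

# Constructed banned-word list; a real deployment would use a large leaked-password list.
BANNED = {"password", "welcome", "summer", "company"}


def check_password(password: str, sam_account: str, display_name: str,
                   min_length: int = 14) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")

    # Approximation of the AD complexity rule: at least 3 of 4 character categories.
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        violations.append("fewer than 3 of 4 character categories")

    lowered = password.lower()
    if sam_account and sam_account.lower() in lowered:
        violations.append("contains the account name")
    # Tokens of the display name (3+ characters) must not appear either.
    for token in re.split(r"[\s,.\-_#]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            violations.append(f"contains name token {token!r}")
    for word in sorted(BANNED):
        if word in lowered:
            violations.append(f"contains banned word {word!r}")
    return violations


if __name__ == "__main__":
    print(check_password("Summer2021!", "jdoe", "John Doe"))
    print(check_password("JohnDoe2024!!!!", "jdoe", "John Doe"))
    print(check_password("correct-horse-battery-staple-9X", "jdoe", "John Doe"))
```

A checker like this only covers what the attacker's third point calls the internal policy; it does nothing about credentials written down in a spreadsheet, which is a process and secrets-management problem rather than a policy one.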
4. Invest in better endpoint detection and response (EDR) technology
It is becoming more and more common to see cybercriminals get creative in their attacks. One recent trend is actors using legitimately installed tools such as PowerShell to reach their goals. In one ransomware attack, the attacker used BitLocker to encrypt the device. The lesson here is that signature-based malware detection is no longer sufficient. Smarter endpoint protection that continuously monitors for suspicious activity and enables recovery is essential.
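Because the tools involved are legitimate, the detection has to be behavioural: what was run, from where, and by whom. The block below is an added example (not from the article or any vendor product) of a small set of rules run over constructed process-creation events: PowerShell launched with an encoded or hidden-window command line, PowerShell spawned by a mail or Office client, and BitLocker being enabled on a host where the build process would not do that. The host-naming convention (workstations start with "ws-") and all event data are assumptions for the example; the encoded command is a placeholder, not a real payload.

```python
import re
from dataclasses import dataclass


@dataclass
class Alert:
    rule: str
    host: str
    command_line: str


# PowerShell accepts unambiguous prefixes of its switches, so match -e, -ec, -enc, -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n|nc|ncodedcommand)?(?=\s)")
HIDDEN_FLAG = re.compile(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden")
BITLOCKER_ON = re.compile(r"(?i)(?<!\S)-on(?=\s)")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def detect(events: list[dict]) -> list[Alert]:
    """Apply the behavioural rules to process-creation events and return alerts."""
    alerts = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        if image == "powershell.exe":
            if ENCODED_FLAG.search(cmd) or HIDDEN_FLAG.search(cmd):
                alerts.append(Alert("powershell_encoded_or_hidden", ev["host"], cmd))
            if ev["parent"].lower() in OFFICE_PARENTS:
                alerts.append(Alert("powershell_spawned_by_office_app", ev["host"], cmd))
        # Assumption: only workstations ("ws-*") are expected to enable BitLocker.
        if image == "manage-bde.exe" and BITLOCKER_ON.search(cmd) \
                and not ev["host"].lower().startswith("ws-"):
            alerts.append(Alert("bitlocker_enabled_on_unexpected_host", ev["host"], cmd))
    return alerts


# Constructed sample events; not real telemetry. The base64 value decodes to "AAAA".
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jdoe", "parent": "outlook.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBBAEEAQQA="},
    {"host": "srv-db-01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\manage-bde.exe",
     "cmdline": "manage-bde.exe -on D: -RecoveryPassword"},
    {"host": "ws-017", "user": "CORP\\asmith", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.rule, a.host, a.command_line)
```

The third event, a scheduled inventory script, produces no alert, which is the property that matters: rules keyed on parent process, switches and host role stay quiet on routine administration while still catching the encryption-by-legitimate-tool pattern the article describes.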
5. Better protect your internal network and isolate critical systems
Large, flat networks can be easy to manage, but they also let attackers reach their goals easily. Additional concentric layers of network segmentation and control wrapped around critical systems and data mean that a single malware infection is unlikely to affect critical services. Business IT systems are the most exposed because they constantly send and receive email, so they must be segmented from the organization's "crown jewels" infrastructure and data.
6. Implement offline storage and tape-based backup
The concept of backup has almost disappeared as an issue – and that is a bad thing. Today's online automatic backups are seamless, convenient and automated, but unfortunately they are also exposed to attack. If an attacker steals administrator credentials, they can delete or corrupt the entire corporate backup and leave the company unable to recover. The era of tapes and vans may be waning, but it is imperative to have a clear model for pushing backups to true offline storage, out of reach of external attackers.
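An offline copy only helps if you can tell whether what you restore is intact. The following added example (not from the article) shows a simple integrity manifest: SHA-256 digests of every file in a backup set are recorded at backup time, the manifest is kept with the offline copy, and a later verification reports files that were modified, deleted or added. The demo builds a small backup set in a temporary directory and then simulates what an attacker with administrator credentials could do to an online copy; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup set on disk against a manifest recorded when it was written."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed backup set, record its manifest, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (backup / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        manifest = build_manifest(backup)  # in practice written to the offline/WORM copy

        # Simulated damage by a compromised administrator account: one file overwritten
        # with unreadable content, one deleted, one unexpected file dropped in.
        (backup / "db" / "customers.sql").write_bytes(b"\x00constructed-ciphertext\x00")
        (backup / "config.ini").unlink()
        (backup / "note.txt").write_bytes(b"constructed placeholder")
        return verify_manifest(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest detects tampering; it does not prevent it. Preventing loss is exactly the job of the offline, write-once copy the article calls for, and the manifest is what lets you prove that copy is the one to restore from.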
Six important recommendations, straight from the keyboard of a multi-million-dollar ransomware gang. Following this basic advice will help your organization reduce its chance of infection. Keep in mind that many of these attacks are opportunistic. An enterprise does not have to be perfectly secure; it only has to make the attacker recognize that the risk/reward ratio is better elsewhere. It may be self-serving, but the old saying "You don't have to outrun the lion …" has an element of truth.
Lessons from the Dark Side: Preventing Ransomware Attacks