Attackers are going to do their best to breach you. And if they invest enough time and technology, they will probably succeed. Put enough obstacles in their path, however, and as you wear down their resources, you have a very good chance of stopping them. Today, defense-in-depth is viewed as a reliable and proven way to prevent ransomware.
Yet while the practice of defense-in-depth is recognized by agencies like CISA, many, if not most, organizations get the practice of building defensive layers against ransomware wrong. When you’re a target for threats that get past your firewalls, antivirus (AV) solutions, endpoint detection and response (EDR) platforms, etc., another layer of controls that work on the same principle of threat detection and response will do little to stop them.
Complex and evasive threats continue to evolve. Consider a Cobalt Strike beacon that loads into device memory at runtime, an evasive malware strain with polymorphic signatures, an exploit targeting a zero-day or the next big supply chain threat. These and other advanced threats won’t show up on telemetry-based controls or respect their signature libraries or behavior analysis. To stop them, you need to build redundancy and resiliency into your ransomware defensive posture.
Also called failure protection by NIST, redundancy is the security boost you get when you deploy multiple protection mechanisms within your environment that work through different mechanisms. When you have redundancy, you gain resiliency (i.e., the ability to withstand and recover from repeated attacks).
To achieve redundancy against modern ransomware threats, you need another control layer in your environment—one that defeats ransomware through a novel defensive method. Emerging technology like Automated Moving Target Defense (AMTD) can close this gap and prevent ransomware attacks at multiple phases, from early infiltration to safeguarding critical systems when ransomware attempts to execute.
Ransomware Threat Evolution
“Ransomware is a threat to national security, public safety, and economic prosperity.” The National Cybersecurity Strategy‘s description of ransomware risk is a nod to the new reality of ransomware—one of the most dangerous risks our world faces, cyber or not.
For individual organizations, betting on reaction and recovery against this risk is a failing strategy. Attacks now target backups, and it’s also no longer sustainable to rely on insurance— a recent report noted a 100% increase in insurance premiums.
Ransomware has existed for over 30 years. But what’s changed over the last few years is potential profits—as profits soar, malware developers and operators have dramatically upped their game, refining techniques to help malware successfully evade defense mechanisms.
Take the 2021 Health Service Executive Conti attack as an example. This ransomware attack on Ireland’s national healthcare system compromised over 80,000 endpoints and effectively shut down healthcare services in an entire country. The attack succeeded for several reasons, but a core one was that Conti could evade the AV and similar security solutions on the HSE’s endpoints.
Conti used fileless techniques to move laterally from endpoints to servers without raising any alarms. They could also load malicious code to encrypt DLLs into device memory and execute ransomware in this space (during runtime) that AVs and other solutions cannot scan.
More ransomware attacks are using this memory compromise method alongside other evasive techniques. From hijacking legitimate tools to relying on scripts that only load from memory during a device operation, threat actors are increasingly looking at security control weak spots and targeting their efforts toward them.
Ransomware Defense with AMTD
Automated Moving Target Defense (AMTD) is an emerging technology that morphs runtime memory environments. AMTD changes an application’s attack surface by deterministically moving attackable assets (such as hashed memory passwords) into unexpected places. It then leaves skeletons of the original assets to trap threats and isolate executables.
AMTD builds depth into ransomware defense and adds assurance by reducing exposure to known MITRE ATT&CK ransomware tactics, including initial access, persistence, privilege escalation, defense evasion, lateral movement, and impact.
This happens through four added layers of protection:
- Data encryption and destruction protection — Most ransomware attacks succeed in encrypting data. However, when AMTD is installed on an endpoint or server, the system resources targeted by malicious code are not where its creator expects them to be. Instead, what looks like system resources are decoys. Code that tries to execute on a decoy and encryption is automatically terminated and captured for forensic analysis while the actual system resource remains protected, thereby denying encryption.
- System recovery tamper protection—According to Acronis, leading ransomware groups, such as LockBit and ALPHV, have evolved to target backups directly, necessitating robust defenses to prevent successful attacks. Specifically, ransomware attacks target the system shadow copies backups rely on. AMTD blocks access to shadow copies by ending any unauthorized processes that try to access them.
- Credential theft protection — Credential dumping is one of the most common MITRE ATT&CK techniques in the wild. Almost all ransomware attackers will try to access passwords stored in browsers, RDPs, SAM hashes, etc. AMTD deterministically hides the location of these passwords and stops threats from finding them.
- Runtime memory protection — from Webroot found that 94 percent of attacks are now polymorphic. Many execute in memory during runtime instead of on a device disk. AMTD protects runtime by morphing (randomizing) runtime memory to create an unpredictable attack surface. It moves application memory, APIs, and other system resources while leaving decoy traps in their place. With the adoption of Generative AI this will only increase exponentially moving forward as threat actors will have the resources to adapt malware at a never seen before accelerated pace.
Coming off a year in which ransomware attacks reached record levels, it’s safe to assume attackers will continue their assault through 2024. For businesses, it’s time to go on the offensive and your best bet is to double down on ransomware assurance with defense-in-depth and AMTD.
Brad LaPorte- Chief Marketing Officer at Morphisec and former Gartner Analyst
Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of its time.
