Technology Will Fail: Why Managing Intrusions is Critical in the Fight Against Ransomware

By Steve Moore, Chief Security Strategist, Exabeam

When you take a step back and consider these statistics, you will quickly realize the gravity of what is at stake for organizations when it comes to effectively securing their confidential information – and that there is still a lot more to be done to combat this growing trend.

According to cybercrime prosecution statistics, 2022 is expected to see a worldwide annual spend of nearly $134 billion to both prevent and also deal with the aftermath effects of cybercrime – and that figure is estimated to rise even higher.

Nearly 70% of business leaders feel their cybersecurity risks are increasing, and a recent CISA alert has validated these concerns. The alert from the U.S., U.K. and Australian governments is a detailed and well thought out technical and architectural advice document for cybersecurity teams in the face of high-impact ransomware incidents trending upward.

As noted in the alert, “Cybersecurity authorities in the United States, Australia, and the United Kingdom assess that if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model. Additionally, cybersecurity authorities in the United States, Australia, and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates, and freelancers; it is often difficult to identify conclusively which actors are behind a ransomware incident.”

Now more than ever it is critical for cybersecurity managers and their teams to drill the top causes of these incidents into their brains – phishing attacks, stolen credentials, brute force attacks and exploiting existing vulnerabilities.

You may be thinking, ‘these tactics are nothing new,’ but what’s different today is the sophistication of the cybercriminals’ services and networks. On what seems to be a disturbingly regular basis, there are underground criminal networks emerging, dedicated to helping one another with payments, data restoration and technical support – mirroring even the best IT support organizations. Sophisticated criminal groups are even exchanging stolen credentials from breaches and sharing code with one another – putting organizations in multiple groups’ lines of fire.

When building out their security stacks and security operations center (SOC) teams, leaders should always keep the tactics of the adversaries and these advanced cybercriminal networks at the forefront of their minds. CISA’s alert is an excellent starting point for determining the correct tools needed to combat attack methods. They truly get it. In particular, the importance of limiting adversaries’ ability to move laterally across a network is a strong point they raise.

To minimize the impact when they do strike, security teams need the ability to detect this type of behavior in real time. The CISA ransomware alert also advises readers to ‘Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool.’ In this section, the agency emphasizes endpoint detection and response as the solution, but this is just one piece of the puzzle.

There is room for improvement here. Many organizations do not understand what user behavior is considered normal within their environment – and do not have the proper capabilities to illustrate it. Spotting abnormal activity is essential in the ransomware fight, and legacy tools that have been available for decades need to be supplemented. We would put the emphasis on credential-based security, leveraging data science to build baselines and attack timelines of user behavior as the goal.
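One way to put the baseline-and-timeline idea above into code, as an added illustration that is not from the article or from any Exabeam product: a per-user baseline of "normal" logons (source hosts, destination hosts, hours of day) is learned from a window of constructed sample events, and later events are scored against it to produce an attack timeline; the thresholds (15-minute window, three distinct hosts) and all hostnames are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp, user, source_host, destination_host).
LEARNING_WINDOW = [
    ("2022-03-01T09:05", "alice", "ws-alice", "fileshare01"),
    ("2022-03-01T09:40", "alice", "ws-alice", "hr-app"),
    ("2022-03-02T08:55", "alice", "ws-alice", "fileshare01"),
    ("2022-03-03T10:10", "alice", "ws-alice", "hr-app"),
    ("2022-03-04T09:15", "alice", "ws-alice", "fileshare01"),
]
# Later events: alice's credential used from another workstation, at night,
# fanning out to several hosts within minutes (the traversal pattern to surface).
NEW_EVENTS = [
    ("2022-03-12T02:13", "alice", "ws-bob", "dc01"),
    ("2022-03-12T02:17", "alice", "ws-bob", "backup01"),
    ("2022-03-12T02:21", "alice", "ws-bob", "fileshare01"),
]

def build_baseline(events):
    """Per-user 'normal': hosts logged on from and to, and hours of day seen."""
    base = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for ts, user, src, dst in events:
        base[user]["src"].add(src)
        base[user]["dst"].add(dst)
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def attack_timeline(events, base, window=timedelta(minutes=15), fanout=3):
    """Ordered (timestamp, user, reasons) for every event that deviates from baseline."""
    recent, timeline = defaultdict(list), []
    for ts, user, src, dst in events:
        t, b, reasons = datetime.fromisoformat(ts), base[user], []
        if src not in b["src"]:
            reasons.append(f"new source host {src}")
        if dst not in b["dst"]:
            reasons.append(f"new destination host {dst}")
        if t.hour not in b["hours"]:
            reasons.append(f"unusual hour {t.hour:02d}:00")
        # Sliding window of recent destinations: many hosts in minutes looks like traversal.
        recent[user] = [(x, d) for x, d in recent[user] if t - x <= window] + [(t, dst)]
        if len({d for _, d in recent[user]}) >= fanout:
            reasons.append(f"{fanout}+ distinct hosts within {window}")
        if reasons:
            timeline.append((ts, user, reasons))
    return timeline

if __name__ == "__main__":
    for ts, user, why in attack_timeline(NEW_EVENTS, build_baseline(LEARNING_WINDOW)):
        print(ts, user, "; ".join(why))
```

Each timeline entry carries the reasons it fired, which is what an analyst needs to decide quickly whether a credential is being misused rather than chasing a bare alert.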

The CISA alert reinforces just how critical it is to make cybersecurity prevention, awareness and best practices an integral component of all organizations. Education, preparedness and action will enable your organization to effectively respond to and prevent data loss that can compromise your relationship with your clients and further strain your current operations.

Further, while the CISA alert serves as a valuable checklist, the defender’s capabilities must grow beyond this advice. It’s not a matter of if, but when these preventative suggestions will fail. If teams are not properly prepared to manage intrusions, they will not be able to fully absolve themselves of risk.

We recommend a follow-up ‘playbook’ for security alerts like this from the issuing agency that will actually help SOCs determine how to ingest data properly, make decisions and strategically create analytic capabilities. The technical aspects are important, but the people and the investigation strategy are what will make the most significant impact.

The concept is simple – just like fire drills in schools. The differentiating key factor is repetitive action. This cannot be a one-and-done deal. For example, you cannot write the ‘playbook’ but then never revisit it or execute on it. Taking the right, practiced action is truly the fundamental and consistent step that will protect your organization from the majority of data breaches.
