Fight Ransomware with a Cybersecurity Audit

With thousands of devices and increasingly distributed IT environments, it’s easy for organizations to lose track of open IP addresses, admin accounts, and infrastructure configurations. That creates an opening for cybercriminals to exploit with ransomware and other types of attacks. Enterprises can protect themselves by evolving traditional IT inventory practices into robust cybersecurity audit procedures as part of an overall attack surface risk management approach.

Cybercriminals are constantly hunting for openings and weaknesses to exploit with ransomware and other attacks. Enterprises can fight back by evolving traditional IT inventory practices into advanced attack surface risk management with robust cybersecurity audit procedures.

Do you know where all your IT assets are?

For a surprising number of organizations, the answer is “no”—putting them at risk of ransomware and other types of cyberattacks. In 2021, nearly 70% of respondents to the Enterprise Strategy Group’s Security Hygiene and Posture Management Survey said they had suffered at least one exploit that started with an “unknown, unmanaged, or poorly managed Internet-facing IT asset”.

To reduce the risk posed by overlooked IP addresses, forgotten devices, unused accounts and misconfigured infrastructure, organizations need to evolve their traditional IT audit and inventory practices into a sophisticated attack surface risk management (ASRM) process with robust cybersecurity audit routines.

What you don’t know can hurt you

People often talk about the “enterprise attack surface” as if it were one single thing. In fact, every device has its own attack surface: a set of vulnerabilities that can be exploited, from open ports and unpatched software to vulnerable applications and misconfigurations. All those individual frailties add up across the entire IT environment.

As a result, any unidentified element can be a potential point of attack for ransomware perpetrators and other cybercriminals: equipment like printers and computers; internet of things (IoT) and industrial internet of things (IIoT) devices; and servers, especially external-facing ones such as web, cloud and dev servers. Non-physical components of the IT environment are also vulnerable, such as user accounts—particularly those with administrator privileges.

While businesses may not know their full catalog of IT assets, bad actors certainly try to learn it: they scan the internet constantly for exposed IPs and use discovery tools to map corporate networks, identifying critical systems, Active Directory domain controllers, Exchange servers, and more. A good cybersecurity audit process allows organizations to gather these same kinds of insights for themselves—ahead of cybercriminals—and ensure there are no unknown or undefended devices on the network.

The cybersecurity audit: Discover, assess, mitigate

The three aims of a cybersecurity audit should be to discover the full set of enterprise IT assets, assess the risks associated with them, and identify mitigation measures.

Given the sheer number of devices and distributed nature of most IT environments today, the discovery step demands automated tools that can generate a complete inventory and see what every device, application, service, account, and port is doing.

The assessment phase is critical because not all risks are equal and not every risk can be addressed at once, so the most urgent vulnerabilities need to be prioritized. These will vary from business to business, but as a general rule any IP that is exposed to the internet and publicly accessible should be dealt with first.

That leads directly to the mitigation stage. Interventions may involve switching off ports, shutting down admin accounts, and patching software on user devices and in server operating systems.
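As an added example that is not part of the original post, the script below applies the discover/assess/mitigate cycle to a small constructed inventory: any asset on a non-RFC1918 address is ranked first, as the assessment rule above prescribes, then ordered by exposed management ports, missing patches and stale admin accounts, and each finding carries the corresponding mitigation (close ports, disable accounts, patch). The inventory records, the management-port list and the scoring weights are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample inventory (no real hosts). 203.0.113.0/24 is a documentation
# range used here as a stand-in for a public address.
INVENTORY = [
    {"host": "web-01", "ip": "203.0.113.10", "open_ports": [22, 80, 443, 3389],
     "unpatched": True, "stale_admins": ["svc_backup"]},
    {"host": "printer-07", "ip": "10.0.5.23", "open_ports": [9100, 23],
     "unpatched": True, "stale_admins": []},
    {"host": "dc-01", "ip": "10.0.0.5", "open_ports": [88, 389, 445],
     "unpatched": False, "stale_admins": ["old_admin"]},
    {"host": "laptop-42", "ip": "192.168.1.77", "open_ports": [],
     "unpatched": False, "stale_admins": []},
]

# RFC1918 ranges: anything outside them is treated as internet-exposed.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Remote-management / legacy ports that should not be reachable (assumed list).
MGMT_PORTS = {22, 23, 3389, 445, 5900}

@dataclass
class Finding:
    host: str
    score: int
    actions: list = field(default_factory=list)

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in PRIVATE_NETS)

def assess(asset):
    """Score one asset; internet-exposed assets always outrank internal ones."""
    score, actions = 0, []
    if not is_internal(asset["ip"]):      # publicly routable -> handle first
        score += 100
    exposed = MGMT_PORTS & set(asset["open_ports"])
    if exposed:
        score += 10 * len(exposed)
        actions.append(f"close ports {sorted(exposed)}")
    if asset["unpatched"]:
        score += 20
        actions.append("patch software")
    if asset["stale_admins"]:
        score += 15 * len(asset["stale_admins"])
        actions.append(f"disable admin accounts {asset['stale_admins']}")
    return Finding(asset["host"], score, actions)

def prioritize(inventory):
    """Return findings with the most urgent asset first (mitigation order)."""
    return sorted((assess(a) for a in inventory), key=lambda f: f.score, reverse=True)

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{f.score:4d}  {f.host:<11} {'; '.join(f.actions) or 'no action'}")
```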

Building a cybersecurity audit toolset

No single solution today can execute the full cycle of discovery, assessment, and mitigation. That’s likely not surprising to most enterprises, since 78% already use more than 50 different cybersecurity products to defend their data and systems. Even security information and event management (SIEM) and security orchestration, automation and response (SOAR) solutions have gaps, as neither assigns risk scores and so can’t fulfill the assessment part of the process.

While there isn’t a one-and-done option—yet—there are combinations of automated tools that can give organizations the full capabilities they need. These include internal attack surface discovery (IASD) solutions, external attack surface discovery (EASD) solutions, and attack surface asset analysis tools. All of these should ideally be complemented by an ASRM platform.

Since multiple solutions are required, what’s important is to choose an open cybersecurity platform that makes it easy to add on and integrate specialized tools.

Beyond human speed and scale

Automation and AI-based tools are essential to the cybersecurity audit process because there is too much complex data to manually monitor and manage. This is partly because security monitoring needs to be continuous, as specified in the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, for example. An interval-based approach is insufficient because the cyber threat environment is dynamic and constantly changing.

Beyond that ‘always on’ requirement, what IT security teams should be monitoring for is legitimate use: that all the devices, services, and applications in the mapped IT environment are being used in the right ways. The definition of ‘right’ will be somewhat different for every organization and can involve hundreds of interrelated rules that need to be modelled and checked.

Another area where automation and AI are critical is the regular review of security logs, which should also be part of the cybersecurity audit process. A log review will identify where incidents may have occurred, highlighting vulnerabilities to be addressed. In a SIEM or SOAR platform, those log entries can amount to thousands per day. An automated solution can digest and assess these much faster than human teams, generating insights for IT security staff to act on.

From ‘audit and inventory’ to attack surface risk management

IT professionals have long advised enterprises to have a complete, up-to-date picture of their IT environment and devices. In theory, that was much simpler when the enterprise network was bounded and the number of connected devices far fewer. These days, the complexity of enterprise IT requires a more sophisticated approach—beyond mere audit and inventory to encompass full-scale attack surface risk management.

Establishing a rigorous cybersecurity audit process is key to that evolved approach, using the latest tools for attack surface discovery to bring every asset and device into visibility. Since no single solution today can do the full job of discovery, assessment, and mitigation, organizations that want to position themselves well for the future should seek out an open platform that can integrate all the necessary capabilities.

Ransomware and other cyber threats will continue to exploit the dark, forgotten corners of the enterprise IT environment. With regular cybersecurity audits and a disciplined attack surface risk management approach, organizations can push back the shadows and reduce their risks.

Next steps

For more Trend Micro thought leadership on ransomware protection and other cybersecurity topics, check out these further resources: