To fight cyber extortion and ransomware, shift left

Ransomware is a ‘noisy’ threat. When it hits, there’s no hiding it: attackers lock up systems and issue explicit instructions about what organizations need to do—and pay—to set their data and devices free.

That’s why most bad actors engage in cyber extortion only once they’re ready to be exposed, after they’ve already achieved other malicious goals such as exfiltrating data, setting up clandestine command and control structures, or selling access to other parties.

Knowing this, many organizations are “shifting left” when it comes to cybersecurity: taking steps earlier in the threat lifecycle to prevent attacks, and implementing measures to detect breaches before they cause extensive harm. This two-pronged ‘secure and defend’ approach is essential to the mitigation stage of the detect, assess and mitigate cybersecurity cycle.

Understanding the cyber extortion lifecycle

All cyberattacks begin with attackers gaining access to systems—whether through vulnerable end-user devices, exposed IP addresses, insecure websites, misconfigured cloud services, compromised credentials, or misused privileges from inside the organization itself.

Once they have access, attackers move laterally to other devices and systems, working toward the most sensitive or highest-value assets. That typically leads to data exfiltration—siphoning off customer identities and payment information or other sensitive records for sale or further exploitation. These activities are carried out in secret to avoid detection, and ransomware is deployed only after attackers have wrung as much value as they can out of the organization.

Leaving cyber extortion to the end makes business sense since, according to Trend Micro’s Understanding Ransomware Using Data Science report, most victims don’t pay. (Those that do, however, effectively subsidize another six to 10 attacks.) In the minds of most bad actors, it’s better to succeed at other cybercrimes first and treat the ransom as a final, optional payoff rather than the main event.

While in the network, attackers often add back doors and other structures so they can maintain access and return to strike again—even after a ransomware attack is executed. This so-called maintenance phase can go on for months or more. The web company GoDaddy suffered repeated cyberattacks over multiple years because perpetrators were able to stay in its network even after the initial attack was thought to have been resolved.

By shifting cybersecurity left and taking earlier, preventative action, organizations can block unauthorized access, detect lateral movements when they happen, and respond to unusual behavior in the network long before ransomware gets dropped.

Step 1: Secure the enterprise sooner

The first goal of shifting left is to implement as many measures as possible for blocking threats and cyber extortion schemes from entering the network in the first place. The previous blogs in this ransomware series outline a range of actions organizations can take to strengthen their overall security posture: enforcing good passwords, implementing multifactor authentication, maintaining control over credentials, and keeping applications and operating systems up to date.

Sandboxing is another good way to prevent threats from infiltrating the enterprise or getting too far, especially when it comes to email and web browsing. Isolating and screening attachments and web pages before they run on endpoint devices prevents malware or harmful scripts from getting through, though it can slow things down by introducing lags in email and online performance.

All these techniques can be integrated into an attack surface risk management (ASRM) solution that continuously assesses a business’ attack surfaces, both internal and external. Constant monitoring is needed because the attack surface is always changing due to user mobility, new devices, new threats, and corporate moves such as acquisitions or partnerships. Identifying and prioritizing the risks that monitoring uncovers is a challenge for many enterprises: ASRM helps clarify what needs the most attention.

Experts today largely agree that the foundation of cyber risk management should be a zero-trust approach, especially for identity and access management (IAM), since no identity or credential should be implicitly trusted. Extended detection and response (XDR) technologies are an excellent way to implement zero-trust principles because they provide visibility and control across the entire enterprise environment.

As noted in Trend Micro’s report on ransomware and data science, “Implementing zero trust can help defenders profile known ransomware indicators so that they are better informed when updating their security policies and developing new alert rules. Defenders can also be informed immediately upon any signs of suspicious behavior in their organization’s systems.”

Ideally, ASRM will be part of a comprehensive, unified cybersecurity platform that minimizes complexity and brings all the pieces of the organization’s security framework together under one roof.

Step 2: Defend when threats break through

Even with the best security approach in place, it’s impossible to repel every attack. Breaches are inevitable—not a question of “if” but “when”. The key is to detect them as soon as possible and be ready to take action.

That requires an incident response plan with business continuity measures and cybersecurity insurance considerations built in. Working out how to keep the business running is critical, especially with respect to ransomware and other forms of cyber extortion, since their whole purpose is to shut operations down.

Secure redundant systems and well-maintained backups that can be spun up quickly provide a rapid means of bouncing back when an attack succeeds. These are most important for business-critical systems, which should be identified clearly and prioritized in any business continuity plan.

As with securing the enterprise, XDR is essential to a strong defense and should be incorporated into the incident response plan. XDR reaches beyond endpoints to all the potential locations an attack might target, including cloud infrastructure, network traffic, operational technologies (OT), internet of things (IoT) and industrial internet of things (IIoT) deployments, and more.

While having a plan is important in and of itself, an organization needs to be confident the plan will work when called for. That requires everyone (including third parties) with a role in executing it to be clear on what they are expected to do, and for the plan to be tested at least once a year and kept up to date as threats and business needs evolve. Enterprises should also make an effort to understand their cloud providers’ and software vendors’ incident response plans—what’s in place and how those measures complement their own.

Shift left with the right tools to fight cyber extortion

An ASRM solution supported by XDR and based on zero-trust principles—built into a unified cybersecurity platform—gives organizations the tools they need to secure and defend while minimizing the complexity of managing a multitude of point products. Those with limited in-house resources can establish a robust secure-and-defend approach by working with a managed security service provider whose offering includes managed XDR.

Recognizing that breaches are inevitable is realistic, not defeatist—and by shifting left, organizations can gain more control than ever before over their ability to defend against ransomware and cyber extortion schemes. With the right defensive measures in place and a well-articulated incident response plan, attacks that do penetrate the network can be caught and disposed of faster.
