Ransomware: Even when the hackers are in your network, it might not be too late
Ransomware is one of the biggest cybersecurity issues facing the world today with gangs routinely breaking into enterprise networks to encrypt files and networks.
Often, victims only realise that they’ve been compromised when files, servers and other systems have been encrypted and they’re presented with a ransom note demanding a payment in cryptocurrency for the decryption key.
But even if cyber criminals are already inside the network it’s not necessarily too late to prevent a ransomware attack; if an organisation has a good threat hunting strategy, they can detect strange or suspicious activity and counter the threat before ransomware becomes a major problem.
That’s because criminals can spend weeks in the network before triggering a ransomware attack – and even if protections designed to prevent them from entering the network have failed, this delay can provide an opportunity for preventing a full-blown ransomware attack.
The US Department of Commerce’s National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) lists Identify, Protect, Detect, Respond and Recover as the five functions of securing networks. But many organisations are still attempting to rely on the ‘protect’ aspect as the main line of defence, without a clear strategy, if they have one at all, on how to detect and respond to threats which bypass protections.
“When you think about the CSF framework, I think we spend so much in the protect bucket and not enough in detect respond and recover,” said Jason Lewkowicz, Global CISO for Cognizant, speaking during a panel discussion on ransomware at VMware’s VMworld 2021 conference.
See also: A winning strategy for cybersecurity (ZDNet special report).
If criminals have already been able to breach the network, it might be difficult to believe that all is not lost, but the way attacks work means it’s still possible to cut them off and prevent a ransomware incident.
For example, it’s common for cyber criminals to gain access to networks and install malware to help examine the environment they’ve compromised – then they’ll often follow a standard routine of actions during the days or weeks they’re in the network. It’s possible to identify this activity and if it’s identified, there’s the opportunity to stop the attackers.
“Detection can actually be part of preventing ransomware. There’s a classic ransomware chain of events and it’s almost gut wrenching because it’s predictable and we see it every day,” said Katie Nickels director of intelligence at Red Canary.
“My team will see an initial malware family like QBot – then the adversaries will look around the environment, do some reconnaissance and then they install a tool called Colbalt Strike, then they move laterally. It’s the same playbook – ransomware is coming”.
If organisations have a good knowledge of their own network and a threat hunting team which can take knowledge of how these hands-on ransomware attacks work and use it to detect threats, they can be identified, removed and remediated before the problem grows to become a full-scale ransomware attack.
“If you can detect these things – these are very detectable predictable behaviors – if you could detect them early you can actually prevent the encryption, the exfiltration or a really bad outcome,” said Nickels.
“It’s interesting, because everyone thinks about prevention and protection, but early detection is actually prevention of ransomware,” she added.
Smaller businesses or those without a significant IT or information security budget could struggle to engage in threat hunting themselves, but it can be useful for helping to prevent a ransomware attack and much less costly than falling victim.
“It’s so important to have threat hunting capabilities on the team – if you don’t have that in your organization partner up within the ecosystem – because threat hunting really helps to identify those and profile that activities,” said Amelia Estwick, director of threat research at VMware.
Being able to find out if cyber criminals have compromised the network can play a major role in actually preventing an incident from taking place, or at least ensuring that the impact is reduced. Keeping a ransomware attack restricted to one part of the network is still better than letting it spread around the entire enterprise environment. It can also help cybersecurity teams learn to prevent additional attacks in future.
“We already know they’re in there, so let’s figure out how to do batten down the hatches and how are they moving throughout the system, so we can learn to better provide and develop tools to detect and prevent this from occurring again,” said Estwick.
More on cybersecurity: