Changing Approaches to Preventing Ransomware Attacks
Conducting scaled and cost-effective attack surface and digital threat monitoring gives organizations of all sizes the best chance of identifying and defeating their adversaries
Attempting to detect ransomware is generally a losing proposition. Security teams usually report the moment an exploit or vulnerability is released to the public. Attackers typically begin exploiting the vulnerabilities within 12 hours. Access to internal networks happens quickly. More problematic, the timeline from initial access to escalating privileges and deploying ransomware can be less than six hours. In other words, whether it’s a set of credentials found on the dark web and a lack of two factor authentication, or the exploitation of an internet facing application, a malicious actor needs very little time before they are sending emails to executives with ransom requests.
Defending against this type of threat is challenging. Enterprises are better served by focusing on systematically identifying initial access vectors and supply chain risks that serve as the precursors to data theft and ransomware attacks. Open source, dark web, and external attack surface monitoring at scale and with the proper collection parameters is an important tool for identifying and preventing attacks.
Challenges for Small and Medium Size Enterprises
Responding within six hours is difficult, if not impossible, for small and medium sized enterprises. In general, they do not have the resources to implement fast reaction emergency patch management cycles and have a limited number of security resources. Those limited resources are likely focused “on-network,” conducting basic blocking and tackling such as configuration and patch management, network and application firewall configurations, anti-virus, identify access management controls, and logging endpoints and Windows events. At best, they have implemented endpoint detection and response and a SIEM, possibly through a MSSP.
Challenges for Large Enterprises
Large enterprises with more abundant resources have a fighting chance, but can sometimes be hampered by bureaucracy. It requires focus and execution to quickly remediate initial access and supply chain exploits. Security and audit functions routinely identify vulnerabilities, but depend on information technology functions (and proper processes) to patch or roll out credentials. This becomes more complicated if acquisitions and/or subsidiaries are involved. In those scenarios, the unique business entities’ patch and configuration management may not be centrally managed. Meanwhile the threat hunting team within security operations is watching attackers take advantage of exploits and attempting to keep them out of the environment to prevent them from moving laterally and escalating privileges. This is not uncommon. And it’s always a problem.
Stop Attackers in Their Track with“Outside the Firewall” Threat Intelligence
As previously stated, monitoring inbound and outbound malicious traffic flows to ransomware actor command and control nodes is usually a losing proposition given the speed at which actors can take control of a network. This is especially true for small and medium enterprises. However, with properly defined and continuous monitoring in place “outside the firewall,” the improper misconfigurations and mistakes that ransomware actors take advantage of can be detected and remediated before an attack occurs.
Monitoring Digital Threats on the Open Source and Dark Web
● Identifying the proper forums and online outlets to scale digital threat monitoring is critical, especially when looking for credentials to employee devices. When internal entry points and exploits are being attempted, it is critical that organizations do the following:
● Monitor personalities, brands and groups of interest on social media and closed forums
● Perform surface web, deep and dark web monitoring complemented with human intelligence and analysis that aggregates breach datasets based on client-specific requirements.
● Establish and maintain personas and mis attributable infrastructure
● Monitor and detect Data leakage including Github leaks
● Support all relevant languages
Monitor Your External Attack Surface
External attack surface monitoring combines the most critical elements of asset discovery, shadow IT, malicious/anomalous traffic detection (global netflow) and threat actor infrastructure mapping into a single finished contextual analysis. The result is an outside-in view of business risk that is easily-consumable by stakeholders. This is not just vulnerability management continuously scanning the perimeter.
External attack surface management goes beyond discovering a list of IPs or websites. It’s a contextual understanding of how internet-exposed assets tie back into your business and the risks they present. Conducting the following at scale can prevent attackers from exploiting weakness to access your network.
● Scan continuously to discover unknown assets
● Fingerprint assets, services, applications, software, etc. to ensure patching is up to date
● Map assets by corporate locations, subsidiaries, and third parties ensuring consistency and centralized management
● Identify the posture of discovered assets (vulnerabilities, shadow IT, etc.)
● Determine geographic or business unit-based discrepancies
● Identify malicious actor infrastructure and insider threat traffic
● External threat hunting: This is an active analysis of technical data to identify actual threats you are facing. With this information, you can augment security controls to maintain confidentiality, integrity and availability of data, systems and networks
● Data leakage detection: determining if key supplier are leaking data to your organization
● Determine the business context of discovered assets
While there is no silver bullet for protecting against ransomware actors, it’s critical to prevent them from accessing your environment or exploiting a weakness in the technology supply chain. Conducting scaled and cost-effective attack surface and digital threat monitoring gives organizations of all sizes the best chance of identifying and defeating their adversaries.