How can you prepare for ransomware attacks?

If the last weeks have taught security practitioners anything, it’s that no organisation — regardless of size, sector or security budget — is immune to ransomware or the threat of a cyber attack.

In Australia, the healthcare industry has been one of the most targeted, with the Australian Cyber Security Centre (ACSC) stating that ransomware attacks against the Australian healthcare sector are growing. As an example, in 2021 large Australian organisations such as Eastern Health and Melbourne Heart group fell victim to ransomware. Of course, ransomware attacks are not exclusive to the healthcare sector, and VMware’s recent Global IR Threat Report found that over 60% of respondents had encountered ransomware attacks over the past year.

Business leaders and security professionals alike have only become more concerned about ransomware, and rightly so. This is due to a much more complex and broad attack surface than that of a decade ago. In tandem, cybercriminals have taken full advantage of the shift in working styles, becoming more motivated and sophisticated in their attack methods. In fact, the Global IR Threat Report also flagged that ransomware attacks have become increasingly malevolent, with over half of the reported encounters including double-extortion techniques. Furthermore, the Verizon Business 2022 Data Breach Investigations Report found that ransomware increased by 13% over the past year, representing an uptick greater than the past five years combined — with no relief in sight for the next year ahead.

Organisations must operate under the assumption that they will at some point be hit by ransomware. This requires having a holistic view of how such cyber attacks occur. An often overlooked element is the length of time an attacker may remain in a business’s environment before they trigger an attack. The longer they remain inside, the more information they can gather, the greater they can raise their access privileges and the more likely they are to cause catastrophic damage to your business.

Take the recent breach of Uber as an example. Information appears to demonstrate that the attacker operated within Uber’s environment for some time and has moved laterally across applications and platforms to gain broad access to a variety of highly sensitive, and potentially damaging, information. This is the biggest risk to most businesses — that the attacker will move laterally across the organisations and compromise multiple systems along the way.

This is why businesses need to choose the adequate tools and monitoring approaches to achieve ongoing vigilance and constant visibility into the normal behaviour of your applications, network, staff and systems.

Understanding how cyber attacks occur

As with anything, organisations must first ensure they have the fundamental view of risk, and an understanding of where cyber attacks arise from. Your view on risk will depend on your own business and applications used within the company. Businesses should reference known frameworks (such as NIST, Essential 8 and others) to understand which attacks are most likely in their industry or environment. Of those, which ones are the most dangerous, either in terms of pervasiveness or impact to the business? Of those that are high-risk or high-impact, which are most likely and how do they manifest? From these points, how does an attacker enter the business environment, whether it be through endpoint, email, physical access or a combination, and what mitigations are in place to prevent this type of intrusion?

Security teams must be able to see all the data and assets in an organisation in order to properly protect it and support these environments to continue running in the event of an attack. For this reason, it’s critical to establish a complete inventory of what the organisation has deployed in its environment — including what its current running state is and what the basic controls are around access and more specifically, privileged access.

Adopting the right tools

Businesses need to choose their security tools wisely. It is not just having the best tools, or best of breed, but ensuring that your tools will provide a high level of efficacy in your specific environment. Further, it is critical that these tools can work together or provide input into your management platform and enable your IT team to become response team members in the event of an attack. Finally, bringing your business back to its normal run state or maintaining some kind of business continuity is also critical and the choice of tooling, of process and how you train your staff will all contribute to the speed and success you have when responding to an incident.

Revisit your security strategy

Your security strategy should include extended visibility, analysis and response across networks and clouds in addition to apps and endpoints. Technology such as Extended Detection and Response (XDR) makes this possible by incorporating data from endpoints, network, application and cloud platforms to detect threats faster using data correlated across these domains.

Thanks to automation, XDR frees up the humans — or the security professionals on the frontlines — to look into the real threats, not the ‘noise’. During an actual ransomware attack, this is critical to ensure a business is up and running as fast as possible — as the humans then focus all of their attention on the real threat in near real time.

However, it’s important to note that network and endpoint visibility is needed for true XDR. While the collection of data from these sources is relatively straightforward, correlating this information to deliver true insights has been elusive. Encrypted network connections, turning off endpoints by a malicious actor and the sheer volume of data coming into our SIEM or other toolsets all contribute to the burnout of staff overwhelmed by the amount of information or false positives. The promise of XDR is that all this information will be correlated and only the most pertinent issues are then presented to the responders. Triage by technology of a potential incident is far more efficient than triage by human — especially when this triage can look into a data lake of similar actions to decide if the activity is, indeed, malicious or can be safely ignored.

“It’s not a matter of if, but when.” This is the mindset business leaders, and their security teams, must have before they become the next ransomware victim. By understanding the workings of attacks and adopting the right tools, organisations will be better positioned to minimise the damage during the face of such attacks. Is your business truly prepared?

Image credit: iStock.com/mikkelwilliam