Ransomware is nothing short of a cyber pestilence. Its financial impact in 2019 was estimated at over $7.5 billion.
And 2021 is off to an equally inauspicious start, with new campaigns to watch for while the massive SolarWinds supply chain compromise continues to make headlines.
The $7.5 billion (and growing) question then, is how do you stop ransomware?
The answer: better threat detection and incident response capabilities.
Let’s take a look at why defenders need to increase their focus on timely detection and swift and decisive incident response–not just prevention–to effectively combat ransomware.
How Ransomware Beats Perimeter Defenses
Too much faith has been placed in firewalls, intrusion detection systems, and other perimeter defenses to stop ransomware. The idea of keeping the bad guys at the gates is enticing, but it’s also a pipe dream. Organizations need a new path forward in today’s threat environment, because stopping ransomware and other malware at the network boundary fails for three reasons:
1. Social Engineering
What good is a fortress when your employees essentially hand over the keys to the enemy? Social engineering tactics, above all phishing emails, are the most common mechanism for spreading ransomware (exposed remote-access services such as RDP with weak or reused passwords are the other major entry point). Unsuspecting users are manipulated into opening links or attachments sent by unknown senders, or by known contacts whose accounts have been compromised, so the message arrives from a trusted address and passes the perimeter. A ransomware infection follows.
2. Fileless Ransomware
Attackers now use fileless tactics that abuse features native to legitimate applications such as Excel. For example, a seemingly innocuous spreadsheet might carry an embedded macro that, when the user enables content, launches a signed, legitimate interpreter already on the machine (PowerShell, for instance) and pulls the ransomware into memory over an ordinary outbound HTTPS connection. Nothing unusual is written to disk until the encryption starts, which is why even organizations diligent about next-generation firewalls and application allowlists miss these “zero-footprint” attacks: the firewall sees permitted web traffic, and the allowlist sees a trusted binary.
3. Lateral Movement
Most importantly, perimeter prevention does nothing against an infection that’s already on the network. Ransomware typically enters through a single compromised system (e.g. a user endpoint such as a desktop, or an exposed Internet-facing server). It then contacts a command-and-control (C2) server, receives its instructions (commonly the encryption key and the list of file types likely to contain sensitive business data), and begins encrypting: first the local disk, then every mapped drive and network share the compromised account can reach, and, where the attacker has harvested credentials, further hosts across the network. Once this process is set in motion, all bets are off.
Steps to Detecting Ransomware
The first step to detecting ransomware is to aggregate log data from all your network devices, security solutions and SaaS applications for deep analysis.
Unfortunately, alert fatigue is a common problem, born of the many false positives raised by existing security tools. Malware with known signatures is caught at the perimeter; new strains and merely suspicious file traffic produce alerts that someone has to assess. There may be billions of network events per day and thousands of potentially harmful alerts. Businesses need a way to manage all of these alerts centrally and cross-correlate them, so that an unremarkable proxy alert and an unremarkable file-server alert from the same host together become the one incident worth investigating first.
The second step to detecting ransomware is being able to spot suspicious C2 traffic, including well-masked threats that bypass your initial defenses.
Most forms of ransomware “call home” to a server before they begin encrypting files. Given continuous (24x7x365) threat monitoring, with machine learning-based analytics surfacing candidates for a human analyst to hunt through, suspicious C2 traffic is detectable: requests at fixed intervals to a domain no other host visits, DNS lookups for newly registered domains, or small, uniform responses that look nothing like a user browsing. One caveat a defender should plan around: not every strain calls home. Some carry their encryption key with them and run entirely offline, so network C2 detection must be paired with endpoint telemetry such as process creation and mass file modification.
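To make the two detection steps concrete, here is an added example (not code from the Arctic Wolf post or any vendor’s product) that runs both checks over constructed log lines and cross-correlates the results. The log formats, hostnames, the domain update-check.invalid, and the thresholds (six hits, 20% jitter, five renames in 60 seconds) are all assumptions chosen for illustration. The first detector flags a host contacting one domain at near-constant intervals, the beaconing behaviour described above; the second flags a host appending the same new extension to many files on a share within a short window, which is what the encryption loop looks like from the file server.

```python
"""Added example: toy ransomware detectors over constructed log lines.
Not Arctic Wolf's or any vendor's detection logic; the log formats,
hostnames, domains and thresholds are invented for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_host> <dst_domain> <bytes>".
# WS-042 hits update-check.invalid every ~60 s with tiny, uniform responses.
PROXY_LOG = """\
2021-01-31T09:00:00 WS-042 cdn.example.com 51234
2021-01-31T09:00:02 WS-042 mail.example.com 2010
2021-01-31T09:01:00 WS-042 update-check.invalid 412
2021-01-31T09:02:00 WS-042 update-check.invalid 415
2021-01-31T09:03:01 WS-042 update-check.invalid 410
2021-01-31T09:03:59 WS-042 update-check.invalid 413
2021-01-31T09:05:00 WS-042 update-check.invalid 411
2021-01-31T09:05:30 WS-017 cdn.example.com 80321
2021-01-31T09:06:00 WS-042 update-check.invalid 414
2021-01-31T09:07:00 WS-042 update-check.invalid 409
2021-01-31T09:08:00 WS-042 update-check.invalid 412
"""

# Constructed file-share audit log: "<ts> <host> RENAME <old> <new>" or
# "<ts> <host> WRITE <path>". WS-042 appends ".locked" to five files in 3 s;
# WS-017's rename is an ordinary edit.
SHARE_LOG = """\
2021-01-31T09:08:05 WS-017 WRITE /shares/finance/q4.xlsx
2021-01-31T09:08:10 WS-042 RENAME /shares/finance/q4.xlsx /shares/finance/q4.xlsx.locked
2021-01-31T09:08:10 WS-042 RENAME /shares/finance/budget.docx /shares/finance/budget.docx.locked
2021-01-31T09:08:11 WS-042 RENAME /shares/finance/payroll.csv /shares/finance/payroll.csv.locked
2021-01-31T09:08:11 WS-042 RENAME /shares/hr/reviews.docx /shares/hr/reviews.docx.locked
2021-01-31T09:08:12 WS-042 RENAME /shares/hr/offers.pdf /shares/hr/offers.pdf.locked
2021-01-31T09:08:12 WS-042 WRITE /shares/hr/README_RESTORE.txt
2021-01-31T09:09:00 WS-017 RENAME /shares/finance/draft.docx /shares/finance/final.docx
"""


def parse_log(text):
    """Split each line into (timestamp, host, remaining fields)."""
    events = []
    for line in text.splitlines():
        ts, host, *rest = line.split()
        events.append((datetime.fromisoformat(ts), host, rest))
    return events


def find_beacons(events, min_hits=6, max_jitter=0.2):
    """Flag (host, domain) pairs contacted at near-constant intervals.
    Jitter is stddev/mean of the gaps between requests: a person browsing
    is irregular, an implant that sleeps a fixed interval is not."""
    by_pair = defaultdict(list)
    for ts, host, (domain, _nbytes) in events:
        by_pair[(host, domain)].append(ts)
    hits = []
    for (host, domain), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not mean(gaps):              # identical timestamps: nothing to measure
            continue
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            hits.append({"host": host, "domain": domain, "count": len(times),
                         "interval_s": round(mean(gaps)), "jitter": round(jitter, 3)})
    return hits


def find_encryption_bursts(events, window_s=60, min_renames=5):
    """Flag hosts that append the same new extension to many files within
    window_s seconds: the encryption loop walking a mapped share."""
    renames = defaultdict(list)          # (host, appended extension) -> times
    for ts, host, fields in events:
        if fields[0] != "RENAME":
            continue
        old, new = fields[1], fields[2]
        if new.startswith(old) and len(new) > len(old):
            renames[(host, new[len(old):])].append(ts)
    hits = []
    for (host, ext), times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_renames:
                hits.append({"host": host, "extension": ext,
                             "renames": end - start + 1,
                             "first_seen": times[start].isoformat()})
                break
    return hits


def triage(proxy_text, share_text):
    """Run both detectors and cross-correlate: a host that both beacons and
    mass-renames files is the one to isolate first."""
    beacons = find_beacons(parse_log(proxy_text))
    bursts = find_encryption_bursts(parse_log(share_text))
    isolate = sorted({b["host"] for b in beacons} & {b["host"] for b in bursts})
    return {"beacons": beacons, "bursts": bursts, "isolate_now": isolate}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROXY_LOG, SHARE_LOG), indent=2))
```

Run as-is, the script reports WS-042 beaconing to update-check.invalid every 60 seconds with jitter near zero, the five-file “.locked” burst from the same host, and WS-042 as the host to isolate now. Real implants add random sleep jitter precisely to defeat the first check, so the jitter threshold is a tuning knob rather than a constant, and the rename check should be fed from the file server’s audit log rather than the endpoint, since the endpoint is the thing you no longer trust.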
Coordinating Effective IR
Threats that are snagged by the first lines of defense are easy enough to block. However, once an endpoint is infected, Incident Response (IR) needs to be swift and precise.
An infected endpoint must be quarantined the moment C2 traffic is detected, by isolating it from the network at the EDR agent or the switch port rather than by asking the user to log off. Otherwise the ransomware keeps encrypting every drive and share the compromised account can reach, and the operator behind it keeps moving laterally. Clearly then, responding to ransomware is a race against the clock. One lapse in vigilance can turn an ordinary day into a worst-case scenario.
Once the infected endpoint is quarantined and further forensics are conducted to ensure that the ransomware has been contained, damage control can begin. At this point, the compromised endpoint can be re-imaged and file backups restored, with two checks first: capture a disk and memory image of the endpoint before wiping it, so the initial access vector and any harvested credentials can be identified, and verify that the backups themselves are intact and were not reachable from the infected host, since ransomware operators routinely delete or encrypt backups before triggering the main encryption run. Restoring before the entry point is closed simply invites a second infection.
Acquiring the Resources for Detection and Response
The NIST Cybersecurity Framework has five functions: Identify, Protect, Detect, Respond, and Recover. Clearly, the “detect” and “respond” aspects are especially important in combating ransomware. However, they’re also the more challenging components of NIST’s framework, especially for organizations that may not have the resources or the expertise to perform continuous monitoring.
That said, organizations of every size have another option: Managed detection and response (MDR). This managed security model supplies organizations with a team of dedicated security engineers that performs continuous threat monitoring and supplies IR services. There is no more effective way for businesses to combat ransomware than with timely detection and decisive IR – MDR provides both and is available as a predictable monthly expense. Contact Chi to learn more.
Originally published on the Arctic Wolf blog, January 31, 2021.