In previous posts, we’ve reviewed how ransomware works, how it’s evolving, and how it’s becoming a pervasive, costly, and challenging threat to networks throughout the world. The scale of the ransomware menace is mind-boggling – various reports estimate a cost of $20 billion for 2020 alone, a 57X increase over 2015 – and it is becoming even more sophisticated through artificial intelligence and other techniques.
The costs continue to rise. Just recently, JBS, the world’s largest meat supplier, suffered a ransomware attack. The resulting disruption to operations is expected to significantly impact consumer prices for beef and pork in the U.S., Canada and Australia.
Beyond the direct financial costs, though, lie other, even more damaging impacts. Loss of brand reputation, angry customers, lost sales opportunities and productivity, fines and penalties for unmet obligations and other ‘soft’ costs, in addition to the costs of remediation and recovery, quickly add up.
As many sources have reported, 2020 saw more cyberattacks than any previous year on record, a rise largely attributed to the sudden shift to working from home. The change was so abrupt that companies were left scrambling to mitigate attacks while accommodating remote workers in the COVID-19 era, often by exposing remote-access services that attackers were quick to target.
Ransomware was no exception to this shift. With growing sophistication and effectiveness, ransomware is entering a booming age. Given that, it’s not hard to predict what is going to happen – unless we all get a lot smarter, and quickly, the ransomware problem is going to get worse as we move through 2021.
However, this does not mean that there is no hope for those responsible for defending the network. The foundation is still backups that ransomware cannot reach: offline or immutable copies, held separately from domain credentials, and restored on a regular schedule to prove they actually work, since many ransomware operators delete or encrypt online backups before triggering encryption. On top of that, a range of endpoint and network protection solutions can help prevent, detect and contain ransomware, as described below.
Protection at the Endpoint
Endpoint protection platforms offer next-generation antivirus, host-based intrusion prevention and related tools to detect and remove malware such as ransomware. They form one of the many necessary layers of security at the enterprise digital perimeter. Many endpoint protection suites also include email security that blocks phishing messages, which frequently carry ransomware payloads or links to them.
Endpoint detection and response (EDR) extends that protection. It records process, file and network activity on each endpoint, looks for signs of infection (for example, a single process rapidly rewriting large numbers of files, or deleting volume shadow copies), and alerts the security team. These alerts shorten investigation times, and EDR can typically suspend a suspicious process or isolate the host from the network until an analyst has looked at it. With the right tooling and tuning, ransomware can be stopped before it exfiltrates or encrypts data; without tuning, the same alerts are easily lost in noise.
Defending the Network
Network detection and response (NDR) and network traffic analysis (NTA) solutions add a line of defense that does not depend on an agent being present on the compromised host. These tools monitor both east-west (lateral) and north-south (internet-bound) traffic, increasingly with machine learning on top of conventional rules, to surface threats that might otherwise be hidden from admins. For example, comparing a host's outbound volume against its own baseline can reveal large-scale data exfiltration, which most modern ransomware crews perform before encrypting so they can extort a second payment, and alert the security team while there is still time to respond.
NDR can also detect connections to known ransomware infrastructure through command-and-control (C&C) blocking. Some (but not all) ransomware operations use a C&C structure to coordinate infected hosts, relay commands and hand over encryption keys, usually via intermediary servers or proxies that hide the operator's real location. A variety of techniques are used to detect, block or sinkhole C&C traffic, which can cut the malware off from its operators. Two caveats matter in practice: many ransomware families encrypt perfectly well without ever reaching C&C, and indicator lists go stale quickly, so C&C blocking complements behavioural detection rather than replacing it.
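The two network checks described above, as an added example that is not code from the original post or from any particular NDR product. It runs over constructed flow records (made-up internal hosts, destinations and byte counts) and does two things: flags a host whose internet-bound outbound volume for the day is far above its own historical median, and flags any connection to a destination on a constructed command-and-control indicator list. The ratio, floor and internal address ranges are illustrative assumptions, not vendor defaults.

```python
"""NDR-style checks over constructed flow records (example code).

(1) Exfiltration: per-host outbound volume versus a per-host baseline.
(2) C&C: destination matched against a known-indicator list.

All hosts, addresses, domains and byte counts are made up for the example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    day: str        # YYYY-MM-DD
    src: str        # internal host that originated the connection
    dst: str        # destination IP literal or hostname
    port: int
    bytes_out: int  # bytes sent by src


# Assumption: the organisation's internal ranges (adjust to your own).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed history: seven days of internet-bound totals per host, in bytes.
HISTORY: Dict[str, List[int]] = {
    "10.0.1.20": [210_000_000, 190_000_000, 250_000_000, 220_000_000,
                  205_000_000, 198_000_000, 230_000_000],
    "10.0.1.21": [120_000_000, 140_000_000, 110_000_000, 130_000_000,
                  125_000_000, 135_000_000, 118_000_000],
    "10.0.2.5":  [900_000_000, 950_000_000, 870_000_000, 910_000_000,
                  930_000_000, 890_000_000, 905_000_000],
}

# Constructed "today": 10.0.1.21 pushes ~9.2 GB to one external host and
# 10.0.1.20 makes a tiny connection to a listed C&C address. 10.0.2.5 (a
# file server) only talks to internal hosts, which must not count as exfil.
TODAY: List[Flow] = [
    Flow("2021-06-03", "10.0.1.20", "203.0.113.10", 443, 180_000_000),
    Flow("2021-06-03", "10.0.1.20", "198.51.100.23", 8443, 4_096),
    Flow("2021-06-03", "10.0.1.21", "203.0.113.77", 443, 9_200_000_000),
    Flow("2021-06-03", "10.0.2.5", "10.0.1.20", 445, 880_000_000),
]

# Constructed indicator list; a real one comes from threat-intel feeds.
KNOWN_C2: Set[str] = {"198.51.100.23", "update-checker.example"}


def is_external(dst: str) -> bool:
    """True if dst is outside INTERNAL_NETS. Hostnames are treated as
    external so that egress via a DNS name is not silently ignored."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def external_outbound_per_host(flows: Iterable[Flow]) -> Dict[str, int]:
    """Sum bytes_out per source host, counting only internet-bound flows."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_external(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)


def exfil_suspects(flows: Iterable[Flow], history: Dict[str, List[int]],
                   ratio: float = 5.0, floor: int = 1_000_000_000
                   ) -> Dict[str, Tuple[int, float]]:
    """Hosts whose outbound total exceeds `ratio` x their historical median
    AND an absolute floor (so a tiny baseline times 5 does not alert).
    A host with no history has a baseline of 0 and alerts on the floor alone."""
    suspects: Dict[str, Tuple[int, float]] = {}
    for host, total in external_outbound_per_host(flows).items():
        baseline = median(history.get(host, [0]))
        if total > ratio * baseline and total > floor:
            suspects[host] = (total, baseline)
    return suspects


def c2_hits(flows: Iterable[Flow], indicators: Set[str]) -> List[Flow]:
    """Flows whose destination (IP or hostname) is on the indicator list."""
    return [f for f in flows if f.dst in indicators]


if __name__ == "__main__":
    for host, (total, base) in exfil_suspects(TODAY, HISTORY).items():
        print(f"EXFIL? {host}: {total / 1e9:.1f} GB out, baseline {base / 1e6:.0f} MB/day")
    for f in c2_hits(TODAY, KNOWN_C2):
        print(f"C2 {f.src} -> {f.dst}:{f.port} ({f.bytes_out} bytes)")
```

Note that the C&C check fires on a 4 KB connection the volume check would never see, while the volume check fires on a destination that is on no list; that is the reason to run both. In a real deployment the baseline should be per host and per destination class, and the indicator list refreshed from a feed rather than hard-coded.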
In addition, the secure access service edge, or SASE, addresses today's most common security challenges: applications living outside the data center, sensitive data spread across multiple cloud services, and users connecting from anywhere on any device. SASE combines SD-WAN with cloud-delivered security services such as secure web gateway, cloud access security broker, zero-trust network access (in place of a traditional VPN) and firewall-as-a-service, so the same policy follows a user whether they are in the office or at home.
The Importance of ATT&CK
Many security solutions use MITRE ATT&CK as a shared knowledge base to map attacks and their corresponding defenses. Security teams can use it to develop detection or prevention controls for each technique in the enterprise matrix, and, just as importantly, to see which techniques they have no coverage for at all.
ATT&CK can be very useful for network and security admins because it associates threat actors with the techniques and tactics that they have been known to utilize. ATT&CK provides details on more than a hundred actors and groups, including their techniques and tools.
Leveraging ATT&CK, adversary emulation exercises can be designed to mirror the tools and techniques used by specific actors, including the ransomware groups tracked in the framework. This gives network defenders a roadmap to test against their operational controls and see where they are weak and where they are strong against particular actors.
Considering the severity of these recent ransomware developments, it is more imperative than ever to ensure that your organization is well protected. Ransomware incidents need to be dealt with swiftly and transparently in order to avoid considerable cost and reputational damage. In addition, we hope the recent high-profile ransomware attacks will strengthen demands for cybersecurity standards for the companies that play an important role in national security, instead of leaving it up to private companies themselves to protect these critical systems.