Ransomware – Expert Talk

Do you want to avoid becoming a victim of Ransomware? And are you responsible for protecting your enterprise against cyber attacks?

In the Expert Talk below by Swiss IT Security Group (Blog and Video), Maik Morgenstern, CTO of AV-TEST, and Tobi Träbing, Technical Director EMEA of XM Cyber, share examples, learnings and suggestions on how to avoid becoming a victim of Ransomware and how to prevent major damage to your enterprise.

Tobias Träbing: “Maik, what lines of business are the main targets for ransomware attacks?”

Maik Morgenstern: “Everyone is a target, whether a small or medium business or a Fortune 500 enterprise. All attackers have in mind is the maximum financial gain. Different studies do list a top 10, however, according to their own data:
Trellix reports Banking, Utilities and Retail as the top three for 2021, while Sophos reported Media, Retail and Energy/Utilities for 2022. Other targets include transport, professional services, education and even healthcare.

Although certain lines of business seem to be more prone to attacks than others, ransomware remains a constant threat for all enterprises and has been growing in importance over the last few years. But of course, companies are ill advised to focus on ransomware only. In fact, cybercrime has become a whole business sector on its own.”

Watch the full Ransomware Video:


Tobias Träbing: “Can you describe the landscape of security incidents? What are the most important categories?”

Maik Morgenstern: “This is all interconnected. Identity theft may be used to set up phishing sites or other social engineering attacks, which will lead to credential theft, and this in turn is the major infection vector that leads to ransomware. An IBM study said that in 2021, 45% of ransomware attacks happened through phishing or social engineering: Attackers are no longer breaking in, they are logging in.

Security incidents in general are usually made possible by vulnerabilities in IT infrastructures. Ransomware attacks, on the other hand, are in certain ways special cases of security incidents because they rely heavily on the human factor, on mistakes made or careless user behavior. Those flaws cannot easily be fixed, but in the end, what matters much more is to ensure that mistakes and careless user behavior do not lead to catastrophic effects. Therefore, the principle of Attack Path Management does not focus on preventing the ransomware attack, but on minimizing the damage by stopping the attack in its early stages.”


Maik Morgenstern: “Tobi, what are the most common exposures that lead to ransomware compromise? And what are some best practices you recommend to reduce risk?”

Tobias Träbing: “Ransomware families often exploit known and common software vulnerabilities and IT Security misconfigurations like over-permissive user credentials or same local credentials to propagate themselves through the network.

Understanding the chaining of the different security issues is key to overcoming security threats, particularly ransomware families. Essential steps/recommendations that have proven to be successful in limiting security issues are:

• Continuous visibility of attack techniques and vectors to understand exposure
• Implementation of a robust and intelligent vulnerability management process (not only covering software vulnerabilities but all security-related issues)
• Implementation of a robust IT security hygiene program to overcome siloed issues holistically to reduce any negative impact of infections/attacks

As in most areas of IT, the threat landscape changes rapidly. Every year, there are a few attacks that make it to the front page, either because of the amount of damage, the spotlight on the target or the innovative nature of the attack.”


Tobias Träbing: “Maik, in that respect, what have been the trends in 2022? Which areas are the most prominent ones? Which incidents were the most notable ones?”

Maik Morgenstern: “When we look at the history of ransomware, it all started with malware that was locking your devices, then threatened to delete your data and finally evolved to what people nowadays understand as ransomware: Malware that will encrypt your data and demand a ransom to decrypt it. In the past few years a new approach was used: Double Extortion Ransomware. On top of just encrypting files, the data is also exfiltrated and the attacker threatens to release the data if no ransom is paid. Besides that, we see a constant improvement in the technologies used in EPP and EDR products, which is making successful attacks harder.”


Demand for continuous and automated attack simulations increases

Many ransomware attacks are successful only because of lucky timing. The internal security tools may have already detected the attack, but one single user unaware of the consequences can still unleash the catastrophe.


Maik Morgenstern: “Is timing a crucial factor for ransomware attacks? How do Attack Path Management Services factor in when it comes to reducing cyber risk and closing security gaps?”

Tobias Träbing: “Yes, timing is definitely a crucial factor for ransomware attacks. Some attacks will only be successful at a certain time of the day or on a certain day of the week, for example because you may reach less security-conscious or focused staff at night or on weekends. In the early morning, a phishing e-mail may reach an employee who might otherwise have already received a warning from the IT department.

And timing is also a critical factor in understanding attack paths and exposures within companies. Very often, companies and responsible stakeholders use “ad-hoc” processes or time-inefficient ways to assess the infrastructure, like vulnerability scans and penetration tests. These analyses only provide a snapshot of a given timeframe or even environment – this will not help companies keep control of the ever-changing landscape of their environment.

We now see more and more Cloud and IaaS providers being used, enabling businesses to run operations even faster than before – yet this dynamic is increasing the risk of overlooking exposures and security issues.

As the Attack Path Management Services run continuously 24×7, the platform can tell organizations at any given point in time:

• what their exposures are and
• how changes within the environment are affecting these exposures.

APM Services therefore help to:

• quickly and easily understand the impact of new security issues (e.g., Log4j),
• measure and quantify the cyber risk to communicate that to other stakeholders easily and
• understand what can be done to overcome the exposures in the most efficient way.”


Unusual attack paths - understanding the hacker

Although cyber attacks in general and ransomware attacks in particular leave anyone thinking about them with an uneasy feeling, they also provoke a certain sense of fascination.


Tobias Träbing: “Maik, what is the most unusual ransomware attack you have encountered?”

Maik Morgenstern: “Probably when Lockbit attacked a children’s hospital and then later posted a public apology and provided a decryptor for free. This case is also a great example for one of the most interesting trends in the “ransomware industry”. After the incident, Lockbit blamed a “partner” for the infection. This bizarre constellation was made possible by the fact that Lockbit provides “affiliates” access to their malware in return for a cut of the ransom profits: “Ransomware as a service”.

The world of IT moves fast. An attacker moves even faster. As IT security tools become more and more sophisticated, so do the attacks. And the attacker often seems to be the decisive step ahead.”


Tobias Träbing: “In what ways have attacks become more sophisticated?”

Maik Morgenstern: “In the beginning of the ransomware era, an infected system would be encrypted right away, and a ransom would be demanded by the attacker. Attackers wouldn’t know whether this was an interesting, high-profile target or not.

Attackers did learn that they could earn more money if they attack certain organizations with more sensitive data. So, they will carefully assess the situation once they have access to a network to decide whether this is a good target. They will then start to move through the network and look for the most sensitive data and systems to exfiltrate or to encrypt. This allows attackers to use their resources on those targets that would possibly pay higher ransom fees.”


How to beat the hacker

Maik Morgenstern: “Tobi, how can Attack Path Management Services help? How do they support organizations in preventing and mitigating ransomware risks?”

Tobias Träbing: “Attack Path Management Services, by using the XM Cyber platform, continuously assess all the different attack vectors and techniques of ransomware families to understand how they could spread within the network. Being able to understand the underlying security issues, like for example software vulnerabilities, IT security hygiene and risky user behavior, is key to stopping and preventing ransomware attacks.

With that, the platform provides an overview of the network, i.e. how attackers see your network, and with the managed services from your company, SITS Group, companies will understand what needs to be fixed to stop the attack paths of ransomware families to all entities (cloud, on-prem, hybrid), but most importantly, to critical assets to ensure business continuity and confidentiality, integrity and availability of data.”


Tobias Träbing: “What are the most effective measures to prevent ransomware attacks?”

Maik Morgenstern:

• Backups of all data on a regular basis.
• Identify data and systems that need special attention or extra protection.
• Use defense in depth with several security layers. Even if one layer fails, there are still others that can stop or at least detect the attack.


Tobias Träbing: “What is the best reaction in case something has already happened?”

Maik Morgenstern: “Follow your recovery plan and use your backups. This would be the ideal solution but is probably not the reality for most companies. If something happened and you can’t recover your data and systems, your best bet is to work with IT security experts that will try to decrypt your data. It is not advisable to work with the attackers, as there is no guarantee for decryption.

It is obviously not enough to identify vulnerabilities; they also need to be fixed. However, experts agree that the sheer number of exposures makes it impossible to fix every single weak spot. It is therefore more important than ever to prioritize wisely.”


Maik Morgenstern: “How do Attack Path Management Services prioritize exposures?”

Tobias Träbing: “It is crucial to understand that adversaries or the automated spreading of malware are exploiting multiple issues:

• software vulnerabilities
• misconfigurations, and
• risky user behavior

In the past, companies usually addressed these three main pillars of breaches by the singular approach to them, for example by using a vulnerability scanner for software vulnerabilities, configuration management tools for misconfigurations and so on. However, using all the data in a single platform is key to understanding the overall exposure. Rather than just working off long lists of software vulnerabilities, the XM Cyber platform helps to understand the exact exposure with other security issues, like misconfigurations.

Since we are always focused on understanding the impact of the above towards critical assets, the platform can easily prioritize the security issues with the related impact to the risk of the critical asset.

With that, organizations can work on the most critical security issues first, to protect their critical assets. In addition, the platform automatically identifies critical key junctions within the environment – so-called Choke Points. Rather than addressing security issues on different machines, customers can easily cut off attackers at those Choke Points and break the Attack Path.”
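As an added illustration of the Choke Point idea described above (this is example code written for this page, not the article's or XM Cyber's own logic), the following Python takes a small constructed attack graph with hypothetical host names and ranks the nodes whose remediation, on its own, cuts off the most critical assets from every entry point:

```python
from collections import deque

# Constructed attack graph (hypothetical hosts, not from the article or XM Cyber).
# Edge A -> B: an attacker who controls A can reach B through some exposure,
# e.g. a shared local admin password, an unpatched service or a cached admin token.
ATTACK_GRAPH = {
    "ws-finance-01": ["ws-finance-02", "file-srv"],  # phished workstation
    "ws-finance-02": ["file-srv"],                   # same local admin credentials
    "ws-dev-07": ["jump-host"],                      # phished developer laptop
    "file-srv": ["jump-host"],                       # unpatched service
    "jump-host": ["domain-ctrl", "backup-srv"],      # cached admin tokens
    "domain-ctrl": ["erp-db"],
    "backup-srv": [],
    "erp-db": [],
}
ENTRY_POINTS = {"ws-finance-01", "ws-dev-07"}   # where phishing lands
CRITICAL_ASSETS = {"erp-db", "backup-srv"}      # what the business must keep


def reachable_assets(graph, entries, assets, removed=frozenset()):
    """Critical assets an attacker can reach from any entry point;
    nodes in `removed` are treated as remediated and cut out of the graph."""
    seen = set()
    queue = deque(e for e in entries if e not in removed)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        for nxt in graph.get(node, []):
            if nxt not in removed:
                queue.append(nxt)
    return seen & assets


def choke_points(graph, entries, assets):
    """Rank non-asset nodes by how many critical assets become unreachable when
    that single node is remediated. The top entries are the choke points: fixing
    one of them breaks every attack path to the assets it protects."""
    baseline = reachable_assets(graph, entries, assets)
    ranking = []
    for node in graph:
        if node in assets:
            continue
        after = reachable_assets(graph, entries, assets, frozenset({node}))
        protected = sorted(baseline - after)
        if protected:
            ranking.append((node, protected))
    ranking.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranking
```

On the constructed graph, fixing any single workstation or the file server leaves another path open, so neither is a choke point; jump-host ranks first because every path to both critical assets crosses it, followed by domain-ctrl, which protects only erp-db.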


Start now! Within only a few weeks you see what hackers see.

Tobias Träbing: “What are the challenges that prevent enterprises from protecting themselves more effectively?”

Maik Morgenstern: “One major reason is probably the complexity of today’s organizations, both on a personal as well as on a technical level. Access to systems needs to be managed on different access levels for different persons. Who can access which systems and which data? Also, all systems have to be kept up to date with security patches and configurations need to be evaluated and verified constantly. Defense in depth means that you will have different layers of protection and detection, which will help secure your company. Yet, at the same time this also means that you will have to manage a lot of security systems.”


Maik Morgenstern: “Tobi, can you explain why XM Cyber’s attack graph modeling combined with SITS services enables organizations to stay one step ahead of attackers and continuously reduce their cyber risk?”

Tobias Träbing: “Understanding the different attack paths, combined in an overall graph model, is really key to understanding what attackers can do in organizations’ networks. Eliminating the key junctions (choke points) and using guided remediation can help organizations step up their security levels.

However, using the SITS Services takes that even further. With the collaboration of SITS and XM Cyber, organizations are being enabled to use the in-depth security knowledge of the SITS experts alongside their service offering – such as

• further adoption of the platform
• detailed and tailored remediation proposals and implementation
• alignment with risk management frameworks
• review and adoption of existing security processes
• incident management integration
• immediate support in case of new highly critical vulnerabilities (e.g. Log4j)”


Bottom line

Being in control of your IT infrastructure is the foundation of successful ransomware protection.

Ransomware protection starts with understanding what the attacker is aiming at.

Even well-protected enterprises can become victims of ransomware attacks.

It is therefore crucial that enterprises know their critical assets and protect them accordingly.

Don’t wait! Start now! Within only a few weeks you see what hackers see.

Has this talk caught your interest? Feel free to contact Maik and Tobi with your questions and take a look at our data sheets for more information about our Attack Path Management Services.
