Ransomware is the preeminent cyber threat facing both public and private sector organizations. By one estimate, around four in 10 organizations experienced a ransomware attack in the last two years. Moreover, the stakes of ransomware incidents have risen right along with their frequency. Today's ransomware attacks are complex feats of extortion that combine data theft, malware deployment, denial of service, and other pressure tactics. Ransomware attacks have been linked to disruption of critical infrastructure, from hospitals to gas distribution pipelines.
Tackling ransomware threats is a top priority for both law enforcement and private sector security firms. The recent attacks affecting critical infrastructure in the US inject urgency into the government's response to the ransomware threat.
For example, following the attack on the Colonial Pipeline, servers and bitcoin wallets used by the DarkSide ransomware group and its affiliates were seized and disabled, forcing the group to cease operations. At the same time, the Biden administration rallied like-minded countries to its Counter Ransomware Initiative (CRI) to work on improving cross-border coordination in areas like criminal investigations and prosecution as well as diplomatic cooperation.
The bad news: Neither stepped-up response nor better international cooperation will make the ransomware problem disappear. Organizations need to improve their ability to detect and prevent emerging ransomware attacks. To quote Chief Brody from the movie Jaws, "You're gonna need a bigger boat" to stop ransomware, or at least a different boat. So, what does this new ransomware-catching boat look like? Here are some thoughts.
Quality Threat Intelligence Is Key
Ransomware is too diverse a threat to succumb to any "silver bullet" security solution. To stop ransomware, organizations must first develop an in-depth understanding of the tooling, capabilities, and behaviors of ransomware groups likely to target them. To get to this level of understanding, your organization needs up-to-date threat intelligence.
What constitutes ransomware threat intelligence? It can be strategic, operational, or tactical, and ideally you will use some of each. Strategic threat intelligence helps organizations understand what kinds of threats (and threat actors) they are likely to face. Operational threat intelligence covers the "how" and "where" of an attack: it helps organizations identify the actors behind specific threats and the tactics, techniques, and procedures (TTPs) they use. Tactical threat intelligence is specific to a campaign. It provides the network, file, and other indicators (domains, IP addresses, file hashes, and the like) associated with ransomware groups.
You Have Local Threat Intel … Use It!
If your organization is just setting up its threat intelligence program, you may encounter a common problem: where to start? After all, many security teams have little or no budget to fund threat intelligence programs.
The good news is that the answer to that question is right under your nose, and costs you almost nothing to leverage. Threat intelligence harvested from your own environment is among the most valuable and actionable information your team has. Collect it! What kind of threat intelligence? When it comes to catching ransomware groups in the act, everything goes into the pot: scans observed against your network, to start, but also malicious emails, malicious redirects, intrusion detection alerts, endpoint scan results, and more. Because it was observed in your environment, this data is already tailored to your organization, which is exactly what external feeds usually lack.
Use Free Threat Intelligence Feeds
After you make the most of your internal threat intelligence, consider using some of the many free external threat intelligence sources. Open source threat intel feeds come in many forms and include information from VirusTotal, the FBI's InfraGard program, the SANS Internet Storm Center (ISC), and offerings by IT and security vendors.
However, as the saying goes, you get what you pay for. Free threat-intelligence feeds are offered as-is and are often voluminous and poorly tailored to the needs of your organization. That can make them difficult to operationalize. Improperly used, data from these free feeds can inject noise into threat hunting and threat intelligence functions, impairing response. Use them with care!
Timely, Reliable Data Is Key
Finally, threat intelligence data loses value over time. And the window of opportunity to act on threat intelligence may be measured in days or weeks, not months.
Threat intelligence providers that can't deliver actionable intelligence in a timely manner should be sidelined. Also, pay attention to the availability and security of those feeds. Mature threat intelligence programs demand stable, always-on streams to feed ongoing analysis. But that creates risks as well, including data poisoning of the feed itself and attacks that exploit the access granted to threat intelligence providers. Validate what a feed sends you before it drives automated blocking or alerting.
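As an added illustration of the three points above (harvesting your own logs, filtering noisy free feeds, and aging out stale indicators), and not code from the article or from any named feed or vendor, here is a small Python script that loads a feed of indicators, drops entries that are too old or too low in confidence, matches the survivors against local proxy/DNS log lines, and pivots on which internal hosts touched more than one indicator. The CSV feed layout, the log line layout, the addresses (RFC 5737 test ranges and example.* names) and the fixed "now" timestamp are all constructed assumptions for the example.

```python
"""Age- and confidence-aware matching of feed indicators against local logs.

Added example, not from the original article. The feed and log formats
below are hypothetical; adapt the parsers to whatever your feed and log
sources actually emit.
"""
import csv
import io
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample feed: "value,type,confidence,last_seen". Addresses are
# RFC 5737 documentation ranges and RFC 2606 names, not real indicators.
SAMPLE_FEED = """value,type,confidence,last_seen
198.51.100.23,ipv4,90,2024-03-10T12:00:00Z
203.0.113.77,ipv4,40,2024-03-11T08:30:00Z
malicious.example.net,domain,85,2023-11-02T09:15:00Z
payload.example.org,domain,95,2024-03-09T17:45:00Z
"""

# Constructed sample local log lines: "timestamp client-ip rest-of-event".
SAMPLE_LOGS = """2024-03-11T09:01:12Z 10.0.4.15 GET http://198.51.100.23/update.bin
2024-03-11T09:01:40Z 10.0.4.15 DNS malicious.example.net A
2024-03-11T09:02:05Z 10.0.7.9 GET http://203.0.113.77/ping
2024-03-11T09:03:22Z 10.0.4.15 DNS payload.example.org A
2024-03-11T09:04:00Z 10.0.7.9 GET http://www.example.com/index.html
"""

# Fixed reference time so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 3, 11, 12, 0, tzinfo=timezone.utc)


def load_feed(text, now=NOW, max_age_days=30, min_confidence=60):
    """Parse a CSV feed and return {indicator: {type, confidence, age_days}}.

    Entries older than max_age_days or below min_confidence are dropped:
    ransomware infrastructure rotates quickly, so stale or weak indicators
    mostly generate false positives rather than detections.
    """
    keep = {}
    for row in csv.DictReader(io.StringIO(text)):
        last_seen = datetime.strptime(row["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        age_days = (now - last_seen.replace(tzinfo=timezone.utc)).days
        confidence = int(row["confidence"])
        if age_days > max_age_days or confidence < min_confidence:
            continue
        if row["type"] == "ipv4":
            ipaddress.ip_address(row["value"])  # raises on a malformed feed row
        keep[row["value"].lower()] = {
            "type": row["type"], "confidence": confidence, "age_days": age_days,
        }
    return keep


# Tokens that can be hostnames or IPv4 addresses inside a log event.
TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def match_logs(log_text, indicators):
    """Return (timestamp, client, indicator, confidence) for each log line mentioning a kept indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, rest = line.split(" ", 2)
        for token in TOKEN.findall(rest.lower()):
            if token in indicators:
                hits.append((ts, client, token, indicators[token]["confidence"]))
    return hits


def hosts_by_hit_count(hits):
    """Pivot on the local data: how many distinct hits did each internal host produce?"""
    return dict(Counter(client for _, client, _, _ in hits))


if __name__ == "__main__":
    indicators = load_feed(SAMPLE_FEED)
    for hit in match_logs(SAMPLE_LOGS, indicators):
        print(hit)
    print(hosts_by_hit_count(match_logs(SAMPLE_LOGS, indicators)))
```

With the default 30-day window and confidence floor of 60, two of the four feed rows survive and two log lines match, both from the same internal host; that host is the one to pull endpoint data from first. Loosening the filters (a year-long window, no confidence floor) turns the same logs into four hits, including one from a low-confidence row, which is the noise the previous section warns about.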
Engage in threat hunting and leverage threat intelligence. Both may be new territory for your team. The good news is that you're closer to setting up a threat hunting operation than you imagined. By leveraging internal threat intelligence as well as free threat feeds from reputable sources, your organization can begin to get a jump on emerging threats and attacks on your organization. With online adversaries and threats constantly evolving, that small edge in detection and response may be the difference between business as usual and a very bad day for your organization!