The recent attacks caused by the Darkside ransomware attack impacted not just the company that was attacked, but also the entire Eastern US as it created significant demand for petroleum products and the recovery took weeks.
In more recent news, Conti ransomware has targeted US healthcare and first responder networks as well as more than 400 organizations worldwide. No organization is too small or insignificant for an attacker, and recent events show us just how damaging an attack can be. "With great power comes great responsibility," a popularized quote that is now alternatively known as the Peter Parker Principle, is a lesson the industry should adopt when considering their defenses. To determine that great responsibility, I am inclined to ask, "Why is this still possible today and what can be done to prevent the attacks before they happen?"
For the last decade, there has been a growing reliance on detection as a means of gathering better visibility to the threat we know as ransomware. In many cases, this has become the primary means of response to these attacks and requires response tools like incident response services as well as forensic analysis to determine the root cause and best response. After the attack, there is a microscope placed on the organization, industry, and, more directly, the response teams within the organization. What follows is pressure to change either people, process, or tools to better deal with future attacks.
In researching how these attacks are made possible, it is easy to see the common actions that enable these attacks despite the target. Often the initial attack is through social engineering, phishing, or drive-by downloads to establish a foothold or command-and-control through a vulnerability in software or Web applications. Next is discovery, lateral movement, privilege escalation, and in some cases, data exfiltration. Ultimately, the last stage of the attack is the ransom of the machine(s), where an organization is often put in the precarious position of having to pay a ransom or deal with the lengthy impact of the attack.
Organizations can no longer wait until the attack happens to have a security policy, patch management program, least privilege mindset, and most importantly, a user awareness training program that is run at least quarterly with every employee in the organization. Taking this proactive approach to regularly review all security policies allows organizations to not only stay ahead of the changing landscape, but also keep our most critical assets (employees) part of the overall security practice. Stopping the phishing attacks by recognizing the illegitimate communications from email, social media, and websites on corporate devices is an integral part of any security practice.
Having a prevention mindset means setting our prevention capabilities to "prevent" instead of relying on detection and response. Often, we mistake better visibility for better security, and there is no replacement for excellent pre-execution prevention when it comes to your endpoint security.
Good visibility of the lateral movement, privilege escalation, and data exfiltration is important, but without a team analyzing and acting on the alerts, the data itself is less valuable. Equally important to the forensic data collection should be the process of evaluating the data and making informed decisions on the access controls, endpoint policies, running processes, and external connections on each endpoint. If, as an organization, we are not responding to all events quickly we run the risk of missing the indicators of the attack that could have been avoided.
In security, it's OK to challenge the norm on a regular basis. It should not be OK to review your security measures and configurations only in hindsight. The time for review and challenge is before the attack — and often. There should be at least quarterly reviews of all tools for visibility, effectiveness, and tuning to close security gaps. There should be annual reviews of the exceptions applied for compatibility and business continuity to make sure they are still needed and close any open gaps in security that these exceptions pose. Finally, there should be a monthly review of the application and operating system vulnerabilities and an action plan for patching that closes the exposure.
Just like Peter Parker, we too have a responsibility as both consumers of information and users of technology to be inquisitive of the access we have and the potential impact it can have on our lives, professionally and personally. As we see in the examples of healthcare and petroleum, something that we use to support our daily lives can affect us deeply when it is no longer there.
While your company may not be affected today, the threat posed by ransomware is there for us all, whether at home or at an office. It is the task of everyone in an organization to ask for a prevention focus along with a regular review, training, and data analysis effort. If we focus on enabling our tools and our employees to be part of the security practice, it is very possible to stop the threat of ransomware and stop the impact it has on us all.Robert is the Field CTO for Deep Instinct. He has worked with many customers, partners, and investors over a 20-year span in his time in Sales Engineering and Professional Services to overcome the challenges in the growing threat landscape. As that threat landscape changes, ... View Full Bio