
Dark Reading, Vulnerabilities / Threats, 11/11/2020 10:00 AM

How to Avoid Getting Killed by Ransomware

Using a series of processes, infosec pros can then tap automated data hygiene to find and fix files that attackers key in on.

If you're an IT security professional, mastering mystifying terminology and arcane acronyms is a rite of passage — maybe even a badge of honor. But there's one unusually blunt cybersecurity term anyone can understand — the "kill chain." A successful attack (the "kill") doesn't just happen. It's the end result of a sequence of essential steps (the "chain") that must be completed in order. If you break the chain, you stop the attack.


The chain metaphor clarifies the problem — but it doesn't necessarily simplify it. If you want to strengthen your defenses against ransomware, you'll need to consider the entire cybersecurity alphabet — from authentication to zero-day malware defenses. In this article, I'll look at an abbreviated kill chain for ransomware with a focus on the "discover and spread" step. Then I'll introduce a strategy of automated data hygiene that can find and fix the overshared files that attackers either take hostage or use to move closer to the kill.

Step 1: Payload Delivery
Most ransomware attacks start by phishing end users, sometimes enlisting compromised websites as the lure. Unsuspecting users take the bait, click the links, and unwittingly deposit attack payloads where they can start their work. Security professionals have tools at their disposal (email scanners, anti-phishing software, employee training) to reduce exposure to malware delivery methods, but the unfortunate truth is that users are soft targets for skilled cybercriminals.

Step 2: Establish Command and Control
After that fateful download or click, the ransomware payload soon attempts to contact its command-and-control (C2) infrastructure. Establishing this channel is an essential step. If successful, attackers can remotely explore the target environment, download encryption keys, and find valuable data. Defensive strategies focus on spotting and stopping C2 traffic. This can be a real cat-and-mouse game as attackers shift between connection points and IP addresses.

Step 3: Discover and Spread
Once inside and connected, ransomware perpetrators work to reach deeper into the organization and find ransom-worthy assets. They'll need to find (and compromise) accounts and systems that have access to the right data.

There are three proven ways to stop ransomware attacks at this step. First, adopting two-factor authentication (2FA) should be a part of every CISO's toolkit. 2FA makes it much harder for attackers to gain control of additional accounts. If 2FA is impractical for everyone, then at least implement it on any account with access to irreplaceable and valuable data.

Second, eliminating known vulnerabilities with a robust patch management program closes off still more avenues for compromise. As patch management improves, human-focused attacks (e.g. phishing and social engineering) are rising. It's easy to see why. Compromising a well-patched system requires technical expertise. Convincing end users to cough up credentials requires only human gullibility. That, unlike technical talent, is available in spades.

Lastly, tightening access to unstructured data (the files and documents created and managed by end users) is another effective way to break the chain. Overshared files unnecessarily expand the threat surface. If 10 people need access to a file — and 50 people have access — attackers have five times as many chances to acquire the data as they should.

These files are a goldmine for ransomware artists. The files themselves can have hostage value, or they can help identify high-value accounts, provide technical data about vulnerable systems, or enhance social engineering attempts with insider information. An imposter posing as an IT staffer, for example, is far more convincing if she knows project code names or personal/organizational details.

Security best practices recommend limiting unstructured data access to only those who need it. This "least privilege" model is, on paper, a fine philosophy. In reality, end users decide where to store and how to share files, and they don't always think about security. In fact, recent research found that a typical corporate user, at any given time, owns 36 documents overshared with internal groups (unintended "share all" settings are shockingly common) and 43 documents overshared with individual internal users. Security professionals, unfortunately, have never had an easy way to find and fix these files.

Until now. With the advent of AI-based data access governance solutions, least-privilege access enforcement is now autonomous, scalable, and accurate. As organizations get a better handle on oversharing it'll be much harder for cybercriminals to move laterally within a network, hijack new accounts, and execute social engineering exploits.
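As an added illustration of the data hygiene step described above (example code written for this article, not Concentric's product or any real tool), the script below audits a constructed ACL inventory and flags the two oversharing patterns the text names: "share all" group grants and files granted to too many individual users, plus a third check for users outside the owner's department. The group names, thresholds and sample files are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Groups whose presence on a file amounts to "share all" (assumed names;
# adjust to the broad groups your own directory or cloud drive uses).
SHARE_ALL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users", "anyone-with-link"}

# Individually granted users beyond this count are treated as oversharing (assumed threshold).
MAX_INDIVIDUAL_USERS = 10

@dataclass
class FileAcl:
    path: str
    owner_dept: str                                      # department of the file owner
    groups: Set[str] = field(default_factory=set)        # group principals with access
    users: Dict[str, str] = field(default_factory=dict)  # user -> department

def audit_file(acl: FileAcl, max_users: int = MAX_INDIVIDUAL_USERS) -> List[str]:
    """Return the oversharing findings for one file (empty list = clean)."""
    reasons = []
    share_all = acl.groups & SHARE_ALL_GROUPS
    if share_all:
        reasons.append("share-all group(s): " + ", ".join(sorted(share_all)))
    if len(acl.users) > max_users:
        reasons.append(f"{len(acl.users)} individual users (limit {max_users})")
    foreign = sorted(u for u, dept in acl.users.items() if dept != acl.owner_dept)
    if foreign:
        reasons.append("users outside owner department: " + ", ".join(foreign))
    return reasons

def audit_inventory(inventory: List[FileAcl]) -> Dict[str, List[str]]:
    """Map each overshared path to its findings; clean files are omitted."""
    findings = {}
    for acl in inventory:
        reasons = audit_file(acl)
        if reasons:
            findings[acl.path] = reasons
    return findings

# Constructed sample inventory (not real data); in practice these records would be
# loaded from an ACL export (e.g. file-server permissions) or a cloud-drive sharing API.
SAMPLE_INVENTORY = [
    FileAcl("/shares/eng/roadmap.docx", "eng", groups={"Domain Users"}, users={"alice": "eng"}),
    FileAcl("/shares/fin/payroll.xlsx", "fin", users={"bob": "fin", "carol": "fin", "dave": "eng"}),
    FileAcl("/shares/eng/design.pdf", "eng", users={f"u{i}": "eng" for i in range(12)}),
    FileAcl("/shares/hr/policy.pdf", "hr", groups={"hr-team"}, users={"erin": "hr"}),
]
```

Calling `audit_inventory(SAMPLE_INVENTORY)` returns findings for the first three files and omits the HR policy file, which is shared only with its own team.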

Step 4: Encrypt and Extort
If you are unlucky enough to reach this phase, it's probably too late. Once the data is encrypted, the attacker is ready to extract a ransom for data that's impossible to recover without their "help." An unaffected backup is often your only hope, but cybercriminals do their best to find and encrypt backups to seal off escape routes. If the attack completes this link of the kill chain, you have joined the ranks of thousands of organizations victimized by ransomware.

Monetization is the name of the game for cybercrime and it will continue to be a lucrative "growth opportunity" in 2021. The "Mid-Year Threat Landscape Report 2020" from Bitdefender highlights a seven-fold, year-on-year increase in ransomware reports. According to Cybersecurity Ventures, global ransomware damage costs are predicted to reach $20 billion in 2021 (up from $325 million in 2015).

The takeaway? Ransomware isn't going away any time soon, but kill chain analysis can help organizations develop a defensive strategy and identify new ways to keep themselves out of harm's way.

Karthik Krishnan is Founder/CEO, Concentric. Prior to Concentric, he was VP, Security Products at Aruba/HPE, where he managed their security portfolio. He was VP, Products at Niara, a security analytics company focused on user and entity behavior analytics. Niara was acquired ...