If you're an IT security professional, mastering mystifying terminology and arcane acronyms is a rite of passage — maybe even a badge of honor. But there's one unusually blunt cybersecurity term anyone can understand — the "kill chain." A successful attack (the "kill") doesn't just happen. It's the end result of a sequence of essential steps (the "chain") that must be completed in order. If you break the chain, you stop the attack.
The chain metaphor clarifies the problem — but it doesn't necessarily simplify it. If you want to strengthen your defenses against ransomware, you'll need to consider the entire cybersecurity alphabet — from authentication to zero-day malware defenses. In this article, I'll look at an abbreviated kill chain for ransomware with a focus on the "discover and spread" step. Then I'll introduce a strategy of automated data hygiene that can find and fix the overshared files that attackers either take hostage or use to move closer to the kill.
Step 1: Payload Delivery
Most ransomware attacks start by phishing end users, sometimes enlisting compromised Websites as temptation. Unsuspecting users take the bait, click the links, and unwittingly deposit attack payloads where they can start their work. Security professionals have tools at their disposal (email scanner, anti-phishing software, employee training) to reduce exposure to malware delivery methods, but the unfortunate truth is users are soft targets for skilled cybercriminals.
Step 2: Establish Command and Control
After that fateful download or click, the ransomware payload soon attempts to contact its command and control network (also known as C2 communications). Establishing this channel is an essential step. If successful, attackers can remotely explore the target environment, download encryption keys, and find valuable data. Defensive strategies focus on spotting and stopping C2 traffic. This can be a real cat-and-mouse game as attackers shift between connection points and IP addresses.
Step 3: Discover and Spread
Once inside and connected, ransomware perpetrators work to reach deeper into the organization and find ransom-worthy assets. They'll need to find (and compromise) accounts and systems having access to the right data.
There are three proven ways to stop ransomware attacks at this step. First, adopting two-factor authentication (2FA) should be a part of every CISO's toolkit. 2FA makes it much harder for attackers to gain control of additional accounts. If 2FA is impractical for everyone, then at least implement it on any account with access to irreplaceable and valuable data.
Second, eliminating known vulnerabilities with a robust patch management program closes off still more avenues for compromise. As patch management improves, human-focused attacks (e.g. phishing and social engineering) are rising. It's easy to see why. Compromising a well-patched system requires technical expertise. Convincing end users to cough up credentials requires only human gullibility. That, unlike technical talent, is available in spades.
Lastly, tightening access to unstructured data (the files and documents created and managed by end users) is another effective way to break the chain. Overshared files unnecessarily expand the threat surface. If 10 people need access to a file — and 50 people have access — attackers have five times as many chances to acquire the data than they should.
These files are a goldmine for ransomware artists. The files themselves can have hostage value or can help identify high-value accounts, provide technical data about vulnerable systems, or enhance social engineering attempts with insider information. An imposter posing as an IT staffer, for example, is far more convincing if she knows project code names or personal/organization details.
Security best practices recommend limiting unstructured data access to only those who need it. This "least privileges" model is, on paper, a fine philosophy. In reality, end users decide where to store and how to share files – and don't always think about security. In fact, recent research found that a typical corporate user, at any given time, owns 36 documents overshared with internal groups (unintended "share all" settings are shockingly common) and 43 documents overshared with individual internal users. Security professionals, unfortunately, have never had an easy way to find and fix these files.
Until now. With the advent of AI-based data access governance solutions, least-privilege access enforcement is now autonomous, scalable, and accurate. As organizations get a better handle on oversharing it'll be much harder for cybercriminals to move laterally within a network, hijack new accounts, and execute social engineering exploits.
Step 4: Encrypt and Extort
If you are unlucky enough to reach this phase, it's probably too late. Once encrypted, the attacker is ready to extract ransom for data that's impossible to recover without their "help." An unaffected backup is often your only hope, but cybercriminals do their best to find and encrypt backups to seal off escape routes. If the attack completes this link of the kill chain you have joined the ranks of thousands of organizations victimized by ransomware.
Monetization is the name of the game for cybercrime and it will continue to be a lucrative "growth opportunity" in 2021. The "Mid-Year Threat Landscape Report 2020" from Bitdefender highlights a seven-fold, year-on-year increase in ransomware reports. According to Cybersecurity Ventures, global ransomware damage costs are predicted to reach $20 billion in 2021 (up from $325 million in 2015).
The takeaway? Ransomware isn't going away any time soon, but kill chain analysis can help organizations develop a defensive strategy and identify new ways to keep them out of harm's way.