The Midgame Could Be Beginning of End for Ransomware Perpetrators

Author: Mark Bowling, Chief Risk, Security, and Information Security Officer, ExtraHop
Date Published: 27 July 2022

The growing impact of ransomware attacks on organizations has been staggering in recent years.

Consider these sobering statistics from a recent research report:

  • 85 percent of companies have experienced ransomware in the past five years
  • 72 percent of those who suffered attacks have paid the ransom
  • 60 percent have been hit more than once

Even among industry professionals who have followed the rise of ransomware in recent years, these statistics are grave.

The more damage ransomware causes, the higher the payout attackers can extract. The average cost of current attacks exceeds US $1 million, and ransomware has proven especially lucrative in the healthcare sector because of the value healthcare records command on the open web. Similarly, supply chain attacks—which have risen sharply during the pandemic—are also especially costly, with ransomware ranking as the top supply chain risk in a recent ISACA survey.

Meanwhile, the cost of breach insurance has skyrocketed 400 percent over the past two years because companies are being attacked at a higher rate, and those higher rates of attack are resulting in higher levels of extortion and payment.

Considering that attackers have many advantages over security teams—often including resources, time, focus and safe harbor—it’s not surprising that ransomware has become such a beastly challenge.

So, what can be done to reverse the tide? We have already tried some measures and seen them fail, such as keeping intruders out (the attack surface is too great) and backing up our data (helpful in an emergency, but not a defensive strategy).

That brings us to some promising emerging tactics that we have not yet tried: stopping intruders in the midgame and legislative deterrence.

Elevating our midgame
We have a gap in intelligence. Too many people equate intrusion with breach, but the reality is that a lot happens in between, in the midgame—where the attacker pivots through your infrastructure, taking actions that can alert your team to the intrusion, such as command and control communications, data staging, and lateral movement. This is where attackers inflict the most damage on the business, moving laterally across the network and escalating privileges. While the attackers are innovating to get in, they are also innovating once inside, hiding their tracks through encryption and erasing logs.

The challenge is that our current tactics are focused on the beginning and end. The beginning is addressed by endpoint and perimeter protection, such as firewalls and EDR. The end game is addressed by backups, incident response retainers and breach insurance. But the middle is largely unaddressed from a security operations perspective.

This has widened the gap between cyber defense and cyberattacks. Many organizations still believe that if they secure their perimeter, they will be able to prevent breaches, leading the industry to pour 75 percent of security budgets into preventing intrusion. But attackers have moved on and have shifted their innovation beyond the perimeter.

The attackers are focused where they know they can maximize damage to your enterprise: getting to your enterprise’s crown jewels by traversing the network. This is where they do their dirty work—escalating privileges, moving laterally, enumerating targets—weaving their destructive path toward their final objective.

Historically, gaining actionable visibility across your network has been hard, leaving a large gap in defensive intelligence. Unmanaged devices, OT devices, remote sites, and multicloud workloads—along with more encryption of East-West traffic—have made it difficult to spot attack techniques. At the same time, attackers are honing defense evasion tactics that destroy logs and detect and avoid agents.

We have something to learn from attackers. Instead of trying to prevent them from getting in, our opportunity is to stop them in their tracks along their path to destruction—on the network. This is where I recommend organizations use both the MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain. The tactics, techniques, and procedures (TTPs) classified by the MITRE ATT&CK framework show us what the attackers are doing. When those TTPs are appropriately associated with the phases of the Cyber Kill Chain, a defender can take the appropriate action to break the attacker's chain, hence the name Kill Chain. You find where to break the chain by utilizing the MITRE ATT&CK framework.
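To make the ATT&CK-to-Kill-Chain mapping concrete, the following is an added example (not code from the author or from ExtraHop). It runs three simple midgame detectors over a constructed set of network flow records: regular beaconing to an external address, admin-protocol sessions fanning out to many internal peers, and large inbound transfers converging on one internal host. Each hit is mapped to a real ATT&CK technique ID (T1071 Application Layer Protocol, T1021 Remote Services, T1074 Data Staged) and, through a hypothetical playbook table, to a Cyber Kill Chain phase and the defensive action that breaks the chain there. The flow data, the thresholds, and the playbook entries are assumptions for illustration; the ATT&CK IDs and Kill Chain phase names are the published ones.

```python
"""Map midgame network behaviours to ATT&CK techniques and Cyber Kill Chain phases.

Added example: flow records and thresholds below are constructed, and the
playbook table is a hypothetical starting point, not a tuned ruleset.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Each flow: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_transferred)
# Constructed sample: 10.0.0.0/8 is the internal network, 203.0.113.0/24 (TEST-NET-3) is "external".
FLOWS = [
    # Host 10.0.1.20 beacons to one external address every 60 s (command and control).
    *[(t, "10.0.1.20", "203.0.113.7", 443, 900) for t in range(0, 600, 60)],
    # The same host then opens SMB sessions to twelve internal peers (lateral movement).
    *[(700 + i, "10.0.1.20", f"10.0.2.{i}", 445, 2_000) for i in range(1, 13)],
    # Five workstations push large volumes to one file server (data staging).
    *[(800 + i, f"10.0.2.{i}", "10.0.3.50", 445, 80_000_000) for i in range(1, 6)],
    # Benign noise: a user browsing at irregular intervals.
    (5, "10.0.1.31", "203.0.113.40", 443, 12_000),
    (97, "10.0.1.31", "203.0.113.40", 443, 3_400),
    (410, "10.0.1.31", "203.0.113.41", 443, 51_000),
]

# Hypothetical playbook: ATT&CK technique -> (Kill Chain phase, action that breaks the chain there)
PLAYBOOK = {
    "T1071": ("Command and Control", "block destination at egress; isolate the beaconing host"),
    "T1021": ("Actions on Objectives", "terminate the host's SMB/RDP sessions; reset its credentials"),
    "T1074": ("Actions on Objectives", "restrict writes to the staging share; preserve it for forensics"),
}


def is_internal(ip: str) -> bool:
    """Constructed internal-network test: anything in 10.0.0.0/8 is internal."""
    return ip.startswith("10.")


def detect_beaconing(flows, min_count=5, max_jitter=0.2):
    """Flag internal->external pairs whose inter-connection gaps are nearly constant."""
    by_pair = defaultdict(list)
    for ts, src, dst, *_ in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Coefficient of variation near zero means a machine-like, periodic schedule.
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append((src, "T1071", f"{len(stamps)} connections to {dst}, ~{mean(gaps):.0f}s apart"))
    return hits


def detect_lateral_movement(flows, min_peers=10, admin_ports=(445, 3389, 5985)):
    """Flag internal hosts opening admin-protocol sessions to many distinct internal peers."""
    peers = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst) and port in admin_ports:
            peers[src].add(dst)
    return [(src, "T1021", f"sessions to {len(p)} internal peers")
            for src, p in peers.items() if len(p) >= min_peers]


def detect_staging(flows, min_sources=3, min_bytes=50_000_000):
    """Flag an internal host receiving large inbound volumes from several internal sources."""
    inbound = defaultdict(lambda: defaultdict(int))
    for _, src, dst, _, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst][src] += nbytes
    hits = []
    for dst, sources in inbound.items():
        big = [s for s, b in sources.items() if b >= min_bytes]
        if len(big) >= min_sources:
            hits.append((dst, "T1074", f"{len(big)} sources, {sum(sources.values())} bytes inbound"))
    return hits


def analyze(flows):
    """Run all detectors and attach each hit's Kill Chain phase and break-the-chain action."""
    findings = []
    for host, technique, evidence in (detect_beaconing(flows)
                                      + detect_lateral_movement(flows)
                                      + detect_staging(flows)):
        phase, action = PLAYBOOK[technique]
        findings.append({"host": host, "technique": technique, "phase": phase,
                         "evidence": evidence, "action": action})
    return findings


if __name__ == "__main__":
    for f in analyze(FLOWS):
        print(f"{f['host']:<12} {f['technique']} [{f['phase']}] {f['evidence']} -> {f['action']}")
```

Running the script reports three findings: the beaconing host, the same host fanning out over SMB, and the file server collecting staged data. The point of the playbook table is the one the text makes: each ATT&CK technique is tied to the Kill Chain phase where it appears, so the response is chosen by phase rather than improvised per alert. The user's irregular browsing produces no finding, which is the check worth keeping as you tune thresholds against real traffic.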

Security teams can prepare themselves for ransomware attacks—not by building up a perimeter around them, but by deploying security measures inside the network they want to protect. This post-compromise stage is heavily overlooked. If you are able to achieve a level of visibility in your network, you can engage in nondestructive mitigation.

Legislative deterrence
Legislation is another tactic in the fight against ransomware. There are some measures currently in debate around making payment disclosures mandatory and making crypto traceable. These measures will increase transparency, which is necessary for regulation and calming the ransomware market. The purpose of this is to create some type of deterrence against the attackers.

New approaches: the path forward
Ransomware has become a central element of the threat landscape, and the amount of money involved in these attacks guarantees that attackers’ motivation will not wane—until we stop them.

To do so, we need to gain a deeper understanding of our adversaries’ motivations and be willing to invest in new approaches that can counteract attackers’ many advantages.