Maksim Kabakou - Fotolia

Security Think Tank: Ransomware defences: An extended to-do list

Strategies to extend ransomware protection beyond backups and intrusion detection must centre dark web monitoring, among other things

We have been fighting an onslaught of ransomware attacks for a long time, yet we are still far away from a victory. In fact, it seems we are losing the battle. Although our defences are getting better, ransomware claims more victims today than in most previous years.

Most for-profit cyber crime is concentrating on the ransomware supply chain and components such as phishing attacks, botnet data, and more effective ways to bypass network safeguards. The competition is cut-throat, and we are seeing cyber criminals recruiting insiders to sabotage their employers’ networks. Malicious actors also attempt to corrupt negotiators and use other social pressure techniques to get the highest ransom payment possible.

So how can we protect ourselves? What should we do beyond backups and network intrusion detection? More often than not, a breach occurs due to human error caused by either a phishing attack or unintentionally disclosed credentials.

While user education is still an extremely important component of a good defence, compromised access could also often pop up on dark web markets in the form of credentials or botnet logs. Not enough companies understand the complexities of the dark web markets and often rely on surface threat reports instead of taking a deeper dive into the dark web threat landscape.

Deep on the dark web, there are threat actors trading access to corporate networks and trying to leverage their access into a full-blown compromise. Corporate remote workforces and consultants often use personal devices for remote access. The ability to detect stolen credentials and compromised multi-factor authentication (MFA), based on user behaviour, would cause the bad guys to lose their access.

Even if the malicious actors get deeper into your network, privilege escalation or lateral movements should set off alerts and data exfiltration attempts would create a ripple in your outgoing network traffic.

Simple? Not so much! Dark web markets are more complex than most people think and rarely does the data identify your organisation directly. The bad guys don’t care about the targets as long as they feel the target has money to pay. Your threat intelligence partners must know how to identify your data on the dark web referentially and not only use canned search terms. Also, most access sold does not go onto public markets, so pick partners who can also monitor exclusive channels.

Teach employees to protect themselves and, most importantly, alert cyber security teams if something goes wrong. Fear of punishment sometimes causes employees to hide the fact that they were compromised. They try to change passwords, but if their system is already infected, this is ineffective. Your employees are a large part of your defence against intrusions.

Read more from the November 2022 Security Think Tank

MFA is not perfect, but it is arguably the most significant deterrent against intrusions. Most bad guys are not sophisticated enough to bypass MFA, so your investment in 100% coverage for remote and cloud access is critical.

Your log monitoring and alerting solution is not just for show. Test it often to see if your red team or pen testers set it off while acting like threat actors and trying to escalate privileges and move laterally within your infrastructure. Alerting is critical, because it is proactive rather than collecting logs post-breach. Also keep in mind that alerting must be meaningful. Too often, IT and security staff get overwhelmed by numerous alerts and ignore the most important ones.

Lastly, almost no ransomware attack today goes without a data exfiltration component. On the one hand, bad guys cannot exfiltrate the data from your network invisibly to your network monitoring tools; on the other hand, it is difficult to identify data exfiltration among all the other traffic leaving your network.

Most importantly, can you act in time to stop most data from leaving? This must be tested – monitoring solutions should be put in place along with decoy data that can be made more attractive than the really critical data on your network.

We have accomplished many things in our fight against ransomware, but the bad guys are getting smarter, and we need to continuously improve our defences against their gains. Only a cycle of continuous improvement, based on the current threat landscape, can greatly improve our chances of not becoming the latest victim of a ransomware gang.

Alex Holden is CISO at Hold Security and a member of the ISACA Emerging Trends Working Group

Read more on Hackers and cybercrime prevention

Data Center
Data Management