In recent months, much attention has been placed on the threats and potential impacts of ransomware. Indeed, our critical infrastructures – fuel, utilities, food supply, government agencies, and other supply chains – have all been hit by such attacks.
Significant Increase in Ransomware Incidents & Reporting
There is an intersection of many factors that have boosted the appeal to attack organizations using ransomware:
- Crime of Opportunity
The pandemic created an abrupt move to an all-remote workforce, which in turn accelerated the migration of internal systems to the cloud.
A Bitsight study found that home networks are 3.5 times more likely to be infected by at least one family of malware than a corporate network, and over 25% of home networks have exposed at least one or more services to the internet.[1]
The takeaway: Although remote workers are connecting securely to their corporate networks via VPN, the home network itself may be insecure, allowing nefarious actors to sit on the home network and use MitM (man-in-the-middle) attacks.
- Threat Actors Employing ROI Analysis
Threat actors are finding that social engineering as a delivery method has a better ROI than brute-force methods. In a Proofpoint study on cloud-based attacks, social engineering was used only 28% of the time with a 75% success rate. Brute-force methods, which were used 72% of the time, had only a 9.7% success rate.
The takeaway: The threat actor willing to put resources and effort into social engineering will enjoy a higher ROI; but most threat actors are still using the “spray and pray” attacks because of the minimal cost to conduct such broad efforts.
- Perception Drives Reality
Reporting on specific ransomware attacks has also increased, as some in the media try to monetize on the news trends that attract readers.
The takeaway: As more ransomware attacks are reported and publicized, more will follow.
Pivots in Ransomware Attack Methods
Ideally, a threat actor would want to reach as many potential targets as possible using a fully automated attack chain which can generate lures, deliver payloads, establish persistent back doors, and exfiltrate data. But security technologies and SOCs (security operations centers) are extremely well versed in preventing known threats. As a result, the malware ecosystem continues to evolve and mature with each generation of ransomware attacks.
- Move to Targeted Lures
Security technologies have matured to the point where generic blanket attacks can be prevented with a high degree of success. Threat actors have found that attacks exploiting specific and unique information from the target organization are more fruitful than generic lures, with some exceptions such as the pandemic-based lures that affect all organizations.
The takeaway: Creating attractive targeted lures requires more effort by the threat actor at the reconnaissance stage. If the reconnaissance includes soliciting an insider resource, they run the risk of being exposed.
- Complex Indirect Attack Chains
Threat actors have shifted to more complex attack chains that try to bypass well-established security controls with multiple levels of valid indirect links that eventually lead to a malicious download.
The takeaway: Higher complexity of nested links increases the chance of failure, with the potential victim never reaching the malicious payload.
- Human-Assisted Attack Chains
Another tactic that has increased dramatically is the use of human interaction via pretexting, encouraging the potential victim to explicitly download a malicious file, thereby bypassing any technology-based security controls.
The takeaway: The time and resources needed to establish, run, or lease faux call centers dramatically increases their cost of doing business while reducing the breadth of the attack victims. Although this tactic may be the costliest to the threat actor, it can pay out in large dividends when successful.
- Ransomware as a Service
The security industry has seen a maturation and diversification amongst the cybercrime economy. Ransomware platforms created by underground development teams are leased as a service offering to various threat actors.
The takeaway: This disassociates the ransomware platform developer from the threat actor, limiting the capability to take down the ransomware providers, and even possibly limiting liability by distributing culpability.
Factors Driving Fundamental Changes in Attack Methods
There is a perpetual cat-and-mouse game between cybercrime actors and cybersecurity teams. In military terms, this is similar to the OODA loop – where OODA stands for Observe, Orient, Decide, and Act – a basic four-step approach to quickly identify a situation, assess, adapt, and respond.
Both the offensive threat actors and the defensive security teams employ the OODA loop in some form;[2] it is the speed at which each side can adapt and respond that determines success. FireEye Mandiant Threat Intelligence reports that technology exploits are more quickly shared with manufacturers, and mitigations/patches become available within days; but exploits are being operationalized in the wild within hours.[3]
As the cycle time for the cybersecurity OODA loop reduces to nano-internet time, several key factors become clear:
- Technology Security is a Mature Field
The capabilities for protecting networks, perimeters, devices, and endpoints have dramatically matured over the last 10 years.
The takeaway: Threat actors have been forced to rely on human interaction (by the potential victim) to explicitly bypass existing technology security controls.
- SOC Analysts are Overloaded with Noise
A Ponemon study found that SOC analysts are struggling with increasing workload (75%), lack of visibility into IT and network infrastructure (68%), chasing alerts (65%) and information overload (65%).[4]
The takeaway: There is a growing need for SOCs to employ (1) coalescing of disparate threat intelligence feeds into contextual reporting, and (2) automation to reduce false positives (benign events reported as alerts) while not increasing false negatives (real incidents that go unreported).
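The two needs in that takeaway can be shown together in a small triage routine. The following is an added example, not code from the original article or from any vendor it cites: two constructed threat-intel feeds in different shapes (a CSV export and a JSON list, both invented here, with made-up indicators) are normalised into one table, and incoming alerts are scored against it. Corroborated or high-confidence matches page an analyst, weak single-source matches go to a review queue rather than being dropped, and everything else is only logged, so noise falls without silently creating false negatives. The thresholds PAGE_SCORE and REVIEW_SCORE are assumptions to be tuned per SOC.

```python
"""Coalescing threat-intel feeds and scoring SOC alerts against them.

Added example (not from the original article). Feed formats, thresholds
and every indicator value below are constructed for illustration.
"""
import csv
import io
import json
from collections import defaultdict

# Constructed feed A: a CSV export with its own column names and a 0..100 score.
FEED_A_CSV = """indicator,type,score,tag
198.51.100.23,ip,90,c2
203.0.113.7,ip,40,scanner
evil-invoice.example,domain,70,phish
"""

# Constructed feed B: a JSON list using a 0..1 confidence scale.
FEED_B_JSON = json.dumps([
    {"value": "198.51.100.23", "kind": "ipv4", "confidence": 0.8, "context": "ransomware-c2"},
    {"value": "198.51.100.99", "kind": "ipv4", "confidence": 0.2, "context": "tor-exit"},
])


def load_feed_a(text):
    """Yield (indicator, score 0..100, source, context) from the CSV feed."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], int(row["score"]), "feedA", row["tag"]


def load_feed_b(text):
    """Yield the same tuple shape from the JSON feed, rescaling confidence to 0..100."""
    for row in json.loads(text):
        yield row["value"], round(row["confidence"] * 100), "feedB", row["context"]


def coalesce(*feeds):
    """Merge feeds into one table: indicator -> {sources, max_score, context}."""
    table = defaultdict(lambda: {"sources": set(), "max_score": 0, "context": set()})
    for feed in feeds:
        for indicator, score, source, context in feed:
            entry = table[indicator]
            entry["sources"].add(source)
            entry["max_score"] = max(entry["max_score"], score)
            entry["context"].add(context)
    return dict(table)


PAGE_SCORE = 80    # assumed: a single source this confident pages an analyst by itself
REVIEW_SCORE = 30  # assumed: a lone hit below this is logged, not queued


def triage(alert_indicator, table):
    """Return 'page', 'review' or 'log' for an alert that matched one indicator."""
    entry = table.get(alert_indicator)
    if entry is None:
        return "log"
    # Corroboration across feeds is treated as strongly as one high-confidence source.
    if len(entry["sources"]) >= 2 or entry["max_score"] >= PAGE_SCORE:
        return "page"
    # Weak single-source hits are held for review rather than suppressed outright.
    if entry["max_score"] >= REVIEW_SCORE:
        return "review"
    return "log"


def build_table():
    """Build the merged indicator table from the two constructed feeds."""
    return coalesce(load_feed_a(FEED_A_CSV), load_feed_b(FEED_B_JSON))


if __name__ == "__main__":
    table = build_table()
    # Constructed alerts as (alert id, matched indicator).
    alerts = [("a1", "198.51.100.23"), ("a2", "203.0.113.7"),
              ("a3", "198.51.100.99"), ("a4", "192.0.2.1")]
    for alert_id, indicator in alerts:
        entry = table.get(indicator, {})
        print(alert_id, indicator, triage(indicator, table),
              sorted(entry.get("context", [])))
```

The design choice worth noting is the middle outcome: a feed-normalising pipeline that only has "alert" and "discard" pushes the false-negative rate up as soon as thresholds are raised, whereas a review queue keeps the marginal hits visible while taking them off the analyst's pager.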
- Commoditization of Delivery Methods and Payloads
It is not only the ransomware platforms that are being modularized. The delivery TTPs (tactics, tools, and procedures) are themselves a platform service sold and resold for delivering any number of malware payloads, not just ransomware. This commoditization allows threat actors to either (1) quickly change out unsuccessful delivery methods, or (2) reuse successful delivery tactics to change out payloads as needed.
The takeaway: Security teams addressing delivery methods and payload impacts must understand these are two distinct types of malicious activity and require categorically different approaches to mitigation.
- Threat Actor Whack-a-Mole
As attribution accuracy increases through the collaboration and sharing of threat information between security teams from public sector agencies, private sector organizations, and even competitors, threat actors are more frequently going dark and re-emerging under new monikers and/or using new TTPs.
The takeaway: Identification of threat actors may play an important role in political arenas, consigned offensive (hack-back) operations and understanding overall attack motives against your organization. However, it is prudent to balance the amount of resources used for attribution versus more effective uses, such as protections against TTPs, mitigations against payloads, and business continuity plans for RPO (recovery point objectives) and RTO (return to operations).
Strategies to Mitigate the Impending Ransomware Threat
Ransomware is most damaging when an organization has no control over its data, lacks robust access controls, ignores vulnerabilities (that should have been patched), is unable to have alternate means of operations, or has not planned for the unexpected.
While not all ransomware (or other) threats can be planned for, there are fundamental strategies that can minimize the impact of any incident.
- Focus on Data Protection
Data loss prevention solutions are quite sophisticated, yet there are still reports of exfiltration and insider threat incidents resulting in information loss. The issue, it seems, has been the same since DLP became a moniker: lack of classification and tagging in both structured and unstructured data. In short, there is no data stewardship within most organizations.
Data stewardship should be considered as important as threat intelligence. The role of a data steward is defined by an Information Lifecycle Management (ILM) program. ILM program responsibilities include, but are not limited to: (1) discover data, (2) identify data ownership, (3) determine the golden source – source of record – for that data, (4) understand how the data is obtained/created, used/manipulated, and accessed/distributed, and (5) govern who is authorized to perform specific actions on the data.
Many organizations misunderstand the concept of data stewardship and/or ILM as either an “all-or-nothing” scope or conversely a “one-and-done” exercise. Neither is true. A robust ILM program will start by identifying the most sensitive information and deploying protections on those data elements.
Similarly, data elements themselves may have multiple classifications throughout their lifecycle. ILM programs must understand the business processes surrounding the data and adjust classifications accordingly on a dynamic basis. Stock trading is a great example of dynamic classification: a stock trade is considered confidential prior to settlement, but graduates to public status afterwards. Neither the data element nor the storage location have changed; only the execution status has changed, thereby altering its classification.
The takeaway: Work in stages, starting from the organization’s most sensitive and/or damaging data. Not all data needs to be addressed, but for those data elements being explicitly tagged, material quantification of impact costs for data loss is essential.
- Reduce Unnecessary Access
Following data classification and protection mechanisms is the need to reduce unnecessary access to the data as well as needless elevation of privileges in applications.
This can be accomplished in several stages so as not to overwhelm an organization’s fragile credentialling system: (1) Least Privilege – ensure that users, as well as other resources, can only access the data elements, applications, and systems needed to fulfill each function of their job, (2) Segregation of Duties – looking at the reduced set of privileges, ensure there are no “toxic combinations” of entitlements that allow a user, for example, to submit a request and then approve that same request, (3) start an effort to refactor the organization’s LDAP/AD implementing RBAC (role-based access control) for both end user accounts as well as service accounts (stored credentials used by systems/applications to access other systems/applications), and (4) deploy a PAM (privileged access management) system that introduces workflow and auditing to any authorized user requesting temporary elevated permissions.
The takeaway: You don’t need to create an entire Zero Trust effort, but these four methods are key principles to get you on your way there.
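The first two stages above, Least Privilege and Segregation of Duties, can be checked mechanically once roles and entitlements are written down. The following is an added example, not code from the original article: it takes a constructed RBAC catalogue (role names, entitlement names and the toxic-pair policy are all invented here), compares each account's actual grants against what its roles justify, and then looks for toxic combinations in the reduced set. Service accounts are reviewed with the same logic, as the text recommends.

```python
"""Entitlement review: least-privilege drift and segregation-of-duties checks.

Added example (not from the original article). The role catalogue, the
toxic-pair policy and the account export below are constructed sample
data, not any real directory.
"""
from dataclasses import dataclass

# Constructed RBAC catalogue: role -> the entitlements that role justifies.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"invoice.submit", "vendor.read"},
    "ap_manager": {"invoice.approve", "vendor.read", "vendor.update"},
    "payroll_svc": {"payroll.export"},   # role for a service account
}

# Constructed SoD policy: entitlement pairs one identity must never hold together.
TOXIC_PAIRS = {
    frozenset({"invoice.submit", "invoice.approve"}),
    frozenset({"vendor.update", "invoice.approve"}),
}


@dataclass
class Account:
    name: str
    roles: set
    entitlements: set          # what the directory actually grants today
    is_service: bool = False


@dataclass
class Finding:
    account: str
    kind: str                  # "excess" (least privilege) or "toxic" (SoD)
    detail: tuple


def justified_entitlements(roles):
    """Union of everything the assigned roles justify."""
    justified = set()
    for role in roles:
        justified |= ROLE_ENTITLEMENTS.get(role, set())
    return justified


def excess_entitlements(account):
    """Least privilege: grants that no assigned role justifies."""
    return account.entitlements - justified_entitlements(account.roles)


def toxic_combinations(entitlements, policy=TOXIC_PAIRS):
    """Segregation of duties: toxic pairs fully present in one identity's grants."""
    return sorted(tuple(sorted(pair)) for pair in policy if pair <= entitlements)


def review(accounts):
    """Run both checks over every account, service accounts included."""
    findings = []
    for account in accounts:
        for entitlement in sorted(excess_entitlements(account)):
            findings.append(Finding(account.name, "excess", (entitlement,)))
        for pair in toxic_combinations(account.entitlements):
            findings.append(Finding(account.name, "toxic", pair))
    return findings


# Constructed directory export.
SAMPLE_ACCOUNTS = [
    Account("alice", {"ap_clerk"}, {"invoice.submit", "vendor.read"}),
    # bob holds two legitimate roles whose union is a toxic combination.
    Account("bob", {"ap_clerk", "ap_manager"},
            {"invoice.submit", "invoice.approve", "vendor.read", "vendor.update"}),
    # A service account that has drifted beyond its role.
    Account("svc-payroll", {"payroll_svc"}, {"payroll.export", "vendor.update"},
            is_service=True),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_ACCOUNTS):
        print(f"{finding.account:12} {finding.kind:7} {' + '.join(finding.detail)}")
```

Note that bob produces no least-privilege finding at all, because every grant is justified by a role he legitimately holds; the toxic combination only surfaces in the second pass. That is why the text treats Segregation of Duties as a separate stage rather than a by-product of Least Privilege.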
- Treat Delivery Differently from Payloads
Even without the modularization of malware, security teams should separate the vehicle of delivery from the impact of the payload.[5] Using the NIST CSF (Cyber Security Framework)[6] as an example for categorizing incidents, TTPs used for malware delivery fall into the NIST CSF tenets Identify, Protect and Defend; whereas payloads are impact-based and best mitigated via NIST CSF tenets Defend, Respond and Recover. There are also other great resources to help organizations respond, such as the MITRE ATT&CK[7] (for TTPs) and D3FEND[8] (for countermeasures).
The takeaway: Having the correct approach to each specific aspect of nefarious activity will reduce the number of resources needed, as well as the response time.
- Prioritize Operational Resiliency
Although security teams would like to achieve 100% effectiveness in security controls, there is an inflection point where the cost of resources far outweighs the cost of impact. All organizations define their business risk tolerance – the threshold of acceptable losses around this inflection point. Understanding where the business risk tolerance lies allows security teams to take a set of inherent risks and apply mitigations to ensure the remaining residual risks fall within that threshold.
There are three specific factors to consider when employing a security program designed to support the business-defined thresholds: (1) Recovery Point Objectives – a measure defining how much of each data classification the organization can lose without suffering an adverse impact to the business, (2) Return to Operations – alternative processes which can allow the business to operate effectively during an attack, as well as pre-defined resources needed to restore the normal operating procedures and systems, and (3) the Risk Exception process – a clearly defined and defendable set of criteria that allows residual risks above the threshold to exist either temporarily or permanently. A risk exception should not be considered mitigation as it likely increases/introduces risk to the business.
The takeaway: Elevate RPO and RTO, but not the Risk Exception process.
- Playbooks for the Unexpected
Similar to the OODA loop, managing an unplanned event falls into a strategy known as the three decision outcome avenues[9] and is defined as follows: Avoid – plan to prevent or preempt possibilities of a crisis, Trap – recognize bad decisions and fix potential problems before a crisis, and Mitigate – minimize the negative effect during a crisis. This concept was originally developed into a cockpit playbook for pilots by the FAA in response to the crash of UA Flight 173 in 1978. Created as a critical thinking guideline for crisis management, this process is now integrated into the nationally standardized Incident Command System.[10]
There are other similar strategies for managing unplanned incidents such as Managing Without Authority,[11] Executive Crisis Leadership,[12] as well as many others.
It is also important to emphasize that whenever an unexpected/unplanned event occurs, an investigation post-crisis is necessary to review and codify the event handling procedures for future possible incidents.
The takeaway: Do your research to determine the response paradigm that best fits your organizational business resiliency mission, ensure the playbook is available to everyone, and keep a printed copy accessible.
Although the impact of ransomware can be devastating to both traditional business operations and critical infrastructure, it should not be the only concern. Most organizations employ skilled security professionals and mature security technologies but fall short in longer-term foresight and/or preparing for the unknown – the next wave of breaches.
This is a call for organizations to encourage their cybersecurity teams, tasked with protecting our organizations from operational harm, to think beyond ransomware, beyond the trend, and beyond the known impacts.
- BitSight (2020), “Identifying Unique Risks of Work from Home Remote Office Networks”
- Ponemon Institute (2020), “The Economics of Security Operations Centers: What is the True Cost for Effective Results?”
- Yes, in some cases the exploit is both the delivery and the impact, such as DDoS.
- FAA (n.d.), “CRM Error Management,” https://www.hf.faa.gov/webtraining/TeamPerform/TeamCRM013.htm
- Rubin (July 2002), “Crew Resource Management,” Firehouse Magazine