Although cybercrime as a whole has risen during the pandemic, ransomware has arguably been one of the more successful and lucrative attack types. According to the World Economic Forum's Global Risks Report 2020, ransomware was the third most common and second most damaging type of malware attack recorded last year, with payouts averaging a hefty $1.45M per incident. Our own research, the State of Encrypted Attacks Report 2020, found a 500 per cent rise in ransomware compared to 2019.
It's clear, then, that ransomware did not peak with WannaCry back in 2017; it remains a disruptive and profitable threat to business operations. The question remains: how can businesses finally protect themselves from this increasingly sophisticated threat?
Where are the gaps?
Although cybercriminals are executing ever more complex and targeted attacks, truth be told, we may be giving too much credit to the brilliance and sophistication of the ransomware operator. Cybercriminals are opportunistic by nature, and many of the techniques used to successfully deliver malware are actually very simple. It is rather the holes left by IT departments, such as failing to update security policies or to use the tools already available to them properly, that let ransomware attackers into the network.
Similarly, and this might sound odd coming from someone in a senior position at a cybersecurity company, businesses sometimes rely too much on technology and not enough on process, personnel and skills. No security tool runs itself with only minimal attention. Even when an organisation chooses the Microsoft Defender antivirus built into Windows 10 for endpoint protection, it should still evaluate the supporting strategy: scan and update scheduling, and how the antivirus status will be monitored.
Plenty of cybersecurity tools can detect threats and flag them to security professionals, but remediation and mitigation need to be handled through a robust operational process that can really dig into the logs, identify the most serious threats and remediate them appropriately. Too often we see security teams that are not given enough time to get to grips with the new tools at their disposal; they become overwhelmed by the volume of alerts and have no robust triage system to help them work through those alerts efficiently.
Security hygiene is the best defence
Better operational practice, rather than technology, is really the key issue for a lot of businesses affected by ransomware. IT teams in particular need to improve their security hygiene to keep pace as ransomware varieties change. First and foremost, security teams need to ensure their patching and vulnerability management is up to date, and perform regular access reviews.
Teams should also apply the principle of least privilege to raise their security posture. In essence, this means ensuring that staff can only reach the applications they need to perform their duties, instead of opening up the whole network to them. A strategy that prevents lateral movement stops an attacker who has established an initial foothold from traversing the entire network.
A keen understanding of how attackers gain access is needed if an organisation is to put in place measures that ensure only authorised users reach the applications they need.
The internet can provide attackers with all the knowledge they need about a company's infrastructure to launch an attack, and organisations need to review how much information about their infrastructure they present online. Many publish far more than they should, often completely oblivious to the fact that they are doing so. A hastily thrown-together development environment can act as a gateway for attackers to reach critical data, and a misconfigured server can leak data outright.
Even security defences themselves can provide unintended insights. A firewall or a VPN gateway, for example, may reveal its vendor, product and version in login pages or response headers, which an attacker can use to identify potential attack vectors.
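As an added illustration of the review described above (this is example code written for this article, not a Zscaler tool), the script below parses HTTP responses and flags headers that identify the product or version behind an internet-facing service. The two responses are constructed samples, not captures from any real gateway, and the header list and severity rating are the author's assumptions; a practitioner would run the same check against the real login page of each firewall, VPN gateway and exposed server.

```python
from __future__ import annotations

import re

# Response headers that commonly reveal the product or version behind an
# internet-facing service (web server, firewall or VPN gateway login page).
# This list is an assumption for the example, not an exhaustive catalogue.
DISCLOSURE_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
    "via",
)

# A dotted version number anywhere in a header value, e.g. "2.4.29" or "7.2".
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head, _, _ = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def find_disclosures(headers: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (header, value, severity) for every identifying header present.

    A value carrying a version number is rated 'high' because it lets an
    attacker look up known vulnerabilities for that exact release; a bare
    product name is rated 'low'.
    """
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        severity = "high" if VERSION_RE.search(value) else "low"
        findings.append((name, value, severity))
    return findings


def audit(raw: str) -> list[tuple[str, str, str]]:
    """Convenience wrapper: parse a raw response and report its disclosures."""
    _, headers = parse_response(raw)
    return find_disclosures(headers)


# Constructed sample responses (not captured from any real system).
LEAKY_GATEWAY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><title>VPN Portal</title></html>"
)

HARDENED_GATEWAY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><title>Sign in</title></html>"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_GATEWAY), ("hardened", HARDENED_GATEWAY)):
        print(label)
        for name, value, severity in audit(raw):
            print(f"  [{severity}] {name}: {value}")
```

The hardened response still names its product, which is why it is reported at low severity rather than passed silently: the practitioner decides whether a bare product name is acceptable, but an exact version string should always be removed from anything reachable from the internet.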
Consider Zero Trust
Unlike more traditional, network-centric approaches, zero trust network access (ZTNA) reduces a company's exposure to attack by shrinking the attack surface. Zero trust starts by validating user identity and then enforces business policy using contextual data about the user, device, app and content before granting direct access to individual applications and resources, never to the network as a whole. No entity, user or application, is inherently trusted; application assets are removed from public visibility; and the surface available to attackers shrinks significantly.
Digital transformation and the move to remote work have fundamentally changed the way modern businesses operate. The necessarily rapid pace of change left IT departments precious little time to fully consider new security architectures and the shifting threat landscape, now dominated by ransomware and DDoS. Now that the dust has settled somewhat, and remote working is here to stay for many, security teams need to look at implementing new security models to meet these challenges. Adopting a holistic approach to the requirements of networks, applications and security is the first step in strengthening an organisation's defence against ransomware and wider cyber threats.
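To make the zero trust decision above concrete, and to show how it delivers the least-privilege, anti-lateral-movement property described earlier, here is a small default-deny policy broker written as an added example for this article; it is not Zscaler's product logic or any vendor's API. The applications, groups, user and device attributes are all constructed, and the set of posture checks (MFA, managed device, patch state) is an assumption chosen for illustration.

```python
from __future__ import annotations

import dataclasses
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Context the broker sees for one connection attempt (constructed values)."""
    user: str
    groups: frozenset[str]
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    app: str


@dataclass(frozen=True)
class AppPolicy:
    """Who may reach one published application, and under what device posture."""
    app: str
    allowed_groups: frozenset[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    require_patched_device: bool = True


# Hypothetical policy set. Only applications listed here are published at all;
# anything else is invisible to every user, which is the default-deny property.
POLICIES: dict[str, AppPolicy] = {
    "payroll": AppPolicy("payroll", frozenset({"finance"})),
    "wiki": AppPolicy("wiki", frozenset({"staff"}), require_patched_device=False),
}


def evaluate(req: AccessRequest, policies: dict[str, AppPolicy] = POLICIES) -> tuple[bool, str]:
    """Decide one user -> application request. Every failed check denies."""
    policy = policies.get(req.app)
    if policy is None:
        return False, "application not published"
    if policy.require_mfa and not req.mfa_verified:
        return False, "identity not verified with MFA"
    if not (req.groups & policy.allowed_groups):
        return False, "user not entitled to application"
    if policy.require_managed_device and not req.device_managed:
        return False, "device not managed"
    if policy.require_patched_device and not req.device_patched:
        return False, "device posture failed: unpatched"
    return True, "allowed"


def reachable_apps(req: AccessRequest, policies: dict[str, AppPolicy] = POLICIES) -> set[str]:
    """Everything this user/device context could reach if the device were compromised.

    On a flat VPN the answer would be 'the whole subnet'; here it is only the
    applications the policy entitles this identity and device to, so a foothold
    on one laptop cannot be used to traverse to the rest of the estate.
    """
    return {
        app for app in policies
        if evaluate(dataclasses.replace(req, app=app), policies)[0]
    }


# Constructed requests, not real users or devices.
ALICE = AccessRequest("alice", frozenset({"finance", "staff"}), True, True, True, "payroll")
ALICE_UNPATCHED = dataclasses.replace(ALICE, device_patched=False)
UNPUBLISHED = dataclasses.replace(ALICE, app="fileserver")
BOB_PAYROLL = AccessRequest("bob", frozenset({"staff"}), True, True, True, "payroll")
# Stolen credentials for alice replayed from an unmanaged machine without MFA.
MALLORY = AccessRequest("alice", frozenset({"finance", "staff"}), False, False, False, "payroll")

if __name__ == "__main__":
    for name, req in (("alice", ALICE), ("alice/unpatched", ALICE_UNPATCHED),
                      ("alice/fileserver", UNPUBLISHED), ("bob/payroll", BOB_PAYROLL),
                      ("stolen creds", MALLORY)):
        print(f"{name:18} -> {evaluate(req)}")
    print("bob's reachable apps:", reachable_apps(BOB_PAYROLL))
```

The ordering of the checks matters for what an attacker learns: identity is verified before entitlement, so a request with stolen credentials but no MFA is refused before the broker even consults which applications that identity holds, and an unpublished application returns the same refusal whether or not the requester is entitled to anything.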
Contributed by Nicolas Casimir, CISO, Zscaler EMEA