Ransomware: Fighting the Other Pandemic

Photo credit: iStockphoto/ValeryBrozhinsky

Long before the COVID-19 pandemic started burning through our planet, the networks were already battling another scourge: ransomware.

“Increasingly, the attack will start with some level of network infiltration, where trojans can be planted and once the attackers are in, they can identify assets with greater value to go after.  Their technique may involve disabling backups and defenses before they encrypt the data.  Also, servers with important data are at greater risk,” says Fleming Shi, the chief technology officer at Barracuda.

Shi knows. The founding engineer of Barracuda’s web security product offerings is at the front lines of the ransomware battle with over 20 patents under his belt.

He observes that today’s ransomware threat actors are not just bored hackers. Criminal organizations and even states are also getting into the game, using spycraft tactics.

“State-sponsored attacks are certainly possible and it’s convenient and effective if well designed for the bad-acting state.  It can cause major disruption in today’s divisive political climate,” Shi notes.

Vendors have a role

Security hygiene is crucial. It helps to keep data well segmented and to follow preventive and detective procedures so that new vulnerabilities are discovered and rooted out quickly. A good and responsive backup and restore process can minimize the pain of disruptions.

Against hackers, who can now trade privileged credentials on the dark web, proactive measures are more difficult. This is also where vendors should play their part.

“I believe much of the responsibility to stay ahead of the attackers should belong to the vendors who are providing security solutions to companies,” he says.

Shi points to the public cloud as an example where solutions need to interact efficiently with public cloud platforms.  

“From ingestion of telemetry, sensory data to instrumentation, orchestration via native APIs is a good strategy to stay on-pace where threat intelligence is already embedded,” Shi observes.

Meanwhile, companies should stop looking for a single tool to rule them all. Instead, Shi sees the need for a stronger security program that has multiple tools covering all attack surfaces, while integrating with SIEM and SOAR solutions.

“Then you can get more correlated data, [coordinate a] threat hunt and remediate much more effectively and efficiently,” he explains.

Attitude problem

The ransomware pandemic is not new, and it is well studied. So why are well-established companies still victims?

Part of the reason is that companies overlook that ransomware is evolving.  “Cyberattacks are succeeding and advancing largely due to increased sophistication and social-engineered tactics,” says Shi.

He notes that while companies may have the tools and processes in place, they will continue to be victimized if they don’t practice and use them effectively or train the user community and install preventative measures.  

Human nature is also to blame. Ransomware is designed to take advantage of our human emotions and failings. The same behavior also delays any immediate actions that could stem the ransomware tide.

“I believe it’s human nature to ignore and avoid thinking about the worst scenario, therefore it’s really important to have a rigorous set of rules and practices in-place defined by a security team in any organization,” says Shi.   

Security shifts left

So, what happens when you become a victim? Transparency is key, and companies should avoid publicly shaming the victims. In fact, protecting the identity of the victims can even encourage others to come forward, contributing to a more proactive defense.

“For example: as soon as there is a signal, the security team should take over the asset and ensure they are trained to focus on step-by-step results in response, not pointing fingers or engaging in a blame game. This is the only way to ensure a strong culture which bands everyone together against cyber crimes,” says Shi.

As companies in-source their development and build DevOps teams, they also need to make security part of the design process rather than see it as a hindrance to innovation.

“In the cybersecurity industry, there is a new phrase developing, that’s ‘Security is Shifting Left.’  This means development should understand that security practices should be at the forefront of any development work,” Shi says.  

As a result, source-code level security analytics and governance are quickly becoming a standard procedure, “especially in today’s DevSecOps world where everything moves much faster in the CI/CD pipeline,” says Shi. 

Cyber insurance conundrum 

Companies are now looking to invest in cyber insurance as they battle cyber threats.

Shi notes that getting cyber insurance is important as part of being resilient against cyberattacks but should not be seen as a panacea.  “Insurance was invented for accidents and mishaps, attackers are targeting insured organizations, and that’s no accident.”

Instead, Shi advises companies to assume that they will not pay the ransom when they develop a mitigation strategy. “Otherwise the laziness will end up helping the cyber criminals to get stronger.” 

“Also, please guard insurance information as top-secret and don’t brag about how much coverage you have, because the threat actors are listening. They will come after the most lucrative pay-out with a vengeance,” he adds.

Prepare to be a victim

The world of business does not sit still; neither does ransomware.

Shi sees ransomware becoming more sophisticated. “The recent classes of ransomware and their attacks have grown to be more sophisticated. They are becoming more targeted and especially targeting high-valued enterprises where the pay-day is much bigger.”

Companies therefore need to think ahead and plan for a quick and solid recovery, while raising awareness among their staff.

“Design resilience into the security program so even under attack, the recovery process should be well defined and practiced often, so it’s not painful and uneasy,” Shi concludes.
