Today more than ever, companies are on high alert for ransomware attacks. Even as they work to protect themselves, however, many have not noticed how the nature of ransomware attacks has shifted. No longer simply a freeze on data assets through encryption, ransomware attacks now often involve stealing the data that is being held for ransom, creating an entirely new set of security considerations once an environment has been compromised.
We spoke with David Bishop, CISO at Trustwave, and Darren Van Booven, Lead Principal Consultant at Trustwave and former CISO of the U.S. House of Representatives, to discuss ransomware preparedness and what organizations might be missing from their cyber resilience strategy.
There seems to be a misconception that if you have system backups or endpoint protection, you're covered for a ransomware attack. Can you talk about the need for a holistic approach and the coordination necessary for effective ransomware preparedness?
Darren: Of course. When asked the question, "How do you think you are doing from a ransomware preparedness perspective?", most organizations I speak to will say they've got it covered. But when asked a few deeper questions about what they're doing to prevent some of the exploitation techniques that we see in incidents within their environment, they either don't know the answer, or they start realizing that, no, they're actually not prepared.
David: And I think part of the reason they're ill-prepared is that ransomware attacks today are a lot more than just ransomware. Besides installing on an endpoint and encrypting files, attackers are actively exploiting the environment to steal data so that they can further extract ransom under the threat of releasing the information to the public. Or, they'll take additional measures to corrupt, destroy or render inaccessible any backup infrastructure that you have. Nowadays, you have to be prepared on multiple fronts. It's not just securing your endpoints but ensuring you have data loss protection as well as solid backup infrastructure. Unfortunately, a lot of companies are just not doing this holistically.
It sounds like this has become more of a hybrid exploit/ransomware scenario, where decryption techniques don't cut it. Can you speak more about the risks associated with this newer generation of ransomware?
David: Years back, we used to see adversaries drop ransomware on us, and it would worm and run and completely encrypt an environment, halting everything. Then cybersecurity experts got really good at decrypting, making those attacks less effective. Beginning to exfiltrate data turned ransomware into a more typical exploit situation, where they have more leverage to force payment with stolen data. That's extortion.
Darren: Many people still don't understand the full extent of ransomware today: attackers are no longer just dropping encryption software into a system and letting it run across some flat or barely segmented environment. Now, it's a calculated strategy that includes some different adversarial playbooks that we've seen in the past, combined with more traditional ransomware.
Knowing the evolution of ransomware attacks, what are the top 3 things you'd recommend organizations do to prepare and protect themselves?
Darren: The first thing is foundational: Make sure you've maximized your overall approach to reducing the risk of email-originated threats because a lot of the ransomware that makes it into an organization is still coming through that vector. People still click on links in suspicious emails — it's human nature — so a base level of security awareness training should be part of planning there.
Also, have some kind of advanced EDR tool installed on the endpoint in the event that a malicious link has been clicked (it's bound to happen). Make sure systems are up to date and patched, and an EDR tool is on every device. We've responded to a lot of incidents where even environments that have had an EDR solution rollout have still gotten compromised because they didn't install the EDR tool everywhere. Without a full implementation, machines without EDR were being impacted. But, as mentioned before, a focus on endpoint protection, patching and email-originated threat detection is only part of the picture.
David: With all that in mind, my final recommendation would be this: For robust ransomware protection today, you need to look at your overall security strategy — and a big part of that is segmentation. If you assume for a moment that a ransomware attack is going to happen to you at some point, what have you done to minimize the impact of this type of breach in your environment? Have you identified where your critical data sets are that you depend on each day for operations or administration? Have you segmented your operational components from administrative components to prevent the spread of malware while making sensitive data more difficult to identify? Have you considered different access controls or permissions? A lot of companies don't have data segmentation in place, even in industries where connected systems and OT/IoT are at high risk for a breach. You need to understand all of the ways that your system could be penetrated in order to understand risk more broadly.
Any final thoughts to share?
Darren: It's really important to remember that segmentation applies to backups, as well. Making sure that your backups are viable and accessible in a timely fashion, should a ransomware attack require it, often means the difference between paying a ransom and not — just to get back to business at the speed work happens today.
David: Your segmentation strategy should have a recovery component to it so that your backup environments reflect the operational segments you put so much work into in the first place. If these focus areas have any gaps, the risk that ransomware will escalate into an issue for your business is much higher than if you have all of these protections in place.