Cybercriminals are Driven by Making & Taking Money.

Ransomware Defense: Preventative Techniques to Combat Attack Methods of Today’s Cybercriminal Gangs

Ransomware attacks continue to be a top-of-mind security threat for CISOs. A brief scan of news headlines paints a clear picture of the current cyber threat landscape. The ransomware business is booming. Between 2019 and 2021, ransomware attack complaints increased by 82% in the U.S. alone.

Map preventative defenses to attack patterns.

Cybercriminals are typically driven by one objective: making money fast. And history shows that threat actors go after the low-hanging fruit first, which for them means publicly disclosed vulnerabilities.

Unfortunately, the number of newly disclosed known vulnerabilities reached a high of 166,938 in 2021, according to new research from Skybox Security Research Lab. Compounding this threat debt, its threat intelligence analysts recorded a three-fold increase in known vulnerabilities over the last decade. Over the next two years, security executives expect an increase in attacks from social engineering and ransomware as nation-states and cybercriminals become more prolific.

Trying to scan and patch millions of vulnerabilities has left companies with exposed security weaknesses.

However, in reality, it is a small subset of exposed vulnerabilities that enable most successful cyberattacks. For example, in April 2022, a well-known ransomware-as-a-service platform called Hive targeted businesses by leveraging a set of Microsoft Exchange vulnerabilities known as ProxyShell. Although patches were released for ProxyShell, adversaries assume organizations can’t keep up with remediation. In one instance, it took less than 72 hours to complete an attack and hold a company ransom.

Stop ransomware attacks before they happen.

Adversaries are known to invest in learning a target’s unique vulnerabilities and network topology. Traditionally, defenders relied on the Common Vulnerability Scoring System (CVSS) to prioritize threats. However, these ratings create a false sense of security by assuming that “low” ranking security flaws can’t cause much of a disruption. Cybercriminals use this line of thinking to successfully carry out multistage campaigns by leveraging vulnerabilities ranked as “less severe” to gain entry and move laterally.

To stay ahead of these sophisticated cybercriminal gangs, there are three foundational steps CISOs, architects and security ops should consider taking.

  1. Asset discovery for all technology environments that you are responsible for securing. This may include on-prem, cloud services, IoT devices and critical infrastructure connected to the internet. According to a 2022 cybersecurity benchmarking study, unknown assets and poor cyber hygiene were top causes of significant breaches across major organizations. Ensure complete visibility and context of your entire attack surface, as overlooking assets is a common reason vulnerability management programs fail.
  2. Threat intelligence to identify vulnerabilities exploited in the wild. Adding threat context to a vulnerability prioritization algorithm reflects the likelihood that an adversary will actually exploit a vulnerability. Threat intelligence analysts can aggregate vendor security advisories and available patches to take the manual burden off security ops. Then, use this automated intel to prioritize fixing the vulnerabilities that have publicly available exploits.
  3. Cyber risk scoring based on exposure to threat actors and potential financial impact. Advanced risk scoring with cyber risk quantification enables organizations to focus on vulnerabilities that pose a real threat. Unfortunately, many cybersecurity tools are only capable of risk scoring based on asset importance. Instead, model your unique attack paths and security weaknesses to pinpoint the vulnerabilities with the highest likelihood of financially impacting the business.
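The three steps above, and the point made earlier that a “low” or “medium” CVSS rating can hide the vulnerability an attacker actually uses, can be shown with a small prioritization model. The following is an added example, not code from the article or from Skybox Security: the asset inventory, the scanner findings, the placeholder vulnerability identifiers (EXAMPLE-0001 and so on, not real CVEs), the financial impact figures and the scoring weights are all constructed assumptions. It checks for findings on assets missing from the inventory (step 1), flags findings that are exploited in the wild and already patchable (step 2), and ranks the rest by likelihood of exploitation times financial impact (step 3), then contrasts that ranking with a CVSS-only ordering.

```python
"""Risk-based vulnerability prioritization (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """One item from the asset inventory (step 1)."""
    name: str
    internet_exposed: bool       # reachable from the internet
    impact_usd: int              # assumed financial impact if compromised


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (input to steps 2 and 3)."""
    vuln_id: str                 # constructed placeholder, not a real CVE id
    asset: str
    cvss: float                  # base score 0.0 - 10.0
    known_exploited: bool        # threat intel says exploited in the wild
    patch_available: bool


# Constructed inventory: three known assets. A fourth, "printer-17",
# appears only in the findings to show what an inventory gap looks like.
ASSETS: Dict[str, Asset] = {
    "web-portal":  Asset("web-portal",  internet_exposed=True,  impact_usd=5_000_000),
    "hr-db":       Asset("hr-db",       internet_exposed=False, impact_usd=2_000_000),
    "dev-jumpbox": Asset("dev-jumpbox", internet_exposed=False, impact_usd=200_000),
}

# Constructed scanner findings with placeholder identifiers.
FINDINGS: List[Finding] = [
    Finding("EXAMPLE-0001", "web-portal",  6.5, known_exploited=True,  patch_available=True),
    Finding("EXAMPLE-0002", "hr-db",       9.8, known_exploited=False, patch_available=True),
    Finding("EXAMPLE-0003", "dev-jumpbox", 7.5, known_exploited=True,  patch_available=False),
    Finding("EXAMPLE-0004", "printer-17",  5.0, known_exploited=False, patch_available=True),
]

# Assumed weights. Exploited-in-the-wild status dominates the likelihood;
# an asset that is not internet-facing keeps a residual likelihood because
# it can still be reached by lateral movement.
EXPLOITED_WEIGHT = {True: 1.0, False: 0.1}
EXPOSURE_WEIGHT = {True: 1.0, False: 0.3}


def unknown_assets(findings: List[Finding], assets: Dict[str, Asset]) -> List[str]:
    """Step 1 check: findings on assets missing from the inventory cannot be scored."""
    return sorted({f.asset for f in findings if f.asset not in assets})


def risk_score(finding: Finding, asset: Asset) -> float:
    """Step 3: likelihood of exploitation times financial impact, in USD."""
    likelihood = (EXPLOITED_WEIGHT[finding.known_exploited]
                  * EXPOSURE_WEIGHT[asset.internet_exposed]
                  * finding.cvss / 10.0)
    return likelihood * asset.impact_usd


def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Tuple[str, float]]:
    """Rank the scorable findings by risk, highest first."""
    scored = [(f.vuln_id, risk_score(f, assets[f.asset]))
              for f in findings if f.asset in assets]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def cvss_order(findings: List[Finding]) -> List[str]:
    """The traditional CVSS-only ordering, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def patch_now(findings: List[Finding], assets: Dict[str, Asset]) -> List[str]:
    """Step 2: exploited in the wild, fix already published, asset in inventory."""
    return [f.vuln_id for f in findings
            if f.known_exploited and f.patch_available and f.asset in assets]


if __name__ == "__main__":
    print("Unscored (inventory gap):", unknown_assets(FINDINGS, ASSETS))
    print("CVSS-only order:", cvss_order(FINDINGS))
    for vuln_id, score in prioritize(FINDINGS, ASSETS):
        print(f"{vuln_id}: ${score:,.0f}")
    print("Patch now:", patch_now(FINDINGS, ASSETS))
```

With these constructed inputs the CVSS-only list puts the 9.8 finding on the isolated database first, while the risk-based list puts the 6.5 finding on the internet-facing portal first, because it is exploited in the wild and sits in front of the largest financial impact; the finding on printer-17 is never scored at all, which is the inventory gap step 1 is meant to close.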

From Reaction to Prevention

These strategies build upon guidance issued by the Cybersecurity and Infrastructure Security Agency (CISA) within Binding Operational Directive (BOD) 22-01 that instructed organizations to “reduce the significant risk of known exploited vulnerabilities.” CISA also notes: “Only 4% of the total number of CVEs have been publicly exploited. But threat actors are extremely fast to exploit their vulnerabilities of choice: of those 4% known exploited CVEs, 42% are being used on day of disclosure; 50% within 2 days; and 75% within 28 days. Meanwhile, the CVSS scores some of these as ‘medium’ or even ‘low’ severity.”

Actual, preventative cyber risk reduction is best achieved through a risk-based approach. Most importantly, these risk-based strategies enable CISOs to turn the tables on threat actors—moving from reaction to prevention. As cybersecurity leaders, it is time to give the advantage back to our cyber superheroes.

Source: Forbes, June 17, 2022
