Intelligent CIO APAC Issue 14 | Page 84

FINAL WORD
Jeffrey Kok, Vice President of Solution Engineering, Asia Pacific and Japan at CyberArk
Ransomware has become a preferred means of extortion by opportunistic attackers for two key reasons. First, many organizations fail to practice proper security hygiene when it comes to backup and recovery. Attacks targeting backups may be few and far between, but once data on endpoints and servers is encrypted and held for ransom, organizations are forced to choose between losing important data forever or forking over Bitcoin to (hopefully) get their data back.
Second, many organizations rely too heavily on traditional anti-virus solutions, which are often not effective in blocking ransomware. These solutions work by maintaining an inventory of known malware and blocking future executions of that malware. However, as ransomware files slightly morph with each new version – and new versions are created by the minute – these solutions have little chance of preventing infection.
From this point, data will be exfiltrated and ransomware will be deployed to encrypt files and demand hefty ransoms. Moreover, endpoint defenses, including Endpoint Detection and Response (EDR) tooling, are disabled or bypassed using both custom tooling and hands-on-keyboard approaches.
Perhaps the most troubling thing about targeted ransomware attacks is that just because an organization has been targeted once, it does not mean it will not happen again.
To maintain persistence on target networks, attackers often construct backdoors that allow them to re-enter at will. Most companies cannot withstand the business impact of one ransomware attack, let alone two.
Opportunistic or targeted , the initial attack vector remains the same
What is a targeted ransomware attack?
In recent years, more sophisticated attackers have shifted to targeted ransomware approaches in search of bigger payouts and target very specific organizations based on their ability (or need) to pay large ransoms, using customized tactics, techniques and procedures (TTPs).
Attackers seeking huge payouts are very creative, often going to great lengths to understand a victim's technology stack so they can identify and exploit vulnerabilities, while pinpointing the most valuable data to encrypt and hold for ransom. They are also extremely patient, escalating privileges to circumvent security systems and evading detection for an extended period before deploying the ransomware payload. During this time, attackers often target data backups so the organization cannot restore files after they have been encrypted.
Threat actors often follow a familiar attack path: steal valid credentials from a corporate identity and use these credentials to infiltrate the company via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN). Once inside, the attackers will escalate privileges and move laterally to establish persistence on the network.
Whether opportunistic or targeted, ransomware attacks start at the endpoint. Inadequately protected desktops, laptops and servers are pervasive – and each one provides a potential entry point for attackers to steal and encrypt data.
By examining numerous ransomware attacks, one thing is abundantly clear: relying on a single endpoint security solution – endpoint detection and response or anti-virus – is not sufficient to stop every threat. In fact, organizations are wise to adopt an assume-breach mindset to reduce the chances of ransomware encrypting files, even if it does enter their environments.
Ultimately, a defense-in-depth approach is necessary, layering a variety of security controls to eliminate gaps, reduce exposure and strengthen overall security posture.
Privileged Access Management is a critical, yet often overlooked, component of an effective endpoint security strategy. If a malicious attacker or insider gains access to a privileged credential, he or she will appear to be a trusted user, which makes detecting risky activity more challenging.
In combination with endpoint detection and response, anti-virus/NGAV, application patching and OS patching, organizations can significantly reduce risk by managing and securing privileges on endpoint devices. By implementing restriction models that only trust specified applications run by specific accounts and under specific circumstances, security systems can detect ransomware quickly and with certainty. By taking this comprehensive approach to endpoint security, organizations can defend from every angle and block attacks before they cause harm.