February 10, 2017

Mindshift: Take a Proactive and Strategic Approach to Stopping Ransomware

Category: Blog

In a previous blog, we outlined the anatomy of a ransomware attack, highlighting 10 potential attack vectors for ransomware. Since then, even though the alarms are ringing louder, more enterprises have failed to mitigate the risks associated with ransomware effectively, and have been forced to deal with successful ransomware infections by paying the ransom or performing costly recovery operations.


2016 proved a very effective year for ransomware. According to a SentinelOne survey covered in Dark Reading, about half of all organizations have been hit by ransomware – and 85 percent of those have faced three or more attacks. These statistics make me ask myself: why has mitigating the ransomware risk proven so difficult?


Ransomware variants are numerous, which makes ransomware as an attack category harder to defend against. Carbon Black found 4,000+ attacks daily since January 2016, across more than 25 ransomware families. Only one of the top five ransomware families in 2015 (Cryptowall) was also a top five family in 2016, pointing to the rapid evolution of the attack technique.


In addition to the astounding rate of change in ransomware, it’s becoming more prolific. Kaspersky Labs found that “attacks on business increased three-fold between January and the end of September,” which is “the difference between an attack every 2 minutes and one every 40 seconds.”


But the rapid evolution and growth of ransomware isn’t the whole story. Both ransomware and its targets - your enterprise assets and data - are always changing. Attackers are human beings who act fast and adapt quickly. Your enterprise is under constant stress and in a constant state of change.


The combination of the rapid evolution of ransomware (along with other cyber threats), the rapidly changing attack surface of your enterprise, and the inability of an enterprise defense posture to evolve its prevention capabilities in lockstep has led to the new reality of cyber security. It’s what Gartner calls a state of “continuous compromise.”


Reactive approaches do not prevent ransomware attacks, and they increase the overall cost to your business associated with remediation and recovery. Many ad hoc snapshot approaches (for example, penetration testing a few times a year) become ineffective because they are out of date mere hours after execution, and they will always lag behind the constant change occurring in your enterprise.


It’s time for a mindshift. It’s time for enterprises to systematically use tools and processes to identify potential risks quickly and proactively, allowing mitigation strategies to evolve before an incident like ransomware occurs.


It’s time to get ahead of the problem and ask: 

  • What components of my enterprise could be impacted by ransomware, and what would the overall impact of ransomware be to my business?
  • How do I continuously test and validate the end-to-end security posture of my enterprise to identify new gaps and risks that I need to consider?
  • Are my existing security controls optimized to prevent the threats that are high on my list of risks to deal with?
  • When I add or reconfigure security controls to mitigate an identified risk, how do I know that these control changes are effective and working as desired?


Getting Ahead


Ransomware protection advice from industry experts has generally developed a consistent tone. This advice has typically focused heavily on two areas: detection and recovery.


Enterprises are encouraged to focus on detection to avoid being held hostage and having to pay in the first place. This may include techniques such as upgrading your detection capabilities, or relying on user training to avoid social engineering such as dangerous emails that lead to ransomware footholds.


Enterprises are also encouraged to focus on recovery strategies, such as using multiple strategies to back up data to ensure availability after a ransomware event.


Both of these areas are absolutely valid when it comes to a ransomware defense strategy. But taken on their own, they force you to make dangerous assumptions.


First, you will need to assume that your detection capabilities will perform well enough to stay ahead of the ever-evolving ransomware landscape - an assumption I would posit is difficult at best. History, in the form of the statistics mentioned earlier in this article, does not back this up.


Second, if you are reactionary in your approach and rely on recovery and post-ransomware availability, you are implicitly assuming that your cost to recover would be less than the cost of taking a proactive approach. I’d encourage readers to consider that the cost of ransomware is not just the ransom. Lost productivity, lost reputation, and direct remediation costs are going to far outweigh the actual ransom you pay.


To address this, today’s enterprise needs to focus on a third area - deploying a set of proactive processes and tools that can identify the risks and mitigations associated with ransomware before a ransomware incident occurs. It’s time for continuous testing and validation. These techniques are the only way to keep up with the constant, dynamic change in your enterprise and with the rapid evolution of attack variants. Proactive visibility into your security controls will allow you to quantify risk and optimize your defenses to deal with that risk - for ransomware and for other types of cyber attacks.


Proactive and automated visibility into your security controls is a new area for many security professionals, and it’s worth learning about. Technologies are available today for more continuous identification of security gaps, validation of security postures, quantification of risk, and optimization of existing defenses. Security practitioners just need to make that mindshift and start to focus on a proactive approach.


Begin the mindshift with us. Please check back here next week for our upcoming webinar with further detail and research around ransomware. I’ll be joined by guest expert and author Kevin Beaver (Hacking for Dummies). We’ll walk you through a thoughtful approach to dealing with the impact that ransomware can have on your business, and provide some suggested techniques for taking a more proactive approach to this evolving and prolific threat.



About the Author

Brent Midwood is AttackIQ's Director of Product Management. Brent leads the Product Team and draws on over 15 years of security experience to define and drive the product strategy at AttackIQ, delivering value to our customers by enabling them to enhance their security posture.