
    New approaches to fighting ransomware are emerging

    By the time you’ve detected ransomware, it may be too late. But attack surface and digital threat monitoring can help your organisation resist ransomware gangs.

    by Dan McDermott

    Ransomware is hitting more and more organisations in Australia and New Zealand – and the odds are that sooner or later it will impact you as well.

    Ransomware incidents have risen 15 percent over the last year, with almost two-thirds of businesses suffering disruption.

    Ransomware attacks aren’t just becoming more common, they’re also getting faster. Not many organisations can detect a breach and respond quickly enough to stop an ongoing attack in its tracks. Rather than focusing on detection and response once an attack has begun, you might get better results by prioritising your threat monitoring efforts. By preventing your attackers from accessing your networks in the first place, you can keep the ransomware gangs from getting their foot in the door.

    Ransomware can be fast, deadly and costly

    There has been positive news in the fight against ransomware, with recent arrests hitting major gangs and governments becoming increasingly active in combating the threat. Yet incidents continue, hitting giants like JBS Foods and numerous high-profile organisations across manufacturing, healthcare, education and beyond. The biggest ransomware demand of 2021 was $70 million, and that sum only represents part of the damage: affected companies also take a big reputational hit, incur heavy recovery costs and suffer losses from forced downtime.

    Worse, by the time you’ve noticed a breach, it may already be too late to stop the attack. Ransomware gangs work at speed, gaining access to internal networks and typically exploiting a vulnerability within 12 hours of its discovery. Cybercriminals might gain access via a phishing attack, a malicious link or credentials stolen from the dark web, and be deploying ransomware less than six hours later.

    Response times are a problem no matter how big you are

    Large organisations may have the resources to respond within those six hours but can easily be slowed down by bureaucracy. Procedures need to be followed and IT actions signed off, all of which adds to their response time. Dealing with a compromised supplier or partner may take even longer to manage.

    Small and medium-sized businesses are in an even tougher spot. A select few may have endpoint protection and Security Information and Event Management (SIEM) technology to monitor threats and respond at pace. But most will have limited patching, anti-virus, firewall and event-logging resources that are unsuited to emergency response.

    For some orgs, threat monitoring can be a better option

    Most standard anti-ransomware measures kick in only after an attack has been attempted and identified. However, there is another approach that seeks to minimise the chances of an attack occurring in the first place. Threat monitoring can help your organisation manage threats before they get too big to handle. Done properly, it will allow you to identify access points and supply-chain vulnerabilities that are at risk from data theft and malware, then remediate them before any attack even takes place. Sounds great in theory, but what does it look like in the real world? A good threat monitoring solution has three main characteristics:

    1. it’s undertaken at scale
    2. it uses properly defined parameters
    3. it is continuous

    The first step is to decide what to monitor. Let’s drill into those areas and how threat monitoring works in practice.

    Monitoring open-source data and the dark web

    Are you aware of how much of your critical data is out in the wild? Open-source data and the dark web are both used by criminals to scrape sensitive data, but they can be a vital tool for cybersecurity teams too. Monitoring should be specific to your organisation, and can include a combination of:

    1. Human intelligence and analysis
    2. Breach datasets
    3. Information about your brands and employees on social media and forums
    4. Lists of compromised credentials and other breach data, particularly on the dark web or GitHub
    5. General surface, deep and dark web analysis across different languages
    6. Maintaining different threat personas

    Aggregating data from these sources is key if you are to build an effective program and identify potential risks before they become a problem.
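The aggregation step above is where most of the value lies, so here is an added example (not code from the article or from any vendor product) of a small aggregator that merges breach records, forum and paste mentions, and social media chatter into per-organisation alerts. All feed records, the watch domains and the brand names are constructed sample data; the keyword list used to spot access-for-sale posts is an assumption and would be tuned in practice.

```python
"""Aggregate breach and open-source feed records into prioritised alerts.

Added example with constructed data; not part of the original article.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed watchlist: the organisation's e-mail domains and brand terms.
WATCH_DOMAINS = {"example.com.au", "example.co.nz"}
WATCH_BRANDS = {"examplecorp", "example pay"}

# Constructed feed records. A real program would pull these from breach
# datasets, paste sites, forums and code-hosting searches.
FEEDS = [
    {"source": "breach:combo-list-2021", "kind": "credential",
     "email": "Alice@Example.com.au", "password_hash": "sha1:ab12..."},
    {"source": "breach:combo-list-2021", "kind": "credential",
     "email": "alice@example.com.au", "password_hash": "sha1:ab12..."},
    {"source": "breach:old-forum-dump", "kind": "credential",
     "email": "bob@example.co.nz", "password_hash": "sha1:cd34..."},
    {"source": "breach:combo-list-2021", "kind": "credential",
     "email": "carol@unrelated.org", "password_hash": "sha1:ef56..."},
    {"source": "forum:darkweb-market", "kind": "mention",
     "text": "Selling VPN access to ExampleCorp, AU, ask for price"},
    {"source": "paste:public", "kind": "mention",
     "text": "config dump ... db_host=internal.example.com.au ..."},
    {"source": "social:twitter", "kind": "mention",
     "text": "Loving the new Example Pay feature"},
]

# Assumed severity ranking and access-offer vocabulary (both constructed).
SEVERITY = {"access_offer": 3, "credential": 2,
            "infrastructure_exposure": 2, "brand_mention": 1}
ACCESS_TERMS = re.compile(r"\b(selling|for sale|access to|rdp|vpn)\b", re.I)


@dataclass
class Alert:
    key: str
    category: str
    sources: set = field(default_factory=set)
    evidence: list = field(default_factory=list)


def normalise_email(addr: str) -> str:
    return addr.strip().lower()


def email_in_scope(addr: str) -> bool:
    """True when the address belongs to one of the watched domains."""
    return normalise_email(addr).rsplit("@", 1)[-1] in WATCH_DOMAINS


def classify_mention(text: str) -> Optional[str]:
    """Map free text to a category, or None when it is not about us."""
    lowered = text.lower()
    hits_domain = any(d in lowered for d in WATCH_DOMAINS)
    hits_brand = any(b in lowered for b in WATCH_BRANDS)
    if not (hits_domain or hits_brand):
        return None
    if ACCESS_TERMS.search(lowered):
        return "access_offer"          # someone claims to hold access
    if hits_domain:
        return "infrastructure_exposure"  # internal host names leaked
    return "brand_mention"


def aggregate(feeds):
    """Merge records from all sources into one alert per subject."""
    alerts = {}
    for rec in feeds:
        if rec["kind"] == "credential":
            if not email_in_scope(rec["email"]):
                continue
            email = normalise_email(rec["email"])
            alert = alerts.setdefault(email, Alert(key=email, category="credential"))
            alert.sources.add(rec["source"])
            # The same hash seen again (different capitalisation, different
            # combo list) is the same leak: keep one piece of evidence.
            if rec["password_hash"] not in alert.evidence:
                alert.evidence.append(rec["password_hash"])
        elif rec["kind"] == "mention":
            category = classify_mention(rec["text"])
            if category is None:
                continue
            key = f"{category}:{rec['source']}"
            alert = alerts.setdefault(key, Alert(key=key, category=category))
            alert.sources.add(rec["source"])
            alert.evidence.append(rec["text"])
    return alerts


def prioritised(alerts):
    """Highest-severity alerts first so analysts see access offers before chatter."""
    return sorted(alerts.values(), key=lambda a: (-SEVERITY[a.category], a.key))


if __name__ == "__main__":
    for a in prioritised(aggregate(FEEDS)):
        print(a.category, a.key, sorted(a.sources), len(a.evidence))
```

Running the script shows the access-for-sale forum post at the top, Alice's duplicated combo-list entry collapsed into a single alert, and Carol's record dropped because her domain is out of scope; a real deployment would replace the constructed `FEEDS` list with connectors to the breach datasets and forums you monitor.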

    External attack surface monitoring

    The clue’s in the name: rather than looking out at the threats beyond your organisation, external attack surface monitoring gives you an outside-in view of your own vulnerabilities. It explores internet-facing assets, their relationship to your business and the risks they carry. Again, this is a process that must be carried out continuously, and at scale. The key steps in this type of monitoring are:

    1. Assess the vulnerabilities and role of known assets in your organisation
    2. Scan to discover unknown assets – legacy apps, shadow IT and data can be a serious threat
    3. Map assets across different locations, departments and partners and ensure these are managed consistently and effectively
    4. Use fingerprinting to confirm patching is up to date across services, apps and software
    5. Identify malicious infrastructure
    6. Monitor traffic for insider threats
    7. Analyse technical data to identify threats, and adjust your security in response
    8. Assess whether suppliers and partners are leaking your data

    The resulting data can be aggregated into reports that give a dynamic, easily digested view of business risk.
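To make steps 1, 2, 4 and 8 concrete, here is an added example (not code from the article or any product it alludes to) that reconciles a known-asset inventory against the results of an external scan, fingerprints service banners to check versions against a patch baseline, and rolls the findings up into the kind of risk summary the paragraph above describes. The inventory, scan banners, patch baseline and fingerprint patterns are all constructed sample data and assumptions; the baseline versions are not claims about any product's security history.

```python
"""Reconcile an external scan with the asset inventory and patch baseline.

Added example with constructed data; not part of the original article.
"""
import re
from dataclasses import dataclass

# Constructed inventory of assets the organisation believes it owns.
INVENTORY = {
    "www.example.com.au": {"owner": "Web team", "product": "nginx"},
    "mail.example.com.au": {"owner": "IT ops", "product": "exim"},
    "portal.partner-hosting.example": {"owner": "Partner: PayrollCo", "product": "nginx"},
}

# Constructed output of an external scan of the organisation's address space.
SCAN_RESULTS = [
    {"host": "www.example.com.au", "port": 443, "banner": "nginx/1.24.0"},
    {"host": "mail.example.com.au", "port": 25, "banner": "220 mail ESMTP Exim 4.94.2"},
    {"host": "legacy-crm.example.com.au", "port": 8080, "banner": "Apache Tomcat/7.0.52"},
    {"host": "portal.partner-hosting.example", "port": 443, "banner": "nginx/1.18.0"},
]

# Assumed patch baseline: the minimum version the organisation treats as current.
PATCH_BASELINE = {"nginx": "1.22.0", "exim": "4.96.0", "apache tomcat": "9.0.0"}

# Assumed banner fingerprints: (pattern capturing the version, product name).
FINGERPRINTS = [
    (re.compile(r"nginx/(\d+(?:\.\d+)*)", re.I), "nginx"),
    (re.compile(r"Exim (\d+(?:\.\d+)*)", re.I), "exim"),
    (re.compile(r"Apache Tomcat/(\d+(?:\.\d+)*)", re.I), "apache tomcat"),
]


@dataclass
class Finding:
    host: str
    port: int
    owner: str
    issue: str
    severity: str
    detail: str


def fingerprint(banner):
    """Return (product, version) from a banner, or (None, None) if unrecognised."""
    for pattern, product in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None, None


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def below_baseline(product, version):
    baseline = PATCH_BASELINE.get(product)
    return baseline is not None and version_tuple(version) < version_tuple(baseline)


def assess(inventory, scan_results):
    """Steps 1, 2, 4 and 8: known vs unknown assets, patch level, partner exposure."""
    findings = []
    for r in scan_results:
        known = inventory.get(r["host"])
        owner = known["owner"] if known else "UNKNOWN"
        product, version = fingerprint(r["banner"])
        if known is None:
            # Step 2: anything answering on our address space that nobody claims.
            findings.append(Finding(r["host"], r["port"], owner, "unknown_asset",
                                    "high", f"not in inventory; banner {r['banner']!r}"))
        if product and version and below_baseline(product, version):
            # Step 4: version behind baseline. Unknown or partner-run hosts are
            # rated higher because we cannot patch them ourselves (step 8).
            sev = "high" if known is None or owner.startswith("Partner:") else "medium"
            findings.append(Finding(r["host"], r["port"], owner, "outdated_software", sev,
                                    f"{product} {version} below baseline {PATCH_BASELINE[product]}"))
    return findings


def summarise(findings):
    """Roll findings up into the counts a risk dashboard would show."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY, SCAN_RESULTS)
    for f in results:
        print(f"[{f.severity}] {f.host}:{f.port} ({f.owner}) {f.issue}: {f.detail}")
    print(summarise(results))
```

With the sample data, the undocumented `legacy-crm` host surfaces twice (unknown asset, outdated software), the partner-hosted portal is rated high because remediation depends on the supplier, and the in-house mail server is a medium finding the IT ops owner can patch directly. Because the scan and the inventory disagree on what exists, the reconciliation has to run on every scan, which is the continuity the article insists on.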

    Monitoring as a solution

    Attack surface and digital threat monitoring, while incredibly useful, is unfortunately not a one-stop ransomware killer. For it to work, you must have the resources and company-wide support to act on its findings. Threat monitoring works best when supported by traditional measures such as firewalls and anti-phishing training. It can also operate alongside emerging approaches like zero trust. In any case, whether you go with threat monitoring or conventional security measures, you’ll still need backups and a recovery plan in case the hackers do get inside your defences.

    But the great strength of monitoring the dark web, open-source data and external attacks is that it allows you to limit possible attack routes before cyber criminals find them. Compare that with detection and response, which is often toothless against nimble ransomware gangs, and it’s clear why scaled and cost-effective threat monitoring is increasingly becoming the ransomware defence of choice.
