Aiming for the right defense strategy against ransomware threats
Steve Caimi is a security specialist Cisco with nearly 25 years’ experience in cybersecurity.
Ransomware had a banner year in 2020, taking advantage of pandemic-related shifts in network access for remote work, distance learning and telehealth. For critical infrastructure sectors, the threat of seeing data locked up or having systems knocked offline is a risk that these organizations simply can’t afford.
While cyber defenders are improving their cyber defenses, hackers are upping their game too. They’re getting better at getting inside, they’re affecting more systems and they’re doing more with the data they steal. That is why organizations need a security strategy that can adapt to the changing threat environment.
For ransomware, financial gain is the endgame. We are seeing a growing trend in “big game hunting” — or targeting big-revenue organizations — because attackers know these organizations can, and will, pay up.
Two of the top attack vectors should come as no surprise to security leaders: email and web browsing. For a long time, these have been the easiest methods to deliver harmful links or malicious attachments to users.
But ransomware-related links are arriving in other ways too. SMS text and iMessage are increasingly used. Social media platforms, like Facebook and LinkedIn, are exploited with fake accounts or by hijacking accounts and taking advantage of those messaging services to deliver phishing attacks. Even URL shorteners and QR codes are growing in popularity because they are easier ways to disguise a malicious hyperlink.
And though the delivery method is changing, the code ransomware actors use is known to the security community. Ryuk is an example of a threat that has been around for a number of years (since 2018) but persists as a top threat. According to Cisco Talos, Ryuk uses a nasty combination of attack techniques including phishing, malicious links and attachments, vulnerability exploitation, code injection and even a “Wake-on-LAN” feature, which is used to turn on powered-off devices.
And attackers will continue to use these channels to deliver tried and tested attacks because, frankly, they work. People are human and they click.
Mitigating the level of risk
Traditionally when organization leaders discuss ransomware mitigation, they look for a specific tool or capability they can buy.
There are email, web and endpoint security technologies that can help scan for threats. And data backup and restore capabilities also ring as a simple solution. While these are good on their own, it doesn’t take into account the realities of the enterprise system. To be truly effective today, cybersecurity technologies must be well-integrated and modern.
A recent security practices study sought to uncover statistical correlations with security practices and program outcomes, surveying nearly 5,000 security professionals from around the globe. The study found that using modern, integrated technologies is one of the top security practices that leads to real business outcomes.
In fact, out of 275 possible combinations of security practices, respondents pointed to seven practices that best contribute to key outcomes: a proactive technology refresh, well-integrated technology, timely incident response, prompt disaster recovery, accurate threat detection, program performance metrics, the use of effective automation.
Aiming for the right defense strategy
First, let’s not blame people. We should educate and stimulate, but accept that no one is perfect. That’s why cyber defense technologies have gotten much better. We need to look beyond just ransomware to a broader question: how can we make our security operations more efficient and effective?
While our SecureX platform is a relatively new integrated offering at Cisco, our security strategy which is the baseline for SecureX’s capabilities is not. We are on a relentless mission to make cybersecurity simple, integrated and automated.
Cisco SecureX is our answer to a modern, cloud-native (vendor agnostic) solution that our partners can integrate with their existing security technologies to unify visibility, orchestration, detection, response and much more. Its capabilities are unmatched and — just as important — we include it with any and all of our security technologies.
To work towards the right defense strategy, we recommend that leaders specifically take a closer look at their security strategies to make sure they are meeting these critical areas:
- Secure your email with a solution that includes advanced phishing capabilities and applies modern trust analytics to spot impersonators, suspicious content, malicious attachments and harmful links. If you’re using Office 365, make sure the solution you pick is optimized for it.
- Secure your web access with Secure Access Service Edge (SASE) so that users are protected from wherever they are. SASE uses cloud-delivered security and cloud-managed networking capabilities to keep users from harmful sites that deliver ransomware, even if they click.
- Secure your endpoints where ransomware attackers often look for a foothold. An attack starts with a single exploited system or device. If ransomware somehow manages to reach an endpoint, advanced malware protection can isolate the attack and stop it from spreading.
- Secure identities with authentication tools such as multi-factor authentication (MFA), secure workloads and applications and domain-based message authentication reporting (DMARC). All of these tools can help authenticate both user and device trust throughout the enterprise network.
- Educate your users with cyber awareness training and phishing simulations so that everyone becomes a part of your cybersecurity solution.
And lastly, it is recommended that organizations work towards a zero-trust strategy that assumes nothing can be trusted: users, devices, applications, even our so-called “trusted” suppliers, business partners and service providers.
All cyber programs can benefit from well-established cybersecurity best practices. At Cisco, we embed these into our security program and decision making and we recommend our partners look at existing guidance to do the same.
Learn more about how hard Cisco is working each day to be a trusted cyber partner.