Ransomware forces dilemmas on organizations: will you pay the ransom, and what about your reputation? Read here why speed is part of the intervention discussion and why it matters.
With the recent media attention for ransomware attacks, cybersecurity has once again entered the next phase. Cyberattacks have become part of the public debate and have a direct impact on the reputation of organizations. The ability of security teams to keep up with the variety of threats in terms of knowledge and manpower has decreased considerably in recent years. It is therefore high time for the industry to take serious steps in this direction and to find a solution to the common problems through collaboration.
There are many ways to approach today's cyber challenges, but they all start with the awareness that we must act now. And while there are plenty of security issues that deserve attention, it is important to focus on the most pressing one: the sheer speed at which new threats operate requires an even greater speed from our cyber security operation.
Speed, the trump card of the cybercriminal
Stories are constantly circulating about highly sophisticated cyber criminals who develop complex attacks that are impossible to detect in time. Unfortunately, the focus is mainly on how and where a cybercriminal will be able to penetrate, and hardly ever on the speed with which the cybercriminal acts.
Of course, cyber criminals have become more and more cunning, but ransomware is not technically very different from the trojans of the past. What really poses a new threat is its speed. By this I mean the speed at which criminals can penetrate in order to do a lot of damage in the limited time they have. This threat is only helped by our wait-and-see attitude.
Most cyber criminals use known tactics, techniques and procedures (TTPs). However, they carry out more attacks and have become much faster, taking less time to gain access to systems and files. By the time reactive organizations have noticed an attack and understood how it could have happened, the cybercriminals have long since bypassed or even taken over security controls, run queries, downloaded or destroyed data, and so on.
Even the less seasoned cybercriminal is able to do a lot of damage when an organization is unable to recognize and immediately defuse an attack.
Proactive is the winning mindset
In 2020, we can no longer afford to limit our actions to a technical analysis afterwards, so that a threat can be stopped the next time. As an industry, we have become accustomed to thinking in the number of minutes, or even hours, it takes to detect an attack, when in reality a few seconds of damaging action can already be disastrous.
Talking about the value of reducing "dwell time" (the average number of days an intruder can remain in the network undetected) makes little sense if, at the same time, the cybercriminal's speed of action increases much faster.
A CISO can often describe perfectly afterwards why a cyberattack could be successful and what impact this had on the organization. How nice it would be if there were less need for such lectures, because we are better able to recognize and disable threats in real-time.
Ransomware in 2020 (and beyond)
Recent developments in the field of ransomware show that cybercriminals are now using additional coercive means to extort organizations beyond data encryption. Nowadays, data leaks and other threats are unfortunately also part of this.
The lightning-fast "DoppelPaymer" attack - which was able to carry out more than 2,000 malicious activities in less than 7 seconds - on a heart clinic in Mexico revealed that the criminals had captured sensitive information in addition to encrypting data. The criminals threatened to leak or sell the information if they did not receive the ransom money.
We can expect more of this kind of criminal behavior. Cyber criminals don't shy away from anything, even if it endangers the lives of patients. They have no problem leaking sensitive information if the victim does not pay, and we need to be prepared for other threats. Think for example of the dumping of sexually tinged files, as happened in a previous attack. The attackers cleverly responded to the sentiment surrounding personal reputational damage.
In addition, taking over email accounts is used as a means of coercion. These are used to send malicious spam that appears to originate from the victim. The possibilities to cause considerable damage are therefore numerous.
Sensitive spots in the map
Most organizations only realize they are victims of a ransomware attack when the first machines are encrypted. But by that time, most of the "kill chain" has already been executed. The attackers have already established a foothold, stolen credentials and access rights, downloaded sensitive data and spread throughout the corporate network. The question is how quickly you, as an organization, are able to intervene - if this only happens after the initial encryption, it is clearly too late.
Often it hardly matters whether or not the criminals were able to access the company's critical data. The fact that data - whatever it is - has been stolen has an immediate impact on the organization's reputation. Often, cyber criminals are only interested in recent data as proof that their attack has succeeded.
Moreover, the speed with which attackers can penetrate and move through systems makes the old legacy security checks and subsequent analysis less and less effective. In addition, the faster the computers, the faster the cyber criminals. As a result, the attacks themselves do not even have to be very technically advanced, and the cybercriminal can instead focus on devising new means of coercion. This does not only apply to endpoints such as workstations and servers; virtual environments (VDI) and cloud applications are also vulnerable. In order to counter such rapid threats, the right technology, intelligence and security must be deployed both in the cloud and on endpoints.
The traditional cyber security approach is becoming harder and harder to sustain, given that the speed of action by cybercriminals only increases. Fortunately, more and more organizations are realizing that speed is the new reality. They are changing their strategy, employing the right talent and adapting their IT security and risk management accordingly.
Often these are companies that have been victims of ransomware before. Organizations, however, do have the ability to take preventive action now. It is high time for the CISO to get down to work today on the theme of 'speed is the new reality' and to protect the organization permanently from potentially harmful consequences.
This is possible by setting up the operational security organization with the right tools, knowledge and procedures based on real-time action. Here it is important to focus on endpoint security with fully autonomous detection of suspicious behavior and to combine this with an automated response to it. In this way, one's own speed can become a winning asset against cyber crime.
Eric van Sommeren is Director Sales Northern Europe for SentinelOne. He shares his passion for endpoint security software as a guest blogger for EASI.