How to mitigate fast-changing attacker behaviours from advanced to entry level
In the coming year ICT security leaders must be aware that remote working will continue to expand, offering more opportunities for threats like ransomware.
Hackers are already planning how to take advantage of new attack vectors that open as the workforce decentralizes and evolves.
According to the Sophos 2021 Threat Report it’s not just the pandemic that has altered the work force – new technology, the reliance on non-traditional platforms, and more all offer inroads for cybercriminals.
The report h flags how ransomware and fast-changing attacker behaviours, from advanced to entry level, will shape the threat landscape and IT security in 2021.
Three key trends analySed in the Sophos 2021 Threat Report include:
- The gap between ransomware operators at different ends of the skills and resource spectrum will increase.
- At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organisations with multimillion-dollar ransom demands. In 2020, such families included Ryukand RagnarLocker.
- At the other end of the spectrum, Sophos anticipates an increase in the number of entry level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.
Another ransomware trend is “secondary extortion,” where alongside the data encryption the attackers steal and threaten to publish sensitive or confidential information, if their demands are not met. In 2020, Sophos reported on Maze, RagnarLocker, Netwalker, REvil, and others using this approach.
“The ransomware business model is dynamic and complex. During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative ‘cartels,’” said Chester Wisniewski, principal research scientist, Sophos.
“Some, like Maze, appeared to pack their bags and head for a life of leisure, except that some of their tools and techniques have resurfaced under the guise of a newcomer, Egregor. The cyberthreat landscape abhors a vacuum. If one threat disappears another one will quickly take its place. In many ways, it is almost impossible to predict where ransomware will go next, but the attack trends discussed in Sophos’ threat report this year are likely to continue into 2021.”
Everyday threats such as commodity malware, including loaders and botnets, or human-operated Initial Access Brokers, will demand serious security attention. Such threats can seem like low level malware noise, but they are designed to secure a foothold in a target, gather essential data and share data back to a command-and-control network that will provide further instructions.
If human operators are behind these types of threats, they’ll review every compromised machine for its geolocation and other signs of high value, and then sell access to the most lucrative targets to the highest bidder, such as a major ransomware operation. For example in 2020, Ryuk used Buer Loader to deliver its ransomware.
“Commodity malware can seem like a sandstorm of low-level noise clogging up the security alert system. From what Sophos analysed, defenders need to take these attacks seriously, because of where they might lead. Any infection can lead to every infection. Many security teams will feel that once malware has been blocked or removed and the compromised machine cleaned, the incident has been prevented,” said Wisniewski. “They may not realise that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys, possibly in the middle of the night or on the weekend. Underestimating ‘minor’ infections could prove very costly.”
All ranks of adversaries will increasingly abuse legitimate tools, well known utilities, and common network destinations to evade detection and security measures and thwart analysis and attribution. The abuse of legitimate tools enables adversaries to stay under the radar while they move around the network until they are ready to launch the main part of the attack, such as ransomware. For nation-state-sponsored attackers, there is the additional benefit that using common tools makes attribution harder. In 2020, Sophos reported on the wide range of standard attack tools now being used by adversaries.
“The abuse of everyday tools and techniques to disguise an active attack featured prominently in Sophos’ review of the threat landscape during 2020. This technique challenges traditional security approaches because the appearance of known tools doesn’t automatically trigger a red flag. This is where the rapidly growing field of human-led threat hunting and managed threat response really comes into its own,” said Wisniewski. “Human experts know the subtle anomalies and traces to look for, such as a legitimate tool being used at the wrong time or in the wrong place. To trained threat hunters or IT managers using endpoint detection and response (EDR) features, these signs are valuable tripwires that can alert security teams to a potential intruder and an attack underway.”
Additional trends analysed in the Sophos 2021 Threat Report include:
- Attacks on servers: adversaries have targeted server platforms running both Windows and Linux, and leveraged these platforms to attack organisations from within
- The impact of the COVID 19 pandemic on IT security, such as the security challenges of working from home using personal networks protected by widely varying levels of security
- The security challenges facing cloud environments: cloud computing has successfully borne the brunt of a lot of the enterprise needs for secure computing environments, but faces challenges different to those of a traditional enterprise network
- Common services like RDP and VPN concentrators, which remain a focus for attacks on the network perimeter. Attackers also use RDP to move laterally within breached networks
- Software applications traditionally flagged as “potentially unwanted” because they delivered a plethora of advertisements, but engaged in tactics that are increasingly indistinguishable from overt malware
- The surprising reappearance of an old bug, VelvetSweatshop – a default password feature for earlier versions of Microsoft Excel – used to conceal macros or other malicious content in documents and evade advanced threat detection
- The need to apply approaches from epidemiology to quantify unseen, undetected, and unknown cyberthreats to better bridge gaps in detection, assess risk and define priorities
CISOs and security leaders can avoid huge losses by preparing for ransomware attacks before they happen, state analyst firm, Gartner.
About 27 per cent percent of malware incidents reported in 2020 can be attributed to ransomware. Ransomware — cyber extortion that occurs when malicious software infiltrates computer systems and encrypts data, holding it hostage until the victim pays a ransom — can have a bigger impact on an organisation than a data breach.
In the short term, ransomware can cost companies millions of dollars, and a potentially even greater loss over the long term, impacting reputation and reliability. From top healthcare providers and retailers in the US to insurance providers in the Middle East, ransomware attackers are proving to be a continuing cybersecurity threat.
Organisations need to focus on is preparation and early mitigation if they want to cut losses
“In some recent cases of ransomware attacks, the victim organizations have paid huge amounts to the attackers, which can be one of the reasons these attacks are getting more popular,” says Paul Webber, Senior Director Analyst, Gartner. “Instead, what organisations need to focus on is preparation and early mitigation if they want to cut losses to ransomware.”
CISOs and security leaders can reduce the likelihood of ransomware attacks, reduce exposure to vulnerabilities and secure the organization using a mitigation plan. This plan must cover the following six actions.
No. 1: Conduct initial ransomware assessments
Conduct risk assessments and penetration tests to determine the attack surface and current state of security resilience and preparedness in terms of tools, processes and skills to defend against attacks.
“Before you assume that payment is the only option, investigate using free ransomware decryption software,” says Webber.
No. 2: Enforce ransomware governance
Establish processes and compliance procedures that involve key decision makers in the organization, even before preparing for the technical response to a ransomware attack. Ransomware can escalate from an issue to a crisis in no time, costing an organization revenue loss and creating a damaged reputation.
Key people such as the CEO, board of directors and other important stakeholders must be involved in the preparation. In the event of a ransomware attack, it is likely that journalists and other external stakeholders will reach out to the board of directors for response to the attack, not the security leaders or CISO.
No. 3: Maintain consistent operational readiness
Conduct frequent exercises and drills to ensure that systems are always able to detect ransomware attacks. Build regular testing of incident response scenarios into the ransomware response plan.
Test, test and retest at regular intervals to check for vulnerabilities, noncompliant systems and misconfigurations. Ensure that incident response processes are not themselves reliant on IT systems that may be affected by ransomware attacks or unavailable in case of a serious incident.
No. 4: Back up, test, repeat ransomware response
Back up not only the data but also every nonstandard application and its supporting IT infrastructure. Maintain frequent and reliable backup and recovery capabilities. If online backups are used, ensure that they cannot become encrypted by ransomware. Harden the components of enterprise backup and recovery infrastructure against attacks by routinely examining backup application, storage and network access and comparing this against expected or baseline activity.
Prepare for critical application recovery in a systemwide ransomware attack by creating specific recovery time objective (RTO) and recovery point objective (RPO) parameters, safeguarding backup storage media and accessibility.
No. 5: Implement the principle of least privilege
Restrict permissions and deny unauthorized access to devices. Remove local administrator rights from end users and block application installation by standard users, replacing this with a centrally managed software distribution facility.
CISOs and security leaders must deploy multifactor authentication wherever possible, especially for privileged accounts. Increase authentication logging on all critical servers, network appliances and directory services, and ensure logs are not deleted. Notify security operations teams of any unexpected activity and ensure they proactively look for unusual logins/failed authentication attempts.
No. 6: Educate and train users on ransomware response actions
Research government and regional authorities that have provided guidelines on how organizations can fortify their network infrastructure against ransomware. CISOs and security leaders can use guidelines such as these to create a basic training program for all staff in the organization. However, ransomware preparedness training needs to be customised to the organisation for better results.
“Use cyber crisis simulation tools for mock drills and training that provide closer to real-life situations for better preparedness of end users against ransomware,” said Webber.
The challenges of ransomware and other forms of malware are the ever-changing tactics and agendas of hackers. Having a strategy in place for preparedness can help contain the losses and protect the organisation.