Gartner predicts that by 2025, at least 75% of IT organizations will face one or more attacks, as free-rein researchers document a dramatic increase in ransomware attacks during 2020, pointing to sevenfold or higher rates of growth.
In the report, the risk of new ransomware models debuted in the top five emerging risks in the third quarter as the previous quarter’s top risk, “cybersecurity control failures,” has matured into an established risk.
One security specialist noted that ransomware attacks are often misunderstood, thought of as a single, isolated attack like the 2016 Wannacry event. The reality, however, is that ransomware is deployed as part of a larger attack that may involve penetration of a network, stealing of credentials for critical systems accounts, attack on the backup administration console or data theft.
Jonathan Jackson, director of engineering for APAC at BlackBerry, acknowledged that ransomware attacks have become a lot more sophisticated as ransomware actors recognise them as an incredibly lucrative business.
“We are now seeing the rise of Ransomware-as-a-Service, with affiliations coming into play, making it easy for anybody to deploy ransom on a target and a system using stolen credentials or phishing campaigns. The attacks have become bolder, fuelling a bigger market and challenge for organisations in APAC.,” he went on.
Catalyst in APAC
In reflecting on the drivers of the ransomware spread in the region, Jackson attributed this to the massive shift to work from home in early 2020 and the challenges faced by security teams to adapt to the new work model.
“The switch to allowing everyone to access the same but from unsecured home networks or Wi-Fi networks led to organisations having to build in loopholes by allowing VPN access from anywhere and introducing RDP (remote desktop protocols),” he added.
The result is a substantially expanded attack surface in the past 24 months that has allowed cybercriminals to gain access to information, creating a big challenge for security organisations trying to patch their systems while trying to maintain control of the corporate parameters which are now distributed.
Failure to detect and respond
While acknowledging security solutions and practices are have been around for years, Jackson commented that traditional anti-virus processes with signature-based solutions can no longer keep up with the sheer number of malware variants that are created.
“We see an average of about 400,000 malware variants created globally every day. If you’re trying to create a signature for every single one of those zero-day attacks, you are way behind the curve and can never keep up,” he added.
With new capabilities like sandboxing, heuristics, early math models, and artificial intelligence surfacing in the last five years, the cyber war has shifted from prevention to endpoint detection and response (EDR) — a tool to mitigate the attack once it has happened, threat hunt, find it and stop the breach after it has occurred.
“The challenge here is finding a balance between the two because just relying on EDR is not going to meet the needs of organisations going forward as we are effectively allowing someone to initiate attacks against you. There are ways to proactively prevent attacks from happening pre-execution and that is going to be the key moving forward,” he explained.
The profile of prediction and prevention approach
According to Jackson, very powerful and huge mathematical models of known good and known bad files are being built.
“We have math models that learn and grow, and they fight with next generations of math models to ensure that the efficacy and effectiveness of that math model supersede the next one. BlackBerry is now in the seventh year of iterating its math model and we see about a 98% effective rate — prevention is possible using machine learning and artificial intelligence,” he elaborated.
Why zero-trust make sense
Jackson believes that zero-trust is a healthy approach for organizations striving to adopt more rigour in their cyber resilience strategy.
“Without technicalities, zero-trust means that I need authenticate myself, the app that I am using, the files I am accessing, the cloud-based system I am trying to deposit files in, the laptop I am on, and the way I am using my keyboard. With zero-trust, nothing is trusted and that everything is bad. Everything needs to earn that trust to gain access to the system. Organisations need to find a model that will help them achieve this,” he opined.
XDR alongside zero-trust
Extended detection responses (XDR) look at multiple pieces of constructs or feeds that come into a data lake where you can then correlate information and make informed decisions on. These work by bringing together data from your antivirus solutions, SIEM (security information and event management) solutions, IPS (intrusion prevention systems), IDS (intrusion detection systems), email systems, identity systems, and firewalls.
Jackson suggests that for security organisations that are time-poor, faced with a massive skills gap, and have alert fatigue, XDRs can help to reduce the noise and complexity, allowing math models or machines to make decisions for us in terms of the threats that exist out there in the world.
What to do in preparation for 2022
He noted that ‘at the moment’ people remain the weakest link. Thus, continuing education, awareness, training through things like gamification, will be important in making sure the organization stays cyber-fit.
He suggests acquiring managed detection services from security vendors who can operate security operations centres (SOCs) and act as the company’s 24/7 response and attack prevention mechanism to help security teams and business leaders sleep better at night.
“One trend that we are seeing is with Friday afternoons and Saturday mornings — cybercriminals know that people log off for the weekend and thus ramp up attacks over the period. As organisations are not ready for that, having somebody who can deal with cybersecurity 24/7, 365 days a year will help businesses get their weekends back as well,” he concluded.
Click on the PodChats player to listen to Jackson’s predictions about ransomware in 2022 and how to enhance the organization’s readiness against cyberattacks in the coming year.
- What are the characteristics of ransomware? Has it changed from before the pandemic?
- What is catalysing the growth in ransomware attacks in Asia Pacific?
- Why are the current detect and respond approach to cybersecurity inadequate against ransomware actors and their evolving tactics?
- What does a prediction and prevention approach look like and how can it fend off more complex and organised threats of tomorrow?
- Would the adoption of zero-trust framework strengthen an organization against ransomware attacks?
- Beyond zero trust, what else is needed?
- What can we expect in 2022 and what should we do in anticipation of that?
- Beyond the tools, what else should enterprises do to stay cyber fit?