As we move into the final quarter of 2021, we continue to read of cyberattacks against nations, enterprises and individuals. The State of Cybersecurity 2021 Part II report by ISACA paints a gloomy picture as we approach the new year.
To be certain, enterprises and governments are not ready to throw in the towel. Neither should individuals. New approaches and technologies are proving to be effective in countering threats. The window, however, is narrowing fast, and we must keep looking to the next best approach to containing threats.
FutureCIO reached out to Daniel Chu, director of systems engineering at ExtraHop, for his thoughts on NDR and the evolving attack landscape that continues to threaten enterprises and individuals.
How have ransomware attacks developed since the pandemic?
Daniel Chu: The shift to remote work setups has contributed to the increasing number of ransomware attacks during the pandemic. With employees connecting to the company network through mobile devices and home internet services, which are often unprotected, threat actors are capitalising on these vulnerabilities by targeting unsuspecting employees.
There has been a drastic increase in social engineering attacks such as phishing, email scams and CEO fraud. Cybercriminals use these methods to infiltrate a company's network to deploy malware such as spyware and ransomware.
Statistics gathered by Interpol show that there were about 2.7 million ransomware detections in ASEAN during the first three quarters of 2020.
One of the more recent developments that significantly contributed to the increase in ransomware attacks is the accessibility of tools and services to a wider range of cyberthreat actors. Even without a technical background, perpetrators can launch ransomware attacks using a model called Ransomware-as-a-Service (RaaS).
Through this model, users can manage ransomware attacks without the coding effort, as the service provider handles that and earns by receiving a cut from the ransom collected.
However, beyond RaaS and social engineering tactics, a new cyber threat has emerged in the form of multifaceted extortion. Multifaceted extortion refers to the combination of data encryption with extortion tactics such as the deployment of ransomware encryptors, threats to make stolen confidential data public via a data breach, and the publication of stolen data on “name-and-shame” websites should the victim organisation fail to adhere to the ransom demands.
The threat of releasing proprietary data was the cybercriminals' response to organisations' attempts to mitigate cybersecurity risks. As companies begin implementing prevention and mitigation strategies, cybercriminals are looking at exfiltration and extortion as forms of leverage to ensure maximum financial gains from ransomware attacks.
Multifaceted extortion is only the beginning of ransomware's evolution, and attackers are even using aggressive methods such as employee harassment and DDoS attacks. Threat actors are adapting to the evolving security landscape by improving their technology and continuously looking for vulnerabilities to exploit.
Thus, beyond prevention and risk mitigation, awareness of cybersecurity risk developments and trends is also critical for organisations to fortify their overall security posture.
What makes Network Detection and Response (NDR) crucial for the fight against ransomware?
Daniel Chu: What has made ransomware challenging to detect is that malicious activities are often occurring within the perimeter and on the internal network, bypassing many existing security solutions like firewalls, IDS/IPS, and proxies.
A practical way to gain visibility with detailed telemetry is by extracting real-time insights from network data. Network or wire data is a great data source for tackling ransomware for several reasons:
- Wire data provides comprehensive visibility: this helps cover common blind spots such as IoT/BYOD devices, legacy systems, and file servers where there are no endpoint agents or logging.
- Network data is real-time data: ransomware attacks happen fast and so the detections need to be real-time as well.
- Empirical data: as malware has found more ways to act covertly and even disable logging and endpoint agents, activity happening on the network cannot be evaded. The network is an empirical source of data looking at observed behaviours rather than self-reported behaviours.
A network detection and response (NDR) solution leverages machine learning to detect threats before any major harm is caused. By establishing a network baseline, businesses have behaviour-based detectors that empower security teams with the ability to pinpoint malicious activity, even if its pattern is not like anything the system has known or encountered before.
Implementing NDR solutions enables organisations to have full visibility into both known and unknown threats that reside within their network. Security teams can rely on integrated, automated network and real-time traffic analysis to safeguard IT infrastructures against attacks even in the face of zero-day exploits, newly introduced malware, and evolving ransomware tactics.
While it seems daunting for those in cybersecurity, mitigating and avoiding cyber extortion is still a very attainable goal.
In the light of ransomware's development to multifaceted extortion, what measures should CIOs take for better protection?
Daniel Chu: Endpoint detection and response (EDR) technology can help reduce the risk by monitoring suspicious activities on hosts and endpoints, but it is not a comprehensive solution given the current threat climate.
With perpetrators becoming increasingly skilful at evading detection upon entry, what can stop them in their tracks is NDR technology that identifies and disarms interlopers after they have entered the network.
NDR software uses machine learning to determine a network baseline and develop behaviour-based detectors that set the alarm bells ringing when they spot unusual activity that deviates from that baseline.
Those alarms go off even if the flagged behaviour does not conform to any previously identified attack pattern. Adding NDR technology to security arsenals can help security teams stay one step ahead of cybercriminals and reduce the risk of enterprise and customer data being captured and compromised.
Beyond having protective measures in place, building an understanding of ransomware groups and families can further amplify the efficiency of security measures in place. Winning against an adversary starts by "knowing thy enemy".
Multifaceted extortion is an alarming and unfortunate trend, but the good news is that security teams are not helpless. Gathering and exfiltrating data before encrypting it is extra work for ransomware groups.
More importantly, it leaves them with an increased risk of getting caught. The process of entering the network, finding and staging the data, and finally exfiltrating it can sound the alarm by leaving signals that can be detected near real-time by an NDR solution.
Given the disruption ransomware attacks and data breaches inevitably entail, as well as the financial and reputational damage they can inflict on the organisation, strengthening defences with NDR technology is an investment that IT and business leaders should seriously consider.
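To make the baseline-deviation idea in this answer concrete, here is an added example that is not ExtraHop's product code or Daniel Chu's own: it builds a per-host baseline from constructed daily flow summaries and flags the two signals the answer names, an internal host pulling far more than usual from a file server (staging) and then pushing an unusually large volume outside the network (exfiltration). The address ranges, thresholds and the 10.0.0.0/8 internal network are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed flow summaries, not captured traffic: (day, src, dst, bytes src sent to dst).
# 10.0.2.5 stands in for an internal file server; the other /24s lie outside INTERNAL_NET.
BASELINE_FLOWS = (
    [(d, "10.0.1.20", "203.0.113.9", b) for d, b in enumerate([4100, 5300, 3900, 6000, 4700])]
    + [(d, "10.0.2.5", "10.0.1.20", b * 10**6) for d, b in enumerate([50, 48, 52, 51, 49])]
    + [(d, "10.0.1.21", "203.0.113.9", b) for d, b in enumerate([5000, 5200, 4800, 5100, 4900])]
)
TODAY_FLOWS = [
    (5, "10.0.2.5", "10.0.1.20", 900 * 10**6),     # staging: 18x the usual pull from the file server
    (5, "10.0.1.20", "198.51.100.7", 800 * 10**6), # exfiltration: bulk upload to a new external host
    (5, "10.0.1.21", "203.0.113.9", 5100),          # ordinary traffic, should stay quiet
]

def daily_totals(flows):
    """Sum bytes per (day, host, signal): 'to_external' is what an internal host sends outside,
    'from_internal' is what it pulls from other internal hosts (the footprint of staging)."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        src_in, dst_in = ip_address(src) in INTERNAL_NET, ip_address(dst) in INTERNAL_NET
        if src_in and not dst_in:
            totals[(day, src, "to_external")] += nbytes
        elif src_in and dst_in:
            totals[(day, dst, "from_internal")] += nbytes
    return totals

def build_baseline(flows):
    """Per (host, signal): the daily series over the baseline window, zero-filled for quiet days."""
    totals = daily_totals(flows)
    days = sorted({day for day, _, _ in totals})
    return {(h, s): [totals.get((d, h, s), 0) for d in days] for _, h, s in totals}

def detect(baseline, flows, z_threshold=3.0, min_bytes=50 * 10**6):
    """Flag (host, signal) pairs that are large in absolute terms and far outside their own history."""
    alerts = []
    for (_, host, signal), observed in daily_totals(flows).items():
        if observed < min_bytes:
            continue
        history = baseline.get((host, signal))
        if not history:  # never seen before: a new host or a new behaviour, reported as such
            alerts.append((host, signal, observed, "no_baseline"))
            continue
        mu, sd = mean(history), pstdev(history)
        z = (observed - mu) / sd if sd else (float("inf") if observed > mu else 0.0)  # flat history
        if z >= z_threshold:
            alerts.append((host, signal, observed, round(z, 1)))
    return alerts
```

Running `detect(build_baseline(BASELINE_FLOWS), TODAY_FLOWS)` reports both the staging pull and the outbound transfer for 10.0.1.20 while 10.0.1.21 stays quiet; the absolute floor keeps small day-to-day variation from paging anyone.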
What is your immediate advice to companies under attack?
Daniel Chu: The moment a business is alerted to an attack, it is crucial to identify and isolate the infected device immediately to neutralise the threat before it spreads further across the network.
This requires a high level of real-time network visibility that can only be enabled by robust network intelligence across deployments to monitor traffic and conduct analysis for threat detection, investigation, and response.
To quarantine threats, containment approaches such as EDR-based containment can come in handy. By having a network filter driver that blocks all network communication to and from the contaminated device, except for the EDR agent and SecOps toolkit traffic, IT security teams can roll out a comprehensive real-time response to ongoing threats.
Threat responses should also include steps on how to communicate with stakeholders at the onset of a cybersecurity incident. It is essential to notify them of the scope and depth of the attack, as well as the steps being taken to mitigate the risks. Hearing directly from the business rather than third parties helps sustain confidence and assures stakeholders that security protocols are in place.
Beyond data recovery and communication, it is vital to have the technical forensic and investigative capabilities necessary to preserve evidence, analyse control failures and review the security lapses and other conditions related to the incident.
Companies need to understand that a cyber threat is no longer a question of IF, but a matter of WHEN the attack will happen. Organisations must ensure that the mechanisms for detecting, monitoring, and responding to cyber threats are in place.