Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Ransomware is hitting more and more organisations in Australia and New Zealand – and the odds are that sooner or later it will impact you as well.
Ransomware attacks aren’t just becoming more common, they’re also getting faster. Not many organisations can detect a breach and respond quickly enough to stop an ongoing attack in its tracks. Rather than focusing on detection and response once an attack has begun, you might get better results by prioritising your threat monitoring efforts. By preventing your attackers from accessing your networks in the first place, you can keep the ransomware gangs from getting their foot in the door.
Ransomware can be fast, deadly and costly
There has been positive news in the fight against ransomware, with recent arrests hitting major gangs and governments becoming increasingly active in combating the threat. Yet incidents continue, hitting giants like JBS Foods and numerous high-profile organisations across manufacturing, healthcare, education and beyond. The biggest ransomware demand of 2021 was $70 million, and that sum only represents part of the damage: affected companies also take a big reputational hit, incur heavy recovery costs and suffer losses from forced downtime.
Worse, by the time you’ve noticed a breach, it may already be too late to stop the attack. Ransomware gangs work at speed, gaining access to internal networks and typically exploiting a vulnerability within 12 hours of its discovery. Cybercriminals might gain access via a phishing attack, a malicious link or credentials stolen from the dark web, and be deploying ransomware less than six hours later.
Response times are a problem no matter how big you are
Large organisations may have the resources to respond within those six hours but can easily be slowed down by bureaucracy. Procedures need to be followed and IT actions signed off, all of which adds to their response time. Dealing with a compromised supplier or partner may take even longer to manage.
Small and medium-sized businesses are in an even tougher spot. A select few may have endpoint protection and Security Information and Event Management (SIEM) technology to monitor threats and respond at pace. But most will have limited patching, anti-virus, firewall and event-logging resources that are unsuited to emergency response.
For some orgs, threat monitoring can be a better option
Most standard anti-ransomware measures kick in only after an attack has been attempted and identified. However, there is another approach that seeks to minimise the chances of an attack from occurring in the first place. Threat monitoring can help your organisation manage threats before they get too big to handle. Done properly, it will allow you to identify access points and supply-chain vulnerabilities that are at risk from data theft and malware, then remediate them before any attack even takes place. Sounds great in theory, but what does it look like in the real world? A good threat monitoring solution has three main characteristics:
it’s undertaken at scale
it uses properly defined parameters
it is continuous
The first step is to decide what to monitor. Let’s drill into those areas and how threat monitoring works in practice.
Monitoring open-source data and the dark web
Are you aware of how much of your critical data is out in the wild? Open-source data and the dark web are both used by criminals to scrape sensitive data, but they can be a vital tool for cybersecurity teams too. Monitoring should be specific to your organisation, and can include a combination of:
human intelligence and analysis
information about your brands and employees on social media and forums
lists of compromised credentials and other breach data, particularly on the dark web or Github
general surface, deep and dark web analysis across different languages
maintaining different threat personas
Aggregating data from these sources is key if you are to build an effective program and identify potential risks before they become a problem.
External attack surface monitoring
The clue’s in the name: rather than looking out at the threats outside your organisation, external attack surface monitoring gives you an outside-in view of your own vulnerabilities. It explores internet-facing assets, their relationship to your business and the risks they carry. Again, this is a process that must be carried out continuously, and at scale. The key steps in this type of monitoring are:
assess the vulnerabilities and role of known assets in your organisation
scan to discover unknown assets – legacy apps, shadow IT and data can be a serious threat
map assets across different locations, departments and partners and ensure these are managed consistently and effectively
use fingerprinting to confirm patching is up-to-date across services, apps and software
identify malicious infrastructure
monitor traffic for insider threats
analyse technical data to identify threats, and adjust your security in response
assess whether suppliers and partners are leaking your data
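The asset-discovery, mapping and fingerprinting steps above, as an added example in Python (not code from the article or GetCyberResilient.com): it reconciles a constructed scan result against an asset register to surface shadow IT, and flags services whose fingerprinted version falls below an assumed patch baseline. Hostnames, banners and the baseline are all constructed sample data.

```python
import re

# Added example, not the article's own tooling. All hosts, banners and
# baselines below are constructed sample data.

# Asset register: what the organisation believes it exposes (constructed).
KNOWN_ASSETS = {"www.example.com": "marketing", "vpn.example.com": "infrastructure"}

# Minimum patched version per product; assumed baseline policy (constructed).
PATCH_BASELINE = {"nginx": (1, 20, 0), "OpenSSH": (8, 4)}

# Discovery scan output as (host, port, banner); constructed sample.
DISCOVERED = [
    ("www.example.com", 443, "Server: nginx/1.21.6"),
    ("vpn.example.com", 22, "SSH-2.0-OpenSSH_8.2p1"),
    ("old-test.example.com", 80, "Server: nginx/1.14.0"),  # forgotten legacy app
]

# Fingerprint: product name followed by a dotted version number.
BANNER_RE = re.compile(r"(nginx|OpenSSH)[/_](\d+(?:\.\d+)*)")


def parse_version(banner):
    """Return (product, version tuple) fingerprinted from a banner, else None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def reconcile(discovered, known, baseline):
    """Flag hosts missing from the register and services below the patch baseline."""
    findings = []
    for host, port, banner in discovered:
        if host not in known:
            findings.append((host, port, "unknown asset: not in register"))
        fp = parse_version(banner)
        if fp is None:
            findings.append((host, port, "unrecognised service: review manually"))
            continue
        product, version = fp
        minimum = baseline.get(product)
        if minimum and version < minimum:  # tuple comparison handles 8.2 < 8.4
            shown = ".".join(map(str, version))
            findings.append((host, port, f"{product} {shown} below baseline"))
    return findings


if __name__ == "__main__":
    for host, port, issue in reconcile(DISCOVERED, KNOWN_ASSETS, PATCH_BASELINE):
        print(f"{host}:{port} {issue}")
```

In practice the register and scan output would come from your CMDB and discovery tooling; the reconciliation logic stays the same.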
The resulting data can be aggregated into reports that give a dynamic, easily digested view of business risk.
Monitoring as a solution
Useful as it is, attack surface and digital threat monitoring is unfortunately not a one-stop ransomware killer. For it to work, you must have the resources and company-wide support to act on its findings. Threat monitoring works best when supported by traditional measures such as firewalls and anti-phishing training. It can also operate alongside emerging approaches like zero-trust. In any case, whether you go with threat monitoring or conventional security measures, you’ll still need back-ups and a recovery plan in case the hackers do get inside your defences.
But the great strength of monitoring the dark web, open-source data and external attacks is that it allows you to limit possible attack routes before cyber criminals find them. Compare that with detection and response, which is often toothless against nimble ransomware gangs, and it’s clear why scaled and cost-effective threat monitoring is increasingly becoming the ransomware defence of choice.