Updated: Jul 14, 2022
Morphisec's Michael Gorelik shares insights from a SANS report which explores the current state of ransomware defense
Ransomware attacks have undergone a pandemic-accelerated evolution in recent years and defenses have struggled to keep up. To help understand this evolution, Morphisec sponsored a report from SANS exploring the current state of ransomware defense. It examines the latest adversary trends prowling the attack landscape and the most potent defenses against them. The report confirms that ransomware continues to be a devastating threat that puts every organization at risk. But it also provides hope: with the right team, technology, and techniques, ransomware can be avoided. Here are its highlights.
Emerging trends in ransomware attacks
The conditions of the Covid-19 pandemic proved to be a perfect incubator for ransomware attacks. Companies suddenly switched to new locations, technologies, and security policies, while shifting more work to the web and cloud.
In response, ransomware attacks became more frequent, successful, and devastating. Threat actors adopted new and updated techniques, tactics, and procedures (TTPs) to help malware evade detection and bypass defenses, including the following.
Attackers “canvass” a target for reconnaissance information that enables their attacks or emboldens their ransom demand. Knowing where and how to move laterally within an organization makes an eventual attack more likely to succeed and deliver (or exceed) the expected payday.
But that can also work in the defender’s favor if an attack encounters a roadblock or situation that doesn’t match what the threat actor’s intelligence planned for.
Arms race mentality:
When new vulnerabilities are discovered, it incites an arms race to weaponize them on one side and defend against them on the other. Attackers often win because of the time it takes to develop and implement patches – often weeks or months – when an attack takes minutes.
Threat actors’ speed advantage reinforces the need for defenses that stop new and emerging threats earlier in the attack chain. Widely used behavior- and signature-based defenses, such as next-generation antivirus (NGAV) and endpoint detection and response (EDR), struggle with unknown and evasive threats.
To evade detection solutions such as NGAV and EDR, attackers have adopted fileless, in-memory, runtime attacks, and exploit native binaries en route to their final target. Preventing ransomware depends on seeing and confronting an attack early. Evasiveness makes attacks exceedingly difficult to stop. The SANS report notes that legacy defenses like disk-based file analysis are not up to the task.
Driftnets vs. spear phishing
Many malware attacks cast a wide net. They’re not aiming at specific entities but rather use automation to hit as broad a range of targets as possible. One successful example of automation is a minor recent trend of ransomware groups partnering with banker trojan downloaders.
However, today’s successful ransomware attacks are increasingly manual and highly targeted. This allows them to quickly adapt to an organization and customize their attack—with devastating results.
Latest techniques in ransomware defense
The evolution in ransomware attacks has forced advances on the defensive front. So while these attacks remain more damaging than ever, they don’t always entail an inevitable cyber emergency. The SANS report highlights several countermeasures available against ransomware attacks.
Preventing remote access abuse:
Hackers exploit remote access to gain entry into networks and, in many cases, the privileges to move laterally and find high-value targets. Preventing remote access abuse takes multiple layers of security: VPNs and MFA at the perimeter, EDR and NDR tools to spot and stop incoming threats, and defense-in-depth or zero trust strategies to secure the space inside the perimeter.
Remote access abuse has exploded since the advent of COVID-forced remote work. Key to preventing this abuse is implementing a Defense-in-Depth approach. You should always assume that any given layer of defense can eventually be penetrated, so you need a final layer of defense to protect your endpoint application memory and resources.
Ransomware attacks can, and do, penetrate many levels of security. That’s why cyber defenses are expanding past the perimeter to address things like specific applications.
Preventing fileless malware:
Most current security solutions were not designed to detect or stop fileless malware. That’s why ransomware utilizes this method of attack, along with native binary exploits. Attacks that infiltrate a network and advance forward without raising alarms are difficult to detect until after encryption occurs—but not impossible.
Instead of looking for traditional red flags, consider monitoring native system files for anomalous behaviors and looking for distinctive patterns created by adversary C2 communications. More broadly, incorporate security solutions that specifically protect against fileless attacks.
You don’t want to solely depend on a security team’s diligence to find and stop evasive threats.
Towards a successful ransomware strategy
The SANS report highlights new and emerging technologies that effectively defend against advanced ransomware threats. Whether as standalone solutions or, preferably, part of an integrated Defense-in-Depth security posture, all companies should have these security stack layers in their arsenal.
Encrypted traffic analysis (ETA):
Attackers are encrypting their network traffic to cloak their movements from detection tools. ETA can search the unencrypted metadata signatures this traffic leaves behind to find evidence of attacks. Another option is to rely on security solutions that defend against attacks without having to detect them in advance.
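The C2 patterns mentioned under fileless malware and the metadata approach of ETA share one idea: beaconing implants reveal themselves through timing and size regularity that survives encryption. The following is an added example (not code from the SANS report or Morphisec) that scores constructed connection metadata for that regularity; the thresholds and the `find_beacons` helper are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection metadata: (timestamp seconds, source host,
# destination, bytes sent). None of these fields need the payload, so they are still
# available when the session itself is TLS-encrypted.
SAMPLE_FLOWS = [
    # host-a beacons roughly every 60 s to one destination with near-constant size
    (0, "host-a", "203.0.113.10:443", 512),
    (61, "host-a", "203.0.113.10:443", 510),
    (119, "host-a", "203.0.113.10:443", 515),
    (181, "host-a", "203.0.113.10:443", 512),
    (240, "host-a", "203.0.113.10:443", 511),
    (301, "host-a", "203.0.113.10:443", 513),
    # host-b browses normally: irregular timing and sizes, several destinations
    (5, "host-b", "198.51.100.7:443", 8192),
    (12, "host-b", "198.51.100.8:443", 120334),
    (190, "host-b", "198.51.100.7:443", 2048),
    (195, "host-b", "198.51.100.9:443", 45000),
    (400, "host-b", "198.51.100.7:443", 9000),
]


def find_beacons(flows, min_conns=5, max_jitter=0.15, max_size_cv=0.05):
    """Return (src, dst) pairs whose connections look like C2 beaconing: enough
    connections, a near-regular interval (low jitter) and a near-constant size.
    The thresholds are illustrative assumptions, not values from the report."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        sizes = [n for _, n in conns]
        # Coefficient of variation (spread relative to the mean): beacons score low on both.
        jitter = pstdev(intervals) / mean(intervals) if mean(intervals) else 1.0
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 1.0
        if jitter <= max_jitter and size_cv <= max_size_cv:
            findings.append({"src": src, "dst": dst, "count": len(conns),
                             "period_s": round(mean(intervals), 1), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_FLOWS):
        print(finding)
```

Real implants add random sleep jitter, so in practice the jitter threshold is tuned per environment and combined with destination reputation rather than used alone.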
Moving Target Defense (MTD):
This innovative technology prevents attacks by morphing and moving the expected memory resources threat actors expect to find. MTD defends against attacks without having to detect them first—a big advantage when it comes to advanced, unknown attacks.
Since a protected asset is accessible only to authorized users and remains in motion and out of reach to everything else, all attacks fail whether they are previously known or entirely new. MTD creates a dynamic attack surface threat actors can’t penetrate so they move on to easier targets.
AI event aggregation, correlation, and intrusion prevention:
Automation can increasingly run point on all aspects of cybersecurity, from correlating and detecting events to running remediation playbooks. Automation will always move faster and more methodically than humans doing the same thing.
That’s good news for cybersecurity because it allows lean, under-resourced security teams to have an impact that far exceeds their staff size. Put differently, everyone can stand up to ransomware.
Michael Gorelik is the Chief Technology Officer of Morphisec, an Israeli-founded cybersecurity company which focuses on breach prevention. This article was shortened and republished with the consent of Morphisec. Read the original article here.