Prevention better than cure, strategies to mitigate cybersecurity incidents
FYI, this story is more than a year old
Do businesses believe they can’t stop a breach? Have cyber-criminals worked out a quick and easy way to monetize cyber-crime? With Bitcoin or PayPal as payment, the ease of encryption technology and the open access to malware, everything has become much simpler for malicious actors. Ransomware has been distributed in various ways and comprises different methods of infection such as:
•Email phishing campaigns with nefarious attachments •Ransomware as a Service •File sharing •Drive-by downloads •Malvertizing •Ecommerce sites •Worms for lateral movement (Ransom works) •Malware as a service •And more
The combination of attack surfaces, variations and volume of malware appears to have driven a mindset of “it’s going to happen anyway”.
Data can be restored from backups or ransoms can be paid. In either case, time, resource and cost is a factor. Time is money and reputation and reputational damage in some cases can be irreversible.
A very good example of the damage to reputation after the breach was the case of HB Garry Federal.
Ransomware is evolving.
The next evolution and the obvious one is going beyond encryption to exfiltration. The implications and ramifications of maliciously encrypted data that is exfiltrated are frightening. Malicious actors can demand a ransom to unencrypt the data and to guarantee that data will not be released or resold.
The value of those ransoms will become exponential. If payment isn’t made then the loss of the data may be the least of business’ problems. That data may become publicly available or sold to other criminals. The legal, reputational and monetary damage could be unrecoverable.
Remember, as at the 22nd of February 2018 in Australia, the Notifiable Data Breaches scheme means businesses have to report the data breach in most cases.
Light in the tunnel.
If the security community is honest, there is no end of the tunnel. However, the tunnel is illuminated. Security is a journey, not a destination.
Looking at the above methods of distribution and styles of Ransomware we can see that there are moving targets for Cyber Criminals too. It’s not all plain sailing for them.
•Available vulnerabilities •Credentials required for escalated privileges •Defence systems in place •User awareness and cybersecurity maturity •Organisational Cyber Security Maturity and more.
As is the case with the majority of Malware, Ransomware relies on certain conditions to exist within the threat actors target, for it to be successful.
The vulnerabilities Ransomware will exploit must exist. Anti-Malware programs running must not have seen the particular variant or new sample before.It needs to evade detection of behavioural defence mechanisms.
It has to evade email and web gateway defences. It may need to rely on users to interact with it to enable its functionality. In many cases, it needs access to elevated privilege to perform its function. It has to be stealthy enough not to be seen traversing a network.There are a considerable number of barriers a threat actor needs to overcome to be successful.
With the right barriers in place in the right places, it can be near impossible for a threat actor to be successful. And is the case with physical crime, much of what cyber criminals do is opportunistic. If an attack is unsuccessful or a target too difficult to compromise, they’ll move on.
Targeted attacks are generally more sophisticated and depending on the prize, can happen over a long period of time. But the longer a malicious actor attempts to compromise a system, the greater the risk of detection.
The ASD’s Strategies to Mitigate Cyber Security Incidents is one light in the cybersecurity tunnel. And a significant one. But even the ASD has now included backup as one of the strategies in what they term, “The Essential Eight”. The Essential Eight also contains the “Top 4”. This is where it gets very interesting.