Does ransomware respect the holiday season? With ransomware attacks attempted every 14 seconds, it’s not likely attackers take any days off. The threat of ransomware keeps growing, and in Q1 2019, researchers noted a 118 percent rise in malware strains in this category.
Behind these rising numbers are cybercrime syndicates that continue to push ransomware onto enterprise networks. One of the threat actors that specializes in attacking companies is the group that operates the Emotet Trojan. After a three-month summer hiatus, Emotet command-and-control (C&C) servers appear to have resumed activity, delivering malicious binaries once more.
Although it started as a banking Trojan in 2014, Emotet changed its course to become a malware distribution botnet that delivers various malware strains for other organized cybercrime groups. This has made Emotet one of the top threats in the cybercrime arena, its infrastructure being used to distribute TrickBot, another banking Trojan, and subsequently spread the Ryuk ransomware to compromised enterprise devices. This combination is dubbed “triple threat,” and it has affected public administration organizations, healthcare facilities and various other companies across North America and in Europe.
But the “success” of Emotet is not just based on its advanced malware design; it can also be attributed to unprepared organizations. A recent study conducted by the Ponemon Institute on behalf of IBM found that the vast majority of organizations surveyed are still unprepared to properly respond to cybersecurity incidents, with 77 percent of respondents indicating they do not have a cybersecurity incident response plan applied consistently across the enterprise. As the chance of suffering a major security incident seems to be increasing over time, security teams understand that readiness and response capabilities are important to help keep businesses running if ever an attack affected them.
The following 10 security gaps, I believe, might increase the potential of your organization falling victim to a ransomware attack. Paying attention to them can help mitigate the risk.
1. Keeping Legacy Systems on the Infrastructure
Quite often, organizations have an operating system (OS) that has not been upgraded for a variety of reasons. When it comes to security, that can translate into risk. The majority of malware and most active ransomware families rely on vulnerabilities in legacy desktop operating systems. Take, for example, the notorious SMB service in the Windows OS. That protocol, kept active while vulnerable, enabled the WannaCry ransomware attacks and the subsequent NotPetya, which spread like wildfire in 2017.
Since support for Windows 7 ends on Jan. 14, 2020, your teams should be planning to upgrade. If, for any reason, your organization cannot replace or upgrade all legacy systems, you can at least set extended preventive measures, place compensating controls around these systems, limit access to them and be sure to have them tested by penetration testers to understand the potential for impact.
2. Having Limited Visibility Into Assets and Their Vulnerabilities
For any defender, it’s important to know what needs to be defended and where the critical assets are located. In many organizations, the most valuable assets are humans and information they collect and use. This approach also allows the organization to prioritize the security level according to the value of data and the assets that manage it instead of trying to protect everything.
The number of vendor-reported vulnerabilities has increased exponentially over the past few years. It is imperative for any organization to recognize existing vulnerabilities and mitigate them according to its risk appetite.
3. Forgetting to Implement System Hardening Policies
Another factor for infection is the so-called attack surface. Unused services, open ports and overlooked operating system functions often attract uninvited guests. Keep in mind that no operating system just comes secure by design; it needs to be locked down as far as possible. In an ideal scenario, you are able to detect systems that are noncompliant with your security policies and address that with the necessary modifications or controls.
4. Relying on Perimeter Protection and Antivirus
A few years ago, firewalls were the answer many security teams used to divide the world into an internal “good” and an external “bad” while relying on antivirus to protect the rest. With the emergence of advanced threats, this concept has become virtually obsolete.
Don’t forget that ransomware and other threats most often enter your organization via a phishing email, unfortunately aided by an employee, and not by breaching perimeter defenses. Antivirus tests consistently show that not even “best-of-breed” products are bulletproof when it comes to stopping advanced threats.
5. Keeping a Flat Network Topology
Not just ransomware, but all kinds of malware and those delivering it really love a flat network. This type of topology can help spread malicious payloads more quickly and jump easily from system to system. Modern-day threats, such as Emotet and its varied payloads, are able to better explore the flat network environment, download additional tools and modules to abuse open ports, or even crack active directory passwords.
To make things harder for potential attackers, consider a hierarchical network design that would follow fundamental security design principles. Small but meaningful changes can help provide an added level of built-in security without having to rebuild the network.
6. Relying on Online Backups
With the scale of cloud storage growing over time, online backups have become a very popular method of storing data. These cloud-based storage assets can be efficient and effective, and many organizations might choose to skip offline backups entirely. But is that the wise thing to do in a threat landscape that includes destructive attacks?
Organizations that rely on cloud-based backups alone could potentially pay the ultimate price for a gain in efficiency, since ransomware can encrypt data on any kind of storage. Therefore, I believe the wiser choice would be to keep backups in a redundant way — both online and offline — and to test them periodically.
7. Exercising Limited Control Over User Access
How effective is a closed door with a key sticking out of it? All too often, organizations are compromised through the use of stolen credentials, weak passwords or orphaned accounts. Skipping on proper access management, advanced password policies and multifactor authentication (MFA) should no longer be an option. Better yet, support and enforce user access control with an identity access management (IAM) solution to add a layer of security that can make it easier to create user groups and limit access privileges to the necessary extent.
8. Waiving Security Monitoring and Analytics
In the physical world, any preventive measure (such as a safe) can be circumvented by a threat actor with enough time to repeat countless attempts to break it. This is also true for preventive cybersecurity measures. Set controls to report on circumvention attempts and continually test control effectiveness to be sure that your preventive measures are doing their job properly.
9. Underestimating Security Awareness
Most threats, including ransomware infections, need some human interaction to get into the network and onto devices in the first place. The people in your organization can potentially be part of the biggest threat or your strongest allies, depending on how you prepare and train users. User awareness training can be an effective and cost-efficient measure.
10. No Incident Response Plan or a Team to Lead It
And this brings us to the last point. Regardless of the maturity of your organization in term of its security strategy and program, never forget that that there could come a day when your organization is struck by a meaningful security incident. The only thing that would count in that situation would be the ability of your organization to manage the crisis, contain the threat and recover back to normal operations.
According to the “2019 Cost of a Data Breach Report,” having an IR team and allowing it to drill the scenarios most relevant to your organization can help save an average of $680,000 in case of an incident. Containing the attack in under 30 days can help save more than $1 million.
Figure 1: Formation and testing of an IR team can save an average of $680,000 in breach costs (Source: “2018 Cost of a Data Breach Study: Global Overview, Benchmark” research sponsored by IBM Security, independently conducted by Ponemon Institute LLC, July 2018).
Keeping your team effective and your customers served in such situations is priceless. Change the security paradigm you work with — the chances of being hit by a cyberattack keep rising. We must focus on how we will respond. And while this shift surely requires some planning and repeated training, it is bound to pay off.
Associate Partner Security Services, IBM
Principal Consultant, X-Force Cyber Crisis Management, IBM