Oscar Wilde’s quote “life imitates art far more than art imitates life” is an apt description of today’s state of cybercrime.
Stories about criminals infiltrating networks and IT systems to hold data ransom and even cripple an organisation may once be fictional but are now a reality. Moreover, such ransomware attacks are on the rise. One in four incident response engagements that cybersecurity company Mandiant undertook last year involved ransomware. Top factors driving this trend include accelerated digital transformation efforts and the evolution of ransomware attacks.
“Many organisations are aggressively reinventing their operations using technology. Digital transformation initiatives are great for the business but they also expand the attack surface so organisations should couple those initiatives very tightly with security,” says Steve Ledzian, vice president & chief technology officer, Asia Pacific, FireEye Mandiant.
Besides that, ransomware is posing multiple threats to the business apart from disrupting IT systems. “Cybercriminals are now breaking into the victim’s network and stealing sensitive information, such as customers’ personally identifiable information or the company’s intellectual property, before remotely deploying ransomware onto business-critical servers,” he adds.
“This allows them to make multiple extortions and exert maximum pressure to get the victim to pay a very high ransom. The victim receives a demand to pay the threat actor to not only unlock the encrypted data, but also prevent sensitive data from being made public or sold to the dark web,” continues Ledzian.
Overreliance on prevention
Due to the mischaracterisation of ransomware, many organisations in Asia Pacific are unprepared to face modern ransomware attacks, which Mandiant terms as multifaceted extortion. They usually believe that having multiple layers of defence is enough to protect themselves.
See also: Tackling Ransomware as a Service
However, this is far from the truth. Ledzian shares that there is no 100% effective way of preventing cyberattacks as the “nature of hacking is thinking of creative ways that either designers of those security solutions or cyberdefenders hadn’t considered, and sidestepping existing security controls”.
Additionally, cybercriminals need to be right only once to infiltrate an organisation’s systems, while defenders must be vigilant and successful all the time to protect those systems.
As such, Ledzian advises organisations to augment prevention with detection and response capabilities to be more cyber resilient.
They should expect their prevention capabilities to fail from time to time. They also need to be able to notice the failure (i.e. an intrusion) when it happens and address it before the attacker inflicts more damage to the business.Steve Ledzian, vice president & chief technology officer, Asia Pacific, FireEye Mandiant
Steps to take after a multifaceted extortion attack
Since no organisation is immune to cyberattacks, what should they do if they fall victim to multifaceted extortion? The initial steps, says Ledzian, are to coordinate with their legal counsel, cyber insurance provider, an experienced ransom negotiation firm; and work with an incident response firm like Mandiant to get a full situational awareness of the attack.
“The latter enables victims to understand the attacker’s capabilities to counter their responses, as well as leverage forensic investigation to understand how the hacker got in and how much control the attacker has over their network. Victims can then use those insights to make informed decisions for the remediation and recovery processes,” he adds.
Once their systems are back up and running, organisations must proactively strengthen their security posture to avoid repeat cyberattacks. “We’ve provided suggestions that can help organisations – even those that haven’t been attacked before – harden their environment to prevent the downstream impact of multifaceted extortion in our Ransomware Protection and Containment Strategies whitepaper. Many of the recommendations can be implemented with either no or low cost as they are focused on helping organisations configure the things they already have,” he says.
For instance, they can look at ways to harden against common exploitation methods, better protect static passwords, and further reduce the exposure of their privileged and service accounts.
Ledzian also highlights the need to look at the human aspect of cybersecurity. As humans are usually the weakest link, organisations should prioritise security awareness training. Training employees to spot suspicious activities and avoid clicking on suspicious links or emails can help stop threat actors from infiltrating the network and gaining access to business-critical systems and data.
He adds that those trainings should be complemented with a strong security culture in order to develop a security-conscious workforce. Says Ledzian: “It’s important for the leadership team to express how serious they view cybersecurity, such as by making it a boardroom agenda, as that will trickle down the organisation.”
Testing your ransomware resiliency
Most organisations in Asia Pacific would have incident response plans and playbooks. But those plans and procedures serve little purpose in an actual crisis if they have never been rehearsed or tested.
Unless the checklists are part of their muscle memory, employees are more likely to panic and take the wrong steps when things get chaotic and there is pressure from every corner.
Here is where tabletop exercises can help. These exercises use scenario gameplay to evaluate an organisation’s cyber crisis processes, tools and proficiency in responding to cyberattacks from both strategic and technical response perspectives.
During a tabletop exercise, people pivotal to the incident response process – including senior leaders from the legal, security, and communications teams – are presented with an evolving set of scenario prompts based on real-world cyberattacks. They are then encouraged to respond as they would if the scenario was real.
Thereafter, they will review if their actions and decisions run concurrent to or diverge from the organisation’s documented plans and processes. In many cases, the tabletop can exposes gaps played out in the scenario that the formal plans never anticipated in the first place. Those surprises can then be safely worked out in the scenario rather than in the pressure of a real crisis.
If the tabletop exercise is conducted by external security experts like Mandiant, participants can also get strategic recommendations and learn incident response best practices that will help them better handle similar scenarios in future.
“Business leaders might think they don’t have a part to play when it comes to responding to a ransomware attack, but in reality, a lot of the decision-making needs to come from them. Tabletop exercises can help them understand that and get hands-on practice on how to respond to crisis effectively, while complementing the company’s ransomware prevention capabilities,” Ledzian says.
Since the threat landscape is constantly evolving, he suggests conducting tabletop exercises every quarter to keep everyone up to speed on any needed changes to the organisation’s response strategy.
Getting ready for the future of ransomware
Although ransomware has become pervasive globally and across industries, organisations in Asia Pacific took an average of 76 days to notice an intrusion, according to The FireEye Mandiant M-Trends 2021 report. This gives cybercriminals plenty of time to infiltrate mission-critical servers and steal data before they are discovered by victims.
Organisations therefore need to have strong prevention, detection, and response capabilities to be better prepared for ransomware, even if it evolves into a multifaceted extortion attack. But gaining those capabilities is no walk in the park so organisations should consider working with cybersecurity experts like Mandiant to proactively review, test, and enhance defences to improve their ransomware resiliency.
Featured photo: Unsplash
