Ransomware rampage -- how to fight back against attacks [Q&A]

Amid a tumultuous 2023 marked by economic anxieties and rising geopolitical tensions, threat actors seized the opportunity to weaponize fear and uncertainty. While ransomware trends had previously ebbed and flowed, experiencing a 23 percent decrease in just the first half of 2022, they took a shocking turn in 2023, skyrocketing by a staggering 95 percent.

We spoke with Andrew Costis, chapter leader of the Adversary Research Team at AttackIQ, to discuss why ransomware has taken headlines by storm and how the industry can empower security teams with the tools to fight back.

BN: Why do you think there has been a re-emergence in the popularity of ransomware?

AC: 2023 unveiled a chilling cybersecurity paradox: surging ransomware attacks fueled by economic anxieties and geopolitical tensions, yet security budgets endured unprecedented cuts. CISOs across industries reported widespread slashes, crippling their ability to invest in proactive defenses. This reactive approach, born of financial constraints, left enterprises vulnerable to increasingly sophisticated attacks. Adding to the growing threat landscape, leaks of ransomware builders and malicious code empowered new actors, while the increased usage of critical zero-day exploits observed in many 2023 attacks further amplified the danger.

Even as cyber threats loom, a tide of resilience is rising. Organizations are starting to shift their approach, prioritizing strategic allocation of resources, embracing innovation, and empowering their workforce to become a human firewall against attacks. By weathering financial storms with grit and innovation, businesses can emerge not just unscathed, but fortified. Security doesn’t have to be a burden. With the right investments, it can be a strategic initiative that paves the way for growth in a complex landscape.

BN: What is the benefit of an assume breach mindset to combat this increase in attacks?

AC: Shifting from a traditional fortress mentality to a proactive, 'assume breach' mindset is fundamental to building a truly resilient defense against cyber threats. Understanding and adapting to adversary tactics, techniques, and procedures (TTPs) becomes paramount in this new paradigm. The MITRE ATT&CK framework plays a pivotal role in this transition, providing a centralized repository of real-world adversary TTPs and empowering organizations to gain a nuanced understanding of their evolving threat landscape.

By leveraging ATT&CK, organizations can implement more efficient and effective security strategies tailored to their specific vulnerabilities and adversary behaviors. As the threat landscape continues to evolve at an unprecedented pace, embracing a threat-informed approach with ATT&CK as its cornerstone will be essential for organizations to maintain a robust and secure posture in the face of ever-present cyber dangers.

BN: What is the most common error you see organizations make when it comes to their security controls?

AC: Unfortunately, many organizations still cling to a passive approach to cybersecurity, relying solely on the acquisition of security products without actively verifying their effectiveness. This complacency leaves them exposed to a multitude of dangers.

The key is to ensure these tools are effective: EDR policies must be accurate and reflect the latest threat landscape, and configurations must adhere to best practices. Just like a home security system only works if it's turned on and regularly tested, robust cybersecurity requires active vigilance and continuous verification.

BN: How can organizations use the MITRE ATT&CK Framework to stay ahead of the latest threats?

AC: The MITRE ATT&CK framework is a valuable tool in this endeavor, offering a comprehensive catalog of probable tactics, techniques, and procedures (TTPs) employed by attackers. By harnessing threat intelligence and ATT&CK, security teams can gain a crucial edge in their defense strategies.

The ATT&CK framework serves a dual purpose: it educates security practitioners on collecting threat intelligence and empowers them to utilize that data effectively. By leveraging ATT&CK, security teams can reap several key benefits:

• Identify key adversaries in their industry to understand the specific threats and allow for focused threat hunting and mitigation strategies.
• Gain insights into adversaries' operational tactics and techniques, enabling security teams to assess vulnerabilities and prioritize defenses accordingly.
• Share threat intelligence and insights with other analysts, fostering a collaborative environment and enriching understanding of the evolving threat landscape.
• By focusing on countering specific threat actors and their known TTPs, teams can optimize their resources and build a more resilient security posture.

BN: As we move further into 2024, do you expect to see any major shifts in ransomware tactics?

AC: The true threat of 2024 may lie in the emergence of super-syndicates: highly streamlined criminal conglomerates formed through the merging of diverse cybercrime groups. These syndicates encompass the entire cybercrime spectrum, from initial access brokers and malware-as-a-service providers to the most sophisticated ransomware operators.

These syndicates' unprecedented levels of collaboration and coordination pose a significant threat. They may utilize stolen data and advanced intelligence to identify and exploit specific vulnerabilities in high-value targets, maximizing their impact and financial gain. Collaboration between various cybercrime groups within these syndicates could also streamline the attack process, leading to faster execution and potentially reducing opportunities for detection and prevention.

This shift emphasizes the need for organizations to adopt a proactive and comprehensive approach to cybersecurity. This includes continuous threat intelligence gathering, EDR testing, strengthening defenses across the entire attack chain, and investing in security awareness and training for employees. Adopting a threat-informed defense framework with its combination of proven approaches, repeatable processes, and continuous security control testing, can significantly enhance resilience and minimize the impact of future attacks.

Image credit: 8vfand/Dreamstime.com