Over-reliance on one defensive layer leads to ransomware attacks: prepare early, check often
Since its first appearance more than 20 years ago, ransomware has become one of the most discussed cyber threats -- affecting companies of all sizes, across all industries.
We cannot go a couple of days without seeing a new breach headline as a result of a ransomware attack (today's attack on healthcare is a prime example). The threat environment is becoming more dangerous because enterprises are not adequately prepared to protect, defend, respond or remediate.
What’s the Current Vibe on Ransomware?
From the creation of yet another version of Mirai to the rise of Locky and Cerber, the growing presence of ransomware attacks should serve as a wake-up call for enterprises that think their perimeter is unbreachable. Yet, a recent survey on ransomware found that only 14 percent of respondents feel that enterprises should assume malware, including ransomware, has already invaded their network perimeters.
Ransomware typically infiltrates an organization through a phishing attack, hijacked website or cloud share, bypassing any endpoint protections. So, why did 83 percent of respondents say they are confident they can detect ransomware at their endpoints?
Ransomware myths don’t help the situation. Approximately 74 percent of respondents thought professional criminals capable of creating sophisticated new variants are among the primary causes of ransomware attacks; however, 100,000 ransomware infections a day and readily available ransomware-as-a-service prove that almost anybody can launch an attack and penetrate a system.
Surprisingly, only 56 percent of respondents, including those who’ve already been victims of an attack, said they have a ransomware response plan in place, confirming that enterprises are overconfident in their ability to detect and defend against ransomware.
What Needs to be Protected?
The highest concentration of data targeted in ransomware attacks is usually on the shared folders, with 10 to 1,000 times more data than on a laptop or a workstation. In the 2017 Varonis Data Risk Report, we found that 20 percent of all shared folders were open to every employee. It only takes one infected user, then, to spread ransomware to 20 percent of your data.
In the same Varonis Data Risk Report, almost half of the environments we analyzed had 1,000 or more sensitive files (PII, credit card credentials, medical records, IP, etc.) open to everyone. When an organization can be crippled by a ransomware attack, it should treat that as its canary-in-the-coal-mine moment and lock down access before the data is stolen or abused by a malicious attacker.
If you go to Google Trends, you’ll see that searches for ransomware started spiking in the first three months of 2015. While there have been a few dips, it keeps coming back to the same level -- suggesting that organizations are still trying to figure out ransomware. Before ransomware, IT staffers and executives had put their faith and efforts primarily in firewalls and perimeter security, but now many have shifted their attention to protecting endpoints -- "chasing the threat." Instead of chasing threats, security leaders should begin the data protection journey by taking a defense-in-depth approach, building layers of defense around the assets they are most concerned with protecting. Look at any defense layer and ask, "What happens if this layer fails?"
Many of the vulnerabilities exploited by ransomware have been around for decades -- employees have broad access to a lot of data inside their organization that they don’t necessarily need, and use of that data isn’t monitored. These weak layers of defense -- the layers closest to the data -- are what can make ransomware and insider threats so catastrophic.
In order to flip the outside-in, perimeter defense model, an organization must determine where its most valuable data is, who has access to it, who is using it and whether any of the data is accessible to too many people. This is how organizations can begin to determine if there is data that can be locked down or archived to reduce vulnerabilities, and then monitor for unusual behavior that may indicate a ransomware or other attack is underway.
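The two checks described above, as an added example that is not part of the original article or of any Varonis product: an audit of which shared folders grant rights to broad principals such as "Everyone", and a sliding-window scan of file-activity logs for a single user rewriting and renaming many files in a short time, which is the behaviour a ransomware encryptor leaves on a share. The ACL rows, the log line format (`timestamp user ACTION path`, with `RENAME src -> dst`), the folder paths and the thresholds are all constructed for this example; a real deployment would feed it the organisation's own permission export and audit trail.

```python
"""Audit share permissions and file-activity logs for the two weak layers the
article describes: data open to everyone, and unusual behaviour on that data.
All sample data below is constructed for illustration."""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Principals that effectively mean "every employee" on a Windows/SMB share (assumed set).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed ACL export: one row per (folder, principal, rights).
SAMPLE_ACLS = [
    {"path": r"\\fs01\finance", "principal": "Finance-RW", "rights": "Modify"},
    {"path": r"\\fs01\finance", "principal": "Everyone", "rights": "Read"},
    {"path": r"\\fs01\hr", "principal": "Domain Users", "rights": "Modify"},
    {"path": r"\\fs01\engineering", "principal": "Eng-RW", "rights": "Modify"},
]


def find_overexposed_folders(acls, broad=BROAD_PRINCIPALS):
    """Return {folder: ["principal:rights", ...]} for every folder that grants
    any right to a broad principal. These are the folders one infected user
    can reach, so they are the first candidates for lock-down or archiving."""
    exposed = defaultdict(list)
    for row in acls:
        if row["principal"] in broad:
            exposed[row["path"]].append(f'{row["principal"]}:{row["rights"]}')
    return dict(exposed)


def parse_event(line):
    """Parse a constructed audit line: '<iso-timestamp> <user> <ACTION> <path>'.
    RENAME lines carry 'src -> dst'; other actions carry a single path."""
    ts, user, action, rest = line.split(maxsplit=3)
    if action == "RENAME":
        src, dst = [p.strip() for p in rest.split("->")]
    else:
        src, dst = rest, None
    return datetime.fromisoformat(ts), user, action, src, dst


DESTRUCTIVE = {"MODIFY", "RENAME", "DELETE"}


def detect_mass_modification(lines, window_seconds=60, threshold=50):
    """Per user, count distinct files hit by destructive actions inside a
    sliding time window; return {user: peak_count} for users at or above the
    threshold. A human edits a few files a minute; an encryptor touches dozens."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, path), oldest first
    peak = defaultdict(int)
    for line in lines:
        ts, user, action, src, _ = parse_event(line)
        if action not in DESTRUCTIVE:
            continue
        window = recent[user]
        window.append((ts, src))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        peak[user] = max(peak[user], len({p for _, p in window}))
    return {u: n for u, n in peak.items() if n >= threshold}


# Extensions the organisation normally uses (assumed baseline).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}


def unfamiliar_rename_targets(lines, known=KNOWN_EXTENSIONS):
    """Per user, the extensions files were renamed *to* that are outside the
    known baseline; a second, independent signal of encryption in progress."""
    seen = defaultdict(set)
    for line in lines:
        _, user, action, _, dst = parse_event(line)
        if action == "RENAME":
            ext = os.path.splitext(dst)[1].lower()
            if ext not in known:
                seen[user].add(ext)
    return {u: sorted(e) for u, e in seen.items()}


def constructed_events():
    """Constructed audit trail: alice edits one file a minute; bob's session
    rewrites and renames 60 files in 30 seconds, the footprint of an encryptor."""
    base = datetime(2017, 3, 1, 9, 0, 0)
    lines = []
    for i in range(5):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} alice MODIFY \\\\fs01\\finance\\report{i}.xlsx")
    for i in range(60):
        t = (base + timedelta(seconds=i // 2)).isoformat()
        src = f"\\\\fs01\\hr\\doc{i}.docx"
        lines.append(f"{t} bob MODIFY {src}")
        lines.append(f"{t} bob RENAME {src} -> {src}.locked")
    return lines


if __name__ == "__main__":
    print("Folders open to broad principals:", find_overexposed_folders(SAMPLE_ACLS))
    events = constructed_events()
    print("Users with mass-modification bursts:", detect_mass_modification(events))
    print("Unfamiliar rename targets:", unfamiliar_rename_targets(events))
```

The permission audit answers "who has access" and "is it open to too many people"; the two log scans answer "who is using it" and whether that use looks like an attack. Running them against the same folders ties the layers together: a burst on a folder that the audit already shows as open to everyone is exactly the case where a single infected user reaches the most data.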
Ransomware attacks may be running rampant, but that doesn’t mean enterprises should give up hope altogether. By strengthening the layers of defense close to the data -- adopting a least privilege approach and monitoring user behavior -- enterprises will not only bolster their ransomware defenses, they’ll be better protected against insider threats and other sophisticated cyber adversaries, too.
David Gibson is responsible for building brand awareness, aligning product functionality with market demand, and driving sales through marketing and education, as well as direct pre- and post-sales efforts. Since joining Varonis, Mr. Gibson has held positions as sales engineer, sales engineer manager, and director of technical marketing. Prior to Varonis, Mr. Gibson was a NY systems engineer for Tripwire, and worked as a network management and security engineer at International Integrated Solutions, Ltd. Mr. Gibson has worked in the IT industry for over 15 years.