How to get your business ransomware ready [Q&A]
Taking proactive measures like updating and patching systems promptly and undertaking penetration testing improves the ability to withstand a targeted attack.
But when security teams are flooded with non-critical alerts, 'vulnerability fatigue' can set in. We spoke to Amitai Ratzon, CEO of penetration testing specialist Pentera, to find out how enterprises can avoid this and improve their ransomware readiness.
BN: What approach have security operations teams historically taken to prepare their organizations for a ransomware attack?
AR: Ransomware has become the attack method of choice for financially motivated criminals. In fact, it's predicted that a ransomware attack will occur every 11 seconds in 2021. Because of the recent explosion in activity, security operations teams are being forced to look long and hard at how they are preparing for an attack.
At first (roughly a decade ago) organizations leveraged anti-virus to ensure attackers could not penetrate the network perimeter. With AV being signature-based and attackers constantly changing their behaviors to go undetected, SOC teams quickly came to the painful realization that it's when -- not if -- an attacker will breach perimeter defenses. As EDR emerged, teams began deploying the technology to detect malicious behavior inside the network, prevent attackers from advancing toward high-value targets post-breach, and remediate damage before it’s too late.
In recent years, accelerated cloud adoption and the complexity of modern environments has shown security teams that detection on the endpoint is not enough. As a result, organizations are increasingly opting for XDR, extending detection and response across the cloud and entire enterprise attack surface. While these advancements in technology and growth of cyber insurance and incident response services have helped, continued headlines of successful attacks show there is still much work to be done.
BN: How have recent high-profile attacks such as Colonial Pipeline and JBS Foods changed this approach?
AR: What these attacks have shown is that organizations are attempting to combat ransomware when it's already too late. The first line of defense cannot be defense; rather, it must be offense. Similar to how military operations work -- you can't wait for the adversary to strike to determine if your shield can absorb the blow. In the wake of these attacks, organizations are realizing that a different approach -- more than simply adding another layer of prevention and detection tools to technology stacks -- is required.
This shift in mindset mirrors advice from the White House following the Colonial Pipeline and JBS Foods attacks, urging businesses to update and patch systems promptly, and use a 'third party pen tester to test the security of your systems and your ability to defend against a sophisticated attack.'
While this is a step in the right direction, penetration testing and red-teaming have been around for many years, but organizations are still falling prey to ransomware attacks. The reason is that these practices are highly manual and only provide a point-in-time snapshot of organizational security posture. The IT network is a living organ undergoing constant change. Implementing the best practices outlined by the Biden administration requires continuous, automated assurance of an organization's attack readiness.
BN: How does vulnerability fatigue impact security operations teams' abilities to effectively prepare for a ransomware attack?
AR: Existing legacy vulnerability management tools flood CISOs and security teams with non-critical alerts -- there were more than 15,000 vulnerabilities found in 2020, while only eight percent were exploited by attackers. The percentage of vulnerabilities exploited by ransomware groups is even lower.
However, the accepted train of thought among security operations teams is to be 'patch perfect.' This mindset fuels the never-ending game of patching whack-a-mole -- when one vulnerability gets found and added to the queue for patching, another pops up. This amount of patching can be overwhelming -- tiring already overworked and understaffed security teams, and making it impossible to effectively mitigate risk and focus on improving cyber resiliency.
BN: What role does collaboration and automation in the SOC play in ransomware attack preparedness?
AR: Offensive (red) and defensive (blue) security teams are increasingly collaborating to secure against ransomware and advanced threats. This collaboration powers 'purple team' methodologies, builds simulation exercises into SOC workflows, and improves cross-team communications.
While 92 percent of organizations conduct both red team and blue team exercises, traditional approaches are manual and cumbersome, leaving many organizations unable to reliably and consistently test their downstream investigation and response processes. As a result, security engineers frequently struggle to ensure their tools can keep up with detecting the latest emerging and advanced threats. By automating information sharing workflows between red and blue teams, security operations can more effectively prepare for -- and respond to -- ransomware attacks.
BN: What are the best practices and procedures for security operations teams to ensure they are ransomware attack-ready?
AR: Enterprises are now understanding that a critical component of a more cyber resilient operation is security validation. Security validation is not a tool one should adopt as their security maturity increases, but a foundational item every SOC must have to assess and assure at all times that security as intended is indeed exposing reality.
The cornerstone of security validation is carrying out continuous and automated testing, focusing on the adversary point of view. This means automating the actual tactics and techniques of the attacker -- reconnaissance, sniffing, spoofing, cracking, (harmless) malware injection, file-less exploitation, post-exploitation, lateral movement and privilege escalation -- all the way to data exfiltration. This gives security teams a complete attack operation view, providing a true assessment of their resiliency against real attacks, and allows them to focus on remediation that matters.
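The two answers above (automated red/blue information sharing, and an automated attack chain that tells the team which remediation matters) come together in one concrete workflow: the attack run exports a log of the techniques it executed, the SIEM exports the alerts it raised, and a script joins the two so every executed technique is classified as detected or missed. The following is an added example written for this page; it is not Pentera's code or anything from the interview. The log format, the ATT&CK technique IDs chosen, the hostnames and the 10-minute detection window are all assumptions, and every log line is constructed. It deliberately includes a late alert (the DNS exfiltration rule fires half an hour after the action) to show that a detection which arrives outside the window is scored as a miss rather than a success.

```python
"""Purple-team detection coverage scoring (added example, not the article's code).

Joins a red-team run log (what was executed, where, when) with a SIEM alert
export (what fired, where, when) and reports which techniques were detected
within an acceptable lag and which were missed.  Field layout and the log
lines below are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed red-team run log: timestamp, host, ATT&CK technique, step name.
RED_LOG = """\
2021-06-01T10:00:05Z host=ws-12 technique=T1595 name=active_scanning
2021-06-01T10:02:30Z host=ws-12 technique=T1110.003 name=password_spray
2021-06-01T10:05:10Z host=ws-12 technique=T1003.001 name=lsass_dump
2021-06-01T10:07:45Z host=srv-01 technique=T1021.002 name=smb_lateral_move
2021-06-01T10:09:00Z host=srv-01 technique=T1548.002 name=uac_bypass
2021-06-01T10:12:20Z host=srv-01 technique=T1048 name=exfil_over_dns
"""

# Constructed SIEM alert export for the same window.  Note the T1048 alert
# arrives ~28 minutes after the action: too late to count as a detection.
BLUE_LOG = """\
2021-06-01T10:02:41Z host=ws-12 technique=T1110.003 rule=many_failed_logons
2021-06-01T10:05:12Z host=ws-12 technique=T1003.001 rule=lsass_handle_open
2021-06-01T10:08:10Z host=srv-01 technique=T1021.002 rule=admin_share_logon
2021-06-01T10:40:00Z host=srv-01 technique=T1048 rule=dns_txt_volume
"""

# Assumed SLA: an alert only counts if it fires within this lag of the action.
DETECTION_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def score_coverage(red_text, blue_text, window=DETECTION_WINDOW):
    """Return {technique: (host, 'detected'|'missed', lag_seconds or None)}.

    An action is detected if an alert for the same host and technique fired
    at or after the action and no later than `window` after it.
    """
    alerts = parse_log(blue_text)
    results = {}
    for action in parse_log(red_text):
        matches = [
            a for a in alerts
            if a["host"] == action["host"]
            and a["technique"] == action["technique"]
            and timedelta(0) <= a["ts"] - action["ts"] <= window
        ]
        if matches:
            lag = min(a["ts"] for a in matches) - action["ts"]
            results[action["technique"]] = (action["host"], "detected",
                                            int(lag.total_seconds()))
        else:
            results[action["technique"]] = (action["host"], "missed", None)
    return results


def missed_techniques(results):
    """Sorted list of techniques with no in-window alert: the remediation queue."""
    return sorted(t for t, (_, status, _) in results.items() if status == "missed")


def coverage_ratio(results):
    """Fraction of executed techniques that were detected in time."""
    detected = sum(1 for _, status, _ in results.values() if status == "detected")
    return detected / len(results)


if __name__ == "__main__":
    res = score_coverage(RED_LOG, BLUE_LOG)
    for tech, (host, status, lag) in res.items():
        lag_txt = f"{lag}s" if lag is not None else "-"
        print(f"{tech:<10} {host:<7} {status:<9} lag={lag_txt}")
    print(f"coverage: {coverage_ratio(res):.0%}")
    print("missed:", ", ".join(missed_techniques(res)))
```

The output is the artifact the red team hands the blue team: three of six techniques detected, with the reconnaissance scan, the UAC bypass and the (late-detected) DNS exfiltration as the gaps to work on first. In a real deployment the two logs would come from the validation platform's export and the SIEM's API, and the window would be set from the team's response SLA rather than hard-coded.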