By Mark Adams, Regional Sales Director, Northern Europe at Cohesity
Ransomware is everywhere. Unless you’ve been living under a rock for the past ten years (which might have been a good idea this past two years), you’ll have seen headlines on TV and front pages of newspapers that discuss the effect of ransomware. From meat suppliers in America, to media houses in the UK, international airlines and logistics companies, even hospitals and healthcare organisations. Especially in hospitals and healthcare organisations. There is no industry that is not getting targeted; nobody is safe.
Earlier this year, the US government announced it’s now giving ransomware attacks the same priority level as terrorism.
These days organisations of all sizes and industries understand that the need for cyber resilience is apparent. But, unfortunately, just as companies are getting better at defending themselves, criminals are also getting more cunning. Just look at the evolution of ransomware. It’s not just affecting a company, but it’s becoming more and more personal. It’s been a near-constant game of cat and mouse that has gone on for over twenty years.
The ongoing attack on backup and recovery
Traditionally, ransomware revolved around encrypting production data and asking for a sum of money for the key. It was a pretty simple process, transactional, if you will. That’s still part of it to this day. But a few years ago, we saw the attack vectors expanding to include a direct elimination of backup and recovery files and targets. This was particularly mean because for companies that had the foresight to backup their data at regular intervals, not only was their data now encrypted but the ability to recover without paying the ransom was made more difficult.
Attackers have evolved once more. Now, they don’t just encrypt data and block recoveries. Now they do data exfiltration, threatening to throw the data on the dark web or auction it on the public World Wide Web. This latest vector is extra worrisome since no company works alone anymore. Modern business requires extensive relations with suppliers, customers, and partners. Can you really afford the brand damage and public shaming that cyber attackers now resort? Most likely not.
The blast radius for ransomware has expanded, and this latest tactic is problematic to defend. As a result, it is becoming more apparent that a perimeter defence approach is not enough, and threat defence and recovery are required.
Data Exfiltration 101: New dog new tricks
No matter how advanced your security arrangements, it can be complicated to isolate illegitimate from legitimate communications on a network with no clear anomaly or change in the network behaviour.
Hacking groups are wise to this, so large-scale smash-and-grab style data exfiltration is often too easy to detect, and a more discreet approach is used with exfiltration.
Large-scale data exfiltration is a very different attack style than ransomware, and it requires different skills and tools to be successful. Hackers know this.
The recent cases we have seen using data exfiltration to encourage the victim further to pay the ransom have not involved huge volumes of data. In fact, the attack against Allied Universal only involved the exfiltration of 5 GB of data, which is small by modern standards. Hackers are selective about what data they are taking, aiming for low-volume high-impact data versus stealing any significant volume. Allied Universal, as an example, had sensitive business files and cryptographic keys stolen – not vast volumes of personal data. So how do you combat this new threat?
For years, large organisations have addressed security threats with a tactical “point tools” approach. When security operations complained that managing disparate tools had become a nightmare, vendors responded with common management and administration tools that sat on top of independent security technologies. This was far from an ideal solution, but “good enough” for the latest threat du jour that came along. Unfortunately, point tools and cobbled together solutions are no longer adequate – in reality, they never were.
Why? Well, it’s twofold. Firstly, today’s combination of massive threat volume, changing threat vectors, sophisticated adversaries, and new targets simply overwhelms status quo security defences. And secondly, with all those different tools comes the issue of making them all work together or even be consolidated without creating blind spots that enable an attack to happen.
Trust issues
When an attack happens, it’s awful. You feel sick to your stomach. You know it’s not just about recovering data and systems; it’s the heavier weight of letting down customers and stakeholders, suppliers, partners. We see organisations struggle with rebuilding the trust because they didn’t do enough to give themselves a fighting chance when they had time.
Security vendors have been advocating for a Zero Trust model for some time. And it is a valuable defence mechanism to stop ransomware in its tracks. The term itself was coined more than a decade ago by analysts at Forrester with a general premise that all network traffic should be considered untrusted. It is the modern alternative to perimeter-based security and built on the principle ‘never trust, always verify.
Arguably a zero-trust security strategy would have prevented ransomware attacks like the Colonial Pipeline and JBS, by preventing it from spreading across the operations while keeping the operation running.
But in 2021, it is time to go beyond zero trust.
For example, investing in software solutions that bring together data security and data governance in a single converged offering enables you to:
- Use AI/ML-based classification technology to identify sensitive data — including personally identifiable information (PII) — in backup and production data and determine who has access to it, helping to harden environments before attacks occur.
- Automate and simplify data classification with predefined policies for common regulations like GDPR, CCPA, and HIPAA to meet compliance and governance mandates.
- Detect behavioural anomalies in near real-time, such as when a user suddenly accesses large volumes of sensitive data. This activity could be a precursor to a data exfiltration event.
- Trigger remediation workflows as determined by policy through integration with leading security orchestration, automation, and response (SOAR) platforms.
Minimising the Blast Radius of Ransomware
Certainly, because data exfiltration is becoming more common, it must be clear what data you have as a company, where it is located, how it is classified and who works with it. Only then can it be determined whether deviant behaviour occurs within those datasets. Data fragmentation is therefore not only difficult to extract the right information from, but also hinders installing appropriate security measures.
In doing so, we need to use the same method as cybercriminals who use automation, machine learning and AI to map an environment to determine where the most valuable data is. For example, where are personal information, addresses or other types of sensitive information? From a policy-based approach, you then start to look at how you’re going to protect the data and how you can recover it.’
The problem is that people consciously or unconsciously think too quickly about data and where they put it. So they take information from the corporate share drive and put it on their desktop, after which they forget about it. With the required data governance to go beyond zero trust, that can’t happen because the moment it’s identified that data is in the wrong place, a decision can be made to block access or put the data in isolation.
Of course, the detection and response is not human work but lightning-fast automated actions based on ML and AI. Here systems learn what normal behaviour is and determines what happens when actions deviate. This is why platforms must work together. There is strength in that unity.
The increased use of data exfiltration combined with ransomware requires a shift in strategy. First, assess if you’re currently mitigating against data exfiltration and exercise as many preventative measures as possible.
Cybercriminals never stop evolving, neither should we.
