Is Ransomware fatigue setting in?
I keep asking myself: is fatigue from hearing about ransomware setting in?
It is understandable if fatigue is setting in, but it cannot be stressed enough how important this topic is.
Why is it important? Is it the 4000+ attacks a day? That there is a successful attack every 11 seconds, or the $20B+ in damage in 2021?
Nope, the why is: “Your data has value, and your data can cause harm to your business, employees, and customers.” I tell customers, “A ransomware attack is as devastating as a disaster, or more so.”
That brings us to my first lesson learned. I can recall a customer over ten years ago that lost its infrastructure to what would now be considered a simple malware attack that formatted C:\. This month, I worked with a customer hit with a more sophisticated attack that corrupted all VMFS volumes and destroyed the Active Directory infrastructure. The common thread was the sheer panic of “how do I recover?” Have we not advanced in this space over the last decade?
There is an endless array of recovery technology that backs up and recovers applications, from VMware Cloud Disaster Recovery to Veeam. The technology is there, but in many cases the process is not.
- Have Immutable Backups Ready
- Practice, Practice, Practice Recovery!
Not sure saying practice three times is enough; the ability to recover promptly is the number one thing you can do to protect your business from data loss and from paying a hefty ransom.
Ransomware is no longer just a single attacker; it is a full-fledged business built to make profits, including distributing the technology to anyone willing to pay a percentage of the ransom.
Double exfiltration is now common in all attacks. Let’s put that in context: the attacker will extract your data and then either encrypt or destroy your infrastructure and data. Attackers want to hold the only copy of your data, which raises the chances that you pay for it.
Let’s talk about protecting your data. This is a vast topic covering multiple technologies, governance, and compliance entities.
My last couple of blogs cover layered network defense and NIST compliance. I will sum it up by saying: layer your network defense from the perimeter to the data source with micro-segmentation.
Identity management is a critical protection for your data; 76% of attacks gain privileged access to carry out the attack and avoid detection. Limiting privileged access is a massive step in the right direction.
Endpoint protection with NGAV and EDR has become the first thing people think of when it comes to ransomware protection, and for good reason: this is where attacks start. The ability to see unusual behavior across correlated endpoints is as powerful as seeing unusual behavior on IPS/IDS software on the network. To be clear, one is not better than the other; they complement each other in a holistic approach.
As we advance in reading telemetry data from both Endpoint Detection and Response (EDR) and network Advanced Threat Protection (ATP) with different ML/AI techniques, we can detect and prevent a large number of attacks. The cynical side of me worries that, now that ransomware is a well-funded business, our attackers will also gain the advantage of ML/AI.
Let’s not forget the basics of IT hygiene: updates, patching, and following the security guidelines from each vendor. Remember to trust but verify; check to ensure these guidelines are followed and kept up to date. Earlier we talked about privileged account access making up 76% of attacks; practicing IT hygiene will help stop the other 24%.
In summary, assess your security gaps and layer in processes and technologies for endpoint and network protection. Protect and recover your data! Practice, Practice, Practice recovery!
To close out, I want to share one last word of wisdom: “Security is a team sport.” It takes every employee in a business to ward off today’s attackers.