
The case for full-spectrum security

Adam Khan at Barracuda Managed XDR explains why full-spectrum security is essential to protect against today’s ransomware threats 


Ransomware is a major security challenge for all organisations and the evolving nature of attacks requires constant vigilance. To better understand what is happening and what that means for security strategies, we continuously monitor the threat landscape, from the big trends to the individual, unfolding ransomware incidents. 


Both perspectives highlight the importance of securing the entire attack surface – attackers will target any security gap they can find – and being able to detect and respond at speed to the presence of intruders.

Cyber-attacks, including those that end with ransomware, are not tidy or linear – attackers are opportunistic, will try different things to achieve their goals, sometimes at the same time, and will quickly pivot and adapt if something is not working.

Ransomware isn’t going anywhere

Data from Barracuda Managed XDR shows a fourfold increase in ransomware threats during 2024. This rise is likely driven by Ransomware-as-a-Service (RaaS) activity. The 


The cyber-criminals developing the RaaS platforms invest time, resources and skills into creating advanced and evasive toolsets and templates, boosting the chances of success for affiliates. High-profile RaaS groups, like Akira and RansomHub, have lowered the barrier to entry for ransomware, enabling lower-skilled attackers to launch more effective ransomware campaigns.  


Lessons from real ransomware incidents 

Against this backdrop, ransomware attacks are increasingly multi-stage and multi-level, with attackers ready to adapt to exploit any areas that are left unprotected and exposed. 

This matters all the more because cyber-attacks are getting faster, so an exposed gap can be found and exploited within a very short window.

In one instance, attackers spent just 74 minutes on an unprotected server, but that was long enough for them to elevate their privileges and deploy Akira ransomware.

The following two incidents highlight what can happen when security cover is incomplete.

  1. In one attack, the threat actors used credentials for a domain admin account to breach an unprotected desktop server. With complete security cover, the anomalous activity on the domain controller would have been detected and the attack neutralised at that point. Instead, the attackers had another two hours to hunt for information and more before they were spotted and shut down.
  2. In another incident, attackers targeted a “ghost” account that had been created for a contractor and left active but unmanaged after the contractor left. The attackers used the account to access the network via an open VPN that did not have multifactor authentication (MFA) in place. They also targeted an unprotected server, elevated their privileges to administrator level and used that to execute the ransomware stage of the attack. However, as soon as they landed on protected devices visible to security tools, the attack was detected and neutralised.

Both incidents show how attackers actively seek out security blind spots that give them the chance to persist, and shift tactics when they need to.
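To make the detection points in these two incidents concrete, here is an added example (not code from the article or from Barracuda) that runs three simple checks over a handful of constructed logon events: a domain-admin logon to a host outside the tier-0 set, a VPN logon that did not complete MFA, and a dormant account that suddenly becomes active again. The host names, account names, thresholds and event fields are assumptions for illustration, not anything the incidents themselves disclose.

```python
from datetime import datetime, timedelta

# Assumed environment facts for illustration (not from the article): the
# tier-0 hosts where domain-admin logons are expected, the accounts that hold
# Domain Admins membership, and each account's last known activity before the
# window being analysed.
TIER0_HOSTS = {"DC01", "DC02"}
DOMAIN_ADMINS = {"da-jsmith"}
DORMANT_DAYS = 60
LAST_ACTIVITY = {
    "jdoe": datetime(2025, 2, 28),
    "da-jsmith": datetime(2025, 2, 28),
    "ctr-acme": datetime(2024, 9, 15),  # contractor left months ago, account still enabled
}

# Constructed logon events. Field names loosely follow a Windows 4624 logon
# event plus a VPN appliance log; 'mfa' is None for LAN logons because the
# question only applies to remote access.
EVENTS = [
    {"ts": "2025-03-01T09:02:00", "user": "jdoe",      "host": "WS042",     "source": "lan", "mfa": None},
    {"ts": "2025-03-01T23:41:00", "user": "ctr-acme",  "host": "VPN-GW",    "source": "vpn", "mfa": False},
    {"ts": "2025-03-01T23:47:00", "user": "da-jsmith", "host": "FS-LEGACY", "source": "lan", "mfa": None},
    {"ts": "2025-03-02T08:10:00", "user": "da-jsmith", "host": "DC01",      "source": "lan", "mfa": None},
]


def detect(events, last_activity=LAST_ACTIVITY):
    """Return (rule, user, host) tuples for events that match one of three rules."""
    seen = dict(last_activity)  # copy so repeated calls start from the same baseline
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user, host = e["user"], e["host"]

        # Rule 1: a domain-admin account logging on outside tier 0, the
        # 'domain admin on a desktop server' pattern from the first incident.
        if user in DOMAIN_ADMINS and host not in TIER0_HOSTS:
            alerts.append(("privileged_logon_outside_tier0", user, host))

        # Rule 2: remote access that did not complete MFA, as on the open VPN
        # in the second incident.
        if e["source"] == "vpn" and not e["mfa"]:
            alerts.append(("vpn_logon_without_mfa", user, host))

        # Rule 3: a dormant ('ghost') account becoming active again. An account
        # never seen before is treated as dormant too.
        last = seen.get(user)
        if last is None or ts - last > timedelta(days=DORMANT_DAYS):
            alerts.append(("dormant_account_active", user, host))
        seen[user] = ts
    return alerts


if __name__ == "__main__":
    for rule, user, host in detect(EVENTS):
        print(f"{rule:32s} user={user} host={host}")
```

Run against the constructed events, the script raises three alerts: the domain-admin logon to FS-LEGACY, the contractor account's VPN logon without MFA, and the same contractor account waking up after months of silence. The logon of the same admin account to DC01 is silent, which is the point: the rule keys on where privileged credentials are used, not merely that they are used.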


A layered approach to cyber-security

The trend towards faster, more complex and evasive attacks means that the best protection is a comprehensive, layered defence with integrated and extended visibility. This should be accompanied by a strong focus on cyber-security basics, which should include:  

  • Enforcement of MFA: because so many attacks rely on compromised user accounts, MFA should be enforced on every access point, especially VPNs, so that acquiring a password alone is not enough to get in.
  • Password policy: regular password rotation limits how long stolen credentials remain valid.
  • Audit active user accounts: active accounts should be reviewed to ensure that password controls and least-privilege access are enforced, and unused accounts should be identified and disabled.
  • Extended visibility: organisations must ensure they have extended visibility and security management across the entire digital attack surface. This requires a platform approach to security.
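As an added example of the account-audit and password-policy items above (not code from the article or from Barracuda), the following script reviews a constructed directory export and lists enabled accounts that should be disabled (leavers past their end date, or no logon within the threshold), accounts whose password exceeds the assumed maximum age, and accounts in privileged groups for a least-privilege review. Account names, group names, dates and thresholds are all assumptions chosen for illustration.

```python
from datetime import date

# Assumed policy values for illustration (not from the article).
TODAY = date(2025, 3, 3)          # fixed 'now' so the output is deterministic
UNUSED_DAYS = 90                  # no logon for this long counts as unused
MAX_PASSWORD_AGE = 365            # oldest password the policy tolerates, in days
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed directory export (no real accounts). 'end_date' is the leaver or
# contract end date recorded by HR, None for permanent staff; 'last_logon' is
# None for an account that has never logged on.
ACCOUNTS = [
    {"sam": "jdoe", "enabled": True, "last_logon": date(2025, 3, 1),
     "pwd_set": date(2024, 12, 1), "end_date": None,
     "groups": ["Domain Users"]},
    {"sam": "ctr-acme", "enabled": True, "last_logon": date(2024, 9, 15),
     "pwd_set": date(2024, 3, 1), "end_date": date(2024, 9, 30),
     "groups": ["Domain Users", "VPN Users"]},
    {"sam": "da-jsmith", "enabled": True, "last_logon": date(2025, 3, 2),
     "pwd_set": date(2023, 1, 10), "end_date": None,
     "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "svc-backup", "enabled": True, "last_logon": None,
     "pwd_set": date(2022, 5, 5), "end_date": None,
     "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "old-intern", "enabled": False, "last_logon": date(2023, 6, 1),
     "pwd_set": date(2023, 5, 1), "end_date": date(2023, 8, 31),
     "groups": ["Domain Users"]},
]


def audit(accounts, today=TODAY):
    """Return findings keyed by action: disable, stale_password, privileged."""
    findings = {"disable": [], "stale_password": [], "privileged": []}
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: nothing further to do
        name = a["sam"]
        reasons = []
        # Leaver or contractor whose end date has passed but whose account is still live.
        if a["end_date"] is not None and a["end_date"] < today:
            reasons.append("end date %s has passed" % a["end_date"])
        # No logon within the threshold (or never), i.e. an unused account.
        last = a["last_logon"]
        if last is None or (today - last).days > UNUSED_DAYS:
            reasons.append("no logon in %d days" % UNUSED_DAYS)
        if reasons:
            findings["disable"].append((name, reasons))
        # Password older than policy allows: a stolen copy would still be valid.
        if (today - a["pwd_set"]).days > MAX_PASSWORD_AGE:
            findings["stale_password"].append(name)
        # Members of privileged groups go on the least-privilege review list.
        if PRIVILEGED_GROUPS & set(a["groups"]):
            findings["privileged"].append(name)
    return findings


if __name__ == "__main__":
    for action, items in audit(ACCOUNTS).items():
        print(action)
        for item in items:
            print("  ", item)
```

On the constructed data the contractor account is flagged for disabling on two grounds at once (end date passed, no recent logon), which is exactly the kind of ghost account the second incident turned on; the service account with no logon history and a three-year-old password lands on all three lists. In practice the same checks would be fed from an export of your directory rather than an inline list.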

Integrating network, endpoint, server, cloud, and email security through extended detection and response (XDR) provides a much higher level of threat detection and response capability than disparate tools working separately. 


A comprehensive XDR solution means every corner of the IT infrastructure, from emails to cloud applications, is visible to the security team. The entire environment benefits from a full spectrum of defensive tools and strategies, minimising the attack window for even the fastest-moving threat actors.  


Adam Khan is VP global Security Operations at Barracuda Managed XDR


Main image courtesy of iStockPhoto.com and PeopleImages


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543